SMEs: Build your basic Business Continuity Plan in 4 steps

No one can argue today the importance of operational resilience whether to face an internal crisis or an external hazard. But unfortunately, the number of companies having a fully functional Business Continuity Plan is still very low, especially among Small and Medium Enterprises who are the first impacted by any major crisis.

If you are willing to do something but you find the current BCP frameworks unwieldy and costly, here are some tips for building a basic BCP in 4 steps:

Step 1: Conduct your Business Impact Analysis

A Business Impact Analysis (BIA) lays the groundwork for your continuity process by assessing the resilience limits of your organisation. Here’s how to proceed with your basic BIA:

• List your companies’ activities and affect an owner for each one (generally the manager or the team leader)
• List the number of personnel for each activity and specify the key people, by asking yourself: What is the minimum number of people needed to ensure the continuity of the most crucial tasks of that activity?
• List the systems and applications used by this activity
• Indicate if this activity can be conducted remotely by teleworking
• Estimate the Recovery Time Objective (RTO) by asking yourself (and the activity owner): What is the maximal duration of interruption acceptable for this activity before having a serious damage for the company’s finances, operations and or reputation?

PS: A more detailed methodology consists of listing the processes for each activity and conducting the BIA based on those processes and not the activity itself

Step 2: Elaborate your Business Continuity Plan(s)

A simple approach to elaborate a Business Continuity Planning is to focus on the following generic but very useful scenarios:

Loss of premises

The traditional approach to face the loss of premises is based on a fallback strategy, moving the essential personnel from a primary site to a backup site. The backup site must have the capacity of absorbing the incoming people in term of space and installation.

If you are an SME (or even a big company from a service sector), you should implement a wide-scale teleworking strategy. This approach enables most of your personnel (and not only key people) to quickly resume their work remotely, using secure solutions provided by your IT. This strategy once mastered, comes handy in case of pandemic like COVID-19.

 Loss of HR

The best way to deal with the loss of HR is to ensure that:

• You have a designated backup for each key personnel (mainly in management)
• Important tasks can be performed by more than one person if needed
• External experts or firms are identified as backup for each activity in case of complete loss of internal personnel

Loss of Vendors

To address the loss of vendors, the company must ensure that:

• A potential backup is identified for all vendors
• An escrow agreement is included in the contracts for all critical software

Loss of IT Services

Concerning the IT continuity, two important aspects must be covered:

• All document must be backed up daily on an external environment so data can be recovered in case of system crash or a cyber attack (like ransomware)
• Your infrastructure must be redundant, and your business data backed up daily:

1. If you outsource your infrastructure or application, make sure that your vendor has elaborated a Disaster Recovery Plan and performs a daily backup on your data
2. If you manage your own infrastructure, make sure that your CTO has elaborated a Disaster Recovery Plan, that your databases are backed up daily and a restoration test is performed at least once a year

 Step 3: Elaborate your Crisis Management Plan

A Crisis Management Plan helps you manage any major crisis independently of the covered BCP scenario. This document must include at least the following:

• A presentation of the crisis cell, its members and their respective roles
• A methodology for triggering the crisis plan containing a checklist related to major crisis situations
• A communication plan with internal and external parties including useful contacts for authorities and press

 Step 4: Perform BCP and Crisis Management exercises

Organize an awareness session for your personnel to explain the Business Continuity and Crisis Management Plans and perform at least once a year an exercise for each one based on a different scenario each time.

Those exercises are important to gather feedback and improve your process to be ready when facing a real-live crisis.

Share your thoughts with us and stay tuned for more!

For any question or assistance about risk management, business continuity or crisis management issues, feel free to contact us at: paul@clarice.cloud