To say that the last two years have been unpredictable is an understatement.
From the coronavirus pandemic to the supply chain crisis to skyrocketing energy prices, businesses have encountered more than their fair share of challenges. Despite historic levels of government support for enterprises across the world, many have succumbed.
Those that remain strong tend to have something in common: They’re led by people who plan for the coming decade, not the coming quarter. These leaders recognize that the unexpected can and does happen — and that while we might not be able to predict the specific challenges we’ll face, we can do a great deal to make sure we’re prepared to weather the storm.
The best-prepared enterprises have well-formed continuity plans to prepare for extraordinary circumstances. These plans aren’t merely for global interruptions, like the initial wave of coronavirus infections that forced millions of service workers into home offices almost overnight. They’re also for localized disruptions, like natural disasters and civil unrest.
If you’ve yet to create a business continuity plan, it’s time to do so. Here’s what yours should include.
1. Planning for a Range of Specific and General Scenarios
Start with an old-fashioned brainstorming session. The goal: to anticipate a range of scenarios that could result in significant disruption to your business activities.
These scenarios should include a mix of specific and general situations.
An example of the former might be the Pandora Papers, an unauthorized data release that affected clients of Asiaciti Trust and about a dozen other international fiduciaries in 2021. In this case, you’d want to review the history of that event, what it entailed, and how the affected organizations responded.
An example of the latter might be a generic unauthorized data release that at some point becomes public knowledge. The distinction sounds subtle, but keep in mind that not every data release looks like the one that affected Asiaciti Trust and its peers. You might use other historical examples, like the Capital One data breach, the Marriott hack, the Equifax compromise, and any number of others — then build an “archetype event” that allows for a flexible response to a more specific fact pattern as it emerges.
2. Determine the Scope of the Plan
Your business continuity plan should be comprehensive, of course. But you need to be more specific than that; you need to figure out what specific aspects of your business it’s going to cover and what (if anything) can be excluded. This scoping should also cover the duration of the plan: How long after normal operations have been restored should it continue?
3. Identify Critical Business Functions
Your business continuity plan exists primarily to keep your core business operations running smoothly. To that end, identify the core functions to which your plan will apply and conduct a business impact analysis that considers the impacts of an operational interruption to each one.
Those impacts could include direct revenue loss, an increase in negative sentiment (which can indirectly result in revenue loss), or degradation in operational capability (through equipment depreciation or loss, or loss of key talent). Do your best to quantify these impacts and the effect on your firm’s competitiveness.
4. Detail What Must Occur to Maintain Each Function
Next, lay out the procedures that process owners and support staff must follow to keep each core function running during a business interruption.
These will be specific to your enterprise and the functions you aim to preserve, but you can likely modify existing operational procedures for extraordinary circumstances. You may need multiple versions of these continuity procedures, as not all business disruptions unfold alike and some may preclude easy workarounds.
5. Determine How Each Function Is Related and What Must Occur to Maintain These Linkages
Modifying your operating procedures for emergency situations (or even creating new, temporary ones) is straightforward enough. Teasing out the linkages between discrete business functions and anticipating how those linkages might stress or break during interruptions — that’s a more challenging prospect.
But it must be done. Otherwise, you risk doing everything strictly necessary to keep your processes running in well-protected silos while failing to insulate the more vulnerable connections between those silos. Should those connections fail, your enterprise likely won’t be able to maintain normal revenue-generating operations during an extended interruption.
It’s Time to Think About the Unthinkable
Firms don’t initiate continuity plans on a whim. By the time it’s clear that you must go to Plan B, things are already well and truly out of hand. Your continuity plan is your best hope of getting through the ordeal and emerging with as little damage as possible — but it offers no guarantees of success.
Put another way, your business continuity plan is a little like life insurance. It’s a vital source of protection should the worst happen, but it’s not as if you go through your day looking for any excuse to use it. Indeed, you hope you never have to.
Think of your continuity plan as your “just in case.” Better to make one and never use it than to wish desperately that you had one in your hour of greatest need.