A Five-Step Plan
Fortunately, improving an organization’s management of risk exposures across the business, and strengthening its responses to threats and real attacks, does not have to be overwhelming. Indeed, preparation of a strong risk management program can be broken down into five steps:
Step 1: Design a business continuity plan. A company can begin by conducting a thorough business impact analysis to identify which organizational processes, products, locations, lines of business, and departments should be highlighted in the continuity plan. Target recovery times for incidents should also be documented. This analysis should generate a comprehensive list of the resources needed in the face of a serious disruption — including personnel, computer hardware, networks, applications, communications technology, specialized equipment, office space at alternative sites, and supplies. It is also important to have a schedule for regularly reviewing and, if necessary, updating the business continuity plan.
“A business continuity plan must have strong support from the chief executive; there must be a clear commitment to never let disruptions seriously hurt a company’s performance.”
Step 3: Develop a business continuity management infrastructure. This infrastructure serves as a command center and coordinates reporting, response, transportation, external communications, e-mail, facilities, legal actions, loss control, and resources during and after a crisis or disaster. Essentially, it is the internal organization that administers the business continuity plan. It is critical to have a list of assignments that shows who is responsible — from CEO to legal counsel to facilities staff — for which resources and response activities during an incident. Equally important, but often overlooked, are guidelines for quick, accurate, and appropriate notification of third parties, such as media, shareholders, police, regulators, and public utilities. Simply by creating this infrastructure, and linking it to the business continuity plan, top management can become more aware of their organization’s vulnerability. For example, they can see how frequently their companies actually suffer potentially serious disruptions, a measure that is difficult to obtain without such an infrastructure. (After implementing an incident management infrastructure, one insurance giant recently found that in a six-month period it faced 29 major interruptions and more than 300 minor outages.)
Step 4: Train employees in crisis management. There should be a formal, written plan for educating the employees responsible for continuity planning and crisis or incident management. A series of mandatory classes with a curriculum that mirrors the company’s business continuity plan is the best way to ensure that employees are taught practical knowledge that fits the internal procedures for dealing with disruption. In addition, the company’s business continuity specialists — for instance, those who led the creation of the business continuity plan in the first place — should stay current with industry crisis management best practices by being active in such groups as the Contingency Planning Exchange (www.cpeworld.org). This organization offers educational materials, provides member forums, and helps set broad standards for business continuity issues.
Step 5: Establish metrics. High benchmarks for corporate business disruption preparedness and recovery must be set to ensure that the continuity plan and the incident management infrastructure are effectively guarding the organization against natural disasters as well as cyber or physical attacks. For instance, every new technology initiative should be analyzed to show how downtime of that system would affect the business; this helps determine how much redundancy (in the form of backup systems) is needed, and where. Benchmarking should be used to set goals for how well the company must perform during an actual incident — whether it is a virus, bad weather, an earthquake, a terrorist attack, etc. Among the possible guidelines: recovery time should vary no more than 10 percent from the targets laid out in the continuity program; event assessment, reporting, and action plans must be prepared within 48 hours of an incident; and the company’s incident response and alert center should be activated within two hours of becoming aware of a threat. Other metrics might be used to evaluate whether employees have a basic understanding of crisis management policies and procedures, and whether they have completed a sufficient number of disaster drills.