Build an Effective Business Continuity Plan in Just 4 Steps with the “S.A.F.E” Approach
S: Support: Receive executive-level support for the plan.
A: Assess: Assess all threats and identify solutions.
F: Framework: Build the framework of your plan through a business impact analysis.
E: Exercise: Exercise, test and improve your plan routinely.
Let’s cover each step, one at a time.
SUPPORT: Receive Executive-Level Support for the Plan
Although it may sound simple, this step is critical. For many businesses, the first challenge in getting a business continuity program off the ground is getting support from a CEO or senior-level executive. With rallied support underscoring the importance of the plan, leaders are more likely to get behind the plan and see it through to completion.
ASSESS: Assess All Threats and Identify Solutions
The next step in the S.A.F.E approach involves defining all threats and solutions at a high level by creating an “assessment map”, as shown below. Next to each threat, define a solution to resolve the threat along with a way to prevent that threat from occurring in the future.
For example, here’s how a cyber-attack might be broken down:
Solution: Data recovery plan
Prevention: Layered security approach, employee education
When it comes to cyber-attacks and data breaches, a layered security approach may be necessary to protect your network from a broad range of attacks through multiple layers of security. Additionally, a data backup and recovery plan should be in place, in the event your network is compromised.
Continue to follow the same steps to define each threat, identifying solutions and different ways to prevent each particular threat from occurring.
If you’re not sure which solution and method of prevention would be the best fit, contact us by phone at (262) 522-8560 or email and we’ll help you understand what solutions are available to you.
FRAMEWORK: Build the Framework of Your Plan through a Business Impact Analysis
Define critical functions and resources: In this step, identify how each threat would affect the survival of your business.
What functions and resources absolutely need to be up and running and, if interrupted/lost, could affect your ability to meet regulatory requirements or continue providing goods and services?
Define Maximum downtime: Record the longest period you can be without these systems.
The answer to this question will become the maximum tolerable downtime, or MTD, for those systems. This step is necessary when allocating your business continuity resources, so be sure to evaluate all systems that are critical to the operation of the business. You’ll want to identify and document any critical functions of the business that absolutely need to be up and running as quickly as possible in the event of a disaster. Then, record the longest period of time you can be without these systems.
For example, one department may initially indicate they need access to a particular system within 24 hours of a disaster, but further questioning might reveal they can effectively do their job while accessing a system several times a month rather than on a daily basis. This simple change could lengthen the MTD significantly and therefore dramatically affect the prioritization of resources.
Define Recovery speed: Once you know what systems need to be recovered, and how long you can be without these systems, define how quickly you will need access to those systems. The answer to this question becomes your recovery time objective or RTO.
To find your recovery speed, ask your Ontech IT consultant “How long would it take to restore XYZ system to working order in the event of a disaster?”
Assess impact: Finally, assess the impact of a disaster on your systems. Pay close attention to cases where the MTD (maximum tolerable downtime) is less than the RTO (recovery time objective).
It is in these gaps that your recovery requirements are NOT in line with your business continuity plan. To fix this, meet with executives again, ensure the MTD is accurate, and confirm with your Ontech IT consultant that recovery times are truly insufficient for meeting these needs.
This step ensures all parties are on the same page and provides a path to negotiating a solution regarding expectations vs. realistic recovery time. Any remaining gaps are areas that may require additional investment to reduce the RTO or, alternatively, increase the MTD.
EXERCISE: Exercise, Test and Routinely Improve Your Plan
Once you build a business continuity plan, don’t simply file it away as you would a business plan or mission statement. A business continuity plan is a “living process” that must evolve with the needs of the business as technology capabilities change. Test your plan and update it regularly (yearly – at a minimum) or any time critical functions, facilities or systems change.
Finally, take the time to train employees to understand their role in executing the plan. Hypothetical walk-throughs, drills, exercises or simulations can stimulate great discussion and ensure your business continuity plan executes seamlessly in the event of a disaster.