A business continuity plan is an essential tool all organisations should possess. Although many do, it is not considered important unless or until a disaster strikes, and it may be only at that time that the plan is found to be deficient. In this post, we share five crucial tips to build a more robust business continuity plan.

 

The start of the 2022 North Atlantic Hurricane Season in June was pretty quiet, and it may have seemed that the countries would be spared, for another year, the devastation a major hurricane can cause. However, with the recent passage of Hurricane Ian, which so far has devastated Cuba and Florida, and the fact that we still have two more months before the official end of this year’s hurricane season, we are still vulnerable.

For the past two years, thanks to the upsurge in Saharan dust and Lady Luck, the Caribbean region had experienced limited devastation from adverse weather conditions, such as tropical storms and hurricanes. As a result, we may not have been as vigilant in our disaster preparation and disaster recovery planning as we have been in previous years. Further, with more organisations benefiting from work-from-home and flexi-work arrangements, the disaster preparation and recovery plans instituted when all staff members worked on-site may still be the ones in effect. In this article, we offer a few key tips to get organisations’ business continuity plans back on track.

 

1.  Broaden the range of disasters that can threaten your operations

In the Caribbean region, we are acutely aware of, and tend to make provision for, disasters such as storms, hurricanes, flooding, fire and civil unrest. However, in our increasingly digital age, the scope of business continuity plans ought to be expanded to include, among other things:

  • Cyberattacks
  • Ransomware infections
  • Viruses and malware
  • Power failures
  • Telecommunications failures
  • Infrastructure failures.

Caribbean organisations are not immune to any of the above, and each should be fully assessed and the requisite procedures and other supporting mechanisms established to minimise the loss, damage and downtime should they be experienced.

 

2.  Apply lessons learned from COVID

Although there might be a greater sense of normalcy these days than existed two and a half years ago, it is prudent to revisit the initial impact of the pandemic on your organisation: the uncertainty, the lockdowns, the curfews, sanitisation, etc.  To a considerable degree, many businesses and organisations were unprepared for the impact of the pandemic on their operations, which resulted in panic and uncertainty.

The disruption to business operations, employees and consumers would be similar to that experienced for other types of disasters. Hence, there may be takeaways and lessons that can be incorporated into the revised business continuity plans to make them more robust and directly relevant to the organisation and its operations.

 

3.  Invest in employee training

When storms are pending, staff are often asked to assist in taping windows and in squirrelling away important documents and equipment in filing cabinets or garbage bags that are safely stored. In essence, the focus is on tangible items that can be damaged or destroyed. However, the same approach cannot be applied to digital assets, which can be compromised or destroyed without notice.

It thus becomes critical for employees to be more informed and vigilant with respect to the digital equipment, data and digital assets that are under their care. In addition to observing basic computer security protocols and good digital hygiene, staff need to be versed in the procedures to be followed if a vulnerability is suspected, seemingly suspicious activity is observed, or a failure is experienced. Frequently, when computing equipment, data or software is involved, time is of the essence to minimise damage and loss.

 

4. Ensure the plan aligns with compliance requirements

In organisations that are regulated or are required to comply with specific standards, the business continuity plan ought to consider the requirements of the standards or regulations to which the organisation needs to adhere. This approach should also be employed in matters related to insurance, for example, as there might be specific actions that ought to be taken to maintain coverage and/or support potential claims that may be made.

Depending on the situation, compliance may be relaxed, but those circumstances ought to be clearly known and understood. Further, although one aspect of an organisation’s operations may be under threat, it does not necessarily remove or cancel any of its other compliance-related responsibilities, which ought to be factored into the business continuity plan developed.

 

5.  Test the plan regularly

Finally, there is a lot of information and guidance online and from other resources on how to prepare a business continuity plan. However, regardless of how well or comprehensively the plan has been prepared, its true test comes when it is put into action.

Mock scenarios, tests, drills, and even penetration tests ought to be scheduled regularly, and at least once a year, to check the integrity of the organisation’s systems and recovery procedures. The outcome of those exercises may highlight a broad range of deficiencies, for example in the plan itself, in the capability of designated team members, or in the wider team’s knowledge of the plan and key procedures.

 

In summary, a business continuity plan is not just a “nice-to-have” that sits on a shelf gathering dust. It is a living instrument for the organisation it serves, which will become invaluable when disaster strikes. To that end, it also needs to evolve with the organisation and be seen as an integral tool for its continued functioning, particularly in adverse situations.

 

 

Image credit:  jcomp (freepik)