Business continuity planning is an extensive, ever-changing process that has many potential pitfalls for the unprepared. Last week I wrote a list of things you DON’T want to be doing with your business continuity plan. This week, I’d like to go through a few tips that you will want to incorporate to really ensure you’re creating a complete and successful plan to get your business recovered quickly in the event of a disaster.
DO: Keep open communication
During an outage, communication is incredibly important. Not only do you need to be able to keep everyone in the company apprised of the situation on a regular basis, you also need to plan for many different avenues of communication, so if one isn’t available people can still get critical information disseminated.
The most important thing is to plan for a communication outage before something happens. The last thing your organization needs is a half dozen people all messaging different information, and giving their own, potentially incorrect, version of what’s happening to clients and the media. It’s best to assign one person responsible for internal communication, and one person responsible for external (the media and clients). With this written in your incident response plan, you’ll know that in a disaster the messaging will be optimized and uniform. Very important: Be sure your employees understand that if they aren’t responsible for external communication, they should not be interacting with the media.
This communication reaches into how you plan as well. Open up a dialogue with the fire and police departments about specifics in your plan. They likely have some insight that can help you create a more efficient process. These professionals are a great resource, so don’t shy away from utilizing that expertise.
DO: Vet your third party providers
Every organization has a group of vendors that they use to help make their products and services available. You need to understand how each of those vendors fits into your business continuity plan. The FFIEC specifically states in Appendix J the four elements of BCP that financial institutions need to be sure to address as they pertain to these Technology Service Providers (TSPs), to make sure the partnership strengthens the resiliency of the services provided:
- Third-party management addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
- Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients.
- Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
- Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.
Check their SLAs, and understand what the DR plans for their organization look like before partnering. Make sure your providers take business continuity planning as seriously as you do, because if they go down, you’ll be dependent on their plan to get your services back up.
I cannot emphasize enough how important testing is to a business continuity plan. Having good documentation used to be enough for regulators, but now they want to see that the plan has been carried out, and that you’re testing dynamically. Regulators want to see that you’re not just doing the same test, year after year, but that you’re testing your plan on different scenarios, with different levels of severity. Instead of testing the whole system at once every year, I often suggest doing smaller tests more frequently, to make it a little more manageable on your team and resources.
Testing has the added bonus of giving not only the plan itself some practice, but the people. Employees need to understand their role in the business continuity plan, and a test is a great way to prepare them. When your systems are down, every moment is a loss of revenue and reputation. The last thing you’re ever going to want is an employee who is trying to learn what their role is for the very first time in the middle of your outage.