
Protecting Operations for Financial Institutions

The history of business continuity planning for banks and financial crises that inevitably impact banking institutions has taught us that nothing is 100 percent certain or safe. We can come up with analyses and forecasts, but a crisis can strike at any time. It can come in the form of natural catastrophes. Crises can also arise from human-made disasters, such as acts of terrorism, civil war, fraud in various forms and at different levels, cybercriminal attacks, technological failures, human error, and many others. This is why business continuity planning is such an essential company-wide responsibility. It involves the development of strategies designed to ensure the restoration of critical business processes, as well as the technical recovery of critical information systems integral to such functions during bank-wide service or operational disruptions. It plans for how critical processes, departments, information systems, and business units will work in tandem as a coordinated response to any disruption. For timely business resumption and recovery, there should be a tightly unified planning process involving each business unit’s plans and roles in the resumption of essential processes. This includes both short-term and long-term disruptions and subsequent recovery operations. Moreover, senior management must set the tone for everyone else that business continuity is an organizational responsibility, and not an information technology (IT) department matter for which only the IT function is liable.

The objectives of business continuity planning

Business continuity planning is essential to all companies during disruptions. In the banking industry, in particular, it aims to accomplish the following objectives:

  • To reduce financial loss to the banking institution.
  • To ensure customers and financial market participants continue to be served.
  • To diminish the negative impact of disruptions on the bank’s reputation, market position, liquidity, credit quality, strategic plans, and operations.
  • To maintain the bank’s ability to comply with applicable laws and regulations.

Today, technological innovation and changing internal and external business processes, as well as the emergence of new threat scenarios, require the continuous review and update of business continuity plans. A bank’s business continuity plan must always take into account regional disasters, and possible staff inaccessibility and losses. This is especially useful in the case of pandemics, such as epidemic-prone diseases like Ebola, influenza, and SARS, which affected several countries. Such outbreaks do not only impact staff availability but also affect customers who may become paralyzed with fear and panic, leading to increased delinquencies, higher internet banking volume, more requests for additional credit, and, at worst, bank runs.

The importance of impact analysis

An essential step in any business continuity plan is a business impact analysis that distinguishes critical from non-critical functions. A critical function is one whose implication for stakeholders or the extent of damage to the bank is considered unacceptable or disastrous. Moreover, any function that is dictated or required by law is automatically regarded as critical. What is perceived to be an acceptable disruption may change based on the cost of establishing and maintaining the necessary business or technical recovery solutions. Furthermore, impact analysis leads to the identification of each critical function’s recovery requirements. These include the timeframe in which the critical operation is restored after a disaster and the business and technical requirements essential to the recovery of each vital process. These days, banks have shorter business recovery time objectives compared to just a few years ago. In fact, recovery time for some institutions takes only a matter of hours, minutes, and sub-minutes, depending on the reason for the disruption. A business continuity plan must also address or take into account market-based and geographic interdependencies since there are now local, national, and global banking networks, as well as infrastructure service providers.

Critical components of a business continuity plan

According to the Financial Industry Regulatory Authority’s (FINRA) Rule 4370, the elements comprising a member’s business continuity plan are flexible. They can be tailored to the scale and requirements of each member. However, all plans must address the following:

  • Data backup and recovery (hard copy and electronic): This encompasses a clear identification of where primary books and records, as well as backup files (hard copy and electronic) of the same, are kept or located. Establishments should also be prepared to provide a detailed description of the data backup and recovery process during major business disruptions.
  • All mission-critical systems: What is deemed a mission-critical system varies based on each member’s business. For banks, these would include online banking, access to customer accounts, and encryption.
  • Financial and operational assessments: These assessments include a record of procedures to be undertaken, allowing for a bank to identify changes in its operational, financial, and credit risk exposures.
  • Alternate communications between customers and the firm and between the firm and its employees: These encompass the provisions to be made to ensure an uninterrupted connection among everyone involved.
  • Alternate physical location of employees: In the case of disruptions, there should be designated alternative sites for employees (this includes key personnel) in the resumption of business operations.
  • Critical business constituent, bank, and counterparty impact: This covers the effect significant business disruption can have on a bank’s relationships with other banks, counterparties, and other stakeholders, and how it will address such impacts.
  • Regulatory reporting: This should spell out the capability of a bank to ensure compliance with regulatory reporting requirements in the event of business disruption.
  • Communications with regulators: This covers how a bank can communicate with FINRA during a significant disruption, and identifies designated business continuity plan contacts with FINRA who will assist in the communication.
  • How the firm will assure customers’ prompt access to their funds and securities: Comprises details on how the bank will make funds and securities available to customers in the event of an extensive business disruption.

The business continuity planning process should be a continuously evolving step and bank-wide responsibility. It must be resilient and current to be capable of efficiently responding to changes in business operations and potential threats, and must completely address all audit recommendations and test results.

Business continuity planning is the process of planning for the potential issues that a company or business could face while maintaining operations. Creating and updating a business continuity plan is a cornerstone of successful businesses, and you should invest ample time and resources in ensuring that your plan is the best that it can be. Having a well-thought-through continuity plan in place ensures your business can recover seamlessly and be able to continue operations if there is an emergency.

Business Continuity Planning for 2023

As 2023 begins, it is important to start planning, and updating your business continuity plan is a huge part of that. Planning ahead ensures that you have a vision for your business moving forward and that you have the tools and resources in place to manage your growth and maximize success. Not sure how exactly to get started? Read ahead for practical steps and advice.

Perform a Business Impact Analysis

One of the first things you can do to aid your business continuity planning is to perform a business impact analysis. A business impact analysis (or BIA) explores the impact a widespread disruption would have on your business. Performing a business impact analysis is one of the best ways to start planning for the future. Doing so can help you find where there might be vulnerabilities in your operations and overall business model. It’s a great way to find and identify your business’s blind spots and prepare potential solutions. This can also assist with other essential business-related tasks, like budget planning and understanding hiring needs for the upcoming year. Planning ahead and performing a business impact analysis will save you lots of time and stress in any case.

Business Resilience

Part of planning ahead for 2023 should include solidifying your business’s overall resilience. Let’s face it: 2023 is a risky time to be operating a business. Think ahead about ways you can strengthen and solidify your business model. The world is more unpredictable than ever, and businesses need to be built to withstand it. Creating a business continuity and recovery plan will ensure your business is around for the long haul, allowing you to grow and invest in the future.

Disaster Recovery

It might sound obvious, but make sure you have a plan in place for disaster recovery as a part of your business continuity plan. Knowing and identifying issues is one thing, but dealing with them can be a different task. So, make sure you not only have a plan to identify risk, but also have a plan to manage and recover from it.

Risk Management

Now that you have invested in your business’s health and resiliency, you should start figuring out ways to mitigate risk. Investing in risk management plans should be a key part of planning for 2023. One of the biggest lessons that business leaders can take away from 2020 and the COVID-19 pandemic is the need for proper risk management techniques. Don’t leave yourself unprepared like many businesses did. Research and understand risk management in your field and implement best practices into your business continuity plan. Once you understand the value of risk management, you should identify and prevent these issues and tackle them head on. With that in mind, here are some common trends and potential risks projected for the year 2023.

Crime

Crime is one of the biggest trends you should be aware of when updating your business continuity plan this upcoming year. With issues like COVID-19, natural disasters, and high inflation, crime is on the rise. Consider common issues such as shoplifting, hackers, and other technology-related scams, and have plans and protocols in place to deal with these problems. Make sure that you also train both yourself and your employees to spot and prevent crime. Doing so will help prevent financial losses and ensure your business remains safe and trustworthy in the eyes of the public.

Working with Extreme Weather

With occurrences of extreme weather on the rise, it is smart planning to consider how extreme events could affect your business when updating your business continuity plan. Offering flexible work settings for your employees, such as work-from-home or a hybrid model, can help everyone maintain productivity during periods of extreme weather, such as the snowy winter months and extreme temperatures of late summer. It’s always best practice to have a protocol in place before the extreme weather hits, so research potential risks for your area and make a plan well ahead of time.

The Future of COVID-19

While many lockdowns and other early pandemic worries are now a thing of the past, there are still several highly contagious COVID-19 strains that are likely to stick around. Thus, it’s not unreasonable to assume that there will likely be times when your business may encounter issues due to COVID-19, including the possibility of multiple employees being out or even a temporary closure. Thus, it is vital that you have contingency plans built into your overall business continuity plan so everyone knows what to do in the event of COVID-19 affecting your workplace and business operations.

Continuing Work-from-Home (WFH) Trends

The word is in: Work from home is here to stay, as continual studies show that many people (and even employers) enjoy working from home while continuing to maintain similar, or even better, productivity levels as when they were working in the office. Rather than fighting work-from-home, future-minded employers are embracing the trend and strategizing ways to implement it into their overall business model and business continuity plans.

Dealing with Inflation

Inflation was a hot topic in 2022, and businesses and their employees can expect this trend to continue into 2023. Operating costs are likely to remain high due to inflation. Likewise, in response to inflation and the increasing costs of living, many workers are looking for jobs with higher wages. In addition, many states and local towns have passed minimum wage increases in response to the rising rates of inflation. Build inflation into your budget and have a plan in place to manage it going into the year 2023.

New Year, New Regulations

When the new year rolls around, there are almost always new laws and regulations that come into effect, be it on the state, local, federal, or even business level. It’s essential to research these new laws and regulations well ahead of time so that you can understand how they are going to affect your business going forward. Don’t wait until the new year has already arrived; doing so could mean fines or other legal penalties if it turns out that you have broken labor or safety laws. If you have questions, confusion, or concerns about any new laws or regulations, you should talk to your business’s human resources department and legal team to ensure you are prepared for new laws going forward. Doing so protects both your business and your employees, so don’t neglect this essential step. It’s part of your responsibility as someone who owns and operates a business.

Cybersecurity

Focusing on cybersecurity is a vital part of business planning in the modern era, and 2023 is no exception to this rule. Recent research shows that cybersecurity events and business disruptions have been some of the most common types of business disasters in recent years. As technology grows and evolves, unfortunately, so do criminals. It will be well worth the effort to have a plan in place ahead of time, so your business’s safety is ensured online. Don’t wait until there is a data breach or extended outage to think about your cybersecurity. Your customers trust that you are being confidential and responsible with their information, and jeopardizing that trust could result in a negative blow to your business reputation. Plan before it is too late.

Conclusion

A business continuity plan is a key component of your operations. It should be well thought through, carefully researched, and tested regularly. Creating a business continuity plan prevents a multitude of issues down the line for you and your business. Agility can help you create a customized plan for your business, so you can move forward through 2023 with confidence and maximize growth. Contact us today and learn how we can help you and your business succeed.

The manufacturing industry is one of the most critical sectors in the U.S. A disruption to its activities can have far-reaching effects on relevant industries and the economy. This makes it essential for companies in this sector to ensure their production facilities can resume operations after a disaster. To achieve this goal, manufacturers must use a sound contingency plan to protect themselves.

What Is a Business Continuity Plan?

A BC plan is a system every manufacturer should follow to prevent and recover from potential threats. The plan ensures employees and assets are safe and can function quickly after a disaster.

What Are the BC Plans That Protect Production and Quality of Goods?

There are two types of BC recovery plans that protect the production and quality of goods:

  • Natural disaster recovery plan: This plan helps businesses recover from earthquakes, tornadoes, floods, and other environmental disasters.
  • Manufactured threats: Such plans serve as protection from terrorism, cyberattacks, or sabotage.

In both cases, you must have a plan to protect your facilities, equipment, and team members. That way, they can continue operations at their normal level of productivity even after a disaster has occurred.

What Do Business Continuity Recovery Plans Cover?

You should customize a recovery plan to your business’s needs. However, these are the general sections that appear in your BC plan.

1. Testing and Training

BC plans aren’t only theoretical — they must be robust enough to implement. Therefore, manufacturers can check their plans by testing and exercising them. That is where you can use realistic scenarios to test your team’s response to a disaster. By doing so, you identify areas for improvement, allowing you to take action to improve the plan before a disruption occurs.

2. Plan Reevaluation

If your business undergoes significant changes, you should reevaluate your action plan and update it accordingly. This may include updating information to reflect changes in personnel or expanding certain sections. Once you’ve coordinated the updates, you should indicate any staff changes and explain when the next evaluation period will occur.

3. Personnel

Personnel is key to a business continuity plan. This team offers guidance and helps make decisions in an emergency. Additionally, you should include personnel such as stakeholders, executives, and employees. To ensure you can resume normal business operations, you should appoint a team leader who understands all aspects of disaster recovery. Then, you should assign the roles and responsibilities of key personnel. For example, suppose there is a cyberattack on your company. You would need someone with access to your network to respond to the breach when IT managers are unavailable.

4. IT Continuity

The manufacturing industry heavily relies on data and technology. Currently, no overarching or mandatory cybersecurity regulations exist for the manufacturing industry, which can unfortunately mean lax security standards. Following the NIST Cybersecurity Framework, which can help protect both IT and OT, and following CMMC regulations, which currently apply only to Department of Defense contractors but could soon extend to suppliers of multiple other federal departments, can boost your security standards to help prevent destructive cyberattacks. However, even if you never suffer a cyberattack, natural disasters can still disrupt your operations and completely devastate them. Your IT department must always have a BC plan, as one survey found over 72% of businesses don’t meet their recovery expectations. Typically, this occurs without a solid recovery plan. Therefore, you must ensure your BC plan outlines data backup processes and technologies to restore your IT infrastructure.

5. Asset Management

A BC plan should also include the recovery plan for your equipment and asset management. Take inventory of all equipment and assets and ensure they are identifiable. You must consider how you’ll replace them if they are destroyed or inaccessible.

6. Communication

Clear communication is necessary for every part of your business’s interactions. Therefore, the BC plan should indicate how you’ll convey information when disaster strikes. The plan should outline how personnel will reach out when other modes of communication are down. In critical moments, you must make decisions quickly.

7. Document Storage

In addition to digital files, there must be a plan to protect and restore essential physical files. Manufacturing companies have crucial information in their documents. A plan will tell you what to do if these get lost in a flood or fire. For instance, some manufacturers will back up copies in a remote location.

8. Medical Response

Whether the disaster is natural or manufactured, you need a plan to respond to life-threatening situations. In severe cases where a worker becomes injured, you need to consider the kind of care you’ll provide on-site. For instance, where would you keep emergency supplies, and how would someone access them? Or, where will you take your employees to receive urgent care?

9. Contingency Locations

Certain impacts can be so disastrous that manufacturers must find a temporary site to continue their operations. Your BC plan should have the location of where your work will resume and how long it will take to get it running. Additionally, your plan should have contingency locations for your IT department and data center in case of downtime. This is especially important for privacy and data regulations.

Use a BC Plan to Prepare for All Disasters

BC plans are a vital part of the manufacturing industry. Threats and disruptions can mean increased costs and loss of revenue, which can impact other businesses down the line. Unfortunately, manufacturers can’t rely on insurance alone, as it doesn’t cover all the costs. But when they have a sound BC plan to minimize downtime, they can gear their company toward a speedy recovery and operational success.


Zac Amos is the Features Editor and a writer at ReHack, where he loves digging into business tech, cybersecurity, and anything else technology-related. You can find more of his work on Twitter or LinkedIn.

Unless those who deliver healthcare invest in continuity planning, they risk never being able to recover from events like natural disasters, human-caused events, and malicious technological breaches. Continuity planning places the organization in the best position to avert these and other threats.

Nationwide, the healthcare system includes:

  • Hospitals
  • Skilled nursing facilities
  • Home health services
  • Physician offices
  • Diagnostic centers
  • Specialty care treatment centers
  • Mental and behavioral health
  • A variety of other components

In 2021, in collaboration with Infogroup, a leading provider of data and data-driven marketing solutions, the U.S. Department of Labor found that healthcare providers represented three of the top five largest employers in major metropolitan cities. To avert disaster, public and nonprofit entities and others all require the same level of continuity planning as their for-profit partners. Two distinct goals surface when examining the healthcare delivery system and the role of continuity. First, individual businesses or agencies should have plans in place to recover business or mission functions after a disaster occurs. According to the Federal Emergency Management Agency (FEMA), “40 percent of small businesses never reopen after a disaster and another 25 percent that do reopen fail within a year.” FEMA has found that “following a disaster, 90% of smaller companies fail within a year unless they can resume operations within five days.” Continuity is not only important to a business’s bottom line, but it has a broader socioeconomic impact regarding employment and services. Second, the healthcare system must be maintained following a disaster. Rapid recovery of operations after an event is critical to the community, which may require medical services. At first glance, continuity planning and emergency preparedness can be daunting, especially for professionals who are unexpectedly saddled with those responsibilities. Dedicated emergency managers typically exist only within hospital systems in most national and state healthcare delivery systems. In most small- to medium-sized workplaces, staff with other primary day-to-day missions will complete the organization’s continuity and emergency planning. Although these terms and processes overlap, they are quite different. The primary goal of emergency preparedness is to safeguard people and property from harm. Preparedness is a fluid and dynamic process that requires continual updates with adjustments.
Continuity’s main goal focuses on the continuation of critical business or mission operations. Recognizing the difference permits the identification of different key tasks relating to the planning processes. Many healthcare facilities manage the two processes as one, a logical combination since both are working towards the same objective. And many healthcare facilities have one person managing both. However, this may not be the right decision for many organizations. The organization’s emergency preparedness planning component cannot fully address continuity. Many state and government agencies maintain a continuity of operations plan, known as a COOP. BC and COOP are specific plans, procedures, and resources that allow a healthcare organization to recover its essential services and functions during an event that disrupts normal operations. Organizations that meet the CMS emergency preparedness guidelines may not have a robust BC plan. To champion continuity within an organization, follow the five best foundational practices:

1. Gain Organization Leadership Buy-In

Many BC and COOP mitigation measures, such as creating a staff contact roster, can be performed at little to no cost. Remember that the goal of BC is self-preservation. Can your organizational leadership afford to do nothing?

2. Establish a BC or COOP Planning Team

Establish a strong internal planning team with staff that have preparedness mindsets. Regardless of size, the team should represent all critical elements: clinical operations, non-clinical operations, and human resources or IT specialties.

3. Identify One Leader With Authority to Serve as Project Manager

One executive or leader with authority should function as the overall project manager. That person ensures that collaboration occurs, deadlines are met, and the project maintains forward progress, in addition to resolving conflicts.

4. Perform a BC Risk Assessment or COOP Threat & Hazard Identification & Risk Assessment (THIRA)

The first step to performing a BC risk assessment or COOP THIRA is understanding what risks exist. This process is more straightforward than you think. Most emergency management and public health agencies are required by their grants to perform risk assessments for their jurisdictions. Many are available online; however, contact the state or local public health preparedness office or emergency management agency if one cannot be located for your area. The risk assessment should identify threats or hazards with opportunities for hazard prevention, deterrence, or risk mitigation.

5. For BC: Perform a Business Impact Analysis (BIA)

The business impact analysis (BIA) predicts the consequences of disruption of a business function or process and gathers information needed to develop a recovery strategy. Considering potential operational and financial impacts, the BIA should include other outcomes such as regulatory fines, contractual penalties, and customer dissatisfaction. Factor in the timing and duration of disruption, as these variables can alter the impact on the business. The BIA will be used to establish priorities to restore business operations. Ready to get started? Reach out to Agility today to discuss your organization’s priorities and planning.

With cyber threats like ransomware routinely interrupting business operations around the globe, cybersecurity is not just an IT problem — it’s a business risk that needs to be accounted for in the business continuity plan. But how do you go about doing that?

Gain Executive Support

The tone from the top drives the success of your business continuity and cybersecurity preparedness. If your organization is going to continually strengthen and insulate itself from all of the likely foreseeable — and sometimes even unforeseeable — events, you need to get executive support. It’s also important for executives to support a culture of collaboration. Business continuity owners, info security officers, and business units need to be transparent with each other. Sometimes that means admitting that a process under your control has to be improved. If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.

Your BC and incident response plans should each include:

  • Classification of various security incidents.
  • Criteria for triggering the plan.
  • Employee roles and responsibilities.

Clearing these obstacles with many employees working remotely could be tricky, especially if there are connectivity issues. This brings us to our next point.

Connectivity

No matter where they work, employees need to have access to the resources they need to do their jobs: voice and data communications, power, phones, computers, etc. After major “perfect storms” (which are becoming the new normal), cell phone, power and internet connectivity might not be available. For example, after Hurricane Harvey hit Rockport, Corpus Christi and Port Aransas in Texas, wind damage knocked out power and communications. WFH wasn’t even an option for businesses in those areas. In Houston, WFH seemed to be an ideal strategy. Countless roads closed, floodwaters lingered for days, and offices were destroyed. Although the city experienced record levels of flooding, the communications and power infrastructure proved resilient. For many companies, it just made sense to have employees work remotely. But many businesses hadn’t thought through the logistics of the entire company working remotely. The sudden influx of remote employees taxed company resources: VPN licenses, bandwidth availability of VPN concentrators at the home office, etc. How would you handle your entire business working remotely? Think about how you’d respond to the following potential issues:

  • Employees might not have the right equipment, whether because they weren’t issued company-approved hardware in time or because it’s trapped inside the home office.
  • Internet connectivity in employees’ homes isn’t always reliable.
  • A significant increase in remote workers can overload the VPN.
  • Employees not used to working from home might have trouble logging in.
  • Company phone systems might not be compatible with employees’ personal devices.
  • Vulnerable network connections increase the risk of sensitive data exposure.
  • Employees are more likely to use personal devices without appropriate security settings.

The higher your ability to address potential connectivity challenges, the more likely WFH is to succeed. But that’s only one part of the equation.

Evaluate Your Incident Response Plan

The traditional way of looking at business continuity is looking at the inoperability of a facility or a particular service or a function. It’s a worst-case scenario. Cyber threats have just added a whole new world of potential ways to take down a particular operation. Does your organization have a detailed incident response plan that accounts for the various types of security incidents your organization could face? Start with looking at how detailed the incident response plan is. Many businesses simply tack on a brief incident response paragraph — maybe even a page or two — to their business continuity plan. Be advised: That is not a comprehensive incident response plan. Make sure the plan catalogs at least the top seven to 10 security incident types that could disrupt or halt business operations. It should provide for specific responses and procedures tied to those events. You also need to determine what incidents will trigger the business continuity and incident response plans. For example, an email phishing scenario wouldn’t necessarily shut down access to critical data or affect your ability to service your customers. In that case, you might activate your incident response plan but not your business continuity plan. A ransomware attack, on the other hand, could actually take your systems offline. Since it would leave you without access to critical data and the ability to service your customers, you might classify that as an outage requiring a business continuity response.

Test Your Plan

Just as you test your business continuity plan for worst-case scenarios, you need to test scenarios that integrate business continuity and incident response. For example, you could walk through the process of responding to a Cryptolocker outbreak that encrypts a drive or data store and requires the restoration of that data to another platform. To work through how the plans play out in a particular scenario, start with a tabletop exercise before doing a functional test.

The pandemic epitomized what an unforeseen circumstance means and highlighted the importance of incident management and business continuity. It was elusive. Its arrival wreaked more havoc than even the experts could have forecast. It took and continues to take a toll on individuals of all ages. It has disrupted families. Many businesses have taken a massive financial hit as a result of it. Businesses with a robust business continuity plan would have avoided some of the pandemic’s adverse effects. No doubt, the pandemic tested your business emergency management protocols and continues to. Unfortunately, 51% of businesses worldwide did not have a business continuity plan. Did your plan pass the test? You may not be able to undo any damage that has already occurred, but you can ensure that you learn from this incident. This article covers some basic business continuity measures you can put in place right now.

What Is Business Continuity?

Business continuity is an organization’s ability to continue its operations throughout and after a significant disaster has occurred. Major disasters that can affect businesses include:

  • Natural disasters
  • A fire or anything that causes extensive physical damage to infrastructure
  • Any cybersecurity threat
  • Server failure or utility outage
  • Incidents that disrupt the day-to-day operations of a business

The aim is to have essential business functions up and running with minimal downtime. Doing so ensures that your business can continue to serve customers and facilitate providers with the least amount of disruption. It is important for all businesses but can be better sustained by larger enterprises. This is dependent on the extent and duration of the incident or emergency. Despite this, all companies should have measures in place to ensure the continuity of their operations. You should include the details of these measures in a business continuity plan.

What Is a Business Continuity Plan?

A business continuity plan is a detailed outline of the steps to ensure business operations continue during an emergency or natural disaster. It should also encompass plans to deal with cybersecurity threats. These can include data breaches, loss of access, ransomware attacks, or malicious insider incidents. Business continuity plans reduce any adverse effects from the emergency or disaster. A BCP aims to reduce financial losses, maintain supplier relationships and other business partnerships, and service customers. Continuous updating and maintenance are important elements of a continuity plan. The Federal Emergency Management Agency (FEMA) states that one in five companies does not spend time maintaining their continuity plan. In contrast, 20% of larger businesses spend over ten days every month on their plans. Continuity plans should also consider widespread disasters that can affect employees’ accessibility to the physical business location, as has been the case during the pandemic. The plan should differentiate between critical and non-critical business functions. Critical business functions are activities or processes that must be restored to protect your business’s assets, meet regulations, and meet the organization’s needs. The unavailability of critical business functions can affect business operations, which, in turn, impacts the business’s ability to serve its customers and other stakeholders. The plan outlines the recovery requirements for each critical function. It includes the timeframe for the resumption of the operation and the business and technical requirements for recovery.

Characteristics of a Business Continuity Plan

Four noteworthy characteristics should guide the design of your business continuity plan. The business continuity plan should be:

1. Comprehensive

Try to plan for every possible incident or disruption. Review and rework your business continuity plan several times. Backup plans are essential. They should not stop at Plan B or C. Even though there may be many, consider every factor that could play a role. Cater for things that may go wrong.

2. Adaptable

Despite catering to every possible scenario, leave room for quick adaptation of the plan because circumstances will change. In extreme cases, changes can be minute by minute. It is one of the main reasons that the plan must be reviewed continuously and maintained. However, once the plan provides a good foundation or starting point, the rest should be easily adaptable. Many organizations can help you support and maintain your plan.

3. Realistic

Ensure easy implementation of your plan when a disaster does strike. Make it realistic and include many contingency plans where possible.

4. Efficient

Your business continuity plan should enable efficient execution with your current resources. Having it laid out can reduce stress levels during an incident. This can make the tasks that need to be executed a little easier to achieve despite the anxiety and additional pressure. Taking these four elements into consideration while planning for your business’s continuity will help ensure your plan is as effective as possible.

The Importance of Emergency Management

If you hadn’t put much thought into emergency management before, the last few years should have made you realize just how important it is. It is an essential element to help you effectively manage your business. Unfortunately, disruptions are costly, and they can sometimes even lead to a business’s closure, especially for smaller companies. Ninety percent of smaller businesses fail within a year after a disaster unless they resume operations within five days. Businesses that don’t have an emergency response plan often lose customers, suffering financial losses that can harm their brand reputation. Here are a few other reasons why emergency management or continuity planning is essential to all businesses. A continuity plan can help to:

1. Continue Business Operations

It supports the continuation of your business operations during a crisis and helps reduce financial losses. It lets stakeholders, including employees and customers, know your company is stable. Communication throughout the organization is vital to keep all employees informed and on the same page. This can be a challenge for organizations with many employees who work remotely or with offices spread worldwide. These organizations must invest in a solution that facilitates real-time, effortless communication.

2. Improve Customer and Stakeholder Confidence

Investing in effective incident management processes and policies helps improve customer and stakeholder confidence and resilience.

3. Maintain Your Brand and Reputation

Managing the crisis effectively and preparing your company for any possibility will augur well for your brand. It preserves confidence in your brand and bolsters your reputation when your company manages the situation with grace, strength, and consistency. Back in 2018, the city of Atlanta sustained a cyberattack that locked down the city systems for a week. Workers had to complete all documentation by hand. The City of Atlanta was not prepared and was taken by surprise, with out-of-date software and a number of other IT vulnerabilities.

4. Get a Competitive Advantage

Use your response to not only build confidence in your brand with current customers but let it show potential customers you should be their brand of choice too. Your reaction during a crisis will speak volumes about your company and your brand. Make it tell a positive story. This is an opportunity to gain an advantage over your competitors by reacting quickly and decisively during a crisis.

5. Reduce Financial Risk

Quick and decisive actions during a crisis will also reduce the downtime for your business. More extended downtimes can mean greater financial losses. Minimize your losses by restoring functionality as quickly as possible.

6. Protect Your Supply Chain

Remember, natural disasters will affect your suppliers as well. Ensure your plan caters to supply chain resilience by spreading your risk across several suppliers. This will give you options, so your organization will be only minimally affected by a lack of supplies or raw materials.

10 Steps to Creating Your Business Continuity Plan

Now that you know the characteristics of a business continuity plan and its benefits, here are 10 steps you can follow to create your plan.

1. Create an Incident Response Team

The incident response (or crisis) team should include some cross-functional managerial roles or any other person you believe will be valuable to the team. Designate a leader who will be able to make decisions and ensure steady progress. Each team member should receive specialist training and expertise across technical and non-technical areas, including forensic investigation. Recruit external resources specializing in incident management.

2. Identify the Plan’s Objectives and Goals

Your business continuity’s main objective is to ensure there is minimal disruption to critical business functions. This includes vital business functions across the organization – operations, human resources, public relations, etc. However, every business will have different objectives and goals that are important to the business’s running. It will vary based on the type and size of the company, among other things. Once you identify the plan’s goals and objectives, map out a strategy for the plan. Ensure the objectives are clearly understood and that the goals align with the objectives. Take the opportunity to identify the key people and processes that will keep it operational. The draft should also include a list of all possible disruptions that can affect business operations. Identify the critical functions in day-to-day business processes and create recovery strategies for each scenario.

3. Conduct a Risk Assessment and Business Impact Analysis (BIA)

A BIA will identify significant threats to your organization. After identification:

  • Research and analyze.
  • Include the team in discussions about incidents that may reduce, modify, or eliminate critical services or functions.
  • Document all of the issues and what their business impact might be.

4. Identify Critical and Non-Critical Business Functions

Before determining how your organization will maintain critical business functions, it is crucial to identify which processes are essential during an emergency. Consider some of these essential functions:

  • Maintaining customer service.
  • Supply continuity and inventory management.
  • Order fulfillment and shipping deadlines.
  • Ecommerce platforms, if used.
  • Other applications used in business operations.

5. Identify and Isolate Sensitive Information

Identify critical data, such as financial records or other mission-critical information, including login credentials. Store them where they can be quickly recovered. Storage should also be according to priority based on how important the data is to the business.

6. Conduct Data Backup

Create copies of all irreplaceable data. Include customer data, employee records, files, business emails, etc. This should also be easily accessible so that the business can recover quickly from any disaster that occurs.

7. Protect Hard Copy Data

Even though businesses store large amounts of electronic data, they still use many physical documents daily. These can include contracts, tax documents, and employee files. Where possible, convert hard copies into digital files to minimize the loss of physical documents.

8. Find a Designated Recovery Site

This secondary site will be a backup for your company’s primary location. Equip the site with tools and systems that will allow recovery of any affected systems. Doing so will ensure the continuation of business operations within the shortest period.

9. Develop a Communication Strategy

Crisis communication is crucial during a disaster. Your company should implement a strategy that ensures effective communication to both internal and external stakeholders. Pre-drafted sample messages will expedite communications to suppliers, partners, and employees during the crisis. A detailed communication strategy can help incident response teams efficiently coordinate their efforts.

10. Test, Measure, Review, and Update the Plan

A business continuity plan is cyclical. It should be continuously tested, measured, reviewed, and updated, proving its effectiveness. Testing should include simulations that can determine the team’s level of preparedness during an incident. Use the results to modify the plan and then test it again. These steps should allow you to formulate a comprehensive business continuity plan. It includes constant analysis, design, implementation, testing, and maintenance.

Potential Risks for Businesses Without a Plan

Business continuity planning can seem exhaustive, especially for smaller businesses with limited resources. Whether you choose to use internal or external resources, your company must implement a plan as the potential risks of not having one can adversely affect your company. Some of the risks of not having a business continuity plan include:

  • Financial losses
  • Increased costs
  • Repeated exposure to the risk
  • Regulatory and legal penalties (Marriott was fined £18.4m for a data breach that didn’t meet General Data Protection Regulation standards and affected millions)

Being Prepared

There are many options to ensure your organization’s emergency management is effective. A detailed business continuity plan that is continuously updated and reviewed can save your business. Doing research and reviewing examples of well-implemented continuity plans will help prepare you if your company faces a similar incident. Agility Recovery provides business continuity solutions. Contact us to find the solution that is best for your organization.

A BIA (business impact analysis) is essential in every organization. Often, companies don’t allocate enough time or resources to identify risk factors properly – and instead dive straight into creating a recovery strategy. The sections below will help you learn more about what a BIA involves and how to conduct one.

Defining Business Impact Analysis

The BIA is a framework used to analyze the consequences of disruptions and how they impact your business. The analysis considers potential loss scenarios, the timing of disturbances, and the results affecting crucial products and services. A risk assessment also examines the processes or activities supporting these disruptions. As a result of a BIA, organizations can plan recovery strategies alongside investments in prevention and mitigation strategies. For instance, 68.5% of organizations fell victim to ransomware attacks in 2021. If your organization were to, unfortunately, be part of a similar statistic in the future, performing a BIA now could be the foundation for creating a business continuity plan that could help you prevent or at least mitigate these cybersecurity threats.

The Benefits of a BIA

A BIA is your starting point for your BCP (business continuity plan). It acts as a checklist to help you prepare your annual activities and can be beneficial in the following ways:

  • Recovery process: Your BCP should include the procedures or highest-impact assets for all the functions listed in your BIA. These prioritizations will provide transparency on where you can improve the BCP.
  • Organizes recovery: In a recovery situation, it’s crucial to have a disaster plan that defines the highest prioritized tasks. A BIA accomplishes this for you. You can use it to rank each priority and procure an “order of recovery” list within your BCP.
  • Prioritizes BCP testing:  Your BIA will prioritize the areas you’ll be testing in your BCP. For instance, you may need to test critical assets annually and high-priority assets every 18 months.
  • Measures BCP testing effectiveness: A BIA provides sufficient measures to evaluate the BCP testing effectiveness. You can compare testing recovery times to the maximum tolerable downtime (MTD). If recovery time takes longer than the MTD, you can reevaluate and make improvements.
  • Provides a rational approach to the backup rotation: Helps you to understand whether your backups achieve the desired results of your recovery point objective. Your IT staff can use this information to set backup schedules and rotations.

How to Conduct a Business Impact Analysis

A BIA ensures your organization can survive if a disaster or crisis occurs. Once you complete a BIA, you’ll learn the following:

  • Critical business functions
  • The impact of an interruption to those functions
  • How long your business will survive without performing the activities

Knowing how long your business will survive, you can define an MAO (maximum acceptable outage) period for every function. An MAO is the amount of time you have from when a disaster occurs to the time your business function must be operational to avoid financial loss. To learn how to conduct a BIA, follow the steps below.

1. Identify the Scope of the Business Impact Analysis

Small to medium-sized businesses can involve all business functions when conducting a BIA. After identifying the processes you’ll cover, you can meet with individuals you need to interview for the assessment. These individuals are people who do hands-on work and are informed of the processes and vulnerabilities. One person you should make sure to include is someone from your IT department. Even when someone knows how to use the software, they may not know how the back end functions. Once you’ve gathered all the critical business continuity information, you’ll create a timeline for conducting your BIA. Doing this will help you stay on track and complete the following two steps.

2. Schedule Business Impact Analysis Interviews

After you’ve identified the scope of departments and activities, the next step is to schedule a meeting with each department’s leadership team. Establish the value of conducting a BIA so they understand the purpose and importance of one. Your management team may not realize the investment into the BIA process. Therefore, knowing the value will allow your team to have all the information upfront.

3. Execute BIA Interviews

The purpose of these interviews is to determine the activities each department performs. According to Business2Community, scheduled interviews take approximately 2-2.5 hours to conduct. Furthermore, these activities should support the in-scope products and services. For each activity, it is essential to gather the steps necessary to complete the function, peak operation times, downtime, and the dependencies required to perform it. Consider documenting the following dependencies:

For each dependency, you’ll need a description of their use, manual workarounds, and recovery time. Additionally, you should conduct a risk assessment by assigning the value for the likelihood of loss or the impact for every dependency. Once you’ve collected your data, you can multiply your numbers to provide a risk rating. You can value each rating from 1 to 10 during the process. Additionally, it helps to understand if any departments have experienced a disruption in the past. Knowing this information will merit stronger planning.

4. Document and Approve Each Department BIA Report

Upon completing each department meeting, you’ll have a documented report showing the results. Using business continuity software will increase the efficiency of the process. It can automate the analysis for you and the functionality for further updates. These reports should’ve captured all pertinent information and recommendations, such as recovery time objectives. Once you’ve drafted the report, you’ll distribute it to your staff and meet with participants to review it. During the meeting, you can make necessary changes and approve the narrative. Each department report will be essential to establish company-wide business continuity requirements for management to review and endorse.

5. Complete the BIA Summary

After each department completes its reports, you can finalize the BIA summary for management to review and approve. The purpose of this is to provide an overview of the key activities, requirements, and identified risks. Additionally, the report allows you to make risk treatment recommendations. For instance, some applications may need to be restored within 24 hours after a disaster – depending on the BIA you’ve conducted. After coordinating each department’s BIA conclusions, you can present your findings to leadership. During your presentation, focus on the following:

  • Revisit the products and services identified in the risk assessment
  • Verify the established recovery times
  • Present the key risks and recommendations for addressing them

It’s important to prioritize these recommendations for leadership by focusing on accomplishing the correct level of resilience and the strategies to address the loss of resources.

Use Your BIA for Business Continuity Success

While a BIA often feels like you’re ticking boxes, it can provide a ton of value for your organization. Going through this exercise with your leadership team will help align everyone on what’s important to your business. Remember that it’s essential to make time for your business impact analysis. Taking action will provide you with better outcomes and help you stay on top of everything. Reach out to Agility today to get started.


Zac Amos is the Features Editor and a writer at ReHack, where he loves digging into business tech, cybersecurity, and anything else technology-related. You can find more of his work on Twitter or LinkedIn.

Why Tabletop Exercises?

Even the best-laid plans can go wrong with the simple introduction of the “human factor.” Introduce this into emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart. That is why tabletop exercises can be critical to ensuring the success of your scenario plans when they are put into action. Tabletop exercises are group activities that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also remind the team of small yet crucial details, for example, whose responsibility it is to provide comments to the media if the VP of communications is on vacation. These are some of the essential tips for maximizing the outcome of a tabletop exercise:

Before deciding on a scenario, define a reasonable number (3-5) of objectives. For example, if you choose to test your organizational response to an Active Shooter incident, first determine what aspects of the response you need to focus on. Then, develop a scenario that aligns with the objectives.

Choose a Realistic Scenario

A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic threat behavior. Examples of real-world cybersecurity threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords. The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it must mimic a threat that’s likely for that specific environment.

During the Tabletop Exercise: Have Clear Objectives and Follow the Schedule

Make copies of your emergency response and business continuity plans, and have a whiteboard available to track progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item. Once the imaginary threat has been set into motion, each member of the group should perform – in real time – the actions they would take were that threat actually playing out. These will be based on the organization’s security plan that should be already in place. These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third parties. They also include making decisions about whether to shut down systems, collecting information, and utilizing forensic software to identify the type of threat at play before working to remediate it. After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or tabletop are: start on time, finish early, and offer refreshments.

To improve the effectiveness of a tabletop exercise, FEMA recommends that all potential players complete Incident Command System 100 and National Incident Management Systems 700A-level training, which is a quick, easy and free course.

After the Tabletop Exercise: Act on What Was Learned

In addition to allowing the entire team to practice their response in real time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out.

“The tabletop exercises with Agility are always a valued service. By providing fresh insights and opportunities for improvement, Agility has helped us grow and improve our BC Program immensely.”
Robert Behling, IT Systems Administrator, First FarmBank

After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will help the next exercise run more smoothly and ensure a more effective response when an actual threat strikes. Make sure action items are circulated after the exercise is complete and review and update your plans accordingly.

Business continuity testing is critical to your organization's resilience. However, many organizations are still wondering why they should test their business continuity plans. With the increasing number of natural disasters, the likelihood of your organization being affected is becoming higher every day. It isn't a matter of if a disruption does occur; it's about when it happens. That's why your organization needs to be fully prepared to withstand any potential disruption, and the best way to find any gaps is through business continuity testing.

However, if you've never tested your plan, it's hard to be confident that it will meet your expectations. Regularly testing your business continuity plan (BCP) helps to continually improve your company's ability to withstand and recover from various disruption scenarios successfully. Let's look into some other arguments for why testing is integral to your organization's success.

The ROI of Business Continuity Testing

A well-orchestrated test strategy helps protect the brand, its promise, and its value proposition. Suppose your competitors had a poor test performance or made a critical mistake in a real-life situation with a client. In that case, your company can shine by demonstrating its reliability and advance its business forward. So, why test your BCP?

  • Identify interdependencies, gaps, and areas for improvement.
  • Demonstrate to your clients a higher degree of commitment.
  • If you are the supplier to a firm, you rise among competitors, taking on more projects and winning new business.
  • Continually validate and improve plans.
  • Satisfy compliance requirements and regulators.
  • Reduce recovery time and cost.

Reasons to Test Your BCP

1. Test the “New Normal”

  • Regional risk of working from anywhere
  • Isolated issues for staff
  • Solving for one building vs. many locations

2. Validate Recovery Plan/Gap Analysis

  • Confirm RTOs
  • Train your staff – instill confidence of employees + stakeholders in the plan
  • Update procedures

3. Compliance/Regulatory/Legal

  • Plan review
  • Tabletop exercises
  • Drills

Ways Our Customers Are Testing

  • Verify the connection and performance of hosted data/backups from a different location
  • Rebuild critical applications on Agility equipment
  • Establish a working partnership with Agility
  • Evaluate disaster readiness of lines of business

Types of Business Continuity Tests

Each type of business continuity test is targeted at ascertaining information about specific areas within the company. The list below covers some, but not all, of the BCP test types and the reasons for them.

  1. Plan Review: Includes a BCP team with C-level management or department heads to see if their current BCP plan needs revisions. The plan review goes over recovery contract validity, business continuity management, and any disaster recovery scenarios that can be shared with other company teams.
  2. Tabletop Test: Includes role-playing discussion exercises that are scenario based. You usually have employees participate so they can practice their roles and responsibilities in case of any disruptive emergency, from an active shooter to a hurricane or tornado.

There’s also the BCP walk-through, which mimics the tabletop test discussions with planned details but takes those details and turns them into a simulation test that combines real recovery actions. The real scenario ranges from data loss backups and restoring to emergency notifications and physical recoveries.

However, consider deviating from the test script to interject unplanned events, such as the absence of key individuals or services.

Plan Review

  • It’s best practice to walk through your plans quarterly – does not have to be elaborate (an hour or less in a group session).
  • Helps to identify gaps and areas for improvement.
  • Ensures everything is up-to-date with the latest information (employee contact info, regulations, etc.).

Tabletop Exercise

  • Facilitated discussion – 1½ – 2 hours.
  • Participants are seated around a table – all activity is “virtual”.
  • An incident “scenario” is presented to the team along with a series of “How Would You Respond” questions as the scenario unfolds.
  • Use the time to identify gaps and develop confidence.

Drill/Simulation

  • Test individual components (wire transfers, notification system, etc.).

Full Test

  • Moving people and technology to an alternate location.
  • Partner with a company like Agility to go through a full-scale test.

After a Business Continuity Test

  • Ensure you have actionable deliverables and commitments for those responsible for executing.
  • Clearly define timetables and who is responsible for ensuring findings are resolved.
  • Regulators will want to review written documentation and will be checking to make sure issues were addressed.
  • Consider planning and testing as a continuous improvement process.

Protecting Your Organization

Organizations face continuous threats that can put lives in danger and disrupt operations. However, implementing an incident management program that fits your organization is challenging. To help mitigate these threats, Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover—all in one. It enables organizations to eliminate business impacts and ensure their workforce is safe and informed.

A large part of business continuity planning is defining your organization’s RTO, or recovery time objective. How long can you realistically afford to be nonoperational? Defining your RTO can help your management and crisis teams understand expectations for recovery. Business continuity testing plays a huge part in determining whether you can realistically meet your RTOs and efficiently recover from a disaster.

Test to Know Exactly What Your Company Needs to Recover – and to Leverage the Resources Available to You

If you do not test, how can you know what recovery looks like for your organization and what you will need most urgently? One Agility customer discovered this the hard way. Though the bank had maintained a contract with Agility (previously with Rentsys) for years, they had never opted to schedule any testing with Agility’s customer success team. The bank knew they needed to have a continuity plan and recovery services available for compliance purposes but were unclear about what the recovery process would look like if their physical space were impacted by a disaster. When a hurricane hit their town, the bank’s team assumed they wanted a mobile unit, but did not know what that entailed, such as time for delivery and setup, options and additional cost drivers, or even where the unit could be installed. Agility was able to use Google Maps to estimate a zone where the unit could be installed but needed on-the-ground support to truly understand the layout. It wasn’t until this client saw another bank with an Agility mobile unit set up that they began to understand the capability of Agility’s recovery team, and they reached out to their Agility representative to understand what Agility could provide quickly to get the bank back up and running. Before seeing a recovery environment in person, it was hard for the bank to understand the benefits physical recovery services would bring. In short: By testing, you will identify the needs for your business – and pinpoint what’s needed for optimal response – before disaster strikes to be able to hit the ground running.

Test to Know What to Expect During a Recovery

Hopefully, a disaster like a tornado, hurricane, or even a major power outage is something that happens only once to your business. By testing, you will know what to expect if or when that disaster happens and set expectations among both your leadership and customers. From testing, organizations understand that downed trees, closed roads, and more can delay a recovery, since resources cannot easily get through barriers. Organizations must also often work with local municipalities to secure letters allowing recovery providers to pass through barricades. These things factor into your recovery timeline so you can prepare your customers. Finally, a recovery environment will never be able to completely recreate your office environment. If you test, this will not be a surprise, and you will be ready to dive into work in a modified space. The most important thing is that your business will be back up and running and operational.

Test to Learn What Permits Your Organization Needs

Oftentimes, what delays a recovery is paperwork. At the time of a major interruption, permits will be the last thing on your organization’s mind, but without them, recovery may be impossible. During testing, we encourage customers to incorporate all permitting aspects and involve those entities, so they are not blindsided during a recovery. Each state is different in how they handle permitting – if your business has multiple branches, it must account for different legal requirements. Recovery providers must rely on our clients to investigate permitting; though we cannot do it for businesses, we can help with networking. In fact, we helped one client with a permitting specialist to reduce a 4-6-week turnaround time for permits to just one week. Do not let a visit from the fire inspector be the reason you are unable to serve your customers!

In Conclusion

Defining your RTO is just one step in business continuity planning and disaster preparedness. Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover – all in one. We offer several types of testing, including virtual tabletops, in-person tabletops, onsite mobile testing, and testing at our facilities throughout the U.S. Reach out to us today to learn more.