Are you prepared for when disaster strikes? Do you know what to do when your business faces a crisis? Many business owners don’t have a plan for business continuity, which can lead to big problems during an emergency.

This blog post will discuss 12 things your boss expects you to know about business continuity. By knowing these things, you can be better prepared to protect your business during a crisis! Let’s get started.

12 Things Your Boss Expects You to Know About Business Continuity

1. Planning

The first step to business continuity is planning. You need to prepare for what you will do if your business faces a disaster. This plan should include things like how you will keep your employees safe, how you will keep your customers informed, and how you will keep your business running. Your boss will likely be very upset if you’re unfamiliar with the company’s plan. A crisis can lead to big problems for a business, and it is vital to be prepared. A comprehensive BC plan and recovery strategy is the best way to protect your business during an emergency.

2. Communication

Communication is vital during a crisis. You need to be able to communicate with your employees, customers, and suppliers. Make sure you have a plan for how you will communicate with everyone. It should include a phone number or email address that everyone can use in an emergency. It would be best if you also had a plan for how you will keep everyone updated on the situation. Communication is critical to effective business continuity. Having a plan and communicating with everyone can help protect your business.

3. Backup systems

Another critical aspect of business continuity is having backup systems in place. It includes having a backup power supply, backup data storage, and a way to keep your business running if your primary systems fail. Backup systems are vital to keeping your business running during an emergency. These systems can help protect your business from significant problems.

4. Employee training

Training your employees on how to handle a crisis is often neglected. They should know what to do if there is an emergency at work. They should also know how to communicate with you and other employees. Training your employees can help protect your business during a crisis. By having trained employees, you can be sure they know what to do to help protect your business.

5. Customer service

Customer service can’t go dark in the event of an emergency. You need to make sure your customers are taken care of. You should provide updates on the situation, answer questions, and help resolve any problems. Customer service must be a priority for business continuity.

6. Supplier relations

Another critical aspect of business continuity is supplier relations. You need to ensure you have a good relationship with your suppliers because, in an emergency, they help keep your company in business. This should include having a backup supplier, communicating with your suppliers early and often, and ensuring they can meet your needs. Supplier and third-party vendor relations are vital to business continuity.

7. Financial stability

You must ensure your business has enough money to survive a crisis. This includes having an emergency fund, cutting costs, and protecting stable revenue streams. Financial stability is paramount to business continuity. By ensuring your business is financially stable, you can help it weather the storm.

8. Legal compliance

In the event of an interruption, your boss expects you to be able to maintain compliance with all applicable laws and regulations. This includes things like environmental regulations, safety regulations, and intellectual property laws. Just because an emergency has struck or you’re missing key personnel doesn’t mean you can suddenly breach the law.

9. Security

In the event of a crisis, it is essential to have security measures in place to protect your employees, customers, and assets. Ensure you know what security protocols are in place and how to implement them. Never overlook having a plan for data backup and recovery. In the event of a power outage or natural disaster, you will need to be able to access your data and keep your business running. Ensure you know where your backup files are stored and how to retrieve them.

10. Business impact analysis

A business impact analysis is an essential tool for any business continuity plan. This analysis identifies which aspects of your business are most critical and must be protected. It also assesses the risks that could affect your business and the potential impact. This information is used to develop plans and strategies to protect your business during a disaster.

11. Recovery time objective

The recovery time objective is the amount of time your business can be down before it starts to experience serious consequences. It could be the loss of revenue, data, or customers. It is crucial to have a realistic recovery time objective so that you can plan accordingly. Remember that the goal is to get your business back up and running as quickly as possible.

12. Testing and maintenance

A business continuity plan is not a static document; it should be regularly tested and updated. Business continuity testing ensures that your strategies are effective and that you are prepared to implement them in the event of a disaster. Maintenance ensures that your plans stay up to date as your business changes and grows. Make sure you schedule regular test dates and update your plans accordingly. These are just a few things your boss will likely expect you to know about business continuity. By knowing these things, you can be better prepared to protect your business during a crisis!

What Is Business Continuity?

Business continuity is the process of maintaining operations during and after an interruption. The goal is to keep the business running, albeit in a limited capacity, until normal operations can be resumed. Many potential interruptions could bring business to a halt, such as natural disasters, key personnel deaths, power outages, cyberattacks, or even pandemics. While it’s impossible to plan for every eventuality, having a business continuity plan can help minimize the disruption and get the business back up and running as quickly as possible.

Importance of Business Continuity

  1. It ensures that the company can continue to operate in the event of an interruption. It could be due to a natural disaster, power outage, or other unforeseen circumstances.
  2. It helps to protect the company’s reputation. If something happens and the company cannot continue operating, having a business continuity plan in place will help to ensure that the company’s reputation is not tarnished.
  3. It can help to save the company money.

By having a plan in place, the company can avoid the cost of shutting down operations and then restarting them later. These factors make the business continuity plan an essential part of any business.

Three Components of Business Continuity

Business continuity has three key components: prevention, protection, and recovery. By focusing on these critical areas, businesses can minimize the impact of disruptions and ensure a quick return to operations.

Prevention is the first and most crucial step in business continuity. It includes identifying potential risks and taking measures to avoid or mitigate them. For example, a company might install backup generators in case of a power outage or implement policies and procedures to prevent data breaches.

Protection is the second component of business continuity. It focuses on minimizing the impact of disruptions when they occur. For example, a company might have duplicate copies of critical data so that it can be recovered quickly in the event of a data loss.

Recovery is the third and final component of business continuity. It ensures that operations can be restored quickly after a disruption. For example, a company might plan to relocate swiftly to another facility if its primary office is damaged or destroyed.

By focusing on these three key components, businesses can minimize the impact of disruptions and ensure a quick return to operations.

Difference Between Business Continuity vs. Disaster Recovery

There are a few critical differences between business continuity and disaster recovery:

  1. Business continuity focuses on keeping your business running during an interruption, while disaster recovery focuses on getting your business up and running after an interruption.
  2. Business continuity plans are typically more comprehensive than disaster recovery plans.
  3. Business continuity plans often include alternate site locations and redundant systems, while disaster recovery plans may only include data backup and restoration.

However, both plans are essential for ensuring the long-term success of your business.

Common Obstacles to Business Continuity Programs

When it comes to implementing a business continuity program, there are many common obstacles that organizations face. Here are some of the most common:

Lack of senior management support

Business continuity programs require buy-in and support from senior management to succeed. Getting other employees on board and allocating the necessary resources can be difficult without this support.

Lack of funding

Business continuity programs can be costly, especially if they require new technology or training. Many organizations lack the budget to adequately fund a program, leading to it being understaffed or poorly equipped.

Lack of understanding

Many people are unsure what a business continuity program is or why it’s necessary. This lack of understanding can make it challenging to get employees on board and buy-in from senior management.

Lack of time

Implementing a business continuity program takes time and effort, both in the initial planning stages and ongoing maintenance. Many organizations don’t have the time or resources to dedicate to a program.

Inadequate planning

One of the most common problems with business continuity programs is that they are not adequately planned. Plans are often created without input from key stakeholders or considering all potential risks. It can lead to gaps in the program and ultimately to its failure. If your organization faces any of these obstacles, it’s important to address them head-on. Overcoming these challenges is essential to implementing a successful business continuity program.

Who Is Responsible for Managing My Company’s Disaster Response and Recovery Efforts?

The answer to this question will likely vary depending on the size and structure of your organization. In smaller companies, responsibility for managing business continuity may fall to a single individual or department. In larger organizations, a dedicated business continuity team may be responsible for developing and implementing plans. Regardless of who is ultimately responsible for managing your company’s disaster response and recovery efforts, it is vital that you have a clear understanding of your role and how you can contribute to the action. If you are unsure who is responsible for managing business continuity in your organization, start by asking your boss or another senior leader. Once you understand the overall structure and responsibility for business continuity, you can begin to develop a plan for how you can best contribute to the effort. Remember that even if you are not directly responsible for managing business continuity, you can still play an essential role in ensuring your company is prepared for a disaster. By familiarizing yourself with the company’s plans and procedures, you can help ensure that you and your colleagues are prepared to take action in the event of a disruption. Additionally, you can use your knowledge of the company’s plans to help identify potential weaknesses or gaps that could be addressed.

Steps to Develop a Business Continuity Plan

1. Identify your critical business functions

What are the functions of your business that are essential to its survival? For each function, ask yourself how long it can be interrupted before it starts to impact your bottom line.

2. Develop strategies for maintaining continuity

For each critical function, develop a plan to maintain continuity during an interruption. It might include things like identifying alternate suppliers or establishing redundant systems.

3. Test your plans

Once you have developed your continuity plans, conduct regular exercises and audits to test them. It will help you identify any weaknesses in your procedures and make necessary adjustments.

4. Communicate your plans

Make sure your employees are aware of your continuity plans and know their roles in the event of an interruption. It will help ensure a smooth and orderly response should an incident occur. Now that you understand the basics of developing a business continuity plan, you can start implementing one for your organization. Taking these steps can help ensure that your business is prepared for anything.

Conclusion

Developing a business continuity plan is essential for any organization. By taking the time to identify your critical functions and develop strategies for maintaining continuity, you can help ensure that your business is prepared for anything. Regular testing and communication of your plans will help ensure a smooth and orderly response should an incident occur. While building your business continuity and recovery strategies may seem daunting, it is essential to remember that any steps you take to prepare your business will be beneficial in the long run. By taking the time to develop a plan now, you can help ensure that your business can weather any storm.


Nick Patrocky is a UX/UI designer, app reviewer, software reviewer, and blogger. Nick has worked with 150+ clients from countries all around the globe. Nick also enjoys reviewing mobile apps, web apps, and websites. Check out his blog if you want to know what it takes to be an app designer or a successful freelancer.

A BIA (business impact analysis) is essential in every organization. Often, companies don’t allocate enough time or resources to identify risk factors properly, and instead dive straight into creating a recovery strategy. The sections below will help you learn more about what a BIA involves and how to conduct one.

Defining Business Impact Analysis

The BIA is a framework used to analyze the consequences of disruptions and how they impact your business. The analysis considers potential loss scenarios, the timing of disturbances, and the results affecting crucial products and services. A risk assessment also examines the processes or activities supporting these disruptions. As a result of a BIA, organizations can plan recovery strategies alongside investments in prevention and mitigation strategies. For instance, 68.5% of organizations fell victim to ransomware attacks in 2021. If your organization were to, unfortunately, be part of a similar statistic in the future, performing a BIA now could be the foundation for creating a business continuity plan that could help you prevent or at least mitigate these cybersecurity threats.

The Benefits of a BIA

A BIA is your starting point for your BCP (business continuity plan). It acts as a checklist to help you prepare your annual activities and can be beneficial in the following ways:

  • Recovery process: Your BCP should include the procedures or highest-impact assets for all the functions listed in your BIA. These prioritizations will provide transparency on where you can improve the BCP.
  • Organizes recovery: In a recovery situation, it’s crucial to have a disaster plan that defines the highest prioritized tasks. A BIA accomplishes this for you. You can use it to rank each priority and procure an “order of recovery” list within your BCP.
  • Prioritizes BCP testing: Your BIA will prioritize the areas you’ll be testing in your BCP. For instance, you may need to test critical assets annually and high-priority assets every 18 months.
  • Measures BCP testing effectiveness: A BIA provides sufficient measures to evaluate the BCP testing effectiveness. You can compare testing recovery times to the maximum tolerable downtime (MTD). If recovery time takes longer than the MTD, you can reevaluate and make improvements.
  • Provides a rational approach to the backup rotation: Helps you to understand whether your backups achieve the desired results of your recovery point objective. Your IT staff can use this information to set backup schedules and rotations.

How to Conduct a Business Impact Analysis

A BIA ensures your organization can survive if a disaster or crisis occurs. Once you complete a BIA, you’ll learn the following:

  • Critical business functions
  • The impact of an interruption to those functions
  • How long your business will survive without performing the activities

Knowing how long your business will survive, you can define an MAO (maximum acceptable outage) period for every function. An MAO is the amount of time you have from when a disaster occurs to the time your business function must be operational to avoid financial loss. To learn how to conduct a BIA, follow the steps below.

1. Identify the Scope of the Business Impact Analysis

Small to medium-sized businesses can involve all business functions when conducting a BIA. After identifying the processes you’ll cover, you can meet with individuals you need to interview for the assessment. These individuals are people who do hands-on work and are informed of the processes and vulnerabilities. One person you should make sure to include is someone from your IT department. Even when someone knows how to use the software, they may not know how the back end functions. Once you’ve gathered all the critical business continuity information, you’ll create a timeline for conducting your BIA. Doing this will help you stay on track and complete the following two steps.

2. Schedule Business Impact Analysis Interviews

After you’ve identified the scope of departments and activities, the next step is to schedule a meeting with each department’s leadership team. Establish the value of conducting a BIA so they understand the purpose and importance of one. Your management team may not realize the investment into the BIA process. Therefore, knowing the value will allow your team to have all the information upfront.

3. Execute BIA Interviews

The purpose of these interviews is to determine the activities each department performs. According to Business2Community, scheduled interviews take approximately 2-2.5 hours to conduct. Furthermore, these activities should support the in-scope products and services. For each activity, it is essential to gather the steps necessary to complete the function, peak operation times, downtime, and the dependencies required to perform it. Consider documenting the following dependencies:

For each dependency, you’ll need a description of their use, manual workarounds, and recovery time. Additionally, you should conduct a risk assessment by assigning the value for the likelihood of loss or the impact for every dependency. Once you’ve collected your data, you can multiply your numbers to provide a risk rating. You can value each rating from 1 to 10 during the process. Additionally, it helps to understand if any departments have experienced a disruption in the past. Knowing this information will merit stronger planning.

4. Document and Approve Each Department BIA Report

Upon completing each department meeting, you’ll have a documented report showing the results. Using business continuity software will increase the efficiency of the process. It can automate the analysis for you and the functionality for further updates. These reports should’ve captured all pertinent information and recommendations, such as recovery time objectives. Once you’ve drafted the report, you’ll distribute it to your staff and meet with participants to review it. During the meeting, you can make necessary changes and approve the narrative. Each department report will be essential to establish company-wide business continuity requirements for management to review and endorse.

5. Complete the BIA Summary

After each department completes its reports, you can finalize the BIA summary for management to review and approve. The purpose of this is to provide an overview of the key activities, requirements, and identified risks. Additionally, the report allows you to make risk treatment recommendations. For instance, some applications may need to be restored within 24 hours after a disaster – depending on the BIA you’ve conducted. After coordinating each department’s BIA conclusions, you can present your findings to leadership. During your presentation, focus on the following:

  • Revisit the products and services identified in the risk assessment
  • Verify the established recovery times
  • Present the key risks and recommendations for addressing them

It’s important to prioritize these recommendations for leadership by focusing on accomplishing the correct level of resilience and the strategies to address the loss of resources.

Use Your BIA for Business Continuity Success

While a BIA often feels like you’re ticking boxes, it can provide a ton of value for your organization. Going through this exercise with your leadership team will help align everyone on what’s important to your business. Remember that it’s essential to make time for your business impact analysis. Taking action will provide you with better outcomes and help you stay on top of everything. Reach out to Agility today to get started.


Zac Amos is the Features Editor and a writer at ReHack, where he loves digging into business tech, cybersecurity, and anything else technology-related. You can find more of his work on Twitter or LinkedIn.

According to the Federal Emergency Management Agency, approximately one out of four businesses are unable to reopen after a disaster. Additionally, a staggering 60% of small businesses have to shutter their doors within six months of falling victim to a cyberattack.

While many factors contribute to the failure of these businesses, most of them can be traced back to deficiencies in their business continuity plan. Countless company leaders, particularly those operating small- to medium-sized businesses (SMBs), neglect key aspects of emergency preparedness and business continuity planning.

These leaders have bought into a few too many common business continuity misconceptions. To help you protect business continuity, the team at Agility has identified five common misconceptions. We also reveal the truth about these dangerous myths.

Business Continuity Planning Defined

Business continuity planning (BCP) focuses on improving organizational resilience. A business continuity plan accomplishes this by outlining key prevention and recovery protocols.

Ideally, a business continuity strategy will help you proactively guard against operational disruptions. However, the plan should also provide a roadmap for resuming normal operations as efficiently as possible following a disaster or critical incident.

In decades gone by, business continuity strategies were stored in physical binders and kept on site. While there is nothing wrong with keeping a physical copy of your emergency preparedness plan on hand, a binder should not be your primary means of accessing these materials.

If it is, then that itself is a surefire sign that your business continuity plan is due for an overhaul.

Digitally transformed businesses leverage modern BCP solutions. These solutions include contact tracing tools, business continuity planning features, BCP testing capabilities, and more. Cutting-edge BCP tech optimizes organizational resilience and agility in the event of a critical incident.

5 Business Continuity Planning Myths

Business continuity planning myths tend to be more prevalent in the SMB space. The biggest issue facing SMBs is that they rarely have the budget to hire a full-time BCP practitioner. Instead, one or more trusted staff members will be tasked with overseeing business continuity planning while juggling their other responsibilities.

However, larger businesses are not immune to these misconceptions. Organizations experiencing rapid growth may inadvertently fall prey to some of these misbeliefs as they attempt to scale their business model.

While there are many different myths about business continuity planning, we have focused on five of the most damaging. If these myths guide business continuity planning, they have a propensity to cause significant harm to an organization. 

Myth 1: BCP Is Only for Natural Disaster Recovery

Before the technological revolution, virtually all business continuity planning focused on recovery from natural disasters.

There is no question that emergency preparedness is important. One out of four businesses is never able to reopen after closing due to a natural disaster. Additionally, 25% of companies that do reopen fail within 12 months of doing so. 

As evidenced by the statistics mentioned above, disaster recovery must be a component of a business continuity plan. However, the plan needs to address other threats as well. Otherwise, businesses will remain vulnerable.

Truth: BCP Should Address Multiple Resilience Concerns

The biggest threat to business continuity facing most organizations is a cyberattack. According to research, a single cyberattack costs companies an average of $200,000 per incident. Many small to medium-sized businesses cannot absorb that degree of financial hardship, even if they recoup some of the money via insurance.

Unfortunately, some SMB owners take the “it will never happen to me” approach. This overconfidence is based on another big myth that leads countless companies to neglect BCP. The truth is that nearly half of all cyberattacks target SMBs.

SMBs are ripe targets for hackers for several reasons. Small to medium-sized businesses have less robust security than international enterprises. This vulnerability means that hackers have an easier time penetrating SMBs’ networks and can quickly obtain valuable data. 

Myth 2: Only Big Companies Need BC Planning

Another common misconception about business continuity planning is that it is only necessary for mega conglomerates and large enterprises. Nothing could be further from the truth.

Every business, including yours, needs a comprehensive business continuity plan. The adage “if you fail to plan, then you are planning to fail” applies to BCP and many other facets of running a successful business.

Truth: Every Organization Needs a Business Continuity Plan

Busting this myth is simple. If your business does not currently have a business continuity plan, it is time to remedy this issue as quickly as possible.

Not sure where to begin? We recommend that you jumpstart your efforts by investing in some quality business continuity planning resources. Traditionally, developing a BCP was a costly and time-consuming endeavor, which is part of the reason why it was viewed as something only accessible to big businesses.

However, BCP software has significantly lowered the cost of entry. This affordable technology is a wise investment for SMBs that want to protect business continuity through planning, testing, and training.

Myth 3: You Don’t Need to Test Your Plan

Does your company already have a business continuity plan in place? If so, then you are off to a great start. But having a plan is only part of the equation. When was the last time that you tested it?

If the answer is “never” or “I don’t remember,” you have fallen victim to myth number three. Testing your business continuity plan is the only way to verify that it actually works.

Truth: Your Plan Should Be Routinely Tested and Improved Upon

If you want to optimize your business continuity plan’s efficacy, then you should routinely test it. The exact interval at which you should test your plan will vary depending on factors such as the size and complexity of your business.

However, a good general rule is to test your business continuity plan at least twice per year. Additionally, you should retest your plan anytime you modify or alter it.

After each test, make sure to collect feedback from your team. Host a roundtable session so that you can zero in on what worked and what did not. Use this information to improve upon your plan and address any shortcomings that you identified.

Myth 4: Insurance Will Sufficiently Cover Your Losses

If you opted in for top-flight coverage and extra protections when selecting your business insurance policy, you probably assume you are well prepared for whatever disasters come your way. Unfortunately, this is often not the case.

As you know, your insurance policy is complex. It contains highly specific provisions regarding what types of losses are covered and which are not. It will also list a wide array of exclusions not covered under your policy.

Given these exclusions, your policy may provide far less protection than you think. That is why it is important to understand your policy’s limitations and how they will impact your ability to file a claim.

Truth: Insurance Typically Only Covers Documentable Expenses

Following a natural disaster or cyberattack, many business owners are shocked to learn that their insurance policy only covers a relatively small portion of their losses.

In the event of a natural disaster, the policy will likely cover things like structural damage, equipment damage, etc. But what about all those profits you forfeited while your company was shut down?

The losses attributed to cyberattacks can be even more substantial. In addition to profit losses caused directly by disruptions to business operations, you will also experience damage to your brand reputation. This damage can be difficult to measure and even more challenging to undo.

Myth 5: Your Staff Will Rise to the Occasion

One of the most dangerous myths about business continuity planning is that your staff will “step up” in a crisis. While there are certainly exceptions, most employees will not spontaneously become business continuity conscious during a crisis.

If they lack direction and training, your staff will struggle to navigate the challenges associated with a cyberattack or natural disaster.

Truth: Employees Fall to the Level of Their Training in Crises

The heading says it all. Employees will fall to the level of their training when they enter crisis mode. They will likely perform well under pressure and work together to protect business continuity if they have received high-quality training. Conversely, those who receive the bare minimum level of training will struggle during a crisis.

Conclusion

That rounds out our list of five common business continuity planning misconceptions. If you discovered that you have bought into one or more of these myths, it is time to revisit your business continuity strategy. Investing in quality technologies and taking a proactive approach can enhance emergency preparedness and overall resilience. Reach out to us today to talk about your business continuity strategy.

Why Tabletop Exercises?

Even the best-laid plans can go wrong with the simple introduction of the “human factor.” Introduce this into emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart. That is why tabletop exercises can be critical to ensuring the success of your scenario plans when they are put into action. Tabletop exercises are group activities that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also remind you of small yet crucial details, for example, whose responsibility it is to provide comments to the media if the VP of communications is on vacation. These are some of the essential tips for maximizing the outcome of a tabletop exercise:

Before deciding on a scenario, define a reasonable number (3-5) of objectives. For example, if you choose to test your organizational response to an Active Shooter incident, first determine what aspects of the response you need to focus on. Then, develop a scenario that aligns with the objectives.

Choose a Realistic Scenario

A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic threat behavior. Examples of real-world cybersecurity threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords. The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it must mimic a threat that’s likely for that specific environment.

During the Tabletop Exercise: Have Clear Objectives and Follow the Schedule

Make copies of your emergency response and business continuity plans, and have a whiteboard available to track progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item. Once the imaginary threat has been set into motion, each member of the group should perform – in real time – the actions they would take were that threat actually playing out. These will be based on the organization’s security plan, which should already be in place. These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third parties. They also include making decisions about whether to shut down systems, collecting information, and using forensic software to identify the type of threat at play before working to remediate it. After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or tabletop are: start on time, finish early, and offer refreshments.

To improve the effectiveness of a tabletop exercise, FEMA recommends that all potential players complete Incident Command System 100 and National Incident Management Systems 700A-level training, which is a quick, easy and free course.

After the Tabletop Exercise: Act on What Was Learned

In addition to allowing the entire team to practice their response in real time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, newly identified vulnerabilities, and weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out.

“The tabletop exercises with Agility are always a valued service. By providing fresh insights and opportunities for improvement, Agility has helped us grow and improve our BC Program immensely.”
Robert Behling, IT Systems Administrator, First FarmBank

After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will help the next exercise run more smoothly and ensure a more effective response when an actual threat strikes. Make sure action items are circulated after the exercise is complete and review and update your plans accordingly.

Agility recently hosted a webinar with implementation manager Alexa Grose and sales director Warren Mullis about what they have seen change within business continuity in the last year.

Biggest Changes in Business Continuity Within the Last Year

Alexa: There is a broader knowledge of business continuity in general; more people understand that when something like a pandemic happens, they need a plan in place. More clients from all backgrounds are coming to us wanting to learn about how to get started. The power of automation has never been more apparent, either. People had huge documents created years ago that were never touched again, and they didn’t know where to start with updating. You can easily change one section with a more automated program and see those updates automatically populated everywhere.

Warren: Organizations got used to work-from-home and people relocating, which led them to change their business continuity plans, procedures, and testing. When some of the severe storms last year knocked remote employees offline, companies realized that there were still challenges with work-from-home. Employees needed to be able to pick up and work somewhere else if they were affected by weather or outages or needed to bring something to their home to supply power and connectivity.

Advice for Those Looking to Start Planning

Alexa: When someone comes to me saying they got handed this project by leadership and feel lost, I ask them what they do every day. What’s critical that you do every day that your business wouldn’t be up and running if you didn’t? What departments and processes are in place? Define roles within the company and make sure everyone knows who is responsible for what.

Warren: Include multiple business leaders. Business continuity used to live in IT or operations, but you need to look at it holistically. This isn’t disaster recovery; it’s recovering the whole business. You need everyone’s help.

The Future of Business Continuity

Warren: There’s job security in business continuity. Overall knowledge around business continuity is drastically increasing as companies look at risk profiles and comfort levels around interacting with outside vendors. States are beginning to adopt rigorous regulations (New York is a good example), like conducting annual business impact analyses and tabletop tests and requiring due diligence questionnaires (DDQs) and cybersecurity questionnaires from third parties. These programs will continue to get beefed up as organizations realize they can’t depend on an old plan that hasn’t been updated in years. They need to take business continuity seriously.

Alexa: Everyone wants to see your organization’s business continuity plan. If you have a prospect or client who asks for it and you don’t have one, they’ll see that as a red flag. That’s even for industries without requirements. With the pandemic, people were caught unaware. You can’t be too prepared – start now before the next incident occurs.

Business Continuity Plan Update Frequency

82% of respondents updated their BCPs in 2021

Warren: At a minimum, every organization needs to update its business continuity plan annually. We’re in one of the biggest hiring frenzies, leading to high employee turnover. Make sure also to update your plan after a test – you’ll learn that you may need to change procedures, not just people and systems.

Alexa: Update any time after completing a test. That’s why you test – to find gaps. Run through your plan quarterly and update any employee changes; account for new vendors and processes.

Key Lessons Learned During 2021

Alexa: As much as you plan, you can’t plan enough; the unexpected will always happen. The biggest key is learning to adapt. Don’t focus on the cause of the impact but its impact. What are your continuity operations no matter what? How do you stay above water and get things done? It’s essential to adapt to an ever-changing environment and ensure everyone has that awareness.

Warren: We can’t keep focusing on threats. There will be a disruption – organizations must define and plan for results like the loss of technology, third-party vendors, infrastructure, and people. The awareness of needs has increased. There’s more emphasis on working with vendors with work-from-anywhere; there’s a higher dependence on the cloud and SaaS-based platforms. Make sure you have redundancies and hard copies.

Advice for Business Continuity Peers

Alexa: Test! You need to test. You might “know” it’ll work, but you need to test. Just because you have a process doesn’t mean that process works. Assess your communication chain. Ensure people know if they’re going to be a go-to person when an incident occurs and that they’re included in the test. Don’t surprise them. Unless people know they’re included in plans and what they’re responsible for, the plan is worthless.

Warren: Test using different scenarios and threats with a multipronged approach – for example, a blackout that occurs causing an IT outage. Many clients do the same incident year after year and don’t take it seriously; you need to try different things. Get your plan out in front of others in the business. Recency bias may prevent you from seeing shortfalls, but you’ll create unique opportunities to improve your plan by getting out of the operations and business continuity departments. Look for areas within the plan with a single point of failure – one person or system you depend on for a process. You want to be able to pivot to a secondary and tertiary resource. Many clients in Q1 want multiple threats – a tornado and a cyberthreat, a power outage leading to loss of IT.

The Best Way to Communicate with Staff

Alexa: It’s a mix of everything. Don’t just ever have work emails, personal emails, or mobile phones. How much information can you get? Do you really care if you’re sending a message to multiple devices in case of an incident? Not everyone checks or has access to work emails outside of the office. Emails are not the best way to communicate. How many unread messages do you have on Slack or another messaging app? You can’t communicate that way during a disruption.

Blind Spots During Planning, Testing, and Recovery

Warren: The most significant blind spot is having only one person responsible for recovery. You must have secondary and even tertiary people, preferably who are geographically dispersed. Within companies’ work-from-home strategies, companies don’t always account for significant geographical disruptions, blackouts, or cyber threats that will take big systems offline. Identify and supply your critical employees with things like a DIY kit with a battery pack that can power a laptop and cell phone and a hotspot that can run independently of Wi-Fi. Find areas outside employees’ homes that they can go to and continue working.

Alexa: Recovery strategies aren’t one size fits all. Work-from-home might not be doable for all departments or processes. Losing access to an office for a day requires a different recovery strategy from the office crumbling to the ground. Have an open mind – you may need to dig deeper. You can’t over plan! Have something in place for different recovery strategies.

Greg Tillotson (test & declare manager): With testing, many clients don’t explain why they’re testing – they do it to check a box. You need to get something out of every test. Have defined objectives; use the test to get people on board and raise awareness of your plan.

Common Objections to Testing

81% plan to test in 2022

Alexa: Clients don’t know where to start or who to go to to help them test. People don’t know the first steps to take.

Warren: Clients don’t know how to test. They may have imposter syndrome; they’ve never collected this group of stakeholders together and walked them through their plan.

Changes in Testing Strategies and Gaps

Warren: Testing has gone almost fully remote the last couple of years. There has been an increase in organizations bringing in third parties and technology to support their efforts. Traditionally they’ve worked through a paper document, but now people are using incident management programs to get real-time visibility into their plans. That gives them more feedback on areas to adjust.

Alexa: There is more participation now that tabletop tests have moved to virtual. People tend to interact more since the plan isn’t all on a piece of paper. In terms of gaps, now that many have and use software, they learn during tests that they don’t have the right people trained or aren’t taking advantage of new enhancements to the tools. Virtual testing also takes away a lot of the COVID risk and the costs of in-person testing.

How Work-from-Anywhere Has Changed Business Continuity

82% of employers plan on a hybrid return-to-office strategy

Alexa: The communication piece has changed a lot thanks to work-from-anywhere. You can go to someone’s desk and rally people during an incident when you’re in an office. In a work-from-anywhere environment, people struggled with whether and how to contact colleagues after hours. Organizations were reminded that they still needed a business continuity plan, even when employees were remote. Many offices shut down central locations that had been part of their plans during COVID and never updated the plans.

Warren: Have a backup for work-from-anywhere. Work-from-anywhere has changed the systems, people, and processes we depend on, and redefined realistic RTOs. At the beginning of the pandemic, organizations weren’t making massive changes to their business continuity plans because it seemed like COVID would end quickly. Now, organizations realize this is the new normal, whether that’s hybrid or going back to work or going fully remote, so they need to look at their entire plan from the beginning – or even redo it. Look at the whole plan holistically and make sure you’re making changes to address the new normal.

Challenges Organizations Face

Alexa: Customers are trying to determine what they need to have compared with best practices. A customer may ask for one thing, and regulations require another. There are also significant privacy concerns. Our customers are looking for advice, consultation, and best practice sharing to know they’re doing what they need to. They’re asking questions about what templates they need to have saved for crisis communications and who should have the capability to send alerts company wide.

Business continuity testing is critical to your organization's resilience. However, many organizations are still wondering why they should test their business continuity plans. With the increasing number of natural disasters, the likelihood of your organization being affected is becoming higher every day. It isn't a matter of if a disruption will occur; it's a matter of when. That's why your organization needs to be fully prepared to withstand any potential disruption, and the best way to find any gaps is through business continuity testing.

However, if you've never tested your plan, it's hard to be confident that it will meet your expectations. Regularly testing your business continuity plan (BCP) helps to continually improve your company's ability to withstand and recover from various disruption scenarios successfully. Let's look into some other arguments for why testing is integral to your organization's success.

The ROI of Business Continuity Testing

A well-orchestrated test strategy helps protect the brand, its promise, and its value proposition. Suppose your competitors had a poor test performance or made a critical mistake in a real-life situation with a client. In that case, your company can shine by demonstrating its reliability and move its business forward. So, why test your BCP?

  • Identify interdependencies, gaps, and areas for improvement.
  • Demonstrate to your clients a higher degree of commitment.
  • If you are the supplier to a firm, you rise among competitors, taking on more projects and winning new business.
  • Continually validate and improve plans.
  • Satisfy compliance requirements and regulators.
  • Reduce recovery time and cost.

Reasons to Test Your BCP

1. Test the “New Normal”

  • Regional risk of working from anywhere
  • Isolated issues for staff
  • Solving for one building vs. many locations

2. Validate Recovery Plan/Gap Analysis

  • Confirm RTOs
  • Train your staff – instill employee and stakeholder confidence in the plan
  • Update procedures

3. Compliance/Regulatory/Legal

  • Plan review
  • Tabletop exercises
  • Drills

Ways Our Customers Are Testing

  • Verify the connection and performance of hosted data/backups from a different location
  • Rebuild critical applications on Agility equipment
  • Establish a working partnership with Agility
  • Evaluate disaster readiness of lines of business

Types of Business Continuity Tests

Each type of business continuity test is targeted at gathering specific information about different areas of the company. The list below covers some, but not all, of the BCP test types and the reasons for using them.

  1. Plan Review: Includes a BCP team with C-level management or department heads to see if their current BCP plan needs revisions. The plan review goes over recovery contract validity, business continuity management, and any disaster recovery scenarios that can be shared with other company teams.
  2. Tabletop Test: Includes role-playing discussion exercises that are scenario based. You usually have employees participate so they can practice their roles and responsibilities in case of any disruptive emergency, from an active shooter to a hurricane or tornado.

There’s also the BCP walk-through, which mimics the tabletop test discussions with planned details but turns those details into a simulation test that incorporates real recovery actions. The scenarios range from data loss, backup, and restoration to emergency notifications and physical recoveries.

However, consider deviating from the test script to interject unplanned events, such as the absence of key individuals or services.

Plan Review

  • It’s best practice to walk through your plans quarterly – this does not have to be elaborate (an hour or less in a group session).
  • Helps to identify gaps and areas for improvement.
  • Ensures everything is up-to-date with the latest information (employee contact info, regulations, etc.).

Tabletop Exercise

  • Facilitated discussion – 1½–2 hours.
  • Participants are seated around a table – all activity is “virtual”.
  • An incident “scenario” is presented to the team along with a series of “How Would You Respond” questions as the scenario unfolds.
  • Use the time to identify gaps and develop confidence.

Drill/Simulation

  • Test individual components (wire transfers, notification system, etc.).

Full Test

  • Moving people and technology to an alternate location.
  • Partner with a company like Agility to go through a full-scale test.

After a Business Continuity Test

  • Ensure you have actionable deliverables and commitments for those responsible for executing.
  • Clearly define timetables and who is responsible for ensuring findings are resolved.
  • Regulators will want to review written documentation and will be checking to make sure issues were addressed.
  • Consider planning and testing as a continuous improvement process.

Protecting Your Organization

Organizations face continuous threats that can put lives in danger and disrupt operations. However, implementing an incident management program that fits your organization is challenging. To help mitigate these threats, Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover—all in one. It enables organizations to eliminate business impacts and ensure their workforce is safe and informed.

Resilience Is Good for Business

What has emerged from the organizational response to COVID is a greater focus on business resilience: not only attaining an understanding of it but also developing a desire to achieve it. With COVID, both leadership and staff saw firsthand that being resilient is good for business. Current risks, such as increased and extreme weather-related events and cybersecurity concerns, have companies looking at what made organizations more resilient during COVID and increasing their investment in resilience. Aon surveyed 800 C-suite leaders and senior executives. One of their main findings was that “across industries, executives are reporting a greater willingness to address risk and make investments to build resiliency for the future.” A PwC survey of 2,800 business leaders found that 7 out of 10 organizations reported planning to increase their investment in building resilience; among risk leaders, that number rises to 9 out of 10.

But what is business resilience? The International Organization for Standardization (ISO) defines resilience as “the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.” In general, this is achieved by rapidly responding to business disruptions and crises and safeguarding people and assets while maintaining continuous business operations. Ernst & Young continues, “Enterprise resilience is a firm’s ability to respond to, recover from, and resume operations at acceptable levels of service to customers, clients, and counterparties through significant disruptions.” However, it is not just about crisis management or business continuity planning; it is also about foreseeing risks and mitigating them.

Beyond the ability to recover quickly from and respond to events, resilience enables organizations to both foresee upcoming threats and capitalize on opportunities.

Risk Resilience Report 2021, Marsh LLC

Attributes of Business Resilience

Components of resilience

Anticipate

Resilient companies anticipate threats. They know a crisis will come, and they prepare by looking for vulnerabilities and putting controls in place to mitigate negative impacts.

Prepare

Resilient organizations prepare for crises by conducting BIAs, creating all types of plans, and raising awareness of the plans through exercising and training.

Respond

Resilient organizations rapidly respond by continually communicating with all applicable stakeholders and utilizing actionable plans.

Adapt

Resilient organizations adapt by having plans that are flexible and that provide strategies to be able to quickly change course based on current conditions.

Learn

Resilient organizations continually learn from past incidents by reviewing and making changes in after-action assessments. During a longer-term incident, such as the pandemic, they assess during the incident and apply lessons learned in real time.

Operational Resilience

Operational resilience focuses on the organization’s ability to deliver its critical products and services. The Basel Committee on Banking Supervision, for example, defines operational resilience as “the ability of a bank to deliver critical operations through disruption.” A more vertical-agnostic definition is one by Protiviti, which defines operational resilience as the “ability of an organization to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions.” Organizations can accomplish operational resilience by building resilience into processes and assets, such as within personnel, third-party service providers, communications, physical infrastructure (structure and recovery), data (backup and replication), power, cyber resilience, telecommunications, change management, and resumption of operations as built into the FFIEC BCM framework.

A More Holistic Program for Greater Business Resilience

Many reported that what made their COVID-19 response successful was breaking down silos and increasing collaboration. “Crises like the COVID-19 pandemic highlight the importance of effective collaboration for long-term commercial success,” states an article in the Harvard Business Review. Organizations are finding that there are inconsistencies and redundancies in plans and that teams are disjointed and less effective without collaboration. Companies also realized that all personnel were important in their success and concluded that business resilience must be an enterprise-wide effort. As a result, organizations are now looking to implement or enhance strategies to ensure these elements in the next crisis. The recent BCI survey on business continuity and resilience found that “COVID-19 continues to drive better interdepartmental collaboration as well as more effective industry collaboration.” This is reinforced by C-level executives surveyed by Deloitte regarding building a resilient organization, noting that “removing silos within our organization and focusing more on cross-functional collaboration was a top strategic action that CXOs were focused on both before and during 2020.”

Build the foundation in the preparation phase. Promote collaboration and consistency by formalizing a resilience team, group, or department that brings together multi-risk and resilience disciplines. These disciplines can include crisis management, business continuity, disaster recovery, information security, emergency management, risk management, vendor management, and areas that support them, like human resources or security. Additionally, leadership must recognize that everyone in the organization is integral in a response; therefore, plans should consider every individual and function, not just those deemed critical.

A large part of business continuity planning is defining your organization’s RTO, or recovery time objective. How long can you realistically afford to be nonoperational? Defining your RTO can help your management and crisis teams understand expectations for recovery. Business continuity testing plays a huge part in determining whether you can realistically meet your RTOs and efficiently recover from a disaster.

Test to Know Exactly What Your Company Needs to Recover – and to Leverage the Resources Available to You

If you do not test, how can you know what recovery looks like for your organization and what you will need most urgently? One Agility customer discovered this the hard way. Though the bank had maintained a contract with Agility (previously with Rentsys) for years, they had never opted to schedule any testing with Agility’s customer success team. The bank knew they needed to have a continuity plan and recovery services available for compliance purposes but were unclear about what the recovery process would look like if their physical space were impacted by a disaster. When a hurricane hit their town, the bank’s team assumed they wanted a mobile unit, but did not know what that entailed, such as time for delivery and setup, options and additional cost drivers, or even where the unit could be installed. Agility was able to use Google Maps to estimate a zone where the unit could be installed but needed on-the-ground support to truly understand the layout. It wasn’t until this client saw another bank with an Agility mobile unit set up that they began to understand the capability of Agility’s recovery team, and they reached out to their Agility representative to understand what Agility could provide quickly to get the bank back up and running. Before seeing a recovery environment in person, it was hard for the bank to understand the benefits physical recovery services would bring. In short: By testing, you will identify the needs for your business – and pinpoint what’s needed for optimal response – before disaster strikes to be able to hit the ground running.

Test to Know What to Expect During a Recovery

Hopefully, a disaster like a tornado, hurricane, or even a major power outage is something that happens only once to your business. By testing, you will know what to expect if or when that disaster happens and set expectations among both your leadership and customers. From testing, organizations understand that downed trees, closed roads, and more can delay a recovery, since resources cannot easily get through barriers. Organizations must also often work with local municipalities to secure letters allowing recovery providers to pass through barricades. These things factor into your recovery timeline so you can prepare your customers. Finally, a recovery environment will never be able to completely recreate your office environment. If you test, this will not be a surprise, and you will be ready to dive into work in a modified space. The most important thing is that your business will be back up and running and operational.

Test to Learn What Permits Your Organization Needs

Oftentimes, what delays a recovery is paperwork. At the time of a major interruption, permits will be the last thing on your organization’s mind, but without them, recovery may be impossible. During testing, we encourage customers to incorporate all permitting aspects and involve those entities, so they are not blindsided during a recovery. Each state is different in how they handle permitting – if your business has multiple branches, it must account for different legal requirements. Recovery providers must rely on our clients to investigate permitting; though we cannot do it for businesses, we can help with networking. In fact, we helped one client with a permitting specialist to reduce a 4-6-week turnaround time for permits to just one week. Do not let a visit from the fire inspector be the reason you are unable to serve your customers!

In Conclusion

Defining your RTO is just one step in business continuity planning and disaster preparedness. Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover – all in one. We offer several types of testing, including virtual tabletops, in-person tabletops, onsite mobile testing, and testing at our facilities throughout the U.S. Reach out to us today to learn more.

Want to know the secret for keeping your manufacturing business running even after it experiences a disaster? Good business owners know that their companies’ ongoing success and well-being depend on operational resilience. The manufacturing industry is no exception. So, manufacturers need to have business continuity plans. It’s best to form these plans as soon as you launch your manufacturing company. Without them, you run the risk of frustrating clients and not generating as much revenue. Below, we’ll get into some key things you need to know about developing and preserving business continuity. Keep reading to learn more.

What Challenges Do Manufacturing Companies Face?

A manufacturing company faces many of the same emergency preparedness challenges that other companies confront. Yet, there are some key differences. Manufacturing companies might be especially vulnerable to certain kinds of risks. Because the manufacturing industry relies on the ability to promptly create and deliver items to customers, companies might stagnate if their internal problems interfere with this process. Your goal as a manufacturing leader should always be to get your products to your consumers as fast as you safely can. To accomplish this, you need to avoid staffing, equipment, and materials disruptions. If you work long enough, you have a high probability of encountering problems in at least one of these areas. Companies with a solid business continuity plan fare better during these times.

What Areas Should Your Plan Include?

A smart business continuity plan doesn’t only look toward the future. It involves looking at what you can do in the here and now to make sure you stay afloat during an emergency. To get started on formulating a business continuity plan, you’ll need to call a team meeting that includes your company leaders. You should identify some of the specific risks to your company. You should also focus on prevention whenever possible. Then, look at the resources you’ll need if these things happen. If it’s not possible to prevent an emergency from occurring, figure out the likelihood of it happening. Then, look at its potential impact on your business. You should plan for the most likely emergencies first. In the past, business continuity plans were difficult to formulate and required a lot of long hours from workers. Now, that’s not the case.

Incident Management

The main goal of any business continuity plan should center on doing as much prevention as possible. As such, you need a system that allows you to share what you’d like your employees to do. Always start with creating action lists for your workers. Action lists let them know what needs to get done when certain circumstances happen. As people complete the actions, they can check them off the list. Incident management puts you in control in the case of an emergency. You’ll also get real-time updates, so you can oversee how your employees are handling the crisis. Be sure to review your plan in advance. You can identify potential fail points and correct them before an emergency happens.

Emergency Contact System

After identifying your potential problems, you’ll want to develop a robust emergency communication system. Communication is essential when you have an ongoing emergency. In some cases, the emergency will involve physical danger to your workers. Your employees will need to know how to adapt and alter their actions in all cases. You need a communication system that allows you to share information. It should also give your employees the ability to ask questions and communicate updates. MyAgility allows you to send mass messages that include information about potential hazards and employee instructions. These messages are bi-directional, so your workers can reply. You’ll know if they need resources to handle the emergency, and you can check on their safety. MyAgility also lets you send out updates to people. You can let your employees know when the situation evolves and give them updated instructions. You can also let them know when the situation has concluded, and they can go about business as usual.

Planning, Testing, Training, and Exercising

After you finish the planning phase, you need to get into testing, training, and exercising. An emergency isn’t the time to teach your employees about your plan. Instead, everyone should know about the plan beforehand. You should train them on how to implement the plan. For the best results, go through exercises with them. That way, they’ll have the ability to execute the plan without needing someone to walk them through it.

Ready to Improve Your Emergency Response?

Your manufacturing business needs to have a quick and dynamic response to the emergencies it might face. Business continuity planning helps you avoid as much disruption as possible and keeps you on track to meet your business goals. When you put time and effort into your business planning, you’ll save yourself money and keep your employees safer. Ready to improve your response to emergencies? Contact our team to get started.

What would happen to your company if it lost $9.44 million in an instant? That’s the average total cost of a data breach in the United States in 2022. In addition to cyber threats, there are also myriad incidents that could threaten the security and future of your company, including natural disasters and other physical hazards. Are you prepared to weather these kinds of storms? Unless you have a dedicated incident management checklist in place, the answer is likely no. Creating one doesn’t require a significant investment of time. Still, it could make all the difference when you’re faced with the unexpected. Read on to learn how to create a comprehensive incident management checklist that can help make sure your teams are as protected as possible.

Why Do I Need an Incident Management Checklist?

No organization, regardless of size, is immune from external threats, which can range from hackers to hurricanes. However, small businesses are even more susceptible to these perils, as many lack the infrastructure required to fortify their workplace against them proactively. In fact, research shows that nearly 70% of SMBs experience a cyberattack every year. They’re also hit harder by natural disasters. Thirty-five percent of companies that operate in FEMA-designated disaster areas report revenue losses of more than $25,000 after such an event. An incident management checklist won’t shield your company against all losses. Nor will it make it entirely impenetrable to external assaults. What it will do is give your employees a clear path to follow when the worst happens. Knowing how to react is critical to minimizing losses and regaining as many assets as possible.

Creating Your Plan, Step by Step

Looking at a blank screen and unsure how to craft an effective incident response plan? Resist the urge to follow the path of many business leaders and use a cookie-cutter template that isn’t specific to your organization. Recent reports reveal that most companies rely on generic documentation devoid of actionable items, rendering the entire effort fruitless. While the checklist below can serve as a starting point for your plan, remember that it’s essential to customize it to fit your needs. In addition to protecting your IT infrastructure and data security, your plan should also include steps to take in the event of a natural disaster or another physical incident. That said, let’s take a look at the steps to follow when you’re ready to create your incident management plan.

Step 1: Establish Ownership and Authority

Before you begin to write your actual checklist, you must first decide who will be in charge of it. To help make your decision, focus on employees who meet the following criteria:

  • They have been trained in incident management and workplace safety and security.
  • They have access to the tools and technology required to manage the incident.
  • They are positioned to provide quick and effective incident response.

In addition to appointing one or two business leaders as guardians of the plan, you should also involve your executive team members in its development. Their approval and buy-in are critical to the performance of the plan and should not be overlooked.

Step 2: Set Roles and Contacts

Next, you’ll identify everyone who could be involved in your organization’s incident response process. Include employees across different departments, including:

  • Executive team
  • Customer support
  • Legal support
  • Technical support
  • Public relations
  • Finance
  • Human resources

List each person by name and clearly define their role. Now is not the time to make broad assumptions or generalizations. Spell out how an incident could affect these employees and how they’re expected to respond.

Step 3: Determine Alternative Communication Methods

What happens if an intense storm sweeps through and knocks out your phone lines? What if a hacker gets into your network and you’re unable to communicate over the internet? A lack of access to traditional technology could significantly impact your organization, so it’s important to have alternate communication methods in place. Create a list of people that you’ll need to contact as soon as an incident occurs, such as technical responders. Then, make sure you have online and offline methods in place to get in touch with them as soon as possible. Only having their telephone number and nothing else could hinder your ability to notify them in the future.

Step 4: Identify and Confirm the Incident

Once you’ve taken care of preliminary details, you’re ready to define the actual steps that your organization will take if an incident occurs. Your first step is to identify and confirm the incident. Keeping in mind that your process should be specific to your company, most plans will include steps that cover:

  • Incident identification
  • Incident reporting
  • Incident tracking (all sources and times of occurrence)
  • Incident analysis (initial source, type, impacted assets, location, scope)

Based on this data, your response team can identify the overall impact of the incident on your business.

Step 5: Contain the Incident

Once you confirm that a threat is present, you can take quick action to help mitigate the damage it will cause. At this juncture, you’ll have two choices: watch the threat or contain it. To help you decide which course of action to take, you can assess the impact of the threat by asking:

  • Which systems are affected?
  • Has any sensitive data been stolen?
  • Has any mission-critical hardware been destroyed?
  • Does the incident carry any legal ramifications?

If you decide to pursue containment, you may need to contact local law enforcement authorities, especially if the impact will affect other organizations.

Step 6: Eradicate Impacted Systems

When responding to a cybersecurity incident, you can mitigate its impact by restoring your systems to their pre-attack state. This helps shut down a hacker’s access to your accounts and networks. Common steps include:

  • Patching your systems
  • Closing network access
  • Resetting the passwords of compromised accounts

Step 7: Recover and Restore Systems

Once the incident has passed, you need measures in place to recover and restore as many of your lost assets as possible. It might take some time to regain the integrity, confidentiality, and availability of your systems, but the effort is necessary. Moving forward, you can use your incident identification and confirmation process outlined above to monitor and continuously detect incidents in the future.

The Integrated Business Continuity Solution You Need

What if your company could prepare, protect, and respond to any incident, from anywhere in the world? With Agility Recovery, it can. Contact us today to learn more about how we can help your business stay in business.