In my career, I’ve given away assessments of business continuity programs. I’ve also charged $100,000 for assessments. The difference is, of course, the amount of time and detail I put into the project. The small or medium sized business owner/executive will be happy with the first option and irritated by the second.
The constant question I hear is “How do I know if I’m ready for anything bad that can happen to my company?” To be honest, it’s not that hard. It’s a matter of challenging yourself in areas where you’re not completely knowledgeable or comfortable. That’s why the title of this blog post refers to “Challenges” and not questions. This could have been an extensive list of 250 questions (yes, I do have a good, solid, proven list of 250), but that would scare you off. That’s the last thing you need, because you have a nagging concern – Am I Ready?
So here are 7 challenges. Each challenge has a question or two to get you going, along with a brief discussion to help you use what you know about your business in the context of the challenge.
- Do you know what to do if there is a fire? A flood? A violent intruder? A power failure? A serious, lengthy computer failure? This is a short list of events that can harm your staff and your assets. Your people come first. They are your most important asset and the only asset you have that can get your business up and running after one of these events. Other events could be burglary, tornado, medical emergency, bomb threat, and so on. You need a set of simple, clear procedures so that your people know exactly what to do for each event. They need to know now, before it happens. Having the procedures in a book somewhere that nobody knows about doesn’t work.
- Do you know what are the worst risks facing your business? Have you worked to reduce or eliminate those risks? This challenge is closely linked to number 1 above. The events that you are most worried about are most likely the highest probability and highest impact to your business. If you’re in tornado alley, you may well already have a good procedure in place. You may already have used it, particularly in the last 12 months. But it is a very good idea to step back from your day-to-day tasks and think about what risks you face, how bad (high probability, high impact = bad) they are and what you have done to reduce the chances of them happening or the effect on your business. No, you can’t reduce the chance of a tornado, but you can reduce the chance of a fire. You can reduce the possibility of burglary (locks, security monitoring systems) and you can reduce its impact (storing data backups offsite).
- Have you decided what is the minimum set of tasks you must do for your business to survive an extended interruption? The point here is that you simply can’t get everything going again all at the same time. You are going to have to decide what is most critical to the success of your business. The consultants can easily make this a complex analysis process. But you can do it pretty easily for your small and even medium sized business. What is most important to you? Delivering your products and services to customers? Taking orders? Collecting money? Writing proposals? Take some time to think about this. Once you are down to the shortlist of activities you need to get going as soon as possible after their disruption, list what you need to get those few activities underway. How many people? Which ones? What computer applications? What pieces of paper? What equipment? Then figure out how you are going to make that happen. Where will your people work if they can’t work at their normal location? Where do the computer applications run? Where does the necessary equipment come from? You are well down the road to getting ready.
- Do you have formal plans that you and your people know how to execute if your business is interrupted? “Formal” means documented. If it’s not written, it’s not a plan. Moreover, if it’s just a page or two, it’s not a plan either. It’s an idea. So document exactly what you would do in a serious disruption of your business. You are going to have to make some difficult decisions (as in number 3. above) and then implement them. And BTW, in this case “implement” usually means “pay for”. So think hard about what you can just barely get away with and still have your business survive.
- Is your valuable data safe and secure, no matter what happens? The key phrase here is “no matter what happens”. Storing your vital paper records and computer backup files in another room in your building isn’t good enough. You have to store them offsite such that no other event can deny your access to them. That includes hurricanes, major flooding in your area, power outages, and so on. And do note that I mean both paper and computer records. Don’t forget your critical paper files.
- Have you trained your staff to respond quickly and efficiently? Now it gets a little tougher. You might have written plans that are based on good analysis and judgement. However, if your staff knows little to nothing about the plans, how will they help you when you need it most? I’ve seen lots of plans that are well enough developed and documented, but they just sit on the shelf. So start your training program for your staff. Make sure they understand the emergency procedures in particular. These are the procedures that will protect them from those really bad things, such as fires, tornadoes, medical emergencies, violent intruders, etc. These are also the procedures that must be executed instantaneously. They won’t have time to read the procedure to see how they can save their lives.
- Have you exercised your plans and staff to see if you are ready? The best way for training to be reinforced is to exercise your plans. Exercise builds muscle. At least once a year, design a scenario that might actually happen to your business. Run it past your staff
in a one to two hour table top exercise. See if they would know what to do. Judge their responses and decide if your plans need to change or more staff training is needed. Repeat as required.
If you have answered all questions honestly and confidently with a Yes, then you are ready enough for any of those bad things that disrupt your business. If you haven’t, then you have good guidance on where to focus your efforts for getting ready.