Yes, this is a trick question.
What I mean is, does your organisation have an Emergency Response Plan? Or a Business Continuity Plan, or an Incident Management Plan?
These three-letter acronyms specifically refer to what your organisation has in place when something bad happens. You may even have a different name for it. It is essential a how-to guide for when the pawpaw hits the fan.
If your organisation does not have something like this in place, don’t just rush out and download something from the internet. There should be a couple of things in place along with this how-to guide to ensure that your organisation is ready to tackle almost any event! So, what are they, and why is this important?
The emergency response and business recovery plans are integral parts of a comprehensive strategy to reduce the impacts of negative events on your organisation. If the proverbial pawpaw hits the fan, how are you going to minimise the mess, and how quickly will you be able to get back to business as usual?
In an ideal world, nothing unforeseen happens, but we know this is not true! The last five years have shown us that plagues happen, ships block shipping routes, and even state-owned enterprises are not immune to hacking.
Best practice suggests having an overall integrated approach, as illustrated below:
Risk Management Plan
The first step to a proactive business continuity plan is preventative. This starts by having a brainstorming session to identify all potential risks. Each of these risks must be assessed, based on the possible causes, and their possible impacts on the business. Once this has been determined, actions must be put in place to eliminate, prevent, or mitigate each risk. The actions could include putting in place new policies or procedures, bringing in more resources, or adding other safety or security measures. At worst, insurance can be taken out to bridge the financial impact should the event occur.
Business Impact Analysis
The next aspect of a proactive business continuity plan is to review what redundancies are available for when the unforeseen occurs. Should the worst come to pass, a business impact analysis will identify the critical business activities and prioritise the recovery of these activities.
A good place to start is with all the divisions within your business, such as manufacturing, finance, human resources, warehousing, sales, and marketing.
Based on this list, you can determine which divisions should get priority. For instance, in a typical manufacturing concern, supply chain divisions – such as manufacturing, warehousing and distribution – are more important that marketing.
Both the risks and the business impacts must be reviewed on a regular basis, to ensure that the identified actions that need to happen have taken place. It is also good practice to update these documents, based on any changes that may impact your organisation.
Incident Response Plan
The incident response plan requires two things to be in place before an event occurs: first up is an Incident Management Team (IMT), and second is the actual plan.
The IMT is responsible for clear communication to all the stakeholders, as well as for guiding the company safely through the incident response plan. The team may also need to coordinate resources for the incident response, including personnel, equipment, and supplies. This means the people on the team must have the right levels of authority and influence to make things happen.
The plan is a step-by-step guide to lead the IMT through all the phases to successfully navigate through the event and bring the organisation back to business as usual. This should include what constitutes an incident, and when the plan is invoked, as well as containment, and recovery. This last step is discussed in detail next.
Recovery Plan
A recovery plan is a detailed list of actions for each business function, that describes how the specific department will function in the interim, and what steps need to be taken to get it back to business-as-usual. So why do you need one for each department? This is best illustrated by an example: let’s say a fire rips through your call centre and the building is no longer accessible, as it is dangerous. Your recovery plan needs to address the following:
- Do you have a backup facility?
- What about hardware and software?
- Does the staff know where to go?
- Do they have transport to the interim location?
The recovery plan must also focus on managing the rebuild of the call centre.
This example illustrates that a major event for the call centre would likely not affect manufacturing.
So, back to the original question: does your organisation have its ducks in a row for when things go wrong?