Prioritizing What Requires BCP Based On Real Business Data (You Can't Just Do Everything and Still Be In Business)
Risk is defined as the combination of how likely it is that a key operation will be disrupted, how much time passes before the business experiences the negative impact of losing the operation, and how much this disruption will hurt business performance.
Example: The manufacturing plant can be shut down for several months in the event that the river running through the property overflows and floods the building. Some flooding has occurred once every 3 years, with major flooding occurring on average every 25 years. This will result in loss of sales within 2 days.
The information documented in this section is used to justify the prioritization of the Business Continuity Plan activities and justify the money allocated to ensuring the continued operations during an emergency or disaster.
Example: A backup manufacturing site is qualified and PO-##### is issued to Company Z to enable startup of production within 1 day in the event of an emergency at the primary manufacturing facility. A new manufacturing site has been identified and a project initiated to relocate primary manufacturing to this site by 15-JUN-20##.
The more these figures can be quantified, the better the Business Continuity Plan decision-making will be. To assist in this evaluation, a scale is provided in Section 14 of the Business Continuity Plan Template.
Once this section is complete, this information will provide a roadmap for prioritizing the Business Continuity Plan tasks.
The result will be a list of key business operations/processes with risk levels assigned. The operations/processes with the lowest numbers will have the highest risk level.
The high-risk items are the ones which should receive the most attention when designing and implementing the Business Continuity Plan. These are the items which will hurt the business the most if they are not adequately addressed.
The critical elements for establishing value-added priorities for the Business Continuity Plan are:
Identifying the key business operations and processes. These are operations or processes which must be working in order for the business to continue.
Identifying the likelihood of disruption (chances that something unexpected could happen which disrupts the key business operation or process). SCALE: 1 – 10 (1 = Very High Likelihood of Unplanned Disruption, 10 = Very Low Likelihood of Unplanned Disruption).
Identifying how significant the effect of losing this operation or process is (e.g. people at risk, profits lost, customers lost). SCALE: 1 – 10 (1 = Very High Significance To The Business, 10 = Very Low Significance To The Business).
Identifying how long this operation can be disrupted before it negatively impacts the business. This is the number of days without this operation before the business would experience negative impact to operations and/or sales.
The worksheet table used to calculate risk is shown below:
Business Process Disruption Impact Evaluation
For the key business processes identified in the risk evaluation, evaluate the impact to the business of an unplanned disruption in terms of:
Available work-arounds to temporarily replace the process (ex. paper records can be processed manually in the event that a key computer system is unavailable, process can be outsourced to Company X).
How long can the business continue to operate until the process must be restored? (ex. computer system must be back online within 3 months or costs and loss of efficiency will reach unsustainable levels).
What resources are needed for work-around and for restoration of the process? (ex. for the duration of manual processing of paper forms, resources needed include: 3 temporary people working 8 hours per day each, 3 computers with internet access, 1 printer, XYZ software with 3 licenses, workspace for 3 people, 1 telephone, 1 FAX, etc.).
List the Key Business Processes in order of Business Continuity Plan Priority (lowest number first) using the information identified in the table provided in Section 14A of the Business Continuity Plan Template. The objective here is to identify which processes require the most immediate attention in the event of a disruption and what is required to address the disruption.
The worksheet table to calculate the impact of a disruption is shown below:
In the event of an emergency or disaster, it is critical to have contact information for all personnel to be able to quickly share important information as it becomes available and to quickly account for all personnel. The most useful format for this information, in the event of an emergency, is to set it up as one or multiple contact trees (depending on how big your organization is).
The contact tree is a structured hierarchical format with multiple levels which look like a pyramid if you draw them in a diagram (see example below).
In the event of an emergency, the Business Continuity Plan leadership contacts the person at the top of the tree (Level 1).
The Level 1 person then contacts the assigned people in the tree one level down (Level 2). The Level 2 people then contact the people assigned to them one level down (Level 3). Once the Level 2 people have contacted (or attempted to contact) all the Level 3 people assigned to them, they then contact the Level 1 person above them to report the status (All People Accounted For or People Not Accounted For) and any question or information to be shared.
This provides confirmation that the contact tree has reached all the affected individuals and that everyone is accounted for. The Level 1 person at the top of the tree is then responsible for reporting back to the Business Continuity Plan Leadership the status of people in their contact tree and conveying any information they need to share.
The contact tree can be set up in various ways depending on what makes sense for your organization, such as a supervisor with associated personnel below, or it may make more sense to have a Level 1 site person with assigned people at the same site below (for organizations where reporting structures span multiple locations).
The contact tree can be expanded (more levels added) for larger groups. Multiple contact trees can be set up for multiple groups, functions, or locations.
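The activation and report-back procedure described above can be rehearsed as a tabletop drill in code. The following Python sketch is an added example, not part of the Business Continuity Plan Template; the names, the sample tree and the rule that everyone below an unreachable caller is listed for direct follow-up are assumptions made for illustration, and the tree may have any number of levels.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ALL_OK = "All People Accounted For"
NOT_OK = "People Not Accounted For"

@dataclass
class Person:
    name: str
    reports: list[Person] = field(default_factory=list)  # people this person calls

@dataclass
class Status:
    caller: str             # who is reporting up the tree
    status: str             # ALL_OK or NOT_OK
    unaccounted: list[str]  # names needing follow-up

def everyone_below(person: Person) -> list[str]:
    names: list[str] = []
    for p in person.reports:
        names += [p.name] + everyone_below(p)
    return names

def activate(person: Person, reachable: set[str], log: list[Status]) -> list[str]:
    """Call everyone below `person`; return the names not accounted for.
    Each caller appends one Status to `log` after attempting all assigned people."""
    missing: list[str] = []
    for p in person.reports:
        if p.name in reachable:
            missing += activate(p, reachable, log)
        else:
            # Assumption: an unreachable caller cannot relay the message, so
            # everyone assigned below them is listed for direct follow-up too.
            missing += [p.name] + everyone_below(p)
    if person.reports:
        log.append(Status(person.name, NOT_OK if missing else ALL_OK, missing))
    return missing

def sample_tree() -> Person:
    # Constructed three-level tree; all names are hypothetical.
    a = Person("Supervisor A", [Person("Tech 1"), Person("Tech 2")])
    b = Person("Supervisor B", [Person("Tech 3"), Person("Tech 4")])
    return Person("Site Lead", [a, b])

def run_drill(reachable: set[str]) -> list[Status]:
    # The Level 1 person is assumed to have been reached by BCP leadership.
    log: list[Status] = []
    activate(sample_tree(), reachable, log)
    return log  # the last entry is the Level 1 report to BCP leadership

if __name__ == "__main__":
    for entry in run_drill({"Supervisor A", "Tech 1", "Tech 3", "Tech 4"}):
        print(entry)
```

The drill with Supervisor B unreachable shows why Level 1 needs a fallback: Tech 3 and Tech 4 would answer a call but are never contacted through the tree.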
The table provided below is set up in a contact tree structure to identify each person within a contact tree and to provide instructions on what to do in the event the contact tree is activated. Information about each person should include how to reach them through multiple means (phone, email, text, etc.) and at different times (work hours, after work hours, etc.). It is also very useful to note any special skills or training each person has (e.g. paramedic, firefighter, doctor, nurse, etc.) in the event their services are needed in an emergency.