Business Continuity Plan Development and Testing
Your Business Continuity Plan (BCP) is really about the impact of a business interruption event, and how you can continue to function or how fast you can recover. So when the much-threatened 9.0 quake hits the Pacific Northwest, your first reaction should be, “OMG, we’ve just had a mega-quake. I want to make sure that my family and friends are safe.” That’s cool.
But – if cables and power lines get cut accidentally, you want to make sure that your reaction is not about “Yay! Unscheduled days off” but rather “I don’t have electricity and phones to run my business. How can I make sure I have electricity and phones, somewhere, to run my business?”
Whether the event is a cyberattack, an earthquake or a hurricane, a well-developed, tested Business Continuity Plan makes the difference between being able to recover operations and being forced to close the doors. It’s also a HIPAA Security Rule requirement!
In other words, with a Business Continuity Plan, your approach focuses on the potential impacts of the disaster. Then, you think about reasonable steps to help you mitigate those impacts. Remember, they could be as minor as phones down for a couple of days or as large as losing your entire building.
Disaster Recovery vs Business Continuity
There’s also a big difference between having a Disaster Recovery Plan (DRP) and having a Business Continuity Plan. Disaster recovery is a component of BCP. For example, your DRP has your data safe at an off-site secondary location several states away. Accessing that data so you can run your business is the BCP portion of the equation. Rather than being data-centered (disaster recovery), a BCP is business-centered. You want to:
- Assure you can continue to provide services to your customers.
- Have a way to assure your customers that you are still in business – and stable!
- Be able to reassure your vendors and business partners that you’re stable and can deliver services or products, despite delays.
Getting Started: The Business Impact Analysis (BIA)
We conduct the Business Impact Analysis to identify what your core, mission-critical functions are and to determine the level of impact the loss of those functions could have on your business. For instance, we look at:
- How much income will you lose? Is it a complete loss or a delay?
- What are the related labor costs? Include costs to restart and stabilize.
- Will you suffer fines or penalties due to regulations or service level agreements?
- Will you lose customers? How much will customer satisfaction suffer?
- How long will new business development efforts have to stop?
To create a BIA, you’ll want to involve managers and other key personnel who have detailed knowledge of your business processes. Ask them what they think the potential impacts to the business are as related to their particular areas of responsibility. Your BIA should identify not only the critical resources and business processes needed for business continuity, but also report which of those business processes take top priority, i.e., are most critical to resume first.
Business Associates and Covered Entities alike need a BCP Team that’s trained in the emergency recovery processes.
Essential BCP Action Items:
- Develop Business Continuity Plan
- Concurrently, develop BCP & Disaster Recovery Team
- Implement & Train Workforce
- Test BCP process
- Develop Emergency Mode Operations Plan
- Periodically update & re-test BCP
- Update & document key staff & contact information
- Retrain Workforce regularly!
Call on Apgar & Associates to conduct a BIA for your business and to develop a BCP (with a DRP!): 877-376-1981.