Why You Need A Scenario-Based Business Continuity Strategy
For businesses, it can be easy to get a kind of tunnel vision - focusing on specific risks instead of creating a broader, more scenario-based approach.
For many businesses, they may know their top two or three risks. It could be hurricanes or wildfires, or even cyber threats or active shooters. But just like markets change, so do a company’s risks.
Factors like new products, mergers or markets can all create new risks. But businesses need to evolve their risk assessment beyond that. They must look at emerging universal threats like pandemics, cyber attacks and terrorism and incorporate them into their planning.
So how can businesses evolve their continuity planning to look at scenarios instead of just threats?
It’s About The Result, Not The Specific Risk
Instead of focusing on a risk like receiving anthrax in the mail, it’s better to think about what happens if you can’t access your office. Whether it’s because of anthrax, a fire or a flood, the key result is that your employees can’t access the building.
In scenario-based planning, you focus on how to continue business operations when you can’t get into your building. That means creating alternate office locations, remote working policies and remote access and disaster recovery for all your IT systems.
You Can’t Cover Every Option
One key benefit of this approach is that a scenario-based approach is simpler than trying to account for every possible risk. Even the largest, most prepared organizations don’t have business continuity plans that can do this.
Instead, it’s better to take you and your team’s time and resources and spend them on these more agile, scenario-based plans. By moving to a scenario-based approach, you have fewer plans but still cover your biggest risks.
For smaller organizations or those that are new to business continuity planning, this approach is simpler. It allows the company to walk before they run, said Bob Clark in his recent webinar, “No Threat Too Large Or Small: Business Continuity Planning for Today’s Risks.”
Getting Started
Once you’re ready to implement a scenario-based approach, the first step is to undertake a risk assessment. There may be scores of threats that you're considering. Some organizations already have risk management embedded. If so, use what you have. But ideally, you should have a risk register.
After all the risks are recorded, then you need to ask "What are we going to do about this risk?
Then you want to map your risks into a 5 by 5 matrix, like this one in the U.K. Risk Register. The most severe and most likely risks go in the upper right corner. The less severe and less likely risks are in the lower left corner.
For example, say there’s a fire. Your first priority is get people out of the building. This is where we have a crossover with emergency preparedness. Business continuity isn't looking to reinvent the wheel or come up with a better way of evacuating a building. What it's looking to do is to hook into what is there.
If you find that “Oops, we don't have an emergency preparedness plan for a building evacuation,” then clearly one needs to be defined. Getting people out of the building is your first priority.
Then you start looking at the questions in terms of the short-term, medium-term, long-term plan. If the building is destroyed and you're not going to be back in there for a long time, then clearly, you need a long-term contingency plan. Do you have another building that you can use? Do you have an arrangement with an office space rental company like Regis?
On the other hand, if it’s just a short-term issue where you need to be out of the building for 24 hours, then everyone goes home and comes back in tomorrow as normal. This is how you would need to react.
Identify Who Owns Each Emergency Preparedness Plan
You also need to determine who owns the particular plan for each specific area. Now, the person that owns the denial of access plan might be the person responsible for the buildings. The person that owns the employee-centric issues may be the human resources or the personnel department. The person that owns the IT failure could be the IT manager or the CIO. It's not necessarily going to be the same person responsible for every plan.
To learn more from Bob Clark about how companies can evolve their business continuity planning, listen to our new webinar, “No Threat Too Large Or Small: Business Continuity Planning for Today’s Risks.”
You are well on your way toward protecting your staff and organization.
Take the next step toward protecting your organization by learning more about emergency notification systems and the vital role they play in your emergency preparedness plan.