In the wake of the recent ransomware breach at Rackspace, many of their customers lost all access to their email accounts, calendars, and other critical information. The company responded by initiating emergency protocols. User accounts were migrated from Rackspace’s hosted Exchange to Microsoft’s O365 platform. Although services were restored, users lost all their data due to the nature of the attack.
For many organizations, this was a devastating blow to their operations. It is ridiculously hard for a business to function in today’s landscape without email, calendars, and the ability to retrieve data from those interactions. The key question here is, “What damage would be done to your business if yesterday’s emails were gone?”
Sadly, that happens all too often. Incidents like this occur every day and in all types of environments. Make sure that you have a rock-solid business continuity plan in place. The benefits are enormous:
- It addresses critical risk factors.
- It identifies what systems are vital for operations.
- It determines functions necessary to transact business.
- It provides data recovery options after worst-case-scenario events.
A Method to the Madness
While there are many approaches for creating a business continuity plan, this is a basic approach for small businesses that need a place to start. This should not be confused with a disaster recovery (DR) plan, which would more specifically cover the technical details around the acceptable length of time to restore data, programs, communications, power, and internet.
First, Review the Continuity Plan of Each Department in Your Business
Enlist your entire administrative team to participate in the process. Accounting, human resources (HR), C-suite executives, and each department head should be represented in this endeavor. Ask these questions:
- What key activities must occur for each department?
- What business programs or files are used to facilitate those activities?
- What happens if the programs or files go offline or are breached?
- Have you developed and tested your DR plan for your programs and data? Note: It is important to understand what measures you will take while waiting for functionality to be restored. Also, you may be limited to using old-fashioned methods like pen and paper and cash transactions.
- How fast can your backups be restored so that your business will be operational again? The importance of this cannot be overemphasized.
- Where is your data stored, and who has access to the various segments? Check out our blog, “Information Access: Avoiding Lax Controls in Your Business Environment.”
- How does each department communicate internally to one another or externally to clients?
Second, Understand the Flow of Critical Information
Build a flowchart to visualize how your data is stored and accessed by employees. Here is a generic example that you can modify for your environment.
While each company’s data flow diagram will look different, this information will identify areas of risk and opportunities for improvement.
A similar flow diagram should be created for communications both internally and externally. Normally, we assume that the tools we use to talk with each other or our customers will continue to work as expected. But what happens if your email, phone system, chat tools, or video conferencing suddenly go offline? Identify any single point of failure in your communications plan and develop a fallback plan. For example, there are multiple team-chat tools available on the market. If you prefer using Slack, you might also have Microsoft Teams ready to launch if the former goes offline for some reason, and vice versa.
Third, Your Business Continuity Plan Should Include Your Revenue Streams
Evaluating your existing revenue stream and looking for potential failure points is important. This could be your credit card processor or even the bank your company uses. For example, Wells Fargo is under the microscope once again for poor customer relations (source). Could your business move banks if it needed to? If not, start documenting what your existing money flow looks like.
In addition, the vendors and supply chain relationships your business uses to provide products or services need to be evaluated. If you rely on an overseas supply chain vendor, are you prepared to start working with another one if global conflict forced your hand?
Final Thoughts
It is important to remember that not all risks can be mitigated. As a business owner or IT professional, you must evaluate the potential impact around any single risk factor and determine what resources are required to mitigate that risk. Sometimes it makes financial sense, and at other times the barrier of resolution might be too high.
Ultimately, the ability to operate and transact business as an organization, regardless of the circumstances, is the essence of a business continuity plan. As business leaders, we have a fiduciary duty to our employees and the communities we serve to ensure that our services and products will continue operating.