The way to kick off planning is to think of all the things that could derail the business and rank them in order of likelihood and impact on operations. In effect, carry out a risk analysis. Remember, though, that this covers the entire business, not just a part of it. Some parts, for example IT, will have individual plans, but these are a subset of the overall business continuity plan.
There is also a section devoted to the actions needed by senior management.
Be creative and think outside the box. But remember, as Donald Rumsfeld said, “there are known knowns, there are known unknowns, and there are also unknown unknowns”. In short, you can’t plan for everything. There may even be a scenario where your business cannot survive.
Some areas to consider include:
- A supply chain failure, such as loss of services like water, electricity, or a major supplier.
- A fire or natural disaster destroying key parts of the business.
- Loss of a key member of staff.
- A cyber-attack on your IT systems.
- Political changes affecting the business.
These are just some of the general risks a business potentially faces. Others will be particular to a business, and some to a business area, for example changes to compliance regulations in the pharmaceutical industry.
Today, with an increased focus on IT continuity, there are some key factors to consider:
- Malware attacks, especially DDoS and ransomware, have increased significantly recently.
- If you have outsourced to a managed service supplier:
  - Their stability
  - Their vulnerability to external attack
  - Their accessibility
- Connectivity failure, either in-house or at an external point.
- Internal threats of theft of intellectual property or financial information.
- Key staff, their reliability, and sustainability.