Business continuity: It begins with a plan
If the unthinkable were to occur and your agency had to continue providing essential services and performing essential activities, would you know what to do and where to go?
In most cases, the answer is yes. Today, thanks to lessons learned from past disasters and government requirements, most government agencies and departments have some type of business continuity plan that allows them to maintain critical functions.
The groundswell for developing formal business continuity plans began in 2007, when President Bush issued the National Continuity Policy, requiring a single National Continuity Coordinator responsible for coordinating the development and implementation of federal continuity policies. That spurred most federal agencies to start developing business continuity plans, with many state governments following suit.
To help federal agencies develop effective plans, FEMA offers a continuity of operations plan template and instructions for federal departments and agencies. The template includes sample text that complies with federal continuity directives.
FEMA offers a similar template and instructions specifically for non-federal entities. In addition, the National Association for State CIOs (NASCIO) has developed a suite of planning tools, with different templates for different government functions.
Making a plan truly effective
The effectiveness of an organization’s business continuity plan rests on several factors: how well it spells out what data, applications and personnel are critical, how well it communicates the plan, and how often it is tested.
The first step in developing a business continuity plan is to conduct a business impact analysis. This step, which can be aided either by software or a consultant, involves doing an inventory of all applications, data, and people and assessing their impact on operations – and what happens if they are not available.
Be careful during this process to ensure that adjunct but important applications that help keep critical applications running are included in the assessment, warns Bob Laliberte, senior analyst for Enterprise Strategy Group.
It’s also important during this stage to ensure that various groups that work together in a disaster are coordinated. That means understanding what capabilities of each group would work together with the capabilities of other groups, and communicating your business continuity measures with those other groups. For example, Montana’s business continuity plan includes a continuity of operations agreement between its Department of Military Affairs, Disaster and Emergency Services Division and Department of Administration.
From the assessment, it will become obvious where gaps exist. If the organization doesn’t have written procedures or hasn’t notified people what to do in case of emergency and how to access data and applications remotely, for example, this is the time to address that.
The next step is writing the plan. The document should address which resources are critical, how those resources will be allocated, which applications and data will be accessible via mobile devices, how crisis communications will occur, physical locations where personnel can go, and how to manage likely incidents.
Once the plan is in place, don’t simply put it aside until an emergency arises, or you could be in for an unpleasant surprise.
“What was implemented and worked on Day 1 might not work as well on Day 100,” Laliberte says. “Technology changes and needs change.”
Instead, test the plan once it is finalized and again at set intervals after that. In the beginning, your training drills should simulate situations that could realistically arise, which allow staff to fully understand how things will change and what it will take to get back to full capacity again.