We often urge you to have a risk management plan in place so that you are prepared for the many eventualities that can affect your business. Your risk management plan should be part of a larger business continuity plan for keeping your organization going during disruptions both large and small. The plan should be broad enough to cover prevention and response, and that can only be done with input from representatives of all your firm’s divisions.
Companies can spend considerable time putting together a risk management plan that is unique to their workplace and operations. But, after they have created and implemented their plan, many businesses fail to evaluate and update it on a regular basis. You will need to test, evaluate and update your risk management and business continuity plans regularly because risks can change as your business, your industry and the environment you operate in also change.
A prime example of a new risk is the cyber threat that continues to grow in significance, having cost many businesses millions of dollars in response, remediation and notification costs. If you have not included this eventuality in your business continuity plans, you should do so.
If you set aside time once or twice a year to review your plans, you can identify new risks and monitor the effectiveness of your current risk management strategies. This gives you an opportunity to modify or enhance your plan in response to those emerging or newly identified threats. As you did when you created your original plans, you should involve personnel from your various departments and also consider inviting key vendors or customers to the planning sessions. This will help bring different perspectives to the table, resulting in a more comprehensive overall plan.
The business continuity plan
Besides identifying risks and trying to mitigate them, your risk management plan should be part of a broader business continuity plan that includes strategies for responding to and recovering from incidents if they do happen. Business continuity planning has four steps:
• Prevention – This is essentially the risk management part of the plan, which is to prevent problems from occurring in the first place.
• Preparedness – This should be the fruits of your risk management plan, requiring you to have plans and resources in place to respond to and recover from an incident. You should conduct a business impact analysis that identifies all of the resources, personnel and equipment critical to keeping your business running. Your plan should identify external stakeholders, the skills and knowledge necessary to run your business and how long your business can survive without performing these tasks.
• Response – This part of the plan should cover what you do following an incident, such as containing, controlling and minimizing the effects. This should include details on when the plan would be activated, assembling an emergency kit, having evacuation procedures in place and a communication plan to implement during an event.
• Recovery – After the initial response to an incident you will want to ramp up to full operations again as quickly as possible. You need to map out strategies to recover your business activities in the quickest possible time. That entails a description of key resources, equipment and staff required to recover your operations – and a time objective.
Making sure your business continuity plan is reliable and up to date will help you resume operations quickly after an incident and reduce the effects on your business. While you may be able to predict and deal with a number of potential risks, there will be some that are unexpected or impossible to plan for. That’s why the last two parts of your business continuity plan – incident response and recovery – are important, as they can be used after both foreseeable and unforeseeable events. Also, depending on the size of your business, you may choose to have separate risk management, impact analysis, incident response and recovery plans, or a single plan incorporating all of the above elements – known as a business continuity plan. A business continuity plan is a practical blueprint for how your organization will recover or partially restore critical business activities after a change or interruption.