Business Continuity Planning: Developing An Impact Analysis

According to FEMA, 40% of businesses hit with a disaster never recover, and this rate more than doubles for those without a business continuity plan. While the two are linked, a business continuity plan shouldn’t be confused with disaster recovery. You might have a great plan for getting things up and running after an event but still fail to plan for continuity of time-sensitive business functions. And that’s why developing a real continuity plan is so important.

Business Continuity Planning

What Is a Business Continuity Plan?

Business Continuity Plan is an essential component of risk management. The BCP specifically addresses the risk associated with an unanticipated lack of ability to continue business operations. The reasons for this lack could be many:

  • Natural disaster
  • Terrorist attack
  • Major power outage
  • Technology failure
  • Loss of customer data
  • Someone hijacking customer data and holding it for ransom

Even a couple hours of lost operations can have multiple consequences. A BCP mitigates them by identifying and assessing risks before developing, testing, implementing and measuring the effectiveness of strategies that keep your business running with the least downtime possible.

Some of these strategies may include:

  • Reducing risk to customer data through firewalls, backups, employee education, security protocols, etc.
  • Enhancing your servers and telecom infrastructure
  • Enhancing data recovery
  • Re-routing calls/contact
  • Developing a work from home program
  • Setting up a temporary “base” when your building isn’t accessible

The strategies vary as much as the companies that employ them. So before anyone begins developing a business continuity plan, it’s important to know what areas are impacted by the inability to continue operations. How much do they cost your company?

What is a Business Impact Analysis?

The Business Impact Analysis is the first critical step in developing a business continuity plan. In this phase, identify time-sensitive business operations. Additionally, consider related resources needed for employees to perform those functions.

An effective analysis not only identifies these elements. It employs data to prioritize business continuity efforts.

Continuity concerns may present themselves on a scale. At one end you have mere inconvenience. At the other is significant (and possibly irreparable) business harm. So it’s important that when developing a business impact analysis, you make the distinction.

Every department will naturally feel that they are the “most important”. But scrambling to prevent inconvenience will drain resources from impactful continuity challenges. Once again, data save the day. It helps us make the most impartial, data-driven decision.

When it comes to business impact analyses, there are no “cookie-cutter” solutions. That’s why this phase of planning is so important. It helps you develop the customized plan you need to mitigate risk effectively.

How to Develop a Customized Impact Analysis for Your Business

When developing an impact analysis, look at each department, team, and/or area of your business. As you do, consider these three areas. FEMA business impact analysis worksheet says that those elements are:

  1. Timing/Duration of outage
  2. Operational Impacts
  3. Financial Impacts

So, for example, if Department A can’t continue operations for 30-60 minutes what happens? How does this impact the bottom line? What if that department/team were down for two hours? And so on. The ramifications will get progressively worse.

In some departments, financial impacts may be fairly easy to measure. But in others, you may need to think more broadly about the costs of downtime or lack of access. This will give you a truer picture.

  • Direct Financial Impact – lost sales, paying employees who can’t work, overtime to catch up, increased customer returns, etc.
  • Customer Relationship Impact – lost client contracts, bad customer reviews, diminished social sharing, bad public relations, cost of PR damage control
  • Vendor Relationship Impact – lost vendor contracts, increased vendor costs, strained partnerships, lost trust, trouble building new partnerships
  • Employee Relationship Impact – lost faith in the company, morale issues from too much overtime, retention problems, increased recruiting costs
  • Regulatory Impact – This one may vary by industry as well as department. For example, in healthcare, failure to comply with HIPAA may result in fines and legal troubles. If you process payments, inability to meet PCI regulations could result in loss of contracts with major credit card companies. Any company that’s managing customers data ( e.i., every company) should have some awareness of SOC2 compliance and the impacts of not properly securing customer data to maintain business functions. In education, lack of continuity would not only impact FERPA compliance.

Don’t “assume” these costs. In most cases, you’ll have data to clearly quantify their impact. Once you’ve considered the true impacts of lack of continuity in each area, you’re ready to prioritize and develop your business continuity plan.