Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.

  Scott Wright's Security Views
Blog Entry

Have you ever wondered what would happen if a key person or system became unavailable?

Friday, January 8th 2010 @ 7:03 AM

In almost every organization I've worked in for any length of time, I've heard a comment from somebody like - "If Fred ever got hit by a bus, or decided not to come in one day, we'd be screwed!" (Not that every company I've worked for had somebody important named Fred.) In some cases, "Fred" did give 2 weeks' notice, but it put a lot of stress on the organization in order to recover from this perturbation of the business. If you find that your organization has an indispensable person or system, don't assume that "somebody is on top of the issue" or that "things will work out on their own."

So, what should you do to figure out if the organization really is at risk from losing a critical cog in the big machine? Here are a few tips on doing cost-effective "Business Continuity Planning" in a small organization - without a lot of room to put an official program in place.

1) Start by asking around at various levels and in various functional areas, to get predictions from people about what the real impact could be if that resource or business process became unavailable. Ask these people who the best representative from their organization would be to have on call for responding to incidents involving the critical process.

2) Ask the question, "How long do you think we could operate without somebody competent in Fred's position?" or "How much would it cost us in lost revenues per day/week/month if that system was not usable?" Maybe it wouldn't be an insurmountable problem at all... but what if it really would have a big impact? You need to do a few more things to make sure it doesn't catch you off-guard.

3) Recruit people who work in the affected workflow to help brainstorm on alternative processes - paper, electronic or even outsourced - that could be used in an emergency.

4) Write down a plan for how to deal with a loss of availability for the people, system or data in these critical workflows.

5) Have people from each part of the organization review the plan and offer suggestions for improvement.

6) Designate an official representative for that key business process who can maintain the plan, monitor the process and instigate alternative arrangements when required.

7) Allocate some amount of budget to monitoring the process, and incorporate performance objectives related to the process into the official representative's compensation plan (and follow through on review results).

8) Check in with that official representative on a regular basis to ensure that the process plan is still up to date and relevant.

9) If the alternative process has to be used at some point, do a post-mortem when the dust has settled, and incorporate any lessons learned into your business continuity plans and processes.

Have you had to recover from this type of incident?

How did it affect your revenues or costs, and how did you respond to it?

What would you add to these points for doing business continuity planning?

Real case studies in this area from you and other members of the Streetwise Security Zone community are very helpful.

Would your organization be interested in obtaining the right to use my security awareness eLearning content or articles in your enterprise security program? Or would you like help with strategy, risk assessment, program development or training? Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
