5 steps to developing a business continuity plan for health crises steps to developing a... · this...

5 steps to developing a Business Continuity Plan for health crises

E-BOOK

2 | © Copyright NTT Limited 2020

Overview

It is not if, but when, a crisis will occur.

When faced with sudden disruptions, businesses must react quickly, methodically and effectively to prevent significant financial, regulatory and reputational losses. It starts with understanding what a Business Continuity Plan (BCP) is and the elements it needs to cover.

Typically, a BCP illustrates how your organization will respond in the event of crisis. Detailed and meticulous planning is required for this level of response to ensure that all aspects of your business are covered, evaluated and ready to recover at a moment’s notice.

While BCPs are traditionally focused on keeping data centres up and running, a BCP that is designed for health crises puts emphasis primarily on workforce continuity strategies, along with tools and technologies that are required for connecting dispersed employees.

This eBook is designed to help you understand the key considerations your business should take when developing a BCP for health crises, as well as key strategies and best practices for creating a comprehensive plan.

Unified Communications I Ebook - 5 steps to developing a business continuity plan for health crises


Step 1: Perform a detailed risk assessment

What it does: A risk assessment helps you identify and prioritize potential business risks and disruptions based on severity and likelihood of such events.

In addition to pandemics, there are other threats that could jeopardise the infrastructure and database that is crucial to your organization. They include security and network breaches (viruses, Trojans, worms, etc), staffing shortages or natural forces that could throw your operations offboard. Therefore, performing a detailed risk assessment on your organization is an important first step to building your BCP.

At a high level, a risk assessment helps you identify and prioritize potential business risks and disruptions based on severity and likelihood of such events. For example, do you live on an earthquake fault, tornado alley or a flood zone? Or does your region frequently experience power interruptions from storms and rolling blackouts?

The process enables you to understand the implications that these potential risks pose to your organization and its functions, reputation and assets. It is also a balance of what kind of risks are deemed acceptable and which you would like to safeguard against, whether it be reducing these risks, creating contingency plans, or simply accepting them.

Performing a risk assessment typically includes the following steps:

Evaluating the organization’s risks and exposures

Assessing the potential impact of multi business

disruption scenarios

Determining the most likely threat scenarios

Assessing recovery options and communication strategies

Prioritization of findings and development of a roadmap



Step 2: Conduct a business impact analysis (BIA)

Conducting a business impact analysis (BIA) helps you understand how different business functions in an organization work, and which are critical to a business’s continuity and survival. In a BCP, a BIA report quantifies the importance of these business functions (e.g. IT, human resources, finance) and suggests appropriate fund allocation as measures to protect them and/or to limit losses.

In addition, it helps to ascertain any gaps your organization may have such as costs associated with potential failures, disruption to workflow, replacement of equipment, or loss of profits or clients.

A BIA should cover every functional area of your business and identify the potential operational and financial impacts resulting from the disruption of these functions and processes. However, business functions do tend to overlap and typically rely on a combination of components to operate. A function may also be considered critical if the law mandates it.

Examples of critical organizational functions may include the following:

Examples of organisazional functions:

• Customer service• Finance • Human resources• Information technology• Marketing• Operations


What it does: A BIA helps you differentiate critical and non-critical organizational functions and activities, and suggests measures to protect them and/or to limit losses.


For each function, two recovery timeframes are assigned:

• Recovery Point Objective (RPO) – RPO refers to your organization’s “loss tolerance” or the amount of data that can be lost before the business suffers. The RPO is expressed as a time measurement from the event of loss to the most recent preceding backup. For example, if you determine that your business can function three days in between backups, then the RPO would be three days.

• Recovery Time Objective (RTO) – RTO refers to the amount of time in which business processes can feasibly be restored in the event of disruption. RTO is defined by the duration it would take to restore a system or process from backup, and can be measured in minutes, hours or days. For example, if your RTO is five hours, it means that your business can survive with systems down for this amount of time.

The major difference between RPO and RTO is their purpose. RPO focuses primarily on data and your overall resilience to the loss of data, while RTO is usually applied on a larger scale and looks at your entire organization and systems involved.

As part of your BIA, you should also consider the resources and requirements that are required for maintaining your critical functions. They may include:

• Your workforce and their capabilities• Management facilities • Supplies and equipment• Information and data• Technology (systems and applications)• Suppliers of goods and services



Step 3: Build a workforce continuity strategy

If your data center is fine, but your employees can’t access the data, documents and collaboration tools required for their work, then the business is still down - and you continue to lose productivity, reputation, customers and opportunities for every moment that it takes to get them back to work.

A complete BCP plan must hence encompass both infrastructure and workforce recovery, with technologies and best practices to ensure seamless operations.

To achieve this, the first step would be to cross-train your employees as part of your disaster recovery and business continuity strategy. Very often, businesses create a disaster recovery and business continuity plan that depends on just a few people.

To mitigate risk, you need to identify and cross-train a pool of employees who are capable of responding to a crisis. It also helps if this pool of resources is geographically dispersed in case of a large environmental disaster that affects all local employees. Having a workforce continuity strategy is essential for connecting dispersed employees to the tools and communications they need in instances where pandemic or natural disaster strike.


What it does: A workforce continuity strategy connects a dispersed workforce to the communications tools and technologies they require in instances when pandemic or natural disaster strike.


Step 4: Create a communications plan

Another critical component of a BCP is communication. In an organization, it is essential to be able to communicate with key personnel quickly and efficiently amid disruptions.

Having the right collaboration tools and technologies is crucial to supporting your workforce continuity strategy. Our APAC 2020: Enterprise Risk Management Readiness Survey Report*, revealed that over 50% of respondents cited the lack of collaboration tools as the primary roadblock for the implementation of remote working policies. This was coupled with the lack of expertise to implement these policies.

In a BCP, it is important that you encourage the use of communication and collaboration tools such as Microsoft Teams and Cisco Webex to ensure that all members can successfully connect.

Direct communication from senior leaders can help keep the team on track, especially amid an influx of misinformation and uncertainty.

Keeping external parties or stakeholders informed of ongoing activity will also be vital during uncertain times. Your BCP plan should establish who will be responsible for contacting necessary parties - be it your employees, investors, stakeholders or regulators – and how they will maintain these communications throughout.

*The APAC 2020: Enterprise Risk Management Readiness Survey was conducted in 1Q2020 and was based on responses from over 290 enterprise contacts across the Asia-Pacific region.


What it does: Amid unprecedented disruptions, it allows for swift and seamless communications both internally and with external stakeholders.


Step 5: Test, train and maintain your BCP

Business continuity exercises are an ongoing initiative and your plan must be regularly tested using the strategies you developed. The scope of assessment should include: testing objectives and associated measurement metrics, scenario scripts, improvement planning strategies and post-mortem findings. The focus of your tests will depend on which business functions, conditions, frequency or supporting information that you wish to assess.

In terms of frequency, it is recommended that organizations set up a testing schedule of at least once to twice in a year. Additionally, do ensure that your organisation is able to provide specific scripts or instructions to follow in a test so that they follow through as they should.

Simulation exercises are also recommended as part of BCP testing, training and maintenance. These can be conducted in-person or through virtual sessions and should involve department representatives from across the organization to facilitate and verify the planning process.

Get in touch to find out more about how the Cloud Communications division of NTT Ltd. can help facilitate your BCP and workforce continuity needs during times of uncertainty.

Contact us


What it does: Testing verifies the effectiveness of your plan, trains participantson what to do in the event of crisis and identifies areas that need improvement.

References:1.www.bmc.com/blogs/bcp-business-continuity-planning/2.www.investopedia.com/terms/b/business-continuity-planning.asp3.thinkwhy.com/news-detail/coronavirus-business-continuity-planning4.fmlink.com/articles/5-ways-remote-working-impacting-business-resilience/5.www.eci.com/blog/135-five-steps-of-business-continuity-planning-for-investment-firms.html6.www.ptonline.com/articles/what-is-workforce-continuity7.www.techadvisory.org/2014/07/the-difference-between-rto-and-rpo/

https://connect.arkadin.com/enterprise-risk-management

5 steps to developing a business continuity plan for health crises steps to developing a... · this...

Documents