Copyright Samaritan Protective Services, Woodbridge, Virginia

The Only Thing Certain is Uncertainty

Businesses and organizations of all types and sectors face unique challenges to their operations on a daily basis, however some incidents can pose more significant risk than others. We live in an unpredictable world that poses hazards in many ways. From natural disasters to terrorist attacks or cyber threats, the risk landscape is ever evolving and requires consistent mitigation strategies. Some private sector businesses play a vital role in the protection, operation and maintenance of Critical Infrastructure (CI) systems. Some of these can include energy, healthcare, transportation and communications, requiring comprehensive strategies and planning to ensure continued operations after a disaster.

Organizations must update plans, train personnel and test their Continuity of Operations (COOP) planning on a regular basis. The planning process should include key leaders and stakeholders to determine the organization’s unique needs and challenges during a contingency. A Business Continuity Plan (BCP) must be tailored to each organization, their functions and essential operations; not approached with a cookie-cutter mentality.

What is Business / Organization Continuity Planning

In short, a BCP is a multifaceted set of detailed plans, processes and actions that facilitate mission essential tasks and operations continue, allowing the organization to recover from a significant negative impact event. The plan consists of numerous parts, including a detailed Risk Assessment, Business Process Analysis, Impact Analysis and prioritization of essential functions.

Determine Mission Essential Tasks & Operations

Determining essential tasks (and who is responsible for their execution) for the organization to continue operations is one of the most important and tedious parts of the BCP. This is a very unique and specialized process to each organization. What is vital for a telecommunications organization to continue operations will be different from a healthcare facility.

Some things to consider:

• Location: If the primary location of operations is compromised, is there a secondary location identified, equipped and staffed to support critical operations? Can these functions be accomplished remotely or require on-site personnel and specialized equipment?
• Communication: Does your organization require constant and reliable communication with staff, customers or government agencies? What happens when the power goes out? Has alternative power generation been considered? If power is off-line, does this affect your physical security systems?
• Specialized Equipment: Does your business require the use of special or not easily replaceable equipment or devices? If this device went off-line for a period of time, how would that effect operations? Are there operational redundancies or backups?
• People: People are the most important resource to any organization. Have key players been identified and understand their role in a contingency, to include any required delegation of authority? Are plans in place to provide life support, economic aid or support to families after a disaster? If a key player is incapacitated or unwilling/unable to support COOP operations, are others identified with the required training and understanding to perform the duties of the primary? Has a dedicated Crisis Action Team been established?
• Record Keeping: Most businesses are required to keep certain things on record for a period of time. This might be financial records, personnel files, client information or numerous other types of data that is crucial for the organization to operate. If access to this record was curtailed or the data was destroyed, how would this effect your organization? Are there backup servers, cloud-based resources or hard copies available?
• Partner Organizations: Some organizations require the assistance of outside entities or suppliers to effectively run operations day to day. What are the potential impacts if a key supplier is unable to deliver critical supplies or services? What are the impacts if this is reversed and your organization is unable to deliver? Are there additional vendors or partners available in emergency situations? Are agreements in place between partner organizations that specifically address contingencies?

Develop, Test and Update the Plan

A well designed BCP goes through a cycle and is continuously updated to reflect changes within the company, operating environment, personnel and new and emerging threats.