We are in a pandemic.
Governments around the world are demanding people isolate and work from home.
As a Compliance Professional, it’s time to reach for the Disaster Recovery Plan (DRP) or your Business Continuity Plan (BCP) and enact it.
However, this may be a problem for many organisations. They haven't got plans! It's always been an afterthought: "we really should get around to doing one".
There is good news. Start your planning now. You have time.
The following are our (Mango's) observations on how we did our Business Continuity Planning.
This is not an exhaustive list but just some pointers to help your business when you start planning:
- Just Start. When we started in business (20 years ago) we had an A4 page of things we would do in case of an emergency or if something went wrong. We found through experience the list wasn't right. The only thing we did right was to have started planning.
- Don't Focus on the Technical Stuff. The thing we did wrong was that we focused on the technical side of business continuity. We made sure PCs, servers and power were all up and running and that was about it. In hindsight, for most situations this was wrong.
- Focus on People. Your plan should always be focused around your people, your employees and your suppliers. Without them, none of the technical and general work will get done. We learnt this in the Christchurch Earthquake in 2011. In that event we lost power, communication, water and sewage. We soon realised we could do very little. But we could help family, friends and neighbours, and when services came back we could rely on them to help us.
- Determine Jobs and Functions. Next, list the jobs and functions in your business, so that when the time is right to enact your plan you can give clear instructions and assign jobs. Don’t be too prescriptive, as an Earthquake, a Mass Shooting and a Pandemic are all different events.
- Ensure the Plan is Simple. Don’t over document your plan. It should have a structure that is flexible to change depending on the emergency. This approach enables the plan to change and cope with the situation.
- Constantly Review the Plan. Review the plan annually. We have always formally reviewed our plan yearly or as the business changes. For example, when we got certified to the information security standard ISO 27001, we updated the security and privacy information in our plan.
The Mango Business Continuity Plan is only 7 pages long and has only 1300 words.
These are the headings in the plan:
- Employees – are they safe, can I speak to them and are they available.
- Disaster Recovery Team – assign responsibilities.
- Days and Steps – we look 3 days out and break down jobs and actions over that period.
- Office Infrastructure – equipment, physical, communication and internet.
- Product and Services – status and actions required to get business back to normal.
- Partners/Customer – communication: how we let them know how the business is once we are in a position to advise.
- Post emergency – congratulate ourselves on what went right, and learn and update the plan on the things we could do better.
- Test and review plan
Download your free Disaster Recovery Plan here:
Takeaway
So, to summarise the steps you should take, these are my key points:
- Start the plan, do not overthink it, and build on it.
- Focus on people, not on the technical side.
- Test it with your Disaster Recovery Team.
- Update it after an emergency.
- Review it annually.