8 steps for planning your emergency and disaster plan
Whether it’s a natural disaster such as an ice storm, a serious accident in an industrial plant or a ransomware attack, an unforeseen event can disrupt business operations at any company.
Your employees may not be able to work or access equipment, systems or data; your suppliers may face a shortage of the materials you need to continue your business activities; or demand for your services may simply decline.
The key benefits of a business continuity plan
No one can predict the future; however, you can be ready with a sound business continuity plan. Getting a plan in place shows your employees, shareholders and customers that you are a proactive organization; it also improves overall efficiency in your company and helps you allocate the right financial, human and technical resources to keep your firm up and running during a serious disruption.
Here are 8 basic steps to keep in mind when putting together your plan. Click on the link in each step to find more information and useful templates from BDC’s complete Business Continuity Plan template.
Assign a team the responsibility for emergency preparedness. Select a few managers or an existing committee to take charge of the project.
It’s advisable to assign one person to lead the planning process. You should also ensure that this “emergency manager” has the authority to get things done.
As with other business aspects, planning for an emergency relies on the following:
- an understanding of the organizational objectives
- solid risk assessment and business impact analysis
- creative alternatives to challenges
- a reliable decision-making process
What are the key roles and responsibilities of your emergency preparedness team?
Planning and implementation
- Develop a business continuity plan (BCP), and include or add an IT disaster recovery plan (DRP) and incident response plan (IRP). These plans should include information on what situations trigger the plan’s activation. For example, the DRP is typically activated if IT infrastructure (hardware or software) is affected.
- Establish alert levels and monitor them.
- Develop training and cross-training plans.
- Identify key business partners such as suppliers and clients and determine if they have a BCP.
- Assess the potential financial impact of an emergency on the business.
- Ensure adequate supplies (emergency safety equipment, such as personal protective equipment, or in the event of a pandemic, hygiene supplies like hand sanitizers, cleaning products, masks and protective barriers).
- Have local site manager(s) implement the plan.
- Perform trial run of the plan.
Policies, procedures, organization
- Establish policies such as compensation and absences, return-to-work procedures, telecommuting, flexible work hours and travel restrictions.
- Define chain of command for plan implementation.
- Establish emergency safety policies for the workplace. For example, in the event of a pandemic, policies that will help prevent the spread of influenza, such as promoting respiratory/hygiene/cough etiquette, and prompt exclusion of people with influenza symptoms.
- Establish policies for employees who are directly affected by the emergency. For example, in the event of a pandemic, policies for employees who have been exposed.
Communications
- Maintain good communications and manage relations with all levels of staff.
- Advise senior management.
- Instill the importance of the BCP (including the DRP and IRP) throughout the organization.
- Liaise with local government agencies such as Health Canada, Public Safety Canada and the Privacy Commissioner of Canada (the last to report any personal data violation).
- Prepare and disseminate timely and accurate information to all employees.
- Educate staff about possible emergencies. For example, in the event of a pandemic, give information on signs and symptoms of influenza, modes of transmission, personal and family protection, and response strategies.
- Evaluate and maintain communications through various forms of technology.
- Help prepare training on the subject.
- Have local site managers implement the plan.
Use the “Planning team for business continuity” template in the Business Continuity Plan template to clearly identify and keep contact information for team members and the coordinator who will create your BCP.
During an emergency, your business may experience a disruption in your operations due to:
- high staff absenteeism
- unavailability of supplies and materials
- disrupted access to data, systems and equipment
- interruptions to services like power, transportation and communications
Objective of the business continuity planning process
Determine how your organization will maintain essential services and functions in the event of an emergency.
What are essential services?
These are services that:
- create an impact on the health and safety of individuals
- may lead to the failure of a business unit if activities are not performed in a specified time period
- in some organizations, must be performed to satisfy regulatory requirements
- if not performed, may have an immediate or proximate impact
This means that your business may be forced to modify, reduce, or even eliminate specific services and functions to cope with the impacts of the emergency. The changes may have an impact across the organization or affect specific business units.
As you begin discussions, you may find that you have existing resources that you can use to extract information about essential services in your organization, such as pandemic plans.
How to determine and prioritize your essential services
- Complete the essential services ranking template in the Business Continuity Plan template.
- This will help you create your list of essential services by department or business unit. You will then need to rate the degree to which it will negatively impact the various key areas such as financials, employees, customers and technology.
- Prioritize and categorize by using the essential services criticalness factor template in the Business Continuity Plan template.
- For each essential service, assign a degree of criticalness (Priority A, B or C). Rate the impact on each service such as staff absenteeism, unavailability of critical supplies, or disruptions to essential systems.
- Priority A: Essential services/functions
- Priority B: Services that can be suspended for a short period of time, such as one month.
- Priority C: Services that can be suspended for an extended period of time. This may require a corporate overview.
As part of your business continuity planning process, you’ll need to identify the number of staff and skills required to perform and maintain the essential services/functions.
Use the essential services criticalness factor template to help you capture the information necessary to develop your plan.
Try to identify any special requirements necessary to perform the essential services/functions (e.g., licence to operate heavy machinery).
You may also wish to prepare a list of special tasks and skills required in emergency situations and assign them to appropriate employees, such as crisis management team, employee support, IT backup and restoration and defining security perimeters.
Additional sites with useful information:
Discuss what will happen if you have to reduce, modify or eliminate essential services or functions. Document the following points:
- all issues that can be identified
- action plans for each issue
- individual responsibilities for each essential service or function
Strategies and action plans
Use the Action plan for maintaining essential service template to write your plans for each essential service or function. This should include:
- a description of the service or function
- individuals responsible for implementing the action plan
- backup individuals
- business impact issues
- a disaster recovery plan that includes key information such as your notification communication plan, staff relocation, alternate resources, suppliers, an inventory of technology hardware, software and data, a list of technical personnel, your data backup plan and a priority list for recovery based on the information prepared in earlier steps (such as your business impact analysis)
- resource needs
Key contacts
Use the available templates to create lists of key contacts and ways to reach them.
Customers
Being proactive in contacting important customers can go a long way in mitigating losses. Use the Action plan for key customers template to list customers who would need and expect a personal notification from you, or who would be offended or take their business elsewhere if they were not contacted.
Include the following information on your list:
- Product or service provided: Use the comments to indicate the reason that this customer should be contacted in an emergency, along with a description of the product or service provided.
- Contact person’s name: If there is no specific person to list in an organization, you can list a title or department (e.g., “service representative on call” or “service department”).
- Contact’s phone numbers and email: Include all possible ways to reach the customer, including cellphone and landline numbers, email address and LinkedIn or company website.
- Alternate names and numbers: Where possible, list alternatives to the primary contact person.
- 24-hour service: If your customer does not have 24-hour service, discuss with them how to contact them during off-hours. Reassure them that the information will have limited distribution.
- Comments: Include any significant information, including the reason this customer should be contacted following an incident, and instructions the customer would need.
Suppliers and subcontractors
Use the Action plan for critical suppliers template to list essential information on your key suppliers. The information should be the same as that described for key customers, above.
Business partners and support providers
This is for important partners who do not fall into the earlier categories but that you would need to contact in the event of an emergency:
- Business partners (internal and external) that are neither vendors nor customers. These would include internal business units who rely on your business for information or your management and business units that would support your recovery. Some examples include corporate insurance, internal security, facilities, public relations, legal entities, cybersecurity and service providers.
- Support providers include emergency-response agencies such as police, fire, utility companies, and the Canadian Red Cross. (Documentation should mention whether your community uses the 911 system.)
Use the Action plan for business partners template to list essential information about these other partners. The information should be the same as that described for key customers above.
Review your Business Continuity Plan to make sure that all issues have been addressed and identify any areas in which you may need additional documentation.
The Business continuity plan checklist was developed to ensure that you’ve covered most aspects of your plan, including:
- the impact on your business, employees and customers
- policies to be implemented during an emergency
- resources allocated to protect your employees and customers
- communication with employees
- coordination with external organizations and community outreach
Impact on your business
- Have you identified an emergency coordinator or team and clearly defined their roles and responsibilities? Do you need to involve employee representatives?
- Have you identified the employees and critical inputs you need to maintain business operations during an emergency?
- Have you trained and prepared a backup workforce?
- Have you planned for scenarios that are likely to affect the demand for your products or services during an emergency?
- What is the potential impact of an emergency on company financials, as well as on different product lines, production sites, technology systems and data?
- What is the potential impact of an emergency on business-related domestic and international travel?
- Have you established the financial impact of an unexpected outage or service disruption on your technology systems or data (e.g., hardware failure or cyberattack)?
- Do you have access to up-to-date, reliable information on emergencies from community public health, emergency management, and other sources? Do the links to this information function?
- Do you have an emergency communication plan?
- What mechanisms are in place to regularly revise and update the plan to ensure the information is current?
- Have you tested out your plan?
Impact on your employees and customers
- Have you planned for employee absences during an emergency?
- Do you have guidelines to reduce face-to-face contact in the workplace and with customers in the event of a pandemic?
- Do you encourage and monitor annual employee flu vaccinations?
- Have you evaluated access to and the availability of employee healthcare services during an emergency? Do these services need improvement?
- Have you evaluated access to and availability of employee mental health and social services during an emergency?
- Have you identified employees and key customers with special needs? Are their needs incorporated into your BCP?
Establishing policies to be implemented during an emergency
- Have you established emergency policies for employee compensation and sick-leaves?
- Have you established flexible policies regarding remote work?
- Have you established policies to prevent the spread of disease at the worksite?
- Do you have policies for employees who have been exposed, are suspected to be ill, or become ill at the worksite?
- Have you established policies for restricting travel to affected geographic areas, evacuating employees working in or near an affected area when an emergency occurs, and guidance for employees returning from affected areas?
- Have you set up authorities, triggers, and procedures for activating and terminating the company’s response plan, for altering business operations and for transferring business knowledge to key employees?
- Does your BCP include an IT disaster recovery plan that provides an inventory of hardware, software applications and data, backup sites, technology personnel, workflow and recovery priorities?
- Does your BCP include an incident response plan to allow your organization to quickly and effectively respond to cyberattacks and natural disasters?
Allocating resources to protect your employees and customers during an emergency
- Do you provide sufficient and accessible emergency supplies?
- Do you need to enhance communications and information technology infrastructures to support employee telecommuting and remote customer access?
- Will medical consultation and advice be available for emergency response?
Communicating with employees
- Have you developed and disseminated programs and materials covering emergency fundamentals?
- Have you prepared to address fears and anxieties that may present themselves from employees or ways to mitigate potential rumours and misinformation?
- Are your communications culturally and linguistically appropriate?
- Have you disseminated information to employees about your emergency preparedness and response plan?
- Have you provided information for the at-home care of ill employees and family members?
- Do you have a platform for communicating emergency status and actions to employees, vendors, suppliers, and customers inside and outside the worksite in a consistent and timely way? Have you included redundancies in the emergency contact system, including in the event of disruption to your information technology systems and data?
- Have you identified community sources for timely and accurate emergency information? Resources for obtaining safety equipment and countermeasures?
- Have you established policies for employees on computer safety and internet usage?
Coordinating with external organizations and helping your community
- Have you consulted insurers, health plans, and major local healthcare facilities to share your emergency plans and understand their capabilities and plans?
- Have you consulted your IT service providers and other technology partners to discuss your DRP and incident response plan, and understand their capabilities?
- Have you consulted federal, provincial, and local public agencies or emergency responders?
- Have you asked local or provincial public agencies or emergency responders how your business might contribute to the community in case of disaster?
- Do you share best practices with other businesses in your community, chambers of commerce, and associations to improve collective response efforts?
- Have you established a plan for communicating with customers, the public and partners in the event of a security breach or disruption in your information technology?
You should present a draft of the BCP (including IT disaster recovery plan and incident response plan) to your emergency preparedness team for review and/or comment. Since the committee will understand the overall corporate impact of an emergency, they should review to ensure that your plan:
- is consistent for all business units/departments
- addresses all critical elements
The committee should also oversee monitoring the progress of the initiative.
Be proactive by putting your plans to the test and performing trial runs. This will help you identify any missing aspects or possible weaknesses. It’s also important to update the plans regularly. For example, you’ll want to be sure your plan is current in terms of personnel and supplier contacts, and technology systems.
BDC is here to help
Our Advisory Services experts can help you complete and implement a business continuity plan to ensure your business remains resilient through any crisis. Contact us is you’d like to learn more.