Business continuity plans will be a key component of your approach to operational resilience. While there are differences between Business Continuity Plans and Disaster Recovery Plans, the terms are often used interchangeably, and they are used interchangeably in this article.
The importance of these plans should not be underestimated. There are a number of surveys that show that 40% of businesses disappear after being hit by a major business disruption.
The regulator's discussion paper on operational resilience should be reviewed when developing your Business Continuity Plan. Your plan should be discussed with your IT company/staff to ensure it is robust from an IT perspective. In addition, we have set out some other points to consider.
While most Credit Unions have plans in place, they are often focused solely on a disruption to the place of business. Plans often only cover events such as fires, earthquakes or flooding. Disruptions such as cyber attacks or the loss of key individuals or suppliers are often more common and should be included in your business continuity plans.
Testing the Plan
Even the best plans in the world are of limited value if they are not regularly and fully tested. We have seen backups fail with disastrous consequences, and it is important to check that you can fully restore from them. Having arrangements to use alternative premises can be a key part of a good continuity plan, but do the premises have the hardware and cabling required?
It is not just the member database that needs to be backed up but also copies of key forms and documents that you will need in the event of a disruption. Backups should be stored far enough away from the office to reduce the chances of both being impacted in the event of a disaster.
Some cyber attacks may not be identified for a period of time after they have infected your systems. It is therefore important that you have a range of backups over a period of time in case recent data is infected. Any backup should of course be encrypted and held in a secure location.
Distributing the Plan
The plan also needs to be distributed and kept off site. We have seen plans where the only copy is on the office server or only one person has access to the plan. If anything happened to either, the organisation would be left without a plan.
Contact details for staff, officers, key suppliers and the regulator should also be documented in the plan. These details will change often, so it is important that the plan is regularly updated.
It is also important that the plan is written as clearly as possible. In the event of a disruption people often panic, so instructions need to be as clear as possible.
These are just some of the aspects that need to be considered in developing your business continuity plan. Please see our Operational Resilience page for more assistance.