X

Business Continuity Planning (BCP) How-To Guide

Whether it’s a fire, flood, earthquake or pandemic, disasters can strike at a moment’s notice and many organizations are unprepared to respond and still function. In times of crisis, a well-thought out business continuity plan is critical to prevent interruptions to the business.

To enable your organization to respond quickly during a disaster, you need to put a current, reliable plan in the hands of all personnel who are responsible for carrying out any part of the BCP.  The lack of a plan doesn’t just mean your organization will take longer than necessary to recover from an event or incident — you could go out of business for good. Your employees need to understand what needs to be done to get the business back on track as quickly as possible.

Your BCP should be thorough and include readiness procedures to protect against possible threats and information on roles and responsibilities. Leaders need to be identified, understand their responsibilities and be equipped with relevant information to act during a crisis situation.

Google Legal is one organization who has spent the time to develop a robust Business Continuity Plan. Here are the steps they used to prepare their plan.

Business Continuity Plan Development at Google

By Mary O’Carroll, Director of Legal Operations, Google and President of CLOC

With help from Deloitte, Google’s Legal Department embarked on a project to create a business continuity plan for the department. To help others we would like to share the process that we used during the development of our Business Continuity Plan and the learnings we experienced. This how-to guide outlines the steps that were used to create our BCP.

Project Goal

Implement an event-neutral, impact-oriented, broad business continuity program to reduce the impacts and to support the expeditious recovery of critical legal processes in the event of a disaster.

Project Objectives: Prioritize Legal Business Processes

  1. Determine Qualitative and Quantitative Impacts
  2. Identify Dependencies
  3. Determine Recovery Requirements and Timeframes

Project Approach:

  1. Understand the Process (Create process maps)
  2. Conduct Business Impact Analysis (Understand the potential impacts from disruption and the resources required to perform your processes)
  3. Plan for Recovery (Develop recovery plans)

UNDERSTAND THE PROCESS

Meet with leads across each practice group or area in your department.  Create high level process maps for each key process or workstream that takes place on that team.  

Things to consider in each process:

  • Which location(s) is your process executed from?
  • Are there other business processes / areas that you depend on to perform your process?
  • What systems/tools/applications are needed?
  • Are there specific skills / resources that are essential to perform your
  • process?
  • Are there critical documents / vital records that you need access to in order to perform your process?
  • Does the process rely on a 3rd party?

CONDUCT A BUSINESS IMPACT ANALYSIS (BIA)

A BIA is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. Create your list of prioritized processes based on your BIA, focusing on critical workstreams by utilizing a questionnaire to ensure consistency across impact areas.

Outputs/Deliverables: Develop a prioritized list of processes based on impacts

Take each process or workstream in the department and rank them based on the five following impact areas across multiple time frames.  Create an objective five point scale for each of these impact areas that define the magnitude of the impact.  

  1. Financial impact: Impact on the finances of the organization (potential decrease in revenue, impact on cash flow) resulting from a business disruption.
  2. Legal and regulatory penalties:  Exposure of the organization to legal liabilities, penalties, and regulatory sanctions due to non-compliance with applicable regulations or adherence to legal and contractual obligation following a business interruption.
  3. Client experience:  Number of or percentage of clients or customers affected, how quickly the situation will impact clients, and risk of losing clients temporarily or permanently.
  4. Employee experience:  Risk to employee morale/culture which could result in high employee turnover resulting from a business disruption.
  5. External brand image: Impact to public confidence in the organization and negative publicity resulting from a business disruption.

Example:  Rate each workflow across this matrix on a scale from 1-5

NEXT STEPS: PLAN FOR RECOVERY

As a result of the BIA effort, we prioritized recovery efforts for the Legal Department and identified resources required for each process to be operational. The recommended next steps were to:

  1. Develop recovery procedures for prioritized business areas and processes
  2. Design, conduct, and evaluate tests to socialize, validate and improve procedures

Determine the recovery requirements for each critical workstream based on the following five areas:

  1. Building requirements: Which of the tasks can be supported by working remotely?  Are there alternate strategies to continue operations in case the primary facility is not available?
  2. Process dependency requirements: What processes within the Legal Department or other departments do you need in order to restore to normal operations? Is there a workaround available to support your team until the identified dependencies are available?
  3. Technology requirements: Identify all the applications that your team requires for the identified business processes. Can the identified processes be performed without the application for a limited time – indicate the workaround where applicable?
  4. Human resource requirements: What are various roles/titles within your team that are critical for defined business processes? How many personnel are available at each assigned role? How many personnel are required to support each business process at various time-periods after a disruption? How many of the personnel within each assigned role have the remote working capability? Are resources available at an alternate location?
  5. Third party requirements: Is there a key third party vendor who supports the identified processes?

Effective recovery procedures address short-, medium-, and long-term outages and account for the following considerations:

  • Building Specific Strategies
  • Technology Specific Strategies
  • Human Resources Strategies
  • 3rd Party Strategies
  • Dependencies
  • Focus on Impacts

Resource Category

Potential Recovery Strategies

Building Specific Strategies

Example: What will be the strategy for a loss of the physical office?

● Work remotely

● Preconfigured alternative worksite

● Transfer work to staff in other facilities/geographic areas

● Transfer work to outside counsel (or established third party service provider)

● Prioritize critical processes/activities and delay non-urgent tasks

Technology Specific Strategies

Example: What strategy will we take if crucial applications are not available?

● Manual workarounds

● Transfer work to unaffected staff (as applicable)

● Transfer work to outside counsel (or established third party service provider)

● Prioritize critical processes/activities and delay non-urgent tasks

Human Resources Strategies

Example: What if key resources are not available in the event of a disruption?

● Crosstrain existing staff/personnel on critical functions and processes

● Transfer work to staff in other facilities/ geographic areas

● Transfer work to outside counsel (or established third party service provider)

● Prioritize critical processes/activities and delay non-urgent tasks

● Hire/leverage contract staffing


3rd Party Strategies

Example: What workarounds are in place for third party unavailability?

● Develop alternative service provider for critical services

● Include SLAs and resiliency/recoverability clauses into contracts

● Crosstrain existing staff/personnel on critical processes/activities

KEY TAKEAWAYS AND LEARNINGS

Having a concrete business continuity plan plays an essential role in today’s environment at Google Legal. We learned that the most valuable part of the entire exercise was sitting down with team leaders and having a conversation about what is critical and how we might think about recovering those workflows. Given how much organizations move and change over time, it is a lofty expectation to develop BCPs for each workflow and to ensure they are kept up to date.  Setting aside a regular time to revisit that conversation each year and talk through the “what ifs” ensures that we’re aligned on how we would proceed.  

A clear, concise and well communicated BCP is not just a nice to have, it’s a critical necessity in today’s world.