The bigger an organisation gets, the more the plans multiply. There may be plans for dealing with contingencies, crises, disasters, emergencies, pandemics, risks and who knows what else, all in addition to your business continuity plan.
Even for small and medium-sized businesses, it is not always clear as to what should go into which plan, and how many of them you need. Here’s a quick rundown and rule of thumb guide to what you should have and how it all fits together.
The first step is to understand your business risks. Whether you are starting a business or already running one, you need to know what could affect it.
Depending on the risk in question, including its potential impact and probability of occurring, you then have up to four choices. You can eliminate it, transfer it to somebody else, mitigate it or accept it.
Your business continuity plan then starts with the risks you have decided to mitigate or accept. It is also a document that focuses on maintaining or restoring business operations.
While it does not ignore personal safety, items like evacuation procedures are handled in a separate emergency plan. The two plans can, of course, reference each other.
Other plans may be written according to specific needs:
- An IT disaster recovery plan (DRP) is increasingly common, because IT is such a big part of most businesses. A business continuity plan will reference any separate DRP, and IT disaster recovery can be considered a part of business continuity.
- High-profile enterprises and organisations may require a crisis management plan that includes not only emergency and safety procedures, but also public relations management.
- Specific threats with catastrophic consequences may also justify their own threat handling plans. Pandemic management plans, for example for flu, are an example.
Nowadays, a risk management plan, an emergency management plan, a business continuity plan, and a disaster recovery plan are a good basic set of plans to make, test, and maintain in good order.
Add plans for other specific threats according to the gravity and probability of those threats affecting you, your employees, and your business.