Key Elements of a Successful Business Continuity Plan

"Everyone has a plan until they get punched in the mouth." — Mike Tyson In complex business management, the unexpected is inevitable. Challenges will arise when navigating a major transition, market shift, or critical carveout. While you can’t predict every issue, you can prepare for them with strategic contingency planning. Contingency planning is more than just a safety net; it’s essential for mitigating risks and ensuring resilience. The process begins with identifying critical processes—those functions that must continue regardless of circumstances. This includes operations like payroll, IT systems, and customer service. Next, assemble a planning team with diverse expertise from finance, operations, HR, and IT to ensure a comprehensive approach to risk management. Assess your business's most significant risks and develop targeted strategies to address them. This might involve creating backup systems, cross-training employees, securing alternative suppliers, or establishing clear communication protocols for crises. Once your plans are in place, you can rigorously test them through simulations and drills to identify weaknesses. Update and review your contingency plans regularly to keep them relevant. Adjust your strategies to reflect new risks or priorities. In high-stakes situations like corporate carveouts, where continuity is crucial, robust contingency plans are vital. Ensuring that critical operations are covered gives you peace of mind and prepares you to face the unexpected confidently. No plan can account for every scenario, but by focusing on what can be controlled and preparing for likely risks, you position your organization to handle surprises with agility. So, what events would cause you the most concern? How prepared is your business to navigate them? Solid contingency planning will mitigate risks and build a more resilient organization. #RiskManagement #BusinessStrategy #Leadership #ContingencyPlanning #CrisisManagement #Execution

Emergencies are unavoidable—fires, floods, shootings, cyberattacks. The only thing worse than an emergency is being unprepared for it. Just ask yesterday's "Worst Employer" nominee. A well-crafted Emergency Action Plan (EAP) keeps everyone safe and your business running. Here's 10 things to consider in creating one: 1./ Assess Your Risks Identify the emergencies most likely to hit you—whether natural disasters, workplace violence, or data breaches. Prioritize based on impact and likelihood. 2./ Get Employee Input Your employees are on the front lines and often spot risks management misses. Including their insights builds a better plan and fosters buy-in. 3./ Assign Clear Responsibilities Who calls 911? Who initiates evacuations? Everyone should know their role before an emergency strikes to avoid confusion in the heat of the moment. 4./ Map Out Evacuation Plans Chart exits, evacuation routes, and assembly points. Make sure everyone can evacuate safely, including employees with disabilities. 5./ Establish Communication Channels Use multiple methods—emails, texts, and phone trees. Keep clients, vendors, and other stakeholders informed, too. 6./ Stock Emergency Supplies First-aid kits, fire extinguishers, and flashlights are must-haves. Regularly check supplies so nothing fails in a real emergency. 7./ Plan for Business Continuity Know which processes must keep running and how to do it—whether remote work, cloud backups, or backup vendors. 8./ Stay Compliant Verify if OSHA or other laws require specific elements in your plan. Non-compliance can mean fines. 9./ Train, Drill, and Support Your Team Hold regular drills, offer training refreshers, and provide mental health support after stressful events. 10./ Debrief, Report, and Improve After every emergency or drill, debrief with your team. File necessary incident reports for OSHA or insurance. Assign someone to review and update the plan regularly. Emergencies aren't predictable, but your preparation should be. A well-thought-out EAP protects your people and helps your business bounce back as quickly and easily as possible.

Instead of starting with threats or systems, I start with the value stream. Why? Because business continuity isn’t really about hurricanes, power outages, or servers going down. It’s about something much simpler: preserving the flow of value through the business. Executives don’t care which database is offline. They care that customers can’t buy, contracts can’t close, or invoices can’t be sent. That’s the flow you’re protecting. Here’s how I break it down: 1️⃣ Identify the process that directly supports revenue or mission-critical outcomes. - What activity actually creates value? - For a SaaS platform, it might be the software deployment pipeline. - For a manufacturer, it might be raw materials through production to distribution. - For a hospital, it might be patient intake → treatment → billing. 2️⃣ Map each step in that process — people, systems, vendors, tools. - Who touches this? - What tech or suppliers does it rely on? - Where are the single points of failure? 3️⃣ Estimate what percentage of the company’s total revenue depends on this process. - If it fails, how much of your annual revenue would actually pause or disappear? - Is it a core process that drives 80% of revenue or a supporting function tied to 10%? 4️⃣ Estimate how much of that revenue is at risk in a realistic disruption. - Will you lose all revenue immediately? - Or just delay it? - Be conservative and credible — executives hate inflated numbers. 5️⃣ Spread that loss over operating hours to create an hourly cost of disruption. - Take the annual revenue at risk, divide it by 8,760 hours (for 24/7 ops) or by working hours for narrower processes. - Then add recovery costs (staff overtime, consultants) and reputational or compliance penalties. What you end up with isn’t perfect — but it’s credible. It turns abstract “criticality” into a number: This process costs $X per hour when it’s disrupted. Why this works: ✅ It sidesteps technical jargon — you’re talking value, not servers. ✅ It reframes continuity as a business problem, not an IT problem. ✅ It gives executives a simple, repeatable model to prioritize investments. ✅ And yes, it’s executive-friendly — because it speaks in dollars, not downtime. I’ll walk through a concrete example in my next post. But first, let me ask you — what would you add or improve in this approach? Have you seen a better way to make the financial case for continuity?

Disaster Recovery: It (literally) hit home during Blackhat! During the week of Blackhat in August, a fast-moving storm produced 6 tornadoes in Maryland. I wish I had been there to help my husband over the 3 days he had to live (and work) with without power, but I got home just in time to help him with the massive cleanup from the storm. It has taken us two weeks of clearing trees to even see the grass again. The winds were so fierce that broken tree branches were driven into the earth, and we have had to dig them up to move them. Luckily, no one was hurt in our area, but our little town is still recovering. Since I was a kid in a small Texas town, there was a plan. When we saw the storm coming we would head to the hallway bathroom and put a mattress over us. Sounds crazy, but that was our plan, and our family knew the drill. Through our personal disaster, I have been working on Business Continuity and Disaster Recovery Plans for our customers. We cannot predict nor stop events that can cripple our homes or businesses, sometimes for weeks, so what can we do to survive through them? Have a Plan! Why does your organization need a Business Continuity Plan (BCP)? For many it is a compliance requirement. I encourage everyone that if you are taking the time to develop a BCP for compliance, design it as if your business is going to use it. Identify the most critical processes for your business through conducting Business Impact Analyses (BIAs) with each business unit in the company. These help organizations prioritize response to keep the business afloat until operations are restored. This effort also sets Recovery Time Objective  (RTO) and Recovery Point Objectives (RPO) for restoration. Prioritization of services is key: every system cannot be restored in 4 hours. Then comes your Disaster Recovery (DR) Plan. What does this look like? Have you tested it? Can you failover to an alternate site successfully or restore critical systems in 4 hours? If you rely on third party partners to run the most critical components of your business, do you understand their DR Plan? In a year of unprecedented weather events and continued large-scale cyberattacks, this is a great time to have those conversations. From IT support teams carrying servers above their head through knee-deep waters to companies having to shift to writing paper checks to keep employees paid, I have seen the power of a plan keep organizations viable through the worst of times. If you need any help designing a plan, don’t hesitate to reach out. I am always ready to help. #businesscontinuity #disasterrecovery #businessresiliency #planning #restoration #compliance #cisos Photo: Our backyard after 4 trips to the dump.

Waiting until you have an incident to understand which of your systems are critical can have serious consequences, sometimes even life or death consequences. Here is an unusual example: It was recently reported that hackers launched a ransomware attack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. See https://lnkd.in/eVhzu429. The farmer apparently did not want to pay a $10K ransom, and thought he didn't really need data on the amount of milk produced in the short term. In addition, the milking robot also worked without a computer or network connection. The cows could therefore continue to be milked. The farmer, however, apparently didn't account for the fact that the data at issue was particularly important for pregnant animals. As a result of the attack, the farmer was unable to recognize that one calf was dying in the womb, and in the end, this lack of data may have prevented the famer from saving the calf. While most of us will hopefully not find themselves in this exact situation, the takeaways are the same for all of us: 1. CONDUCT A BIA: Consider conducting a business impact assessment (BIA) to understand the criticality and maximum tolerable downtime (MTD) of all your systems, processes, and activities, from a business or commercial standpoint. Of course, such analysis should include the health and safety impact of downtime. 2. VENDORS: As part of the BIA, consider assessing the MTD for each vendor as well. This will help you decide which primary vendors require a secondary, as well as define the terms of your contract with the secondary vendors. More details on backup vendors can be found here: https://lnkd.in/e-eVNvQz. 3. UPDATE YOUR BC/DR PLAN: Once you have conducted a BIA, update your business continuity and disaster recovery (BC/DR) plan to ensure that that your recovery time objective (RTO) and recovery point objective (RPO) are consistent with the MTD determined through your BIA. 4. PRACTICE: Conduct regular incident response (IR) and BC/DR tabletop exercises, as well as full failover exercises, to test and improve your ability to respond to a real event. Advice on conducting successful tabletop exercises can be found here: https://lnkd.in/eKrgV9Cg. Stay safe out there!