At first you may be frustrated that there are many functions, and due to a lack of resources all cannot be considered or addressed in your plan. Upon compiling a list, prioritize them into what are critical, essential, or non-essential. Think how a loss of any of these functions would impact people, operations, and reputation of the company. Consider using the following as a guide:
Business function ratings:
It is important to establish priorities since there are rarely enough resources to respond to every situation. To further help refine the critical business functions, determine which ones must be immediately addressed and immediately recovered. Prioritize them according to recovery time or “Maximum Allowable Down Time.This is the time from loss of the function to time when continued disruption is detrimental to the business:
Immediate – 0 to 24 hours
Delayed – 24 hours to 7 days
Deferred – more than 7 days
The critical business functions that must be immediately recovered must be addressed first and all resources directed to them.
Then, list any perceived or actual internal and external threats (manmade or natural) that could impact those critical business functions and what can be done to minimize or prevent such incidents. These threats should align with threats identified by the other major functions within your company as part of the company`s annual strategic plan. Reviewing the history of past events, not only within your company but outside in the community, can also be very helpful. Upon estimating how vulnerable your company is to those threats, determine its risk tolerance towards these threats. Then, an allocation of resources to prevent or respond to such incidents can be made.
This process cannot be done alone but will require the support and contribution of partners within the company as well as outside community resources such as the local police and fire department. The companies with the most effective business continuity programs ensure that it is aligned with the company`s annual risks and threats, and with cross functional stakeholders involved.