You show up at work and the office building has burned down. Or, perhaps, the neighbourhood has been left in ruins by a hurricane or a massive flood. Or an earthquake has levelled the entire block. How do you contact your staff? Where are your files and critical client data? What do you do?
A business continuity plan ensures critical services or products are delivered during a disruption, according to Public Safety Canada. For an advisor, a plan entails a specific list of steps you and your staff can take in the event of a disaster in order to keep your business operating while maintaining control of critical data and communications with staff, clients and the institutions with which you do business.
Business continuity planning is an “all-hazards approach,” says Veronica Marsman, senior project manager with the Nova Scotia government’s Emergency Management Office.
“We don’t focus on the event that has caused the interruption,” she says, “but rather the impact to the organization that results from the interruption.”
The federal Office of Critical Infrastructure Protection and Emergency Preparedness outlines several steps in developing a business continuity plan.
First, there is governance. In the event of a calamity — you show up for work, for example, and your office building has burned down — who does what, when and how must be spelled out clearly.
This is often co-ordinated through an “incident command team,” a group of key employees including senior personnel who are trained to deal with a crisis and are responsible for overseeing the organization’s response to that crisis, says John Esvelt, director of information technology with Fraser Milner Casgrain LLP, a business law firm in Toronto.
Next, the plan must spell out the critical services, in order of importance, and how clients, staff, suppliers and others would be affected if disaster struck. This involves understanding what you do as an organization, how you do what you do and whom you serve, says Marsman. It means answering the question: what are our critical services?
This “what if” exercise is followed by a “what now” approach. “You need to have solutions in place to address a full range of situations,” says Susie Spencer, senior production manager in Utah with Symantec Corp., a computer security firm.
Take, for example, the burning building. “Identify the risks, then how they would be addressed,” says Allan Ebedes, president and CEO of the National Quality Institute in Toronto, which assists organizations with business continuity planning.
If your office has been destroyed, for instance, is there a place for staff to go? Do they know where that place is? You must determine how you will tell staff where to meet and how you will connect with clients. Also, is clients’ information protected? These are the types of questions that must be answered with specific instructions before the disaster strikes.
That action, advises Spencer, should be clear. “Solutions need to be simple and powerful,” she says.
Communication must be disaster-proof. A printed staff directory in everyone’s desk, or even an electronic version on a shared server, is no good to anyone when there is no office, no paper and no computer system.
However, providing all staff with a pocket-sized, laminated list of everyone (or, at least, the key contacts) and their home phone and cellphone numbers could prove invaluable in a crisis.
In identifying solutions, you will also discover where your firm is vulnerable, which, in turn, will help you to reduce or eliminate risks. For example, many firms rigorously back up the information they have in their computer systems — if not daily, at least weekly. But if the backup files are in the office and the office has just burned to the ground, that backup is lost. A simple solution and preventative measure: store all backup data off-site.
Once your plan is in place, it should be tested. “People need to take time to go through this process,” says Ebedes.
But this is where many organizations fall down. “Our research shows 50% of organizations that test say the test fails,” Spencer says.
That failure, she adds, occurs for three reasons: the technology didn’t do what it was supposed to do, people didn’t do what they were supposed to do or processes didn’t work as they were supposed to work.
Finally, there is maintenance. A business continuity plan that sits for years without being reviewed or revised is unlikely to be useful in an emergency.
“Because of the constantly evolving nature of organizations today, maintenance of the business continuity plan must have a high priority,” says Marsman. “As the organization changes, so should the plan to reflect the current state of the organization.”
Each organization needs to develop a “business continuity management culture,” according to Marsman.
“From front-line workers to those in management,” she says, “business continuity management should be reflected in what you do and how you do things.”
That means making business continuity planning a priority. “It’s absolutely essential,” says Ebedes. “If you don’t have it, your business may not continue.”
Is your practice prepared for a disaster?
All firms need a plan to get through events such as a fire, earthquake, hurricane, terrorist attack or other catastrophe
- By: donalee Moulton
- March 31, 2008
- 14:50