This article is sponsored by First Defense Solutions.
You've probably heard the old saying, “Hope for the best but plan for the worst.”
It's been around at least since the days of Marcus Tullius Cicero, a Roman politician, lawyer, and orator who lived from 106 BC to 43 BC.
Empire building was a big deal in those days and the most important part of that was empire preserving. Cicero, Mark Antony and the rest of the toga set were concerned about commerce, supply chain, continuity of government and preserving prosperity – just like now in 2019.
Cicero knew there were threats to the empire, from the recurve bows and arrows of Attila the Hun's hordes to Hannibal's elephant army marching across the Alps. Stress-inducing threats, indeed, but wise Cicero knew planning for the worst was much more effective than worrying.
“It is foolish to tear one’s hair in grief, as though sorrow would be made less by baldness.”
The Romans were practicing Business Continuity Management (BCM). They just hadn't invented acronyms yet.
Keeping a business running in the midst of disaster is what BCM is all about. You can’t schedule disasters, but you can plan to mitigate their effects. Whether it’s fires and floods, critical accidents by personnel, server crashes, viruses, hacking attacks, or even stock market crashes, you want to have a plan in place for resiliency and recovery.
Although often described as “just common sense,” it’s really about taking responsibility and taking business continuity seriously.
First Defense Solutions is a local company dedicated to redefining how businesses and schools view security, offering workable, thoughtful solutions to enable businesses to lead their staff and clients through a crisis and ensure optimal resiliency.
Continuing Lifestyle Frisco's series of articles profiling First Defense Solutions and the services they provide, we had a conversation with company co-founder Heidi Wysocki to learn about the BCM services they provide.
LsF: What is business continuity management and how does it add value to a business?
Business Continuity Management, or BCM, is the program you have in place to keep your lights on and business running through or as soon as possible after a crisis. Nearly half of small to mid-sized businesses have no BCM plan at all, and over 75% close down within a year of a crisis, so it's important to have the plan in place.
Larger companies that depend on you as part of their supply chain will generally only partner with businesses that show commitment and forethought to delivering the product no matter what.
Having BCM in place will make a small business more competitive and more likely to get those contracts.
LsF: Is there a strategy behind this strategy?
The BCM process includes 9 critical practices, including a broad-spectrum risk assessment where we analyze and prioritize risks based on impact to the company; strategies to handle those risks; incident response and crisis communication; establishing what you need to restore, from what point and in what order; and training for your employees, to name a few.
While it can sound complex or overwhelming (or expensive), First Defense Solutions is here to do the heavy lifting for you. With over 3 million Texans employed by SMBs just in the DFW area, we believe that BCM needs to be a part of every business, so we've worked to bring Big-4 quality consulting to small business budgets.
LsF: What expertise does First Defense Solutions offer? How are your BCM experts certified?
I'm nationally certified through Disaster Recovery Institute International (DRII.org), the leader in the industry. With experience working with Pfizer's corporate BCM team and as a PwC management consultant, we bring professionalism and expertise that is generally only available to large-scale companies.
LsF: Why is social media important in a BCM effort?
It's important for an organization, whether it's a school or a business, to get in front of the situation and manage the flow and tenor of information. The goal is to get clear, direct information to people who need it and prevent misinformation from creating panic.
LsF: Speaking of managing the flow and overall tone of messaging, what does a crisis communications strategy look like?
This is such a small portion of the overall process. Can we talk about risk assessment instead? I'd like to explain the value of this process and how it's useful not only for a crisis but as a tool for your daily business practices.
LsF: Absolutely. Thank you for the clarification.
When we do a risk assessment, we use several data gathering tools (think surveys and interviews as examples) to pull together a list of what the risks are.
These cover everything from natural disasters like a tornado or flood, to workplace violence, third-party supply shortages, or maybe a sprinkler system malfunction that ruins your computers and shuts down your office for a few days.
How will you continue providing customer service if a major part of your manufacturing line breaks and there's a ten-day wait for the repair parts? How will your clients react? What if you're hacked and the ransom is 5000 in bitcoin to get your data back?
There are all sorts of crazy things that can happen, and while we can't avoid or plan for everything, we can take a good look at most risks and decide in advance how we want to react.
An interesting part of this process is determining Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). We talk about current processes such as data backups and decide how much data needs to be recovered, starting at what point in time, and how long you can wait to recover it.
There was a community-based hospital in the Midwest that didn't really consider RTOs and was hacked to the point where 14,000 patient records were held for ransom. They had a recovery plan for their patient data at an offsite backup. However, they would have to wait three weeks to get that back up.
With patients coming in the door within hours, they ended up spending hundreds of thousands of dollars to pay the ransom and get back the data, pay for security upgrades in an emergency, and their budget for the year was in shambles. Had they committed to a BCM program up front, this impact would have been minimized, if the threat even came to pass at all.
LsF: That's incredible.
Another benefit to establishing RPOs and RTOs, particularly for small companies, is that they can use that data to talk about processes that may not add the value that justifies continuing doing it at all.
Have you ever received a monthly report and immediately filed it in your email without even opening it? RPOs and RTOs allow you to smoke out those processes and decide as a company whether they're really needed or if you can reallocate those resources to something more valuable.
LsF: I understand First Defense Solutions offers three different BCM plans to address any business size or need. Is there a minimum size for a business? A maximum size? How do your billing rates work?
Our target audience for our BCM program is small to mid-sized businesses. From 5-10 employees with $500k annual revenue, up to several thousand employees with multiple business lines and up to $5 billion annual revenue, we offer solutions to fit everyone.
We offer three levels: DIY, Crash Course, and Full Consulting. Our DIY plan is a downloadable set of templates with a detailed guide to follow. While you can download mad-lib style templates for free from other companies, we're offering an abridged version of our Crash Course that provides you with context and actual guidance.
We also include a one-hour consultation to help get you on the road, but you will need to create your own training courses and do the stress testing and reviews. It's a great place to begin the process and at less than $1000, it fits into any budget.
Our most popular program is a one-week Crash Course. We send some homework ahead of time and come to your office for a week to guide you through the entire process. At the end of the week, we take the information and decisions back, create the plan and return to do a Train the Trainer course, so that you can add BCM to your onboarding or as a town hall for your entire team, on your own timeline.
The Crash Course is ideal for most companies. We do the heavy lifting and give you a robust plan to implement and maintain.
For larger, complex organizations we provide a full consulting plan. Time and cost are dependent on the scope. (And we offer a discount for non-profits.)
LsF: What would you characterize as the most important part of a BCM plan?
Leadership and support is where BCM begins and ends, like any other critical work function. Its value can't be overstated. Our goal as a small business is to ensure the vitality and health of fellow small businesses, which is why we are as reasonably priced as we are.
For more information:
First Defense Solutions has released the first in a series of informational videos on BCM. You can find it here.