Business Continuity Management Preparing Your Business For Emergencies

The document discusses business continuity management which helps businesses prepare for emergencies through crisis management, disaster recovery, and business continuity planning. It describes what should be covered in a business continuity plan including who, what, where, how questions and the key steps to developing a plan which are assessing risks, determining impacts, developing a recovery strategy, documenting the plan, and testing the plan.

GE Capital

Business continuity management: Preparing your business for emergencies

viewpoint


When you think of unforeseen events that might disrupt your business, some obvious ones come to mind: natural
disasters, power outages, data breaches and acts of terrorism, to name a few. But there are also a host of more
common threats that can derail most forms of commerce, ranging from flu outbreaks to labor strikes, supply chain
interruptions to negative publicity.
For the same reason that individuals take out insurance
policies to protect their homes and their health, companies need to protect themselves against these kinds
of disruptions so they can: minimize the loss of data,
revenue and customers; get core business functions
back up and running efficiently; reduce dependency on
specific personnel; maintain the company's reputation;
and, in extreme cases, safeguard human life. According to Business Network of Emergency Resources,
44 percent of businesses that do not have recovery
plans in place and lose records during a disaster never
resume business, and 47 percent of businesses without
such a plan who experience a fire or theft are out of
business within two years.

Business continuity management, a three-pronged
strategy comprised of crisis management, disaster
recovery and business continuity planning, helps
avoid these outcomes by arming business leaders
with a blueprint for minimizing damage and recovering quickly when the unexpected happens. Since
the domain of financial services firms and insurance companies became mandated by law to have
recovery plans in place, business continuity management is now practiced across many industries
and by businesses large and small, either because
they recognize the benefits or they are required by
their business partners to plan for emergencies.

What should a business continuity plan cover?


The last thing you want to do during a crisis is spend
time trying to figure out what decisions you need to
make. A big part of planning ahead for emergencies
is understanding those decisions and knowing how to
prioritize them in the heat of the moment. Critical questions you should be asking as part of business continuity management include, but are not limited to:

Who? You need to know who is going to make
key decisions, which employees are critical
to maintaining business operations, and
who is going to step in for critical employees
who can't perform their tasks as needed.

What? IT equipment and other infrastructure
needed to conduct business may be compromised
and you need a plan to restore this equipment
or turn to a suitable alternative. You also need
to know what you are going to communicate to
customers, stakeholders and the press.

Where? Employees need to know where they are
going to be able to work if their routine workspaces
are compromised, and they need to know where to
retrieve data and supplies in the event they are lost
or destroyed.

How? You need processes in place to guide your
employees as they seek to answer the questions
above, and you need to know how you are going to
communicate with workers and customers under a
wide variety of scenarios.

Businesses can answer each of these questions
by adopting a three-pronged strategy that breaks
decisions into three major categories: crisis
management, disaster recovery and business
continuity.

Crisis management
Above and beyond any other considerations, the
safety of your employees has to come first. You need
an emergency response process in place to establish
your workers' whereabouts, take head counts, manage evacuations, identify safe zones or shelters, and
coordinate with emergency authorities. After the safety
of your workforce is established, you need someone
within your organization to serve a command-and-control function, coordinating the response of each
business and the interactions between them, prioritizing and allocating resources, and managing media
communications.

A recovery coordinator should lead the crisis
management team and that person should have the
ear of senior management. The recovery coordinator
should be supported by a blend of representatives from
operations, facilities, administration, communications,
IT and human resources.

Disaster recovery
Where crisis management focuses on people, disaster
recovery is mainly concerned with the information
technology and other infrastructure that are required to
conduct business. The disaster recovery team works to
ensure that critical information is being backed up on
a regular basis, that alternate systems are in place to
carry the load when IT components are compromised,
and that the loss of data is minimized. In a perfect
world, all data is backed up daily and fully-equipped
alternate sites are at the ready during times of crisis.
However, these solutions in many cases may be cost
prohibitive, so it's up to the disaster recovery teams to
judge which information or IT capabilities the company
can't afford to lose.
Due to the focus on technology systems and
components, this team is mainly comprised of IT
specialists, but representatives of each business
are included to help assess the nature and extent
of any problems and report back to their respective
departments.

Business continuity
One of four discrete threat scenarios typically causes
business interruption and your business should have
a plan for addressing each one from a business process
perspective:
1. Loss of facility: The place where work
happens is compromised in some way.
2. Loss of IT: Employees and customers lose access
to information technology resources that are
needed to support revenue-generating activities.
3. Loss of a critical vendor: A key business partner
experiences their own disruption, which in turn
affects your ability to service customers.
4. Loss of workforce: Key personnel
are unavailable to work.
The business continuity team is the most forward-looking of the three, as it documents how the company
will respond, in a methodical step-by-step way, when
addressing each of these disruptions before they occur.
When a crisis hits, they work to ensure that these
procedures are being followed, that workarounds
are operating as designed, that authority is being
delegated properly, and that external partners such as
vendors are actively involved if necessary.

The business continuity team is comprised of XXXX.

All three teams need to be involved in the planning
process when a business begins to map out its strategy
for managing events that could seriously threaten the
health of its workforce, compromise its ability to deliver
products and services to customers, or tarnish the
company's reputation.

The process for building a formal business continuity
management plan typically involves five key steps: 1)
assessing the risks, 2) determining the business impact
if those risks come to fruition, 3) developing a recovery
strategy, 4) developing and documenting the formal
plan, and 5) validating and testing the plan.

Step 1: Conducting a risk assessment
The first step in crafting a business continuity plan is to
understand and catalog the multitude of risks that can
impact your business. These range from geographical
threats (e.g., hurricanes in the U.S. Southeast, snow or
ice in the U.S. Midwest and U.S. Northeast, earthquakes
in California), to security risks (both cyber-related
and physical breaches), to personnel issues (e.g.,
pandemics, labor unions, location-specific workforce
issues in remote corners of the world), to infrastructure
disruptions (e.g., IT failure, lost power/phone service).
Businesses should also consider potential threats to
vendors, who may be exposed to many of these same
risks, as well as local economic conditions such as low
unemployment that could make it difficult to solve
staffing shortages.
While these issues can affect all businesses equally,
there are also risks specific to your company that
should be identified and analyzed. For instance, a
refrigerant company whose business is keeping
customers' food products fresh has to consider the risk
of freezer failure.

Step 2: Analyzing business impacts
The second step entails examining the worst case
scenarios if any of the identified risks actually come
to fruition. These impacts should include not only
the quantitative aspects such as lost revenue and
associated expenses, but the qualitative costs as well,
such as potential hits to your corporate image and
compromised customer service.
The business continuity team's task is to identify
those business processes that would be jeopardized
in such an event, and how those disruptions would
impact the business from a financial, legal, regulatory
and customer relationship perspective. Business
dependencies also need to be assessed, as your
company may be able to restore its internal processes
quickly but business can't resume because a data
provider or other outside partner is still in recovery
mode.

While the business continuity team is getting a
handle on potential business impacts from a broad
perspective, the disaster recovery team should be
conducting a technical impact analysis to understand
how different businesses within the organization would
be affected by an IT disruption, such as loss of Internet
connectivity or a critical application.

Understanding these potential repercussions is important because it helps you prioritize your recovery plans
to focus first on those processes that would cause the
most harm if they were compromised for a prolonged
period. Conversely, you may decide that those processes with relatively low potential impact could go a
number of days or weeks before they began to meaningfully impact the business.

Step 3: Setting a recovery strategy


Next, your business needs a game plan for how it's
going to recover when any of the risks your company
faces materialize. One helpful way to think about
this aspect of the planning exercise is to match up
the four kinds of loss identified above with how your
organization would optimally respond.
Loss of facility
Your business needs a workplace strategy in case your
existing locations are rendered unavailable. In some
instances, employees may be able to accomplish their
work from home or another remote location. In others,
work may need to be transferred to a sister site or
another location within your company.
Loss of IT
Your business should have technical workarounds
should you lose access to data or applications
needed to operate and generate revenue. The
disaster recovery team will want to make sure the
business is backing up vital records and other critical
information, and that redundant IT systems are in
place that share the same data but not the same
location in case one of them is inoperable. The
team will also want to decide whether to maintain
a hot site (an alternate location where all systems
are loaded and ready to go), a warm site (basic
machines exist but may or may not have operating
systems on them) or a cold site (an empty alternative
workspace where IT systems can be installed) to
house IT processes in the event of an emergency.
Loss of a critical vendor
Even when you require your vendors to have their own
business continuity plans in place, you can't control
what happens within their organization when a crisis
hits. You should have emergency contact numbers
for each vendor, and a contingency plan for obtaining
products or services when they aren't able to recover
quickly.
Loss of workforce
Losing key personnel can be just as disruptive as
losing a main supplier or service provider. That's why
each business should have a plan that identifies what
work needs to be done no matter what, and what
work can wait. When the employees who normally
manage critical tasks can't be counted on, you may
need to leverage other people within your organization.
The business continuity team should have a well-established workflow assignment plan that maps out
which employees will be pulled into critical assignments
in the case of emergencies. Your business should
ensure that employees are cross trained on different
tasks to ensure they establish a basic competency level
for work assignments they may be asked to cover.
As these determinations are made, you should conduct
cost-benefit analyses along the way to make sure that
the expenses tied to your contingency plans in each
area don't exceed their level of importance to your
business. A lot of companies exhibit a tendency to go
overboard on business continuity plans, sometimes at
great expense. Some costs may in fact be prohibitive.
For instance, a hot site for IT applications may offer the
quickest recovery but won't be worth the expense if the
businesses those applications support can go a few
days without them and still keep customers happy.
Step 4: Formalizing the plan
Once the recovery strategy has been discussed, it's
time to write down the procedures that will guide
employees' step-by-step responses in each scenario.
When it comes to business continuity, a certain degree
of flexibility is needed so employees don't fall into
the trap of not being able to respond to changing
conditions as they occur. These procedures are meant
to help them prioritize decisions that need to be made
and provide general guidance on how to make them.
By contrast, the technical procedures drafted by the
disaster recovery team should be detailed and precise.
After all, when an application needs to be brought
back online, there's only one way to do it. As such, the
team should create explicit instructions for aiding the
recovery of lost IT applications and components, along
with an inventory of all Internet protocol (IP) addresses
associated with the business and emergency contact
information for any IT vendors.

Importantly, you need to consider all of the
assumptions that underpin your plan during this step,
particularly those related to the recovery schedule and
the timing of each step along the way. For instance, if
your strategy spans a recovery period of two weeks,
you need to come up with alternate plans for what you
will do if your business is still working at less than full
capacity when that time is up.
Step 5: Validating the plan
Having a formal plan will allow you to begin the process
of training all personnel who will be involved when a
crisis hits, from key executives to members of all three
teams, to vendors. The more they understand their own
individual responsibilities, the better equipped your organization will be to act quickly and efficiently throughout the recovery timeline. This training should begin as
a series of tabletop exercises, where different scenarios
are considered so employees can understand their
assignments and expectations from the standpoint of
timing and results. During these meetings the business
continuity team members stress the interdependencies
between departments and response teams, so that
individual responders will understand how their actions
will relate to others. The tabletop exercises should
eventually transition to real-life walkthroughs.
During this final step, it's important to be on the lookout
for procedures that may need to change or adjust in
the face of wrong assumptions or new information.
Each team leader should be thinking of ways the
plan may get off track, so that gaps can be remedied
beforehand.

Conclusion
Most business leaders like to think that if they deliver a superior good or service, customers will stick
by them no matter what comes. But, in reality, even
the most loyal customer will hold out only for so long
before they go elsewhere to meet their needs. These
days, there are any number of growing threats that
can knock a business out of commission for an extended period of time, increasing the chances of
losing sales that never come back. Knowing how
your business would respond ahead of time to these
potential disruptions is the best way to soften the
blow, protect critical information and processes, and
help your organization recover as quickly as possible.

GE Capital is an extension of GE's rich heritage of building
and supporting growth. Investing in the sectors we know
best, we can provide more than just financing: We bring
insight, knowledge and expertise to every loan. And as a
result, businesses that finance with GE Capital benefit from
the global know-how and expertise of GE.
gecapital.com

© 2014 General Electric Capital Corporation. All rights reserved.

This publication provides general information and should not be used or taken as
business, financial, tax, accounting, legal or other advice. It has been prepared without
regard to the circumstances and objectives of anyone who may review it; therefore,
you should not rely on this publication in place of expert advice or the exercise of your
independent judgment. The views expressed in this publication reflect those of the
authors and contributors and not necessarily the views of General Electric Capital
Corporation or any of its affiliates (together, GE). GE does not guarantee that the
information contained in this publication is reliable, accurate, complete or current,
and GE assumes no responsibility to update or amend the publication. GE makes no
representation or warranties of any kind whatsoever regarding the contents of this
publication, and accepts no liability of any kind for any loss or harm arising from the use
of the information contained in this publication.
GE, General Electric Company, General Electric, General Electric Capital Corporation,
the GE Logo, and various other marks and logos used in this publication are registered
trademarks, trade names and service marks of General Electric Company. You may
not use, reproduce, or redistribute this publication, any part of this publication, or any
trademark or trade name without the written permission of GE.
