A Deming Cycle Approach to Business Continuity Strategy

It’s not a question of if but when a business will encounter disruption. Challenges are inevitable, whether natural disasters, cybersecurity breaches, or other unforeseen emergencies. How your company responds will determine its trajectory.

Forty-three percent of small businesses affected by a natural disaster never reopen. But a business continuity strategy can prevent your business from living the statistics. We’ve talked to financial, aerospace, and telecom industry leaders to understand their business continuity strategies. Read on to learn about crafting an adaptable, systemic approach to navigating expected and unforeseen challenges.

A Cyclical Approach to Business Continuity

Business is not static, and neither are the threats to operations. Organizations need dynamic frameworks to navigate uncertainty in an environment characterized by constant change and evolving risks. That’s why many companies turn to the Deming Cycle, also known as PDCA (Plan-Do-Check-Act).

Developed by Dr. W. Edwards Deming, this model emphasizes a cyclical process of planning, executing, evaluating, and refining. Its iterative nature fosters continuous improvement and adaptation, making it a valuable tool in various domains, from quality management to problem-solving.

• Plan: Develop a robust continuity strategy
• Do: Execute the preparedness measures
• Check: Assess effectiveness through testing
• Act: Adjust based on feedback for continual improvement

How to Build Your Business Continuity Strategy

A business continuity strategy ensures your organization can maintain operational resilience during and after a crisis. With a systematic approach, you can manage various disruptions effectively. But first, you need to understand the potential threats to your business and how those threats would disrupt operational continuity.

This assessment process is critical for your initial planning and as an ongoing pulse check to ensure your business continuity strategy is effective—considering how your organization’s vulnerabilities and risks are changing.

We follow a slight alternative to the Plan-Do-Check-Act approach: the Design-Test-Reflect-Iterate Cycle.

• Design: Develop the initial framework
• Test: Implement controls to assess functionality and performance
• Reflect: Evaluate outcomes and identify critical optimizations
• Iterate: Adapt the strategy for improved business continuity management

1. Design a working business continuity management strategy

Identify stakeholders and plan leaders

A business continuity management (BCM) team is responsible for implementing your plan, so choosing the right people is vital to success. It’s typically an interdisciplinary team made up of individuals from various departments and roles within the organization, including:

• Business Continuity Manager: This individual leads the continuity program’s development, implementation, and maintenance.
• Risk Management Specialist: They identify, assess, and prioritize risks to the organization’s operations.
• IT Director/Manager: This leader ensures critical IT systems and infrastructure resilience.
• Operations Manager: Their role involves coordinating continuity efforts across departments and ensuring operational readiness.
• Human Resources Manager: They are responsible for developing employee safety, communication, and workforce continuity plans.
• Facilities Manager: This leader addresses physical security and facility-related risks.
• Supply Chain Manager: They are responsible for assessing supply chain risks and developing strategies for continuity.
• Legal and Compliance Officer: Their responsibilities include continuity plan compliance with regulatory requirements and contractual obligations.
• Communications Coordinator: Their main task is to develop communication protocols and channels for internal and external stakeholders during emergencies.
• Team Leaders: These individuals act as boots on the ground, providing direction and guidance to workers on the floor, in the field, or wherever they’re located.

By assembling a diverse and capable team with representation from these key areas, organizations can effectively address all aspects of business continuity planning and enhance their resilience to disruptions.

Assess potential risks and impacts

Only by knowing your risk profile inside and out can you manage and mitigate the risks to business continuity. The more you know, the more proactive you can be.

Assessments come in different forms. A threat or risk assessment considers the potential causes of disruptions, such as natural disasters, cyberattacks, power outages, supply chain interruptions, public demonstrations, public health risks, and many more. On the other hand, a business impact analysis focuses on the impacts that arise from these emergencies and disruptions, such as downtime, travel delays, compromised data, increased costs, facilities damage, delayed or lost income, regulatory fines, reputational damage, and more.

Begin with both types of assessment to understand the vulnerabilities and risks that could threaten business continuity.

Set your recovery time objective (RTO)

When setting a recovery time objective (RTO), you must consider your organization’s specific needs and priorities. Start by evaluating the criticality of each business process or system, considering factors such as customer expectations, regulatory requirements, and financial implications. Determine the maximum tolerable downtime for each function, keeping in mind that mission-critical systems may require a shorter RTO than less essential processes.

Once you’ve defined the RTOs for your key business functions, develop comprehensive strategies to achieve them. This may involve implementing redundant systems, establishing backup procedures, and investing in technologies that minimize downtime. Review and update your RTOs to ensure they remain relevant and aligned with your evolving business needs.

Remember to conduct tests and simulations regularly to validate the achievability of your RTOs and identify areas for improvement in your recovery strategies. Setting realistic and achievable recovery time objectives can enhance your organization’s preparedness for disruptions and minimize their impact on your operations and stakeholders.

Develop plans to prevent, mitigate, respond to, and recover from business disruptions

You might as well consider every version of your business continuity plan (BCP) a rough draft. Until it has been tested, you can’t be sure it’s comprehensive or effective enough to safeguard your business operations. Here are some necessary elements to consider for your dynamic strategy:

• The tools and the team to monitor threats and determine their potential impacts on your organization
• An emergency communication plan and a software system to keep everyone connected during expected and unexpected crises
• Backup plans, equipment, locations, power, and any other redundancies that will keep operations running

Read more about the business continuity planning process on our blog.

2. Test your plan during actual and simulated emergencies

Train employees

In the previous step, you determined which stakeholders need to be involved in the planning and preparedness efforts, risk mitigation, response procedures, disaster recovery, and any other elements of your business continuity strategy. This next phase involves preparing these people for their responsibilities. Here are suggested trainings tailored to each stakeholder’s role within the business continuity framework:

• Business Continuity Manager: Training should cover developing and maintaining the continuity program, including risk assessment methodologies, plan development, testing protocols, and coordination with departmental stakeholders.
• Risk Management Specialist: Offer detailed training on risk assessment techniques such as scenario analysis, impact assessment, and probability assessment.
• IT Director/Manager: Conduct technical training on data backup and recovery procedures, system redundancy configurations, cybersecurity best practices, and incident response protocols.
• Operations Manager: Provide training on crisis management principles, including incident response procedures, business impact analysis, and resource allocation strategies.
• Human Resources Manager: Offer comprehensive training on crisis communication strategies, employee safety protocols, and workforce continuity planning. Include modules on remote work arrangements, employee assistance programs, and psychological support during crises.
• Facilities Manager: Review building security systems, access control protocols, emergency response drills, and facility maintenance procedures.
• Supply Chain Manager: Provide training on supply chain risk management techniques, including supplier assessment methodologies, inventory management strategies, and alternative sourcing options.
• Legal and Compliance Officer: Cover topics such as data protection laws, industry standards, contractual obligations for continuity services, and legal implications of business disruptions.
• Communications Coordinator: Provide comprehensive training on crisis communication strategies, including message development, media relations, stakeholder engagement techniques, and communication channel management.

By providing detailed and targeted training to each stakeholder, you ensure they have the necessary knowledge and skills to contribute to the organization’s business continuity efforts effectively. Of course, a significant part of that training is testing the skills they’ve learned.

Conduct drills and other exercises

Emergency drills, full-scale simulations, and tabletop exercises can test your preparedness, response, and recovery plans. These exercises allow you to identify weaknesses and gaps in your plans in a controlled environment, enabling you to address them proactively before a real crisis occurs. By simulating various scenarios, you can evaluate the effectiveness of your communication protocols, decision-making processes, and resource allocation strategies.

Involving key stakeholders in these exercises fosters collaboration, enhances coordination, and increases familiarity with their roles and responsibilities during emergencies. Regularly conducting drills and exercises ensures your team remains well-prepared and agile in responding to unexpected events, strengthening your organization’s resilience and ability to navigate challenges effectively.

After-action reviews following exercises, not just actual emergencies, are essential for continuous improvement and learning. These reviews provide an opportunity to evaluate the effectiveness of your response and recovery plans in a structured manner before putting them to the test with your business on the line. By examining what went well and what could be improved, you can identify lessons learned and best practices to incorporate into future planning efforts.

On top of that, conducting after-action reviews fosters a culture of accountability and transparency within your organization, encouraging open communication and constructive feedback among team members. This process allows you to iterate on your strategies and capabilities, ensuring you are better prepared to handle real emergencies when they arise.

Activate the plan as any actual threats or disruptions arise

Hopefully, you’ve been able to prioritize training and exercises before a significant crisis hits. Doing so ensures that your team is well-prepared to execute the plan with confidence and efficiency when it matters most.

However, even if you haven’t had the opportunity to conduct extensive training beforehand, your preparation through drills and simulations will still significantly enhance your response capabilities. Remember to remain agile and adaptable during emergencies, leveraging the knowledge and experience gained from training to make informed decisions and effectively manage the situation.

3. Reflect on the plan’s effectiveness and its need to evolve

Perform after-action reviews

After-action reviews (AARs) enhance business resilience by providing a structured post-crisis evaluation and improvement framework. These reviews thoroughly examine the response to a crisis or disruption, aiming to identify strengths, weaknesses, and opportunities for enhancement. They allow you to test your business continuity plan and management systems in real-time to address any gaps. Typically conducted shortly after the event, AARs gather input from key stakeholders involved in the response effort, including frontline responders, managers, and support staff.

Conducting an AAR begins with a comprehensive review of the incident, including the timeline of events, actions taken, and outcomes achieved. This retrospective analysis allows participants to understand what transpired during the crisis and how the organization responded. Facilitators guide discussions by prompting participants to reflect on their experiences, share observations, and identify successes and improvement areas.

Central to the AAR process is emphasizing open and honest communication, creating a safe space for participants to voice their perspectives and insights without fear of retribution. This collaborative approach fosters a culture of continuous learning and improvement within the organization. By soliciting feedback from all levels of the organization, AARs capture diverse perspectives, enriching the insights gained from the review process.

Determine gaps and necessary contingency plans

The ultimate goal of conducting AARs is to distill lessons learned from the crisis response and translate them into actionable improvements to the organization’s business continuity plan and risk management strategy. This may involve updating procedures, refining communication protocols, or investing additional resources to address identified gaps. By leveraging the insights gleaned from AARs, organizations can strengthen their preparedness for future crises, enhancing their resilience and ability to navigate adversity effectively.

4. Iterate on your strategy in light of dynamic risks

Adapt to company changes

The after-action reviews are what keep the cycle turning. While the advance threat and impact assessments help you align with and prioritize what you know, post-event reviews are about opening up to what you don’t know—or what you didn’t know with the most recent iteration of your plan.

You may only know about certain vulnerabilities once you are in an actual or simulated emergency. So, looking back and acting on those learnings is foundational to business continuity.

Adapt to changing risk

Twenty years ago, businesses rarely considered the effect that a prolonged pandemic could have on their ability to operate. Continuity plans were based more on immediate threats like natural disasters or economic downturns.

However, the landscape has shifted dramatically, emphasizing the need for organizations to adapt and expand their risk management strategies to encompass emerging threats such as pandemics. The global impact of COVID-19 has underscored the importance of proactive planning and preparedness for unforeseen events that can disrupt operations on a massive scale. As businesses navigate the complexities of this evolving risk landscape, it becomes increasingly crucial to prioritize resilience and agility in their continuity planning efforts.

In response to the lessons learned from COVID-19 and other emerging risks, business leaders can take proactive steps to stay ahead of future challenges. To adapt to changing risks, you should:

• Conduct regular risk assessments to identify vulnerabilities.
• Diversify supply chains to mitigate disruptions.
• Prioritize employee well-being and flexible work arrangements.
• Implement cross-training programs to ensure redundancy in critical roles.
• Maintain adequate financial reserves to weather economic uncertainties.
• Strengthen cybersecurity measures for remote work environments by implementing multi-factor authentication, encryption, and regular security training.

Organizations can also make use of various technologies for proactive threat monitoring. Threat intelligence platforms can help them discover cyber risks, while real-time alert tools can keep them ahead of natural disasters or other widespread disruptions.

Strategic Planning to Keep the Wheel Turning

Business continuity planning is not a nice-to-have but a necessity in today’s unpredictable world. Whether it’s a natural disaster, cybersecurity breach, or other unforeseen emergency, the ability to respond effectively can make or break a business. As industry leaders and best practices highlight, adopting a structured approach like the PDCA cycle is essential for building resilience and adaptability.

Learning from business continuity strategy examples, companies can prioritize collaboration, real-time communication, and flexibility in their response efforts. Download our business continuity checklist for a template to help guide you on solid business continuity planning.