A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
The BCP should state the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. It should take into account any possible business disruption.
With risks ranging from cyberattacks to natural disasters to human error, it is vital for an organization to have a business continuity plan to preserve its health and reputation. A proper BCP decreases the chance of a costly outage.
While IT administrators often create the plan, the participation of executive staff can aid the process, adding knowledge of the company, providing oversight and helping to ensure the BCP is regularly updated.
Importance of business continuity planning
BCP is a proactive business process that enables a company to understand potential weaknesses and threats to their organization in times of crisis. The creation of a continuity plan assures that company leaders can react quickly and efficiently to business interruption.
A BCP allows a company to continue to serve customers during a crisis and minimize the likelihood of customers going to competitors. A BCP decreases business downtime, and outlines the steps to be taken -- before, during and after an emergency -- in order to maintain the company's financial viability.
Elements of a business continuity plan
According to business continuity consultant Paul Kirvan, a BCP should contain the following items:
- Initial data, including important contact information, located at the beginning of the plan
- Revision management process that describes change management procedures
- Purpose and scope
- How to use the plan, including guidelines as to when the plan will be initiated
- Policy information
- Emergency response and management
- Step-by-step procedures
- Checklists and flow diagrams
- Schedule for reviewing, testing and updating the plan
In the book Business Continuity and Disaster Recovery Planning for IT Professionals, Susan Snedaker recommends asking the following questions:
- How would the department function if desktops, laptops, servers, email and internet access were unavailable?
- What single points of failure exist?
- What risk controls or risk management systems are currently in place?
- What are the critical outsourced relationships and dependencies?
- During a disruption, what workarounds are there for key business processes?
- What is the minimum number of staff needed and what functions would they need to carry out?
- What are the key skills, knowledge or expertise needed to recover?
- What critical security or operational controls are needed if systems are down?
Business continuity planning steps
The business continuity planning process contains several steps, including:
Once the business has decided to undertake the planning process, the BIA and RA help to collect important data. The BIA pinpoints the mission-critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening and the possible damage they can cause.
The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response. The BCP should not be overly complex and does not need to be hundreds of pages long; it should contain just the right amount of information to keep the business running. For a small business, especially, a one-page plan with all the necessary details can be more helpful than a long one that is overwhelming and difficult to use. Those details should include the minimum resources needed for business continuance, the locations where that may take place, the personnel needed to accomplish it and potential costs.
Key implementation steps
- Decide who will oversee the plan. Ideally, a BCP committee will include business, security and IT leaders.
- Conduct the business impact analysis (BIA).
- Answer business continuity questions such as:
- Who will be affected by a business disruption?
- Who holds hard/remote copies of contact information for top customers/clients?
- How and when will customers/employees/management be notified?
- What are the alternative means of communication if phones go down?
- Which employees are critical to the restoration of business function and how will they be reached/relocated?
- Which critical products and services should the company focus on restoring first?
- What issues will need to be addressed within the first 24 to 48 hours?
- Does every team/department have their own BCP? Who is in charge of each?
- What is the emergency succession plan for senior staff including the CEO?
- Which employees will perform emergency tasks?
- Where will offsite crisis meetings take place?
- Who will interact with local emergency response groups (e.g., firefighters, police)?
- Who are the key vendors and back up vendors?
- Create a BCP that includes specific actions and assigned roles for each stage of the emergency, including:
- Initial response - This defines how the company will respond to the business interruption within the first hours. This is the period when team members are contacted and the BCP plan is activated.
- Relocation - During this stage, alternate facilities are activated and work-at-home policies implemented.
- Recovery - Once personnel and equipment have been relocated, the assessment of damage and monitoring of business recovery begins.
- Restoration - This is the period after personnel return to the original workplace or an alternate facility. This is when the company undertakes infrastructure verification, documents the incident, and reviews lessons learned.
Technology, processes, staff, and facilities are in a constant state of flux. Therefore, a continuity plan must be tested, reviewed and updated regularly. BCP testing should be undertaken using tabletop exercises, walk-throughs, practice crisis communications, and emergency enactments to see how employees and executives react under stress and test the viability of the plan.
The BCP should be current and accurate, which can be achieved through regular testing and maintenance. A business continuity plan test can be as simple as talking through the plan and as complex as a full run-through of what will happen in the event of a business disruption. The test can be planned well in advance or it can be more spur-of-the-moment to better simulate an unplanned event. If issues arise during testing, the plan should be corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.
A business continuity plan is a living document and should not sit on the shelf waiting for a crisis. It needs to be continually improved and staff should be kept up to date through regular educational awareness and testing activities. In addition, an internal or external business continuity plan audit evaluates the effectiveness of the BCP and highlights areas for improvement.
For specific BCP testing steps, download the guide, Business continuity and disaster recovery testing templates.
Business continuity planning software, tools, and trends
There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. An organization bases its investment in assistance on the complexity of the business continuity planning task, amount of time and budget. Before making a purchase, it is advisable to research both products and vendors, evaluate demos and talk to other users.
The Federal Financial Institutions Examination Council's Business Continuity Planning booklet contains guidance for financial -- and nonfinancial -- professionals, delving into the BIA, RA, BC plan development and testing, standards and training.
SearchDisasterRecovery's free, downloadable business continuity plan template helps users create a successful BCP.
For more complicated functions, business continuity planning software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its "Business Continuity Planning Suite." Other business continuity software vendors include ClearView, Continuity Logic, Fusion, and Sungard Availability Services.
The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it is advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management, and strategic planning. Business continuity planning must also take into account emerging and growing technologies -- such as the cloud and virtualization -- and new threats, such as cyberattacks like ransomware.
Business continuity planning standards
Business continuity planning standards provide a starting point.
According to Kirvan, the International Organization for Standardization (ISO) 22301:2012 standard is generally regarded as the global standard for business continuity management. (ISO 22301:2012 is currently under review and will be replaced by ISO/FDIS 22301.) ISO 22301:2012 is often complemented by other standards, such as:
- ISO 22313: Guidance for a business continuity management system and continual improvement
- ISO 22317: Guidelines for business impact analysis
- ISO 22318: Continuity of supply chains
- ISO 22398: Exercise guidelines
- ISO 22399: Incident preparedness
Other standards include:
Emergency management and disaster recovery plans in BC planning
An emergency management plan is a document that helps to mitigate the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The specifically defined emergency management team takes the lead during a business disruption.
The emergency management plan, like the BCP, should be reviewed, tested and updated accordingly. It should be fairly simple and provide the steps necessary to get through an event. The plan also should be flexible, because situations are often very fluid, and the team should communicate frequently during the incident.
Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan is reactive as it details how an organization recovers after a business disruption. A business continuity plan is a more proactive approach, as it describes how an organization can maintain operations during an emergency.