A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
The BCP should state the essential functions of the business, identify which systems and processes must be sustained, and detail how to maintain them. It should take into account any possible business disruption.
With risks ranging from cyberattacks to natural disasters to human error, it is vital for an organization to have a business continuity plan to preserve its health and reputation. A proper BCP decreases the chance of a costly outage.
While IT administrators often create the plan, the participation of executive staff can aid the process, adding knowledge of the company, providing oversight and helping to ensure the BCP is regularly updated.
What a business continuity plan needs
According to business continuity consultant Paul Kirvan, a BCP should contain the following items:
- Initial data, including important contact information, located at the beginning of the plan
- Revision management process that describes change management procedures
- Purpose and scope
- How to use the plan, including guidelines as to when the plan will be initiated
- Policy information
- Emergency response and management
- Step-by-step procedures
- Checklists and flow diagrams
- Schedule for reviewing, testing and updating the plan
In the book Business Continuity and Disaster Recovery Planning for IT Professionals, Susan Snedaker recommends asking the following questions:
- How would the department function if desktops, laptops, servers, email and internet access were unavailable?
- What single points of failure exist? What risk controls or risk management systems are currently in place?
- What are the critical outsourced relationships and dependencies?
- During a disruption, what workarounds are there for key business processes?
- What is the minimum number of staff needed and what functions would they need to carry out?
- What are the key skills, knowledge or expertise needed to recover?
- What critical security or operational controls are needed if systems are down?
Business continuity planning steps
The business continuity planning process contains several steps, including:
- Initiating the project
- Information-gathering phase, featuring business impact analysis (BIA) and risk assessment (RA)
- Plan development
- Plan testing, maintenance and updating
Once the business has decided to undertake the planning process, the BIA and RA help to collect important data. The BIA pinpoints the mission-critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening and the possible damage they can cause.
The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response. The BCP should not be overly complex and does not need to be hundreds of pages long; it should contain just the right amount of information to keep the business running. For a small business, especially, a one-page plan with all the necessary details can be more helpful than a long one that is overwhelming and difficult to use. Those details should include the minimum resources needed for business continuance, the locations where that may take place, the personnel needed to accomplish it and potential costs.
The BCP should be current and accurate, which can be achieved through regular testing and maintenance. A business continuity plan test can be as simple as talking through the plan and as complex as a full run-through of what will happen in the event of a business disruption. The test can be planned well in advance or it can be more spur-of-the-moment to better simulate an unplanned event. If issues arise during testing, the plan should be corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.
A business continuity plan is a living document and should not sit on the shelf waiting for a crisis. It needs to be continually improved and staff should be kept up to date through regular educational awareness and testing activities. In addition, an internal or external business continuity plan audit evaluates the effectiveness of the BCP and highlights areas for improvement.
Business continuity planning software, tools and trends
There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. An organization bases its investment in assistance on the complexity of the business continuity planning task, amount of time and budget. Before making a purchase, it is advisable to research both products and vendors, evaluate demos and talk to other users.
The Federal Financial Institutions Examination Council's Business Continuity Planning booklet contains guidance for financial -- and nonfinancial -- professionals, delving into the BIA, RA, BC plan development and testing, standards and training.
SearchDisasterRecovery's free, downloadable business continuity plan template helps users create a successful BCP.
For more complicated functions, business continuity planning software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its "Business Continuity Planning Suite." Other business continuity software vendors include ClearView, Continuity Logic, Fusion and Sungard Availability Services.
The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it is advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management and strategic planning. Business continuity planning must also take into account emerging and growing technologies -- such as the cloud and virtualization -- and new threats, such as cyberattacks like ransomware.
Business continuity planning standards
Business continuity planning standards provide a starting point.
According to Kirvan, the International Organization for Standardization (ISO) 22301:2012 standard is generally regarded as the global standard for business continuity management. ISO 22301:2012 is often complemented by other standards, such as:
- ISO 22313: Guidance for a business continuity management system and continual improvement
- ISO 22317: Guidelines for business impact analysis
- ISO 22318: Continuity of supply chains
- ISO 22398: Exercise guidelines
- ISO 22399: Incident preparedness
Other standards include:
Emergency management and disaster recovery plans in BC planning
An emergency management plan is a document that helps to mitigate the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The specifically defined emergency management team takes the lead during a business disruption.
The emergency management plan, like the BCP, should be reviewed, tested and updated accordingly. It should be fairly simple and provide the steps necessary to get through an event. The plan also should be flexible, because situations are often very fluid, and the team should communicate frequently during the incident.
Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan details how an organization recovers after a business disruption. A business continuity plan is a more proactive approach, as it describes how an organization can maintain operations during an emergency.