Editor's note: This article was expanded and updated in November 2017.
Business continuity and disaster recovery (BC/DR) planning are critical activities for organizations of any size. This article and our free, downloadable business continuity policy template provide a useful starting point to prepare a business continuity policy. Read our tips, and then download the template.
Rather than leaving you to address problems only after a crisis strikes, a business continuity policy can help your organization recover from a disaster faster and get your systems up and running more smoothly.
Business continuity focuses on handling the failure of any part of an organization's IT platform so the business can continue to operate uninterrupted. A disaster recovery policy is intended to get IT resources back up and running again after processes stop working.
Basic elements of a business continuity policy
The three basic elements every business continuity policy should address are resilience, recovery and contingency planning.
Resilience means designing your enterprise's most important functions and infrastructures with the possibility of disaster at the forefront. With business resilience, your organization can continue to provide crucial services -- both locally and off site -- without disruption regardless of the cause of the interruption.
Recovery addresses the rapid restoration of business functions after a disaster or disruption. An important step here is to set recovery time objectives (RTOs) for applications, networks and systems to help prioritize the order of recovery. Other approaches to recovery include inventorying IT resources and partnering with third parties to take on business processes during a disaster.
Contingency planning describes the measures your organization can take to successfully react to any possible future situation or event. This would include conducting a business impact analysis, identifying preventive controls, and detailing a chain of command and responsibilities for staff. An information system contingency plan should also be created to ensure that plan testing, training and maintenance are taking place.
Steps for creating a business continuity policy
However you choose to create your plan -- from scratch or by using the business continuity policy template included with this article -- there are steps you can take to ensure its success.
- Make senior management aware of the plan and get their approval.
- Outline emergency action steps to take in case of an incident.
- Detail the types of incidents that will launch the BC plan.
- List key business processes to protect.
- Specify critical technologies to safeguard.
- Itemize RTOs and recovery point objectives.
- Identify key vendors, stakeholders, regulators and other third parties.
- Implement step-by-step procedures for various recovery activities.
- Develop processes for procuring emergency funds.
- Compile lists of vital records the organization requires to operate.
- Include references to all business recovery activities, such as data backup procedures and those for training, updating, testing, auditing and reviewing your business continuity strategies and plan.
Components of a business continuity policy
Policies for business continuity and disaster recovery can be simple -- a few paragraphs can set the foundation for BC/DR activities without going into a lot of specifics. More detail can be included if necessary, but most organizations will want to keep their initial policies relatively simple.
Here's a continuity management policy outline that addresses most issues:
- Introduction: States the fundamental reasons for having a BC/DR policy.
- Purpose and scope: Provides details on the policy's purpose and scope.
- Statement of policy: States the policy in clear and unambiguous terms.
- Policy leadership: States who is responsible for approving and implementing the policy, as well as levying penalties for noncompliance.
- Verification of policy compliance: States what is needed, e.g., assessments or exercises, to verify that BC/DR activities are in compliance with policies.
- Penalties for noncompliance: States penalties, e.g., verbal reprimand or note in personnel file, for failure to comply with policies.
- Appendixes (as needed): Additional reference information, such as lists of contacts, service-level agreements and additional details on specific policy statements.
After you have drafted a set of policies, have them reviewed by your department management, human resources and legal departments. Invite other relevant departments to comment if you have time.
Auditing business continuity policies
For auditing and effectiveness purposes, your business continuity management policies should adhere to or include components of one or more of the following BC standards:
- International Organization for Standardization 22301:2012;
- National Fire Protection Association 1600:2016;
- Federal Financial Institutions Examination Council BC Handbook; and
- Financial Industry Regulatory Authority Rule 4370.
There are also country-specific standards, regulations and good practices to consider. In the U.S. alone, that would include those from organizations such as ASIS International, the National Fire Protection Association, the Financial Industry Regulatory Authority, the Information Systems Audit and Control Association, the Federal Emergency Management Agency, the Federal Financial Institutions Examination Council and the National Institute of Standards and Technology.
In addition, observe the following best practices to help guarantee the success of business continuity audits:
- Make sure your organization's audit team knows when you are preparing the business continuity plan and systems. They should also be aware of associated assessments, such as risk and business impact analyses, training programs and maintenance exercises.
- Review previous BC/DR reports and operational audits for useful historical information and areas of weakness for re-examination.
- Educate the audit team with documentation regarding the standards, regulations and best practices you used to help create your business continuity policy.
- Work with the audit team to develop your business continuity audit program to define the scope of the audits and to establish frequency, responsibilities, planning needs, reporting activities and methodology.
A formal internal or external audit is a sound way to ensure a business continuity plan works and meets company objectives. A good audit enumerates the impact of any plan weaknesses and provides insight and recommendations for how to improve it.
Why do business continuity plans fail?
Business continuity plans fail for a number of different reasons. You may not have identified all the potential threats in your business continuity policy template. Or the plan may not have taken into account every aspect of the business, leaving some groups out in the cold. Perhaps your business continuity planning didn't contain a process to maintain communication among members of the BC team and other employees in the event of an interruption or disaster.
In addition, the business continuity plan may not have established which IT and business resources to restore first, and in what order. Or, if it did, it may have done so poorly. Lastly, and most importantly, you may have failed to properly document, maintain or test your business continuity plan.
How to test business continuity policies
Regular testing, in addition to the aforementioned audits, is an excellent way to make sure your business continuity policies are sound. There are three primary BC test types: plan review, tabletop test and simulation test.
A plan review requires business continuity plan stakeholders to closely examine the actual plan document to look for any absent components or elements and for discrepancies.
Tabletop tests gather members of the BC team in a room to walk through every step in the BC plan. This helps participants know exactly what their responsibilities are should an emergency arise. It can also help find inconsistencies, missing information and documentation errors.
Lastly, you should run a full-scale test or simulation using whatever business continuity resources -- backup systems, recovery sites and so on -- you've implemented and described in your business continuity policy template. It is best to mimic several different scenarios the organization may face when running your simulations.
In this article, we have provided a convenient starting point for developing business continuity policies. The process can be fairly simple, but the decision to develop and approve BC/DR policies is critical for organizations of any size.