The business continuity planning process contains several steps. These include project initiation, risk assessment,...
business impact analysis, strategy development, plan development, plan exercising and maintenance, emergency communications, awareness and training, and coordination with public authorities.
For many professionals, these steps present a formidable challenge. To make the business continuity management process easier, people seek out alternatives, such as software, templates, checklists or consultants. While each of these options can build a plan and its associated program elements, too often these tools are used to get something done quickly. Typically, the process involves some data gathering and interviewing, followed by a fill-in-the-blanks business process that somehow magically creates a finished product.
SearchDisasterRecovery has created a free business continuity plan template to assist you in your BC planning. Download and print out our template, and then, read the step-by-step guide below to create a successful business continuity plan (BCP).
Why you need a business continuity plan
A BCP helps an organization continue to operate during a service interruption. It should state the key functions of the organization and have all the information necessary to keep business functions running.
A business must have a BC plan that tackles a variety of events, including natural disasters, workplace violence, failures in infrastructure and staff disruptions. In an age of cyberthreats, the plan should also take into account the possibility of such unplanned incidents as ransomware attacks and data breaches. Protecting data is paramount, as it is the lifeblood of many companies today.
If a business does not have a continuity plan when an interruption occurs, it risks financial, reputational and personal loss. With a small business especially, an extended service interruption can be catastrophic.
A business may require a continuity plan for compliance or insurance reasons. Proper business continuity planning also improves communications and helps the organization discover areas where it may be lacking.
This article is part of
General business continuity planning tips
The following checklist should be top of mind during BC planning.
Take the process seriously. If you want to protect your business from unplanned events that could disrupt operations, create a plan. It doesn't have to be hundreds of pages long. It just needs the right information, which should be current and accurate.
Use BC and disaster recovery (BC/DR) standards as a starting point. Almost two dozen BC standards are available worldwide. In the U.S., several options are currently in use:
- National Fire Protection Association 1600;
- International Organization for Standardization 22301; and
- Federal Financial Institutions Examination Council BC handbook used by the banking and finance sectors.
Keep it simple. Less can definitely be more in this situation, unless the user is primarily a technology-based group, such as IT.
Limit content to actual disaster response actions. If you are creating a plan to respond to specific incidents, include only the information needed for the response and subsequent recovery.
Make it happen. Once the BCP is complete, exercise it to ensure that the documented procedures make sense in the sequence indicated.
Be flexible. A single template may not be universally applicable to all departments or locations in your organization; consider other templates, software or consultants.
The keys to a creating a successful business continuity plan are to define step-by-step procedures for response and recovery, validate these activities through periodic exercising and maintain the plan and its various components.
Who should be involved in BCP planning
It is often the job of the IT administrator to create the BCP, but participation by executive staff and other employees can help make the document more comprehensive.
One of the key pieces of any BCP creation, the business impact analysis (BIA), requires input from employees. The BIA includes what employees do, what they need and the impact on the business if they can't do their work.
Gathering information through a BIA and risk assessment (RA) is critical because it helps to inform the business continuity plan. When the organization has enough information, it can fill out the free business continuity plan template found on this page.
When an organization has finished its BCP, employees should be thoroughly trained on the document to make sure they know what's required of them during an incident. Some employees, for example, will be part of the emergency response team. Training also provides guidance on how employees can implement BC principles into their daily work.
A guide to using our business continuity template
Here's a look at the structure and content of our free business continuity plan template, indicating key issues to address and activities to perform.
- Initial data: If you have identified various people to contact during a business disruption, locate their contact information at the front of the plan so you won't have to waste valuable seconds paging through a lengthy document.
- Revision management: Have a page that reflects your change management process.
- Purpose and scope (Sections 1.1 through 1.6): Provide details on these attributes, as well as assumptions, team descriptions, a list of terms and other background information.
- How to use the plan (Sections 1.7.1 through 1.7.4): Provide information on circumstances under which the plan will be activated, including outage time frames, who declares a disaster and who should be contacted in this situation.
- Provide policy information (Section 1.7.5): This is a good place to use standards documents as references.
- Emergency management and response (Section 1.7.6): Specify situations in which the plan is to be activated and response procedures.
- Use step-by-step procedures (Sections 1.7.7 through 1.7.10): These are easier to follow than broad general statements, such as "relocate to alternate building," that require considerable details to work properly.
- Plan review and maintenance (Section 1.8): Describe how often the plan is to be reviewed and updated and by whom.
- Alert/verification/declaration phase (Section 2): Assuming a situation has occurred, this provides steps to take to address it. These can be in the form of checklists (useful to keep track of scheduled and completed tasks) and flow diagrams that provide a high-level view of response and recovery. Information needs to be gathered before officially declaring a disaster. This includes damage assessment data and firsthand reports from staff and first responders. Convene meetings as needed with key emergency management team members to evaluate the facts before proceeding to a declaration.
- Disaster declared (Section 3): Address actions to take when it becomes obvious that management needs to declare a disaster. A damage assessment can be initiated either before or after the declaration; it is up to company management.
- Business recovery (Section 4): Provide detailed instructions on recovery operations, relocating to an alternate site and related activities.
- Detailed appendices (Section 5): These include lists and contact details on all emergency teams, primary and alternate vendors, alternate work space locations and other relevant information. It is very important to keep this information up to date.
- Additional forms (Appendix 5.7): These should be developed in advance, validated by exercising (as is the entire plan) and kept in a ready-to-use format.
Elements to consider when filling out the template
Remember that this free business continuity plan template is just that -- a template. Some sections may not apply as much to your business as others. Don't just fill out a section for the sake of filling it out if it's not going to help you during a business disruption.
Make sure you have the correct information, from contacts to procedures. Having the wrong phone number in a crisis situation can lead to even bigger problems.
Make sure you have the right amount of information to continue running your business. A plan that's two pages long may be more efficient than one that's 100 pages long.
Keep in mind how the minimum amount of staff and resources can keep the business functions running, and go from there. During an incident, there may not be a lot of time and resources at your disposal.
Remember to use the data and information you have accumulated in the RA and BIA. These two documents are valuable resources for BC planning.
Be specific in your directions. You don't want anything left up in the air during an unplanned incident.
Make sure your plan starts at the beginning and ends at the end -- as in, don't leave anything out across the entire business continuity process.
Testing the plan
After the organization completes its BCP, which includes getting approval from the management team, it should circulate the document and make sure employees know how to view it. For redundancy, the document should be available as a hard copy in multiple places and also online, perhaps through a company intranet site.
The BCP shouldn't sit on a shelf; it should be a living document. An organization should keep its plan updated through testing, review and maintenance.
Testing ranges from talking about the plan to doing a full-scale run-through of what the business will do in the event of an incident. Testing can be planned, but unplanned tests are also important to better mimic an unforeseen event. The organization then reviews the test and makes sure all the information is correct. During the maintenance phase, the organization corrects any issues that came up in testing and review. An internal or external audit of the BCP is also helpful for improvement.
Review of the BCP doesn't need to happen all at once. However, remember to constantly review areas that are most likely to change frequently, such as contact information. Having a schedule is another way to ensure the completion of important business continuity plan exercises.
Continual improvement is a key to an updated, comprehensive BCP.
An organization can perform BCP exercises at the same time as other similar tasks, such as DR testing.
A guide to business continuity and disaster recovery planning
Continually improve your business continuity
Using BC/DR templates