When creating your business continuity planning steps, you have several options: build them from scratch, using available books, templates and other reference materials; hire a consultant to build your plan; buy specialized software to help you create the plan; or take an existing plan and repurpose it for your organization's needs.
Your plan should be consistent with -- or at least include components of -- one or more established business continuity (BC) standards, such as:
- International Organization for Standardization 22301:2012;
- National Fire Protection Association 1600:2016;
- Federal Financial Institutions Examination Council BC Handbook;
- Financial Industry Regulatory Authority Rule 4370; and
- country-specific standards.
That will make it easier for you to pass a future audit and scrutiny from existing and potential customers.
A checklist for your business continuity planning
Regardless of how you create a plan, the following 11 business continuity planning steps can help keep your organization running in the event of a disruption.
Evidence of senior management approval. Don't try to develop business continuity planning steps without senior management awareness and approval of your actions. You'll need a budget to prepare the plan, as well as senior management to authorize the funding.
Emergency action steps to take in an incident. Some experts may say it's better to have a separate incident management plan to describe how to initially respond to an event, but consider having a section at the front of your BC plan with your incident response procedures. Include your emergency teams -- incident response team, emergency management team, technology team, damage assessment team -- plus contact lists of first responders, key customers and stakeholders; primary and alternate assembly areas to meet following an evacuation; and emergency phone numbers.
Types of incidents that could launch the BC plan. From your risk assessments (RAs) and business impact analyses (BIAs) -- which should be completed before starting a BC plan -- identify internal and external situations that could be serious enough to launch a BC plan. Remember that not all events may warrant the launching of your BC plan, which is why you have incident response and damage assessment teams.
Lists of key business processes to protect. This list is developed from the results of your RA and BIA activities. These activities can identify the business processes that must be recovered and returned to normal operation as quickly as possible. Your business continuity planning steps will hopefully address these processes right away, while other procedures will be addressed later.
Lists of critical technologies to protect. BIA activities will identify your most critical business processes and the technologies needed to support them. Be sure you have technology disaster recovery plans to address the mission-critical systems, data and databases, and technology resources needed by each process, as these will help restore operations.
Lists of recovery time objectives and recovery point objectives. As identified from your BIA, list the recovery time objectives (elapsed time before a disrupted process needs to be operational again) and recovery point objectives (point in time to which data must be recovered), as these help identify and prioritize recovery activities.
Lists of key vendors, stakeholders, regulators and other third parties. These lists will help ensure you can contact other key players quickly. The entities to contact are identified in your BIAs.
Step-by-step procedures for various activities. These provide the proper sequence of actions and can include damage assessment; initial response activities; disaster declaration criteria; calling trees, or how to access a notification system; building evacuation; staff relocation to an alternate work site; responding to specific kinds of incidents, such as power outages, water damage, floods or severe weather; recovering and restarting business operations; and returning to the original (or new) work location and resuming business operations.
Procedures for obtaining emergency funds. This can include a list of banks and other financial institutions, plus instructions for obtaining cash. Only authorized people should have this data. Company credit cards can be used for emergency purchases, but make sure these are used by authorized persons, and have specific dollar limits. Blank company checks and personal credit cards may also be used for purchases, but all users should be preauthorized, and there should be a reimbursement plan in place.
Lists of vital records the company needs to operate. While many of these special documents, such as personnel records, articles of incorporation and legal documents, are in electronic form, many companies still have lots of paper documents on site. These should be stored in a fire-proof cabinet and also scanned and stored electronically.
References to other activities. Include references in your business continuity planning steps, where appropriate, that indicate your intent to perform the following: awareness and training activities; BC plan exercising; periodic reviews and audits of the BC plan and related documents; periodic updating of BIAs, RAs, BC strategies and data backup procedures; and processes for the continuous improvement of the overall BC program.
All of these items, when completed, can make for a rather lengthy BC plan document. Consider creating one- or two-page playbooks that extract the most important business continuity planning steps -- contact lists, emergency numbers, incident procedures and evacuation sites -- and consolidate that data into an easy-to-use document. It may be useful to laminate these worksheets for ease of use and protection from the elements. Laminated, wallet-sized cards with critical BC plan contact data may also be useful in an emergency.