If a disaster such as a fire, flood or communication breakdown were to occur, many businesses would lose profits, damage their reputation or even be forced to close. A well-thought-out business continuity plan is what you need to prevent interruptions.
Having a company-wide plan in case of an emergency is essential. If you rely on cloud-based communications, you might still have vulnerabilities. If you centralize your operations in one location, that can also become a risk.
Luckily, there are ample resources available to create a business continuity plan. Here, we’ll cover key aspects of a business continuity plan including:
- What is a Business Continuity Plan?
- Top Threats to Business Continuity
- The Anatomy of a Business Continuity Plan
- Helpful Tools and Strategies
- Business Continuity Infographic
Feel free to jump to a condensed version in our visual below.
What is a Business Continuity Plan?
A business continuity plan is the outline of procedures to prevent damage, maintain productivity and recover in the event of a national emergency or disaster.
When you create such a plan, identify possible threats like fires, utility disruptions or social engineering attacks. Then proactively determine what employees can do to get the business back on track.
A business continuity plan is sometimes abbreviated "BCP," but essentially it details the emergency management procedures and strategies to enact. This avoids panic and uncertainty when outages happen and how to respond effectively.
Every business needs a plan to maintain business continuity. Even if it's a small business, you need to effectively have a plan when disaster strikes to avoid business disruption.
Find out in the 2020 State of Business Communication Report!
Top 6 Threats to Business Continuity
There are several disruptions a company can experience. Some businesses have industry-specific threats, but there are also events that threaten almost any company, including:
1) Global pandemics:
Global pandemics can cause massive issues for companies, namely by forcing employees to work from home and creating a scenario where a company workforce must go remote swiftly and for an indefinite period of time.
In these scenarios, companies must equip their company to communicate with customers and each other remotely in the event of a need for quarantine.
2) Natural disasters:
This includes any force of nature that poses a significant threat to human health and safety, property or critical infrastructure. Natural disasters include all natural phenomena like wildfires, tornadoes, hurricanes, winter storms, floods, or earthquakes.
3) Man-made disasters
Any catastrophe that is the result of human negligence, mistake or accident. Man-made disasters include chemical explosions, gas leaks, oil spills, factory fires, hazardous material spills or improper disposal of waste.
4) Utility failures
This occurs when any utility provider fails to provide service for any reason. Utility failures include electricity or power failure, loss of communication lines, or disruption of water service.
5) Intentional sabotage
These are acts you commit with the intent of putting a business at risk. Sabotage can take many forms. For example, a bomb threat, a financial information leak, or arson.
It's prudent to involve human resources to minimize risks internally and externally in the event of a disgruntled
6) Cybersecurity attacks
This refers to any attack on the company’s technical assets such as by a hacker. Cybersecurity threats include information leaks, ransomware, SQL injection attacks, or denial of service attacks.
Cyberattacks usually result in great harm to consumers and businesses alike, which can trigger an investigation of security protocols at data centers. The effects of such an attack are felt beyond the Information Technology (IT) department.
The Anatomy of a Business Continuity Plan
In order to protect itself from profit losses, reputation damage and customer loss, a company must create a business continuity plan.
The plan should be thorough and include possible threats, readiness procedures to protect against these threats and information on who should be leading each process.
While you create this emergency response plan, be sure to thoroughly document every section so you can share it across the company later. Keep it well-organized so readers can identify risk assessments, planning processes, and recovery steps.
#1 Identify the objectives of the plan and set goals
The first step is to identify the objectives of the business continuity plan and set goals around them. Here are some examples of a BCP:
- How detailed and practiced should the plan be?
- What departments will the plan cover?
- What are the outcomes of a successful plan?
- Which milestones should we track?
One important factor is the budget for the continuity plan. Include any preparation or research hours, training time and materials, etc as you create this plan. Business continuity management extends beyond IT and applies to the entire organization.
#2 Choose the business continuity team
An important part of your business continuity plan is the incident command team and their responsibilities.
Include the contact information, titles, and any other required information for each member. If applicable, specify backup contacts for each responsibility or department. These first responders carry out specific duties to keep the business running smoothly.
Two types of sub-teams to consider are:
Command and control teams
The command and control sub-teams include a crisis and recovery management team. They make sure there is near-perfect execution and that all resources are ready to go.
This sub-team includes specialized teams such as a:
- Internal communication
- External business communication
- Disaster recovery
- Information Technology (IT)
- Supply chain management
- Finance and Human Resources
#3 Conduct a business impact analysis (BIA)
Impact analysis is another crucial aspect of your business continuity plan. A BIA is an assessment of the impact potential threats could have on each aspect of the business.
Predictions and forecasts can help your team put together a custom template. They have to then test it for potential holes and modify the BCP. Use this information to update the recovery plan later.
The BIA document should include explanations of the core business operations and what areas are critical for business continuity. It should document any resources needed to keep these critical departments afloat during a disaster scenario.
As a core function of disaster recovery planning includes a BIA that details scenarios for every level of disaster. This will make it easier to choose the most logical and realistic plan keeping in mind the risks.
#4 Identify key business areas and critical functions
As part of the BIA, the team will want to establish a comprehensive understanding of the business’s core needs. To do this, identify which critical business processes would have the most damage to the company overall. Damage can include revenue loss, harm to the company’s reputation or damage to the company’s ability to operate properly.
Examine each aspect and function of the business and classify it as either high, medium or low. Some questions that can be helpful to consider when examining critical business functions include:
- What business objectives does this aspect support?
- How many departments will this function affect?
- How often does this function occur?
- What other aspects of the business are dependent on this function for success?
- What would be the revenue loss if this function was not completed?
- Are there potential fines or legal issues tied in with this function?
- Does this function impact the business’s public image or market share?
Additionally, it's wise for a business to carefully evaluate how they can move operations offsite. One example might be clear plans to move sales and support staff to work from home proactively.
#5 Identify any pain points or dependencies
Also part of the BIA, businesses should proactively identify potential problems that could arise. If any departments or functions have time-sensitive stipulations, monitor the tolerable downtime. Use the rating system for key business functions to understand where to allocate resources.
Use drills and tests to make your business continuity plan fail-proof. More information on how to do that below.
#6 Make a plan to maintain operations
This should be the most detailed section of the business continuity plan. Note that you should also revisit this as the company evolves. Start by doing an analysis of current recovery capabilities and how you can improve them.
Readiness procedures could include:
Detail any actions your business needs to take as preventative measures before the disaster occurs.
While conducting the BIA, it’s likely you'll find places that need mitigation. This could include having backup providers for utilities or generators available nearby. It could also include setting up alternative communication networks. Remote work solutions for employees in emergencies is another example.
Each department ought to have a detailed emergency response plan. Include exactly what each member of the business continuity team should do in case of an emergency.
For example, if there is a dangerous evacuation, procedures and safety protocols are essential to recovery. When and how the company will contact the media, the public or customers should also be specified as a part of the business communications plan.
It's critical to maintain reliable communication, including your organization's business phone service for announcements and managing reliable call routing.
After the event has been contained, your focus should be recovery. This step of a continuity plan outlines exactly what they are and who is responsible for implementing them.
One example is a manual workaround to get the company running again. Operationalizing an alternative facility that the company could use in the interim is another example.
The first question people will always ask is about the timeline to recovery. Some resolutions are instant. Others may take days or weeks to implement. For all your recovery plans, scope out the Recovery Time Objective (RTO). This gives stakeholders clear-cut estimates on activating a recovery plan.
For companies with data centers where data powers their central operations, it's important to understand the intervals of recovery available. A Recovery Point Objective (RPO) defines the timelines of data recovery available in the event of a loss or corruption.
#7 Develop a testing and training curriculum
Implement a curriculum to train the business continuity team as well as employees in the event of an emergency. This could include basic training and an overview of the business continuity plan. Or in-depth exercises designed to test the procedures and prepare employees.
As a part of a BCP, it can include tactical exercises designed to test the procedures and prepare employees. You might even stage a mock emergency to evaluate areas for improvement.
An emergency protocol to train team members with specialized responsibilities is important. If you are conducting drill exercises, make sure employees display readiness and high comprehension.
One of the best practices to maintain business operations is to instruct employees not to publish unconfirmed reports and rumors on social media like Facebook, Twitter, or LinkedIn. Establish a feedback loop to listen and respond to internal staff concerns. This will conserve communications resources that are dedicated to higher priority objectives.
Exercises should have:
- Clear objectives and goals
- Easily understood assumptions of the scenario
- Instructions for all participants
- A clear narrative
- A post-exercise evaluation
Leaders should identify if you need further training or improvements to the overall business continuity plan.
#8 Determine ongoing program maintenance and quality assurance
Business continuity planning should evolve with your organization. A quality assurance strategy can ensure effectiveness as dedicated departments keep tabs on it. This could include when to hold reviews and tests.
Businesses should conduct a review of the plan annually. This section should address exactly when updates are required due to:
- Threats to the environment
- Exercises that indicate the need for change
- Changes to company structure or personnel
- Geographic distribution of employees
It can be helpful to have an external consultant come in and evaluate the plan or suggest improvements. This section should document when this should happen and who should conduct the audit.
An objective analysis of the disaster recovery plan and its execution is critical for continual improvement.
Additional drills and tests
Exercise ongoing training and tests based on changes to your business continuity plan. This section can outline when that is necessary and how to conduct drills.
The disaster recovery plan for your business is only as good as how well it's put into practice.
Business Continuity Software and Tools
There are many tools and apps you can use to craft a business continuity plan. Tools range from consultants to micro tools to full software platforms. Determine which tools are right for your company by assessing your business processes, plan complexity, timelines, and budget.
Your business is helpless if it cannot communicate with each other before and during a disruptive episode. This includes internal and external communication and notification tools. Communication tools can be used to send direct messages to recovery teams, vendors, shareholders or staff.
- Everbridge is a popular mass notification tool
- Intrado offers enterprise notification services, which is popular with school districts
- A cloud phone system can be helpful in emergency situations as well.
- Slack is one quick way to organize team chats and
These include tools to help you build your BCP. For example, the U.S. Department of Homeland Security offers a Business Continuity Planning Suite. Other business continuity planning software providers include:
Internal auditing tools
These tools can help a business assess their strengths, weaknesses, pain points and areas of concern. Some handy internal auditing tools include:
These can include simple office tools like Word, Excel and other office suite tools, but can also include BCM planning templates.
Cloud-based software can be helpful to document processes and also make sure they are accessible. Cloud storage software like Dropbox, Acronis, and Amazon S3 can ensure data protection. Internet phone service can be managed remotely with no need for on-site changes.
Disaster recovery tools
There are plenty of tools dedicated to disaster recovery in case of business interruption. Depending on the tool, they can help with everything from communication assistance to data recovery and office space.
- Agility Recovery is a company that offers many of these options.
- Novinex is another company that offers a wide range of business recovery services.
- Data recovery tools like Long View can be helpful as well.
No matter the incident, you need to develop a strong disaster recovery plan. This includes names, phone numbers of qualified individuals and agencies to assist with recovering data backups.
The Anatomy of a Business Continuity Plan [Infographic]
Having a dynamic plan in place can help build confidence and trust with employees and shareholders. Such a plan can also help:
- Manage the company’s reputation with customers
- Assist the business to meet legal obligations
- Ensure the business has few interruptions in the event of a disaster
- Identify essential remote tools to maintain operations.
Gaetano DiNardi is the Director of Demand Generation at Nextiva and has a track record of success working with brands like Major League Baseball, Pipedrive, Sales Hacker and Outreach.io. Outside of marketing, Gaetano is an accomplished music producer and songwriter - he’s worked with major artists like Fat Joe, Shaggy and loves making music to stay turbocharged. To get in touch, follow him on LinkedIn.