If a disaster such as a fire, flood or communication breakdown were to occur, many businesses would lose profits, damage their reputation or even be forced to close. A well-thought-out business continuity plan is what you need to prevent this.
Having a company-wide plan in case of an emergency is essential. If you rely more on digital means of communication, operations and data storage can be a vulnerability.
Luckily, there are ample resources available to create a business continuity plan. Here, we’ll cover key aspects of a business continuity plan including:
- What is a Business Continuity Plan?
- Top 5 Threats to Business Continuity
- The Anatomy of a BCP: 8 Crucial Components
- Helpful Tools and Software
- A BCP Infographic (to print and share!)
Feel free to jump to a condensed version in our visual below.
What is a Business Continuity Plan?
A business continuity plan is the outline of procedures to prevent damage, maintain productivity and recover in the event of a disaster.
When you create such a plan, identify possible threats like fires, utility disruptions or social engineering attacks. Then proactively determine what employees can do to get the business back on track.
Top 5 Threats to Business Continuity
There are several fatal disruptions a company can experience. Some businesses have industry-specific threats, but there are also events that threaten almost any company, including:
1) Natural disasters:
This includes any force of nature that poses a significant threat to human health and safety, property or critical infrastructure. Natural disasters include all natural phenomena like wildfires, tornadoes, hurricanes, winter storms, floods or earthquakes.
2) Man-made disasters
Any catastrophe that is the result of human negligence, mistake or accident. Man-made disasters include chemical explosions, gas leaks, oil spills, factory fires, hazardous material spills or improper disposal of waste.
3) Utility failures
This occurs when any utility provider fails to provide service for any reason. Utility failures include electricity or power failure, loss of communication lines or disruption of water service.
4) Intentional sabotage
These are acts you commit with the intent of putting a business at risk. Sabotage can take many forms. For example, a bomb threat, a financial information leak or arson.
5) Cybersecurity attacks/Social engineering attacks
This refers to any attack on the company’s technical assets such as by a hacker. Cybersecurity threats include information leaks, ransomware, SQL injection attacks or denial of service attacks.
The Anatomy of a Business Continuity Plan: 8 Key Components
In order to protect itself from profit losses, reputation damage and customer loss, a company must create a business continuity plan.
The plan should be thorough and include possible threats, readiness procedures to protect against these threats and information on who should be leading each process.
While you create this plan, be sure to thoroughly document every section so you can share it across the company later.
#1 Identify the objectives of the plan and set goals
Identifying the objectives of the business continuity plan and setting goals around them is step #1.
- How detailed and practiced should the plan be?
- What departments will the plan cover?
- What are the outcomes of a successful plan?
- Which milestones should we track?
One important factor is the budget for the continuity plan. Include any preparation or research hours, training time and materials, etc as you create this plan.
#2 Choose the business continuity team
An important part of your business continuity plan is the team and their responsibilities.
Include the contact information, titles and any other need-to-know information for each member. If applicable, specify backup contacts for each responsibility or department.
Two types of sub-teams to consider are:
Command and control teams
The command and control sub-teams include a crisis and recovery management team. They make sure there is near-perfect execution and that all resources are ready to go.
This sub-team includes specialized teams such as a:
- Public relations team
- Damage assessment and salvage team
- Legal team
- Telecommunications team
- Mechanical equipment team
- Cybersecurity and IT team
- Transport coordination team
#3 Conduct a business impact analysis (BIA)
Impact analysis is an0ther crucial aspect of your business continuity plan. This is an assessment of the impact potential threats could have on each aspect of the business.
Predictions and forecasts can help your team put together a custom template. They have to then test it for potential holes and modify the BCP. Use this information to update the recovery plan later.
The BIA document should include explanations of the core business operations and what areas are critical for business continuity. It should document any resources needed to keep these critical departments afloat during a disaster scenario.
The BIA should detail scenarios for every level of disaster from minor disturbances to total losses. There should be options for each disaster level. This will make it easier to choose the most logical and realistic plan keeping in mind the risks.
#4 Identify key business areas and critical functions
As part of the BIA, the team will want to establish a comprehensive understanding of the business’s core needs. To do this, identify which critical business processes would have the most damage on the company overall. Damage can include revenue loss, harm to the company’s reputation or damage to the company’s ability to operate properly.
Examine each aspect and function of the business and classify it as either high, medium or low. Some questions that can be helpful to consider when examining critical business functions include:
- What business objectives does this aspect support?
- How many departments will this function affect?
- How often does this function occur?
- What other aspects of the business are dependent on this function for success?
- What would be the revenue loss if this function was not completed?
- Are there potential fines or legal issues tied in with this function?
- Does this function impact the business’s public image or market share?
#5 Identify any pain points or dependencies
Also part of the BIA, businesses should proactively identify potential problems that could arise. If any departments or functions have time-sensitive stipulations, monitor the tolerable downtime. Use the rating system for key business functions to understand where to allocate resources.
Use drills and tests to make your plan fail-proof. More information on how to do that below.
#6 Make a plan to maintain operations
This should be the most detailed section of the business continuity plan. Note that you should also revisit this as the company evolves. Start by doing an analysis of current recovery capabilities and how you can improve them.
Readiness procedures could include:
Detail any actions you need to take as preventative measures before the disaster occurs.
While conducting the BIA, it’s likely you’ll find places that need mitigation. This could include having backup providers for utilities or generators available nearby. It could also include setting up alternative communication networks. Remote options for employees in emergencies is another example.
Each department ought to have a detailed response plan. Include exactly what each member of the business continuity team should doin case of an emergency.
For example, if there is a dangerous evacuation, procedures + safety protocols are mandatory. When and how the company will contact the media, public or customers, etc is also a part of this.
After the event has been contained, your focus should be recovery. This section should outline exactly what they are and who is responsible for implementing them. An example is a manual workaround to get the company running again. An alternative facility that the company could use in the interim is another example.
#7 Develop a testing and training curriculum
Implement a curriculum to train the business continuity team as well as employees in the event of an emergency. This could include basic training and an overview of the business continuity plan. Or in-depth exercises designed to test the procedures and prepare employees.
An emergency protocol to train team members with specialized responsibilities is important. If you are conducting drill exercises, make sure employees display readiness and high comprehension.
Exercises should have:
- Clear objectives and goals
- Easily understood assumptions of the scenario
- Instructions for all participants
- A clear narrative
- A post-exercise evaluation
Leaders should identify if you need further training or improvements to the overall BCP.
#8 Determine ongoing program maintenance and quality assurance
The business continuity plan should be a living document that evolves and changes as necessary. A quality assurance strategy can ensure effectiveness as dedicated departments keep tabs on it. This could include when to hold:
Businesses should conduct a review of the plan annually. This section should address exactly when updates are required due to:
- Threats to the environment
- Exercises that indicate the need for change
- Changes to company structure or personnel.
It can be helpful to have an external consultant come in and evaluate the plan or suggest improvements. This section should document when this should happen and who should conduct the audit.
Additional drills and tests
Exercise ongoing training and tests based on changes to your business continuity plan. This section can outline when that is necessary and how to conduct drills.
Business Continuity Software and Tools
There are many tools and software you can use to craft a business continuity plan. Tools range from consultants to single task tools to full software programs. Determine which tools are right for your business by assessing your needs, plan complexity, timelines, and budget.
These include tools to help you build your BCP. For example, the U.S. Department of Homeland Security offers a Business Continuity Planning Suite. Other business continuity planning software providers include:
Internal auditing tools
These tools can help a business assess their strengths, weaknesses, pain points and areas of concern. Some handy internal auditing tools include:
Cloud-based software like BC in the Cloud can be helpful to document processes and also make sure they are accessible. Cloud storage software like Dropbox, Acronis and Zoolz can ensure data protection.
This includes internal and external communication and notification tools. Communication tools can be used to send direct messages to recovery teams, vendors, shareholders or staff.
- Everbridge is a popular mass notification tool
- VoIP phone services like Skype can be helpful in emergency situations as well
There are plenty of tools dedicated to recovery in case of business interruptions. Depending on the tool, they can help with everything from communication assistance to data recovery and office space.
- Agility Recovery is a company that offers many of these options.
- Novinex is another company that offers a wide range of business recovery services.
- Data recovery tools like Long View can be helpful as well.
The Anatomy of a Business Continuity Plan [Infographic]
Having a dynamic plan in place can help build confidence and trust with employees and shareholders. Such a plan can also help:
- Manage the company’s reputation with customers
- Assist the business to meet legal obligations
- Ensure the business has minimal loss in the event of a disaster