If a disaster such as a fire, flood or communication breakdown were to occur, many businesses would lose profits, damage their reputation or even be forced to close. A well-thought-out business continuity plan can help prevent this kind of extensive damage from happening.
Having a company-wide plan in case of an emergency is essential, especially as businesses rely more on digital means of communication, operations and data storage. Luckily, there are ample resources available for creating a business continuity plan template and utilizing it within almost any organization. Here, we’ll cover the aspects of a continuity plan and how companies can begin to create their own. Feel free to jump to a condensed version in our visual below.
What is a Business Continuity Plan?
A business continuity plan is the outline of procedures put in place by a company to prevent damage, maintain productivity and recover in the event of a disaster. When creating a business continuity plan, companies identify possible threats such as fires, utility disruptions or cyber attacks and proactively determine what employees can do to get the business back on track.
Threats to business continuity
There are several fatal disruptions a company can experience. Some businesses have industry-specific threats, but there are also events that threaten almost any company, including:
- Natural disasters: This includes any force of nature that poses a significant threat to human health and safety, property or critical infrastructure. Natural disasters include all natural phenomena such as wildfires, tornadoes, hurricanes, winter storms, floods or earthquakes.
- Man-made disasters: This includes any catastrophe that is the result of human negligence, mistake or accident. Man-made disasters include chemical explosions, gas leaks, oil spills, factory fires, hazardous material spills or improper disposal of waste.
- Utility failures: This occurs when any utility provider fails to provide service for any reason. Utility failures include electricity or power failure, loss of communication lines or disruption of water service.
- Intentional sabotage: These are any acts committed with the intent of putting a business at risk. Sabotage can take many forms, for example, a bomb threat, a financial information leak or arson.
Cybersecurity attacks: This refers to any attack on the company’s technical assets such as by a hacker. Cybersecurity threats include information leaks, ransomware, SQL injection attacks or denial of service attacks.
The Anatomy of a Business Continuity Plan
In order to protect itself from profit losses, reputation damage and customer loss, a company must create a business continuity plan that details the actions employees should take in the event of each disaster. The plan should be thorough and include possible threats, readiness procedures to protect against these threats and information on who should be leading each process.
While constructing a continuity plan, each scenario and plan of action should be thoroughly documented so that it can be easily referenced later.
Identify the objectives of the plan and set goals
Identifying the objectives of the business continuity plan and setting goals around those objectives is the company’s first look into the scope of the business continuity plan. How detailed and practiced should the plan be? What departments will the plan cover? Determine the expected outcomes of a successful plan and set goals and milestones to hit during the preparation of the plan.
One important determination is the budget for the continuity plan. This should include any preparation or research hours, training time and materials, or any other costs that having a solid continuity plan might incur.
Choose the business continuity team
The business continuity plan should include a section that outlines the chosen business continuity team and what each member is responsible for. Each member should have their responsibilities clearly outlined.
Include the contact information, titles and any other need-to-know information for each member. If applicable, specify backup contacts for each responsibility or department.
Two types of sub-teams to consider are:
- Command and control teams: The command and control sub-teams should include a crisis management team and a recovery management team. A team that manages the facilitation of the business continuity plan while it is in action is necessary as well.
- Task-oriented teams: This sub-team includes specialized teams such as a public and media relations team, a damage assessment and salvage team, a legal team, a telecommunications (or alternate communications) team, a mechanical equipment team, a cybersecurity and IT team, a transport coordination team, and any other team necessary for the continuation of the business. These teams will vary by industry.
Conduct a business impact analysis (BIA)
When creating the business continuity plan a business impact analysis should also be conducted. This is an assessment of the impact potential threats could have on each aspect of the business.
Through predictions and forecasts, the continuity plan team should be able to create a specialized business continuity plan template, test situations and gather information about potential holes in the plan or additional strategies that should be implemented during the recovery process.
The BIA document should include explanations of the core business operations, as well as which aspects of the business, are critical for successful operation. It should document any resources needed to keep these critical departments afloat during a disaster scenario.
The BIA should detail scenarios for every level of disaster from minor disturbances to total losses. There should be options for each disaster level and the most logical and realistic plan should be chosen, keeping in mind the risks, benefits, costs, flexibility and disruption scenarios.
Identify key business areas and critical functions
As part of the BIA, the team will want to establish a comprehensive understanding of the business’s core needs. To do this, identify which critical business processes, if rendered dysfunctional, would have the most damage on the company overall. Damage can include revenue loss, harm to the company’s reputation or damage to the company’s ability to operate properly.
Examine each aspect and function of the business and classify it as either high (most severe), medium or low (least severe). Some questions that can be helpful to consider when examining critical business functions include:
- What business objectives does this aspect support?
- How many departments will this function affect?
- How often does this function occur?
- What other aspects of the business are dependent on this function for success?
- What would be the revenue loss if this function was not completed?
- Are there potential fines or legal issues tied in with this function?
- Does this function impact the business’s public image or market share?
Identify any pain points or dependencies
Also part of the BIA, businesses should proactively identify potential problems that could arise. If any departments or functions have time-sensitive stipulations or dependencies between any of the areas of business, the amount of tolerable downtime should be addressed. Use the rating system established for key business functions to determine where resources should be allocated and in what order.
If there are any possible pitfalls or situations that might knock the plan off schedule, identify them ahead of time through the use of drills and testing (more information on how to do that below).
Make a plan to maintain operations
This should be the most detailed section of the business continuity plan. Note that it should also be revisited as the company evolves and situations change. Companies should start by doing an analysis of current recovery capabilities and how they could be improved.
Readiness procedures could include:
- Prevention strategies: Detail any actions that need to take place as a preventative measure before the disaster occurs. While conducting the BIA, it’s likely that there will be areas that could use mitigation. This could include having backup providers for utilities or generators available nearby. It could also include setting up alternative communication networks or remote options for employees in emergencies.
- Response strategies: There should be a detailed response strategy for each department. This should include exactly what each member of the business continuity team should do, step by step, in the event of an emergency. For example, if there is a dangerous evacuation, procedures should be in place as well as any safety protocols. The protocols could include when and how the company will contact the media or public or who will notify dependent customers of a disruption.
- Recovery strategies: After the event has been contained or stabilized, there are necessary steps toward recovery. This section should outline exactly what they are and who is responsible for implementing them. An example of a recovery strategy is an alternative method or process (like a manual workaround) to get the company running again, or an alternative facility that the company could use in the interim.
Develop a testing and training curriculum
A curriculum should be implemented to train the business continuity team as well as employees that will be affected in the event of an emergency. This could include basic training and an overview of the business continuity plan or in-depth exercises designed to test the procedures and prepare employees (depending on the industry and possible threats).
Team members who have specialized responsibilities should be properly trained in emergency protocol. If you are conducting drill exercises, ensure that each employee exhibits high levels of readiness and comprehension upon completion.
Exercises should have clear objectives and goals, easily understood assumptions of the scenario, instructions for all participants, a clear narrative and a post-exercise evaluation. Leaders should identify where further training is needed or improvements to the process could be made.
Determine ongoing program maintenance and quality assurance
The business continuity plan should be a living document that evolves and changes as necessary. Quality assurance strategies should be documented to ensure the continued effectiveness of the plan and should be checked by multiple departments. This could include when to hold:
- Internal reviews: Businesses should conduct a review of the plan annually (biannually if in a high-risk industry). This section should address exactly when any updates need to be made due to changes like threats to the environment, results of exercises that indicate a change is needed or changes to the structure or personnel of the company.
- External reviews: It can be helpful to have an external consultant come in and evaluate the plan or suggest improvements. This section should document when this should happen and who should conduct the audit.
- Additional drills and tests: Ongoing training and tests should be exercised based on changes made to the document. This section should outline when that is necessary and how the drills are to be conducted.
Business Continuity Software and Tools
There are numerous tools and software applications businesses can use to assist crafting and maintaining a business continuity plan. Tools range from consultants to single task tools to full software programs. Determine which tools are right for the business by assessing the needs of the organization, the complexity of the plan, the timelines involved and the allocated budget.
- Preparatory tools: These include tools that can help a business prepare their business continuity plan or aid in preparations for a disaster. For example, the U.S. Department of Homeland Security offers a Business Continuity Planning Suite. Other business continuity planning software providers include Arcserve, Axcient, Continuity Logic, StorageCraft and Strategic BCP.
- Internal auditing tools: These tools can help a business assess their strengths, weaknesses, pain points and areas of concern. Some companies that produce tools that can be helpful when performing an internal audit include LogicGate, Form.com, Reciprocity and Onspring.
- Documentation tools: These can include simple office tools like Word, Excel and other office suite tools, but can also include BCM planning software or document storage software. Software that uses the cloud to assist in business continuity, like BC in the Cloud, can be extremely helpful in documenting processes and ensuring they are always accessible. Cloud storage software like Dropbox, Acronis and Zoolz can ensure data is protected and can be accessed anywhere.
- Communication tools: This includes internal and external communication and notification tools. Communication tools can be used to send direct messages to recovery teams, vendors, shareholders or staff. Everbridge is a popular mass notification tool, but VoIP phone services and web conferencing tools like Skype or Zoom can be helpful in emergency situations as well.
- Recovery tools: There are a plethora of tools and entire companies dedicated to aiding businesses in recovery during disaster situations or business interruptions. Depending on the tool or business partner they can aid in everything from communication assistance to data recovery and office space. Agility Recovery is a company that offers many of these options. Novinex is another company that offers a wide range of business recovery services across many industries. Data recovery tools like Long View can be helpful as well.
Having a business continuity plan is an essential security measure in today’s corporate world. The benefits are numerous both internally and externally. Having a dynamic plan in place can help build confidence and trust with employees and shareholders, help with managing the company’s reputation with clients and customers, assist the business in meeting legal obligations and, of course, ensure the business experiences minimal loss in the event of a disaster.