Business Continuity Planning

A Guide to create an effective BCP

Ensuring that your business can keep going when unexpected events happen has always been important, but the events of the year 2020 have brought the need for sound business continuity to the fore. This article will help you to understand what business continuity is all about, provide guidance on creating a business continuity plan and model that’s right for you, give you advice on an appropriate strategy, and help you to maintain the continuity of your business whatever the world might throw at you in the future.

Disruption to any organization’s business can be very costly, and in today’s online consumer choice marketplace, it can even lead to you losing business to your competitors. Using business continuity techniques to prepare for and plan your reaction to disruptions can help you to significantly mitigate risks, reduce any harm, and in turn, improve the experience of your customers.

What is Business Continuity?

Your business can be disrupted at any time by circumstances that are outside your direct control. Business disruption can be a dramatic as a natural disaster or seemingly unimportant such as one of your employees getting sick. Other examples include your premises being flooded by a water leak, one of your suppliers going out of business, or a transport strike that stops your workers from getting into the office. Disruptions like this to your business can happen at any moment, with no warning, and are out of your direct control. Without any emergency preparedness, the implications of these disruptions to your business can be severe.

Business continuity is all about having a plan to deal with these situations so that your organization can continue to function with as little disruption as possible. What is business continuity in detail will be different for each organization, as each organization is different, but each will use the same business continuity principles. Whether you run a commercial business, a public sector organization, a charity, or any other type of organization, you need to understand what is business continuity to help you to keep operating in unforeseen circumstances.

Business continuity doesn’t happen all by itself. Sometimes you might get lucky and be able to carry on as usual after an emergency, but more often than not, your business will be disrupted unless you have created plans for how to keep it going. This might be a high-level business continuity plan that sets up a crisis management team and lets them make the decisions about what to do next. Or it could be a set of more detailed plans that direct the different parts of your business in what they should do next. But trying to keep going without any form of business continuity plan will risk your organization’s survival.

The cycle of events for maintaining business continuity is mostly the same, irrespective of the organization or event that leads to it. Every cycle starts with something untoward happening. This is what should happen next:

  • Someone realizes that the issue can’t be quickly resolved and escalates.
  • A crisis management team is set up.
  • The crisis management team assesses the information about the emergency.
  • They invoke the business continuity plan and potentially a disaster recovery plan in parallel if the solution is in their control.
  • Staff follow the instructions in the business continuity plan so that they can continue to work as normally as possible.
  • The crisis management team monitors the situation.
  • When possible, they issue the instruction to go back to normal working.
  • A review is held to identify what went well and what needs improving.

Table of Contents

The difference between Disaster Recovery and Business Continuity

Many people get confused between what is business continuity and what is disaster recovery. They are not the same thing and have different goals, but there are relationships between them. Business Continuity is concerned with keeping all essential functions of an organization going when there is a significant disruption to any part of the organization, including IT systems, essential infrastructure, people, and premises.

Disaster recovery (DR) is usually only concerned with the IT and technology infrastructures that support critical business functions. DR is aimed at restoring these critical technology-based systems and services in an emergency after a major event stops them from working.  This often involves switching services from the primary site to an alternative location, then switching back again once the emergency is over. Disaster recovery is often considered to be a subset of business continuity.

Consider a holiday booking company that takes orders both online and over the telephone. Both rely on IT systems hosted on the company’s premises. Disaster recovery preparations could include having back-up IT systems in another location, with the data backed up to it several times a day. If the primary IT systems fail, then users could rely on back-up systems.  Business continuity arrangements would, of course, include this but also extend to non-IT issues. For example, making preparations for staff to work from home if they were unable to get into the office for any reason.

What is a business continuity plan (BCP)?

A business continuity plan, often abbreviated to BCP, is a plan that outlines the actions to be taken when one or more defined events disrupt normal business operations.  Having a plan will help you to ensure business continuity. Business continuity planning is the process that helps you to create your BCP, designing a system for prevention and recovery from potential threats to an organization.

Having a well-designed business continuity plan will ensure that your staff and assets are able to get back to operation safely and quickly following a disaster. A BCP should be created using input from key staff and stakeholders, and should be regularly reviewed and updated, particularly if circumstances change. The plan should consider all risks that could materially affect operations, both internal and external. Hence business continuity planning is a key element of any organizations risk management strategy.

business continuity plan - business man looking aheadRisks should include natural disasters such as fire and flood, anything that could prevent access to your premises, cyber-attacks, and pandemics that could reduce your available workforce. All of the identified risks should be included in your BCP, together with:

  • How each risk could affect operations if it materialized.
  • What can be done to either fully mitigate each risk or reduce its impact.
  • How the plan will be tested.
  • Who is responsible for business continuity planning?

Every business, irrespective of its size, should have a BCP.  Disruption to normal operations will lead to loss of revenue and higher costs, contributing to reduced profitability.  Relying on insurance policies alone will not cover the costs of trying to win back the business that you have lost.

The complexity of the BCP will vary according to the size of the organization, how it is structured, the nature of its business, the risks to continuity, and any external regulatory requirements. The aim should be to create a BCP that is in enough detail to be easily followed but not so complex that it is difficult to understand.

What is the goal of BCP?

In order to keep the correct focus, it is important to understand what is the primary goal of business continuity planning. It is easy to get side-tracked and think that having a BCP is the primary goal. It isn’t. The purpose of your business continuity plan is to enable your business to continue in operation in as many circumstances as possible. That must be the primary goal of BCP for every organization.  The only reason why BCP is required is to keep your company operating. Your BCP strategy must ensure that this is the case.

There are a number of lower-level goals that can help you to understand what is the purpose of a business continuity plan, including:

  1. Business Continuity Plan - Team looking at BCPProtect critical business functions. In most businesses, some business functions are more critical than others, especially those that deliver the organization’s goods and services. These should be a priority for all business continuity models.
  2. Minimize negative impacts on the organization, its operations, and its performance.One of the most significant benefits of having a business continuity plan is that it can minimize damage to the organization during disruptive changes, as well as during external events.
  3. Assign roles, responsibilities, and tasks. Who is responsible for what will vary between organizations, but roles and responsibilities for all business continuity planning and execution activities must be clearly defined and communicated. This should include responsible for BCP operations covering who can invoke the plan and who will manage the execution.
  4. Define how the plan will be communicated. Just having a plan isn’t enough. It is unlikely that you will maintain continuity for your business unless all staff are aware of its existence, its content, and what their roles and responsibilities are when the plan is executed.
  5. Define how the plan will be tested. Every plan should be tested, as it’s only then that you will discover what doesn’t work. Testing a business continuity plan will need to use simulations, not real disasters, but your plan should define up-front how testing will be done.
  6. Maintain continuity: This is an obvious goal for every plan that defines the actions that should be taken to maintain the continuity of the business for a number of different scenarios once the plan has been invoked.
  7. Restore normal operations. This goal addresses a missing element in many business continuity plans. There will be a point when the business can return to its regular operating model. How this is done should be defined in the BCP.

How does a BCP help mitigate risk?

Creating a good BCP needs investment in time and money. A big part of justifying the value of business continuity planning is understanding how a BCP helps mitigate risk.

Every business faces risks to its continuing existence. While some of these may be unique to each organization, many of them are common. These include:

  • Natural disasters
  • Terrorist incidents
  • Failure of a supplier
  • Theft
  • Cyberattacks
  • Power blackouts
  • Data breaches
  • Staff availability

The process of creating a business continuity plan forces you to consider all these types of risk in the context of your own business operations. That includes assessing the likely impact and the probability of the risk actually materializing. For example, if your premises are on the top of a mountain, then the likelihood of flooding may be very low! This is why trying to adopt a business continuity plan from another organization without reviewing and updating it for your own circumstances isn’t a good approach. At a high level, it can provide a useful BCP plan checklist to act as a guide for your own business continuity requirements, but you need to do the thinking at a detailed level.

There’s an old saying that goes something like ‘Better the devil you know than the devil you don’t know.’ The activities necessary to create a BCP make you think about what those challenges are for you, then think about how you could deal with them.  That leaves you significantly better prepared when one of them jumps out at you. That will always help you to maintain business continuity.

As you work through the detail of each possible risk, it’s possible that you will identify actions you can take to mitigate against the risk fully. For example, if you operate a data center, your business continuity planning will identify a risk of total power supply failure. Depending on the likelihood and the cost of alternatives, you might decide to fully mitigate against this risk by investing in generators and fuel supplies. Many commercial data centers have taken this approach, even going to the level of paying fuel suppliers a premium to ensure that they get priority for fuel deliveries if there are fuel shortages. This is an excellent example of where BCP activities have considered every risk in detail.  

When you can’t fully mitigate against a risk, then there is a chance that it might materialize. The process for BCP makes you think about what you could do to maintain the continuity of your business if this happens, at worst reducing the impact but at best reducing it to zero.  In reality, this is just good risk management, but a business continuity model will give you a good structure and approach for identifying and then managing the risks.

How to write a business continuity plan

In this section, we will try to answer the question of what does a business continuity plan look like and what should a business continuity plan include, by providing you with a BCP plan outline setting out the elements of a business continuity plan. The detail of what goes into each section will, of course, depend on your own organization and its particular risks, but it should help you to learn how to write a simple business continuity plan.

Components of BCP

Developing a business continuity plan is a vital activity for any organization. Any BCP implementation is not trivial. Preparing a BCP is not an academic exercise just to tick a box in an auditors report or complete a BCP plan checklist. What should a BCP contain in detail will be different for each organization, but the structure can be very similar. This section provides an illustration of the structure for a typical BCP Plan should contain.

These typical components of a business continuity plan aren’t meant to be prescriptive, but following this outline will help you create your first high level business continuity plan that you can then develop and elaborate to suit your own circumstances.  An organization can have a single plan that covers all functions, or a hierarchy of plans within an overall business continuity model, with each function having its own BCP.  This approach helps to avoid an overly large plan that is difficult to follow, but it is a good idea that each individual plan follows the same general structure.

  • BCP - moving pieces on boardBCP section 1: Document control. BCP plans will change over time, so it is crucial that staff knows which is the current version of the plan. The business continuity plan must be a controlled document with a BCP process that releases and communicates new versions when they have been signed off to enable this.  This section of the plan should contain:
    • Version history – who signed off which version when.
    • Purpose of the plan – for example, ‘To provide a flexible response so that XYZ Corporation can respond to a disruptive incident, maintain delivery of critical services during an incident, and return to business as usual.’
    • Plan scope – which parts of the business, activities, and locations are covered by the plan.
    • Plan owner – who is responsible for maintaining the plan.
    • Review cycle – how often will the plan be reviewed.
    • Test history – When was the plan tested, and what were the outcomes?
    • Associated documents – links to any other documents that support the business continuity plan.
  • BCP section 2: Plan activation. This part of the BCP sets out the steps to be taken for invoking the execution of the plan. It should include:
    • Circumstances – A list of all of the identified events that would lead to starting the BCP process. E.g., loss of key staff, loss of critical systems, denial of access to facilities, loss of a key resource such as a supplier.
    • Responsibility for activation– Who can invoke execution of the business continuity actions. In small organizations, this is often a single person in a senior role. A common approach in large organizations is to create a business continuity team with senior representatives from key functions.  When alerted to the situation, the team get together and decide whether to invoke the BCP or wait for more information.
    • Process for activation – This is usually provided as a flow chart showing the BCP process flow from the initial incident, through assessment of the likely impact, then right the way through to return to normal business operations.
      Process Activation
  • BCP section 3: Incident management. This is an essential part of any business continuity plan. It sets out the initial actions that you should take after a disaster to recover efficiently and with minimum disruption.  The purpose of this part of the BCP is to;
    • Protect the safety of staff, visitors, and the wider community.
    • Protect vital assets, e.g., equipment, data, reputation, etc.
    • Ensure necessary communication takes place.
    • Support the Business Continuity phase.
    • Support the Recovery and Resumption phase.

    This section is an essential requirement for BCP implementation, as it lists the actions that should be taken in enough detail so that they can be followed if the BCP is invoked. Determining which actions are needed is a key part of developing a business continuity plan. These and all other actions in a BCP are usually set out in a table to aid understanding. E.g.

    Evacuate the building if necessaryUse standard evacuation procedures for the building
    Ensure all staff report to the Assembly Point.

    The Assembly point for the [team/service/organization] is: The main parking lot

    The alternative Assembly Point for [team/service/organization] is: the shopping mall car park

    [insert name(s)] is responsible for completing this action

    Call emergency services (as appropriate)
    TEL: xxx

    [insert name(s)] is responsible for completing this action

    Different tables should be provided, listing the appropriate actions and responsibilities for:

    • Protecting the welfare of staff, visitors, and the public.
    • Communications, covering who needs to be informed that the business continuity plan has been activated.
    • Actions to support business continuity, including recovering any vital equipment.
    • Actions to support recovery and resumption of normal business activities.
    • Communicating with staff.
  • BCP section 4: Business continuity. The purpose of the business continuity phase of response is to ensure that critical activities are resumed as quickly as possible and/or continue to be delivered during the disruption.  Carrying out a Business Impact Analysis (BIA) will determine the critical activities and the resources required to deliver them both in ‘business as usual’ and in crisis situations.  These critical business activities should be listed in this part of the BCP.  The plan should also list non-critical activities that can be suspended, allowing staff to be re-allocated to critical activities during a business continuity event.

    The actions that the business continuity team should take are listed in this section of the BCP. The actions include:

    • Identifying which staff need to be involved in executing the BCP Plan.
    • Evaluating the impact of the events on business continuity.
    • Recording all decisions, actions, and spend.
  • BCP section 5: Recovery and resumption. This part of the BCP Plan lists the actions that should be taken to resume regular working practices. If the impact of the events leading to the invocation of the business continuity plan is prolonged, this might involve delivering services from new locations such as working from home or alternative premises. Here is an example of the actions in this section:

Steps involved in creating Business Contintuity Plan

This section should help you to understand how to create a business continuity plan. It is a good idea to use a structured approach to create a BCP. A typical BCP process flow will follow these BCP planning steps:

  1. Identify different types of disruptive events. The types of event should include natural disasters, power outages, cyber-attacks, civil disturbances, transport failures, denial of access to premises, and supply chain disruptions. Any of these could cause an emergency, either singly or in combination. For example, widespread flooding could damage essential equipment, cause a power outage, and prevent staff from getting into work.
  1. Business Meeting Define critical business functions and activities. Some functions within a business are more critical to continuity of operation than others, especially those that deliver the organization’s goods and services. Continuity plans address specific types of disruptions, how these disruptions will impact different business units, which business units are most important, and which actions to take in order to protect those functions. For example, most businesses can carry on for a time without a payroll function.
  2. Assess the impact of each type of event against critical business activities. Completing a business impact analysiswill project the potential effects of disruptions, assessing risks, and potential losses. The analysis will provide important information that can be used to develop prevention, mitigation, and recovery strategies. They should be as in-depth as is reasonably possible, covering a variety of potential scenarios, timing, duration, and other relevant variables.
  3. Design recovery strategies. One of the biggest benefits of having a business continuity plan is that it can minimize damage to the organization during a disruption. Though it is not always possible to prevent certain types of events from affecting the business, there are often ways to reduce negative impacts. In certain situations, business continuity efforts can even mean the difference between failure and survival. Approaches should be developed to protect the most critical business functions and restore lost functionality as soon as possible. It is vital for organizations to protect these critical business functions during a disruption so that the crucial business operations can continue. Recovery strategies for business continuity can include relocating operations, outsourcing lost business functions, and hiring in replacement equipment. For example, initiating remote workingpolicies can allow businesses to stay functional when employees cannot work on-site, as organizations discovered during the COVID-19 crisis.
  4. Document the business continuity plan. This is the plan of action with the recovery strategies that will be implemented by business continuity teams. The BCP describes the sequence of actions to take in the event of a disruption or emergency, including the communication protocols and the responsibilities for executing the plan.
    BCP Document
  5. Test the plan. Testing is a vital part of any business continuity strategy. As soon as you create your plan, you must test it. Only by doing that comprehensively and diligently can you prove whether your BCP is going to work or not. Far too many organizations don’t do this and only realize that their plan doesn’t work as expected when they have to execute it for real. Testing will help you to find any parts of the plan that need to be changed or improved.
  6. Develop and conduct training and education.  Just having a tested plan isn’t enough. Everyone in the organization needs to know that the business continuity plan exists, why it is needed, and what are their own roles and responsibilities. Employees should become familiar with a plan before it is ever needed. Providing pre-emptive training can ensure that employees stay prepared and can perform their duties effectively when the plan is invoked.
  7. Execute the plan. Instead of waiting for a real disaster to happen, it is a good idea to execute the plan using a simulated emergency. This should be done with as few people as possible, knowing in advance that it isn’t a real emergency. This approach to testing business continuity will give you the best guarantee of success, as it will highlight any areas of improvement. Ideally, this will be regularly re-run using different scenarios that will test different parts of the BCP plan.

BCP Implementation

Business Continuity Plan project management

Implementing any BCP is a project, so you should follow a project management methodology, using a project team that includes all parts of the business. Business continuity can be implemented solely using internal staff, particularly if you have individuals with the necessary skills and experience.  In a large organization, a BCP plan will be prepared by someone that has a role dedicated to business continuity. In smaller organizations, the task can be assigned to another role, but preparing the plan is not an administration task. It requires knowledge of what a BCP Plan should contain and the BCP process flow, strong risk management skills, and a good understanding of who business continuity planning is done for: the whole organization.  However, many organizations bring in external companies that specialize in business continuity management (BCM).

BCP roles and responsibilities

One of the key activities for any BCP implementation is the definition of roles and responsibilities, both for the implementation itself but also for BCP execution, maintenance, and improvement. Business continuity approaches are often led by a dedicated individual or team. The BCP team’s composition will vary, depending on the nature of the disruption, and each team member will be assigned specific duties.

BCP training

Defining and executing training activities and exercises is a key part of any BCP implementation. Training will ensure that employees are prepared so that they can perform their tasks effectively and operate efficiently during an invocation of the business continuity plan. Without this training, employees will not be able to react effectively or swiftly – precisely when speed is of the utmost importance.

Management support

It is imperative to get genuine management support for the business continuity plan. Far too often, the plans are created to satisfy a governance requirement, but in reality, the management doesn’t really care about business continuity or disaster recovery plan. They care more about profit, business strategy, client satisfaction, and market share. One approach to get management support is to educate them on the need for business continuity and how important it is for continued business operations. Using examples from other organizations is a good way to help.

The bottom line

Creating an efficient business continuity plan is extremely crucial for every company. Despite this, some organizations still underestimate the need for one, believing that nothing bad can happen to them. This is illogical if you consider the number and wide range of potential threats to any business.

Creating a BCP is not an administrative task. It requires considerable thought and effort by a lot of people. Using a robust approach to BCP implementation that has full management support is vital for success.

Any plan is only as good as its testing, so ensure that you test your BCP plan as soon as you create it, then improve and repeat regularly. Doing this will help ensure that your organization can continue to operate in the face of disruptions, helping you build trust and reputation with your customers.