How to Create a Business Continuity Plan (BCP) for Your Company
A business continuity plan outlines the guidelines and specific steps a company will follow when disaster strikes—whether that is a cyberattack, fire, flood, theft or other catastrophe that immediately impacts operations. It is your “in case of emergency” guidebook that directs next steps to take when the unexpected happens. A solid business continuity plan will give you the best chance for surviving and recovering.
Most companies have some base level of procedures in place for securing key business assets, whether physical or digital. Even with preparation or lead time, though, things can go wrong; every event is unique and unfolds in unexpected ways. This is where having a business continuity plan saves the day. For the best chance of surviving a catastrophe, you need a comprehensive plan in place. It must also be accessible to the members of your team responsible for carrying out its components.
We’ll take a closer look at business continuity planning (BCP) and what’s involved. But first things first…
What is business continuity?
Business continuity (BC) is the ability to maintain or rapidly resume business functions in the case of a major disruption. A business continuity plan provides very specific instructions that an organization should follow in the face of such disasters. The plan covers business processes, assets, employees, business partners and more. Often mistaken for a disaster recovery (DR) plan, the business continuity plan is actually much more comprehensive. (Disaster recovery plans generally focus on restoring data, IT infrastructure and operations after a disaster event.) While the business continuity plan includes disaster recovery as a key component, it is not limited to IT, and instead is centered upon restoring operations of the entire organization.
To get a better idea of this in practice, consider an organization that has separate facilities for its call center. If the call center building experiences a fire, there will need to be a plan in place that accounts for how customer calls will be handled from an alternate location while the building is rebuilt or call center operations are moved. Would call center employees be able to have calls routed to their homes on a short-term basis? Is there a backup facility that could be used? What if a manufacturing company’s distribution center was flattened by a tornado? In both cases, the lack of a plan could literally result in the complete disruption of operations, and potentially even permanent closure.
Business impact analysis
An important component of the business continuity planning process is conducting a business impact analysis (BIA). The BIA evaluates the impact of the sudden loss of business functions, and quantifies the associated cost. This serves as a benchmark to help you evaluate the risks and costs of different options you might employ as part of your plan, such as whether or not to outsource certain non-core functions. The business impact analysis provides a basis for helping shape your plan for ensuring continuity of critical business operations for the entire organization.
BC is important for businesses of all sizes
Small and mid-sized businesses often regard business continuity planning as a practice reserved for enterprise-scale organizations. In fact, small and mid-sized companies often have an even greater need for BC, as smaller teams typically have greater overlap (their employees may “wear more hats”) and critical operational practices are more likely to rest on less formal procedures and documentation. As such, disaster events can have a more devastating impact, taking a smaller business longer to recover—if the business recovers.
Where to start with creating a BCP
The first step in creating a business continuity plan is to assess your business processes and points of vulnerability. What would be the potential losses if one or more of your critical business processes were down for a day? Several days? A week? Longer?
Next is where you begin to shape the plan. There are 4 key steps you will take:
(1) Identify your critical functions.
(2) Identify dependencies between the different business areas and critical functions.
(3) Establish what constitutes an acceptable downtime for each critical function.
(4) Map out a plan to maintain operations.
To aid in capturing key details, consider using a checklist. Components to include on the list are: equipment, data backup locations, data backup sites, supplies, where the plan is to be stored, which employees will have access to it, key contact information for emergency responders, and contacts for key vendors and backup site suppliers.
The disaster recovery plan is a key component of BCP
If you do not already have a disaster recovery plan (which focuses on restoring data and IT infrastructure), you will need to create that as a key component of the business continuity plan. The disaster recovery plan is very granular with regard to recovery time objectives and recovery point objectives, which together establish how quickly and thoroughly you are able to restore IT function to your business operations. Make sure that the restoration time is clearly defined and is in alignment with the business needs of other critical functions. If not, the time to consider alternate options and adjustments is now—not when disaster strikes.
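The alignment check described above, combined with steps (2) and (3) of the planning list, can be run over a simple inventory of functions. This is an added example, not part of the original article: the function names and hour values are constructed, and it assumes that dependencies are restored in parallel and that a function's own restore starts once its slowest dependency is back.

```python
# Constructed sample inventory (hours). "rto" is the time to restore the
# function itself once its dependencies are available; "max_downtime" is the
# acceptable downtime agreed with the business for that function.
FUNCTIONS = {
    "network":           {"rto": 4, "max_downtime": 8,  "depends_on": []},
    "database":          {"rto": 6, "max_downtime": 24, "depends_on": ["network"]},
    "phone_system":      {"rto": 2, "max_downtime": 8,  "depends_on": ["network"]},
    "call_center":       {"rto": 1, "max_downtime": 8,
                          "depends_on": ["phone_system", "database"]},
    "order_fulfillment": {"rto": 3, "max_downtime": 48, "depends_on": ["database"]},
}


def recovery_path(name, functions, _stack=()):
    """Return (hours until `name` is usable, slowest dependency chain)."""
    if name in _stack:
        chain = " -> ".join(_stack + (name,))
        raise ValueError("dependency cycle: " + chain)
    entry = functions[name]
    slowest_hours, slowest_chain = 0, []
    for dep in entry["depends_on"]:
        hours, chain = recovery_path(dep, functions, _stack + (name,))
        if hours > slowest_hours:
            slowest_hours, slowest_chain = hours, chain
    return entry["rto"] + slowest_hours, slowest_chain + [name]


def find_gaps(functions):
    """List functions whose real recovery time exceeds acceptable downtime."""
    gaps = []
    for name, entry in functions.items():
        hours, chain = recovery_path(name, functions)
        if hours > entry["max_downtime"]:
            gaps.append((name, hours, entry["max_downtime"], chain))
    return gaps


if __name__ == "__main__":
    for name, hours, limit, chain in find_gaps(FUNCTIONS):
        print(f"{name}: recoverable in {hours}h, limit {limit}h, "
              f"driven by {' -> '.join(chain)}")
```

In the sample data the call center looks fine on its own 1-hour figure, but the chain through the network and database puts it past its limit, which is the kind of misalignment to resolve before an event.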
Confirm your existing disaster recovery plan
If you DO have a disaster recovery plan, you should take the opportunity to thoroughly review it, confirming when it was last tested, and by whom, along with the results of the test(s). Many organizations leave disaster recovery testing to their IT departments or MSP and assume that tests are run on a regular schedule. This is often not the case, so taking the opportunity to review the schedule for testing, as well as the scope and frequency, should be at the top of your list!
Breaking the business continuity plan
Once the plan has been established, the strategy carefully reviewed, processes covered and business requirements fully factored, it’s time to see if you can break the plan. Evaluating the business continuity plan is the best way to make sure you haven’t overlooked a key component, as well as providing an opportunity to fully communicate the plan across your organization. Full testing is an effort – don’t take shortcuts or do the minimum to get by. This is where the rubber meets the road and a lack of “real world” testing means your plan could have a gap that leaves you in bad shape should a real disaster occur.
Business continuity plan testing schedule
Many companies schedule business continuity plan testing on a regular basis. Think of it the way you think of other critical business processes that are done on a schedule, like taking inventory. This is typically done two to four times per year. Depending on the type of organization you have, the resources available, the turnover of key employees and vendors, and how frequently key operations and procedures change, you may want to include full tests, structured simulations and walk-throughs, and table-top workouts (group review of the strategy, poring over the details and hunting for any gaps or omissions). Structured walk-throughs provide the opportunity for staff to walk through their role within the plan. This is usually done with a specific catastrophe in mind to determine any points of vulnerability. Any issues, oversights and identified vulnerabilities should then be addressed, added to the plan, and the updated plan re-distributed.
Disaster simulation tests
Disaster simulation is the real test of your plan. Recommended as a once-per-year exercise, the disaster simulation test is very detailed. It involves the creation of an environment that simulates an actual disaster with all people, vendors, equipment and supplies that would be involved. The purpose of the full simulation is to validate that the business can carry out critical business functions during a disaster event.