A business continuity plan (BCP) is a set of actions established by a company to make sure it can protect its personnel and assets and keep its operations going in case of a natural disaster, terrorist attack, or any other catastrophic event.
Business Continuity Planning Requirements and Process
Business continuity planning is the process of creating a prevention and recovery system for potential threats to a company. Because BCP calls for identifying risks that can affect the company’s operations, it is a major part of the organization’s risk management strategy. As in disaster recovery planning, BCP involves planning for the worst-case scenario.
Many different laws either specify or imply requirements for BCPs. Requirements vary according to geography and industry sector, influencing the development and focus of the BCP.
In the US, organizations in industries such as finance, healthcare, utilities, and government are all subject to various legal requirements for BCPs and how often BCPs must be tested. Across industries, laws expect organizations to exercise due care around the business continuity plan process and strategy, as do shareholders. Business disruptions often lead to lower revenue, higher costs, and reduced profitability. Because of compliance issues, cloud storage is viewed cautiously.
BCP Primary Purpose
A BCP has the primary purpose of specifying how the business as a whole will survive the catastrophic event. As such, the BCP takes into account questions such as how to safeguard employees, provide physical work space, continue manufacturing processes, and manage shipping and other logistics operations.
Some organizations include a disaster recovery plan (DRP) within the BCP, whereas others manage the BCP and DRP separately. A DRP defines what the organization must do to recover information technology (IT) systems for meeting the company’s technology needs during and after a disaster. A guide to DR services often includes a variety of potential DR as a Service vendors.
Elements of a BC Planning Lifecycle
- Impact analysis: Analyze the overall scope of your BCP, including the desired safeguards.
- Risk assessment: Draw up a comprehensive list of the potential risks, with an eye toward guarding against them.
- Resource identification: Identify the myriad resources that will go into the various elements of your BCP.
- Gap analysis: Be clear on any potential gaps in your BCP – make sure you are addressing them.
- BCP framework: Lay out an overall framework, including remote providers and contingency plans.
- Recovery plans: Determine how long full recovery will take your business – hopefully as short as possible.
- Checklists: Make a full list of checklists, so you can review every division’s preparation.
- Training, testing and evaluation: This is ongoing – testing and evaluation must be continuous. And every new staffer needs to be trained.
Business continuity planning includes many aspects of the traditional business cycle.
Four Aspects of the Business Resilience Process
Organizations vary in how they manage BCP. Generally speaking, however, business continuity planning – also sometimes referred to as business resiliency planning – consists of four stages.
1. Conducting a Business Impact Analysis (BIA)
Organizations typically begin the process of business continuity planning by conducting a business continuity impact analysis (BCIA), which pinpoints specific effects resulting from business disruption and helps the company make decisions around recovery strategies.
The BCIA is either accompanied or followed by a risk assessment (RA), which drills down into the organization’s vulnerabilities and possible responses to specific types of catastrophic events. In the RA, disaster scenarios that could lead to significant injuries should be highlighted to make sure that effective emergency management plans are put in place.
To perform a BIA, a business continuity team consisting of company leaders and/or outside consultants creates a questionnaire which is distributed to the company’s business managers. The questionnaire used in this BCP procedure is designed to identify the operational and financial impacts that would occur from the loss of specific business functions. Impacts might include costs related to cash flow, equipment, and data.
The company also determines the point in time by which a lost function or process must be recovered before unacceptable consequences occur. This point in time is often referred to as the Recovery Time Objective (RTO).
If the BCP includes a DRP, the organization also determines a Recovery Point Objective (RPO) for each function or process. RPO refers to the acceptable amount of data, measured in time, that will not be recovered. For example, is it acceptable for the company to lose 24 hours of data for a particular process?
In the BIA, business functions and processes which would cause the most severe impacts, if lost, receive the highest priority for restoration.
For instance, at a manufacturing firm, the company’s main production operations would likely get higher priority than sales offices in the same building. Without production in progress, the organization would be unable to meet existing sales orders, sooner or later. Also, unlike plant workers, sales employees could work from home temporarily until the crisis is resolved.
Typically, team members suggest allocations of company funding for measures to protect high priority functions and processes.
2. Formulating a Recovery Strategy
In starting to formulate a recovery strategy, companies typically identify and document resource requirements based on the BIA. These include:
- Office space, furniture and equipment
- Technology (computers, peripherals, communication equipment, software and data)
- Vital records (electronic and hard copy)
- Production facilities, machinery and equipment
- Inventory (including raw materials, finished goods and goods in production)
- Utilities (power, natural gas, water, sewer, telephone, internet, and wireless)
- Third-party services
In this phase of the BC planning life cycle, it’s also common to conduct a gap analysis, aimed at finding gaps between the organization’s current operations and its recovery requirements.
Most importantly at this stage of the game, the organization explores various emergency response and recovery options and selects strategies for formal approval.
For instance, if a fire breaks out, a building is typically evacuated immediately. If a tornado strikes, employee sheltering procedures are put into effect, but if a mass shooting is in progress, the building goes into lockdown mode.
3. Developing a BCP Framework
Following approval of the recovery strategy, a BCP framework is developed and recovery teams are organized.
The teams help to write procedures for the company’s BCP model and to produce specific recovery plans such as manual workarounds and relocation arrangements.
Manual workarounds come into play when the technology ordinarily used for performing a business function becomes suddenly unavailable.
Let’s say that a customer ordering system goes down when a hurricane strikes the city where the company’s main data center is housed. Until the application is restored at a remote backup center, customer service reps (CSRs) fielding phone calls at satellite locations can resort to a manual workaround. However, the workaround will run more smoothly if the CSRs have already been pre-trained on how to use paper ordering forms during an emergency.
Strategies can also involve displacing activities elsewhere in a company, contracting with third parties, and forging partnerships for reciprocal agreements.
For instance, if a manufacturing firm owns two production facilities, and only one is damaged by a catastrophic event, manufacturing activities there might be displaced to the second facility.
The business continuity and recovery teams should also develop plans for crisis communications, including possible interruption of company phone, email, and document management systems during and after a disaster.
4. Testing and Evaluation
The last phase of business continuity management consists of training, testing, exercises, and maintenance.
After employees are trained and a thorough BCP test is completed, the plan should be updated to reflect lessons learned. Organizations should also stay on top of industry regulatory requirements and modify BCPs in accordance with any changes in the laws.
Business Continuity Plan Checklists
Again, organizations handle business continuity management in various ways. Many, however, create checklists of items that should be included in BCPs. The checklists provide specific information to staff about actions that need to be put in place. The following are among the most critical checklists to assemble:
- Program implementation
- Business impact analysis
- Resource allocation
- Developing BCP strategy
- Developing BCP procedures
- Emergency response preparedness
- Generic planning tasks
- Staff issues, including working at home
- Service planning tasks
- Document management
- Email management
- Loss of staff (temporary or permanent)
- Loss of premises
- Damage to premises
- Loss of IT and/or communications
- Loss of utilities
- Loss of supplier
- Awareness and training
- Test, audit and maintenance