What's Your Question?
Making a Risk Management Plan for Your Business
It’s impossible to eliminate all business risk. Therefore, it’s essential for having a plan for its management. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management. These guidelines are for making a risk management plan for your business.
Developing Your Executive Summary
When you start the risk management plan with an executive summary, you’re breaking apart what it will be compromised of into easy to understand chunks. Even though this summary is the project’s high-level overview, the goal is describing the risk management plan’s approach and scope. In doing so, you’re informing all stakeholders regarding what to expect when they’re reviewing these plans so that they can set their expectations appropriately.
Who Are the Stakeholders and What Potential Problems Need Identifying?
During this phase of making the risk management plan, you’re going to need to have a team meeting. Every member of the team must be vocal regarding what they believe could be potential problems or risks. Stakeholders should also be involved in this meeting as well to help you collect ideas regarding what could become a potential risk. All who are participating should look at past projects, what went wrong, what is going wrong in current projects and what everyone hopes to achieve from what they learned from these experiences. During this session, you’ll be creating a sample risk management plan that begins to outline risk management standards and risk management strategies.
Evaluate the Potential Risks Identified
A myriad of internal and external sources can pose as risks including commercial, management and technical, for example. When you’re identifying what these potential risks are and have your list complete, the next step is organizing it according to importance and likelihood. Categorize each risk according to how it could impact your project. For example, does the risk threaten to throw off timelines or budgets? Using a risk breakdown structure is an effective way to help ensure all potential risks are effectively categorized and considered. Use of this risk management plan template keeps everything organized and paints a clear picture of everything you’re identifying.
Assign Ownership and Create Responses
It’s essential to ensure a team member is overseeing each potential risk. That way, they can jump into action should an issue occur. Those who are assigned a risk, as well as the project manager, should work as a team to develop responses before problems arise. That way, if there are issues, the person overseeing the risk can refer to the response that was predetermined.
Have a System for Monitoring
Having effective risk management companies plans includes having a system for monitoring. It’s not wise to develop a security risk management or compliance risk management plan, for example, without having a system for monitoring. What this means is there’s a system for monitoring in place to ensure risk doesn’t occur until the project is finished. In doing so, you’re ensuring no new risks will potentially surface. If one does, like during the IT risk management process, for example, your team will know how to react.
MORE FROM QUESTIONSANSWERED.NET
- Artificial Intelligence
- Business Operations
- Cloud Computing
- Data Center
- Data Management
- Emerging Technology
- Enterprise Applications
- IT Leadership
- Digital Transformation
- IT Strategy
- IT Management
- Diversity and Inclusion
- IT Operations
- Project Management
- Software Development
- Vendors and Providers
- United States
- Middle East
- United Kingdom
- New Zealand
- Data Analytics & AI
- Foundry Careers
- Member Preferences
- About AdChoices
- Your California Privacy Rights
- Network World
How to create an effective business continuity plan
A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. Here's how to create one that gives your business the best chance of surviving such an event.
We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn’t just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.
What is business continuity?
Business continuity refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Many people think a disaster recovery plan is the same as a business continuity plan, but a disaster recovery plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It’s actually just one part of a complete business continuity plan, as a business continuity plan looks at the continuity of the entire organization.
Do you have a way to get HR, manufacturing and sales and support functionally up and running so the company can continue to make money right after a disaster? For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? The BC plan addresses these types of concerns.
Note that a business impact analysis is another part of a business continuity plan. A business impact analysis identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your business continuity plan, which can come with its own risks. The business impact analysis essentially helps you look at your entire organization’s processes and determine which are most important.
Why business continuity planning matters
Whether you operate a small business or a large corporation, you strive to remain competitive. It’s vital to retain current customers while increasing your customer base — and there’s no better test of your capability to do so than right after an adverse event.
Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.
“There’s an increase in consumer and regulatory expectations for security today,” says Lorraine O’Donnell, global head of business continuity at Experian. “Organizations must understand the processes within the business and the impact of the loss of these processes over time. These losses can be financial, legal, reputational and regulatory. The risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence. Build your recovery strategy around the allowable downtime for these processes.”
Anatomy of a business continuity plan
If your organization doesn’t have a business continuity plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a business impact analysis.
Next, develop a plan. This involves six general steps:
- Identify the scope of the plan.
- Identify key business areas.
- Identify critical functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function.
- Create a plan to maintain operations.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
Remember that the disaster recovery plan is part of the business continuity plan, so developing a disaster recovery plan if you don’t already have one should be part of your process. And if you do already have a disaster recovery plan, don’t assume that all requirements have been factored in, O’Donnell warns. You need to be sure that restoration time is defined and “make sure it aligns with business expectations.”
As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share “war stories” and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid plan.
The importance of testing your business continuity plan
Testing a plan is the only way to truly know it will work, says O’Donnell. “Obviously, a real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve.”
You have to rigorously test a plan to know if it’s complete and will fulfill its intended purpose. In fact, O’Donnell suggests you try to break it. “Don’t go for an easy scenario; always make it credible but challenging. This is the only way to improve. Also, ensure the objectives are measurable and stretching. Doing the minimum and ‘getting away with it’ just leads to a weak plan and no confidence in a real incident.”
Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.
Common tests include tabletop exercises , structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.
In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
It’s also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.
Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.
During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.
Review and improve your business continuity plan
Much effort goes into creating and initially testing a business continuity plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you’ve had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.
How to ensure business continuity plan support, awareness
One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts? Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.
Ai value begins with managing the c-suite conversation, sports venues advance goals, enhance fan experience with data analytics, mulesoft, tableau uptake fuels salesforce growth spurt, macquarie government: providing australia’s federal agencies with the cloud and security solutions they need to safeguard the most sensitive data, from our editors straight to your inbox, show me more, the 10 most in-demand tech jobs for 2023 — and how to hire for them.
United Airlines gives employees the digital tools to make customers happy
Top 9 challenges IT leaders will face in 2023
PureGym’s new CIO Andy Caddy plans for international expansion
CIO Leadership Live with George Eapen, Group Chief Information Officer at Petrofac
- Lenovo Late Night I.T. - Emmy-nominated host Baratunde Thurston is back at it for Season 2, hanging out after hours with tech titans for an unfiltered, no-BS chat.
- dtSearch® - INSTANTLY SEARCH TERABYTES of files, emails, databases, web data. 25+ search types; Win/Lin/Mac SDK; hundreds of reviews; full evaluations
- The world’s largest enterprises use NETSCOUT to manage and protect their digital ecosystems. Learn how—and get unstoppable.
- Hubspot Blog
Oh no! We couldn't find anything like that.
Try another search, and we'll give it our best shot.
What Is A Business Continuity Plan? [+ Template & Examples]
Published: December 30, 2022
When a business crisis occurs, the last thing you want to do is panic.
The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.
A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.
In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.
Table of Contents:
What is a business continuity plan?
- Business Continuity Types
- Business Continuity vs Disaster Recovery
Business Continuity Plan Template
How to write a business continuity plan.
- Business Continuity Examples
A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.
For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.
When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.
Business Continuity Planning
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.
Don't forget to share this post!
Situational Crisis Communication Theory and How It Helps a Business
What Southwest’s Travel Disruption Taught Us About Customer Service
Showcasing Your Crisis Management Skills on Your Resume
What Is Contingency Planning? [+ Examples]
What Is Reputational Risk? [+ Real Life Examples]
10 Crisis Communication Plan Examples (and How to Write Your Own)
Top Tips for Working in a Call Center (According to Customer Service Reps)
How to Create a Social Media Crisis Management Plan [Free Template]
Service Reps on the Most Powerful De-Escalation Techniques [Expert Tips + Consumer Data]
Manage, plan for, and communicate during a corporate crisis.
- Articles and tools
- Business strategy and planning
- Manage your business
- 8 steps for planning your emergency and disaster plan
Whether it's a natural disaster such as an ice storm, or a serious accident in an industrial plant, an unforeseen event can disrupt business operations at any company.
After all, in an emergency situation, your employees may not be able to come to work. Your suppliers may face a shortage of the materials you need to continue your business activities, or demand for your services may simply decline.
The key benefits of a business continuity plan
No one can predict the future; however, you can be ready with a sound business continuity plan. Getting a plan in place shows your employees, shareholders and customers that you are a proactive organization; it improves overall efficiency in your company and helps you allocate the right financial and human resources to keep your firm up and running during a serious disruption.
Here are 8 basic steps to keep in mind when putting together your plan. Click on the link in each step to find more information and useful templates from BDC's complete Business Continuity Guide .
It is a good idea to clearly assign the responsibility for emergency preparedness to a team. Select a few managers/individuals or an existing committee to take charge of the project.
It is advisable to assign one person to lead the planning process. You should also ensure that this "emergency manager" has the authority to get things done.
As with other business aspects, planning for an emergency relies on the following:
- An understanding of the organizational objectives
- Solid research on the risks
- Creative alternatives to unique challenges
- Reliable decision-making process.
What are the key roles and responsibilities for your Emergency Preparedness team?
Planning and implementation.
- Develop the Business Continuity Plan (BCP)
- Establish alert levels and monitor
- Develop training and cross-training plans
- Identify key business partners such as suppliers and clients and determine if they have a BCP
- Assess potential financial impact of an emergency on the business
- Ensure adequate amount of supplies. (emergency safety equipment, such as personal protective equipment, or in the event of a pandemic, hygiene supplies like hand sanitizers, cleaning products, masks, protective barriers, etc.)
- Local site manager(s) implements the plan
- Perform trial run of the plan
Policies, procedures, organization
- Establish policies such as compensation and absences, return to work procedures, telecommuting, flexible work hours, travel restrictions
- Define chain of command for plan implementation
- Establish authorities' trigger points and when to implement BCP
- Establish emergency safety policies for the workplace. For example, in the event of a pandemic, policies that will help prevent the spread of influenza, such as promoting respiratory/ hygiene/cough etiquette, and prompt exclusion of people with influenza symptoms.
- Establish policies for employees who are directly affected by the emergency. For example, in the event of a pandemic, policies for employees who have been exposed.
- Maintain good communications and manage relations with all staff levels
- Advise senior management
- Instil importance of the BCP throughout the organization
- Liaison with local government agencies such as Health Canada and Public Safety Canada
- Prepare and disseminate timely and accurate information to all employees
- Educate staff about possible emergencies. For example, in the event of a pandemic, give information on signs and symptoms of influenza, modes of transmission, personal and family protection, and response strategies
- Evaluate using various forms of technology to maintain communications
- Help prepare training on the subject
- Local site managers implement the plan
- Setup systems to monitor employees for an emergency.
Use the Planning Team for Business Continuity in an Emergency form (DOC) to clearly identify the team members and coordinator who will create your BCP for emergencies, along with their respective contact information.
During an emergency, your business may experience a disruption in your operations due to:
- High staff absenteeism
- Unavailability of supplies and materials
- Interruptions to services like power, transportation and communications.
Objective of the business continuity planning process
Determine how your organization will maintain essential services/functions in the event of an emergency.
What are essential services
- A service when not delivered, creates an impact on the health and safety of individuals.
- A service that may lead to the failure of a business unit if activities are not performed in a specified time period.
- In some organizations, services that must be performed to satisfy regulatory requirements.
- A service where if not performed, the impact may be immediate or may occur over a certain time period.
This means that your business may be forced to modify, reduce, or even eliminate specific services/functions to cope with the impacts of the emergency. These impacts may be felt across the organization or localized to specific business units.
As you begin discussions, you may find that you have existing resources that you can use to extract information about essential services in your organization (e.g., pandemic influenza plans, Y2K plan, etc.)
How to determine and prioritize your essential services
1. complete the essential services ranking template.
This will help you create your list of essential services by department or business unit. You then need to rate the degree to which it will negatively impact the various key areas such as financial, employees, customers etc.
2. Prioritize and categorize, use the Essential Services Criticalness Factor template
For each essential service, assign a "degree of criticalness" (Priority A, B or C). Rate the impact on each service such as staff absenteeism, unavailability of critical supplies, or disruptions to essential systems.
- Priority A: Essential services/functions
- Priority B: Services that can be suspended for a short period of time (for example, services that can be suspended for one month).
- Priority C: Services that can be suspended for an extended period of time. This may require a corporate overview.
As part of your business continuity planning process, you'll need to identify the number of staff and skills required to perform and maintain the essential services/functions.
Use the Essential Services Criticalness Factor template to help you capture the information necessary to develop your plan.
Try to identify any special requirements necessary to perform the essential services/functions (for example, license to operate heavy machinery).
You may also wish to prepare a list of special tasks and skills required in emergency situations and assign them to appropriate employees, e.g. crisis management team, employee support, IT backup, defining security perimeters etc.
Additional sites with useful information:
- Public Safety Canada
- Canadian Center for Emergency Preparedness
- Canadian Red Cross
Discuss what will happen if you have to reduce, modify or eliminate essential services or functions. Document the following points:
- All the issues that are identified
- Action plans for each issue
- The responsibilities of designated people for each essential service or function.
Strategies and action plans
Use the Action Plan Template for Maintaining Essential Service (DOC) to write your plans for each essential service or function. This should include:
- A description of the service or function
- Individuals responsible for implementing the action plan
- Backup individuals
- Business impact issues
- Action plans: Include key items such as notification communication plan, staff relocation, alternate resources, suppliers, etc.
- Resource needs
Use the supplied templates to create lists of all your key contacts along with their contact information.
Being proactive in contacting important customers can go a long way in mitigating losses. Use the Action Plan Template for Key Customers (DOC) to list customers who would need and expect personal notification from you, or who would be offended or take their business elsewhere if they were not contacted.
Include the following information in your list:
- Product or service provided: A description of the product or service you provide. Use the comments main to indicate the reason that this customer should be contacted in an emergency.
- Contact person's name: For some customers, there may not be a specific person to list. As appropriate, you can list a title or department, e.g., "service representative on call" or "service department."
- Contact phone numbers: Include all possible ways to reach the customer, including fax, cellular, pager, after-hours number if different from the normal number, and toll-free numbers in addition to the normal number.
- Alternate names and numbers: Where possible, list alternatives to the primary contact person.
- 24-hour service: If your customer does not have 24-hour service, discuss with them how to contact them during off-hours. Reassure them that the information will have limited distribution, and ask for home telephone numbers if cellular or pager numbers are not sufficient.
- Comments: Include any significant information including the reason this customer should be contacted following an incident, instructions the customer would need, etc.
Suppliers and sub-contractors
Use the Action Plan Template for Critical Suppliers (DOC) to list essential information on your key suppliers. The information should be the same as that described for Key Customers, above.
Business partners and support providers
This main is for important partners who do not fall into the earlier categories, but that you would need to contact in the event of an emergency:
- Business partners (internal and external) that are neither vendors nor customers. These could include internal business units who rely on your business for information, your management, and internal business units that would support your recovery. Examples include corporate insurance, internal security, facilities, public relations and legal entities.
- Support providers include emergency-response agencies such as police, fire, utility companies, and the Canadian Red Cross (if your community uses the 911 system, that should be documented).
Use the Action Plan Template for Business partners (DOC) to list essential information about these other partners. The information should be the same as that described for Key Customers above.
Review your Business Continuity Plan to make sure that all issues have been addressed, and identify any areas in which you may need additional documentation.
The "Business Continuity Plan Checklist" (DOC) provided by Capital Health was developed to ensure that you've covered most aspects of your plan.
Impact on your business
Impact on your employees and customers, establishing policies to be implemented during an emergency.
- Allocating resources to protect your employees and customers
Communicating with employees
Coordinating with external organizations and helping your community.
- Have you identified an emergency coordinator or team and clearly defined their roles and responsibilities? Do you need to involve labour representatives?
- Have you identified the employees and critical inputs you need to maintain business operations during an emergency?
- Have you trained and prepared a backup workforce?
- Have you planned for scenarios that are likely to affect the demand for your products or services during an emergency?
- What is the potential impact of an emergency on company financials? On different product lines or production sites?
- What is the potential impact of an emergency on business-related domestic and international travel?
- Do you have access to up-to-date, reliable information on emergencies from community public health, emergency management, and other sources? Are the links to this information sustainable?
- Do you have an emergency communication plan?
- What mechanisms are in place to revise the plan periodically?
- Have you tested your plan?
- Have you forecasted and allowed for employee absences during an emergency?
- Do you have guidelines to reduce face-to-face contact in the workplace and with customers, in the event of a pandemic?
- Do you encourage and monitor annual employee flu vaccinations?
- Have you evaluated employee access to and availability of healthcare services during an emergency? Do these services need improvement?
- Have you evaluated employee access to and availability of mental health and social services during an emergency?
- Have you identified employees and key customers with special needs? Are their needs incorporated into your BCP?
- Have you established emergency policies for employee compensation and sick-leave absences?
- Have you established flexible policies regarding worksite and work hours?
- Have you established policies to prevent the influenza spread of disease at the worksite?
- Do you have policies for employees who have been exposed, are suspected to be ill, or become ill at the worksite?
- Have you established policies for restricting travel to affected geographic areas, evacuating employees working in or near an affected area when an emergency occurs, and guidance for employees returning from affected areas?
- Have you set up authorities, triggers, and procedures for activating and terminating the company's response plan, for altering business operations and for transferring business knowledge to key employees?
Allocating resources to protect your employees and customers during an emergency
- Do you provide sufficient and accessible emergency supplies?
- Do you need to enhance communications and information technology infrastructures to support employee telecommuting and remote customer access?
- Will medical consultation and advice be available for emergency response?
- Have you developed and disseminated programs and materials covering emergency fundamentals?
- Have you anticipated and planned for employee fear and anxiety, rumours and misinformation?
- Are your communications culturally and linguistically appropriate?
- Have you disseminated information to employees about your emergency preparedness and response plan?
- Have you provided information for the at-home care of ill employees and family members?
- Do you have a platform for communicating emergency status and actions to employees, vendors, suppliers, and customers inside and outside the worksite in a consistent and timely way? Have you included redundancies in the emergency contact system?
- Have you identified community sources for timely and accurate emergency information? Resources for obtaining safety equipment and counter-measures?
- Have you consulted insurers, health plans, and major local healthcare facilities to share your emergency plans and understand their capabilities and plans?
- Have you consulted federal, provincial, and local public agencies or emergency responders?
- Have you asked local or provincial public agencies or emergency responders what your business could contribute to the community?
- Do you share best practices with other businesses in your communities, chambers of commerce, and associations to improve community response efforts?
You should present a draft of the Business Continuity Plan to your emergency preparedness team for review and/or comment. Since the committee will have an understanding of the overall corporate impact of an emergency, they should review to ensure that your plan:
- Is consistent for all business units/departments.
- Addresses all critical elements .
The committee should also be in charge of monitoring the progress of the initiative .
Be proactive: put your plan to the test by performing trial runs. This will help you identify any missing aspects or weaknesses.
- 5 tips to minimize the risk of a disaster for your business
- What is strategic planning?
- Strategic planning: Realize your company's potential
- Business performance benchmarking tool
- Business continuity plan templates
- Business plan template
- Apply online for a flexible small business loan up to $100k
- Protect your cash flow with a working capital loan
- Advisory services
- Human Resources Growth
5 Essential Steps to Business Continuity Planning
While over half of small and midsize business owners say it would take at least three months to recover from downtime, 60% don't have an emergency response plan . However, according to Gartner , the average cost of downtime can climb up to $5,600 per minute.
When it comes to business continuity planning, there are several critical issues leaders should be addressing. You must lay out the steps you will take to react to business shocks now, but also entirely reshape your business continuity plan.
Now is the time to create an active recovery plan if your organization doesn't have one. It takes effort, but you will give your business the best chance at survival after (and during) an unexpected event.
Keep reading to learn the steps to effective business continuity planning.
What Is Business Continuity Planning?
Business Continuity Planning focuses on maintaining business functions or efficiently resuming them in the event of a major disaster. A major disaster can be anything from a flood, fire, malicious cybercriminal to a pandemic.
A business continuity plan (BCP) outlines the procedures your organization will follow in the face of such disasters. It covers crisis communication strategy, assets, business partners, human resources, and more.
You've likely heard of a disaster recovery plan that focuses on restoring IT infrastructure and operations after a disaster. However, disaster recovery is one small part of a complete BCP, as it seeks to ensure the continuity of the entire organization.
As time passes and the COVID-19 pandemic is controlled, organizations must review and renew business continuity plans. You will need to assess how your current BCPs are working—if you have any.
The best way to locate any gaps is through business continuity testing . If you spot deficiencies, you must highlight them and identify the root causes, whether it's external environmental issues, lack of infrastructure, or timeliness of action.
Agility Planner is an intuitive business continuity planning and preparation tool that streamlines, simplifies, and supports your BC management process. Agility Planner has been developed to help your business go from reactive to proactive with its business continuity planning.
Then, outline new procedures based on lessons learned, and contingency plans to build resilience and adequately respond to future disasters.
COVID-19 is unlike anything our economy has ever experienced, so it was impossible to prepare for with traditional wisdom and forecasting tools. However, you should view this disaster as something to learn from and carry the lessons learned forward once the pandemic has passed , and you've had time to analyze your response.
Top Threats to Your Organization's Continuity
Depending on your industry and level of risk, every organization will have different primary threats to daily business. Risk assessments before creating a BCP is helpful for this reason. You don't need to have a plan for every possible scenario, but you should watch out for the following common disruptors.
You've likely experienced how a global pandemic can throw a wrench in the best of business plans, from all angles.
Many employees must work from home, demand for specific items grows, and supplies decrease due to disturbances across the supply chain.
When considering how your organization will respond to a global pandemic, put in place a solid disaster communication plan. You'll need to envision how your employees will work together and conduct necessary business offsite.
It's also necessary to consider alternate suppliers and products to avoid a single point of failure.
Use what's happening now to determine what is and isn't working for your business, then plan for how you will handle similar scenarios in the future.
Imagine the disruption to your "business as usual" that would be caused by a loss of communication lines, power generation, or water shutoffs.
Unexpected utility outages can also potentially damage physical assets, causing a loss of productivity and downtime.
Power outages have been on the rise in the past couple of years . Particularly, the region that got affected the most was the state of California, with hundreds of thousands of customers being affected in April alone . A single power outage event can devastate an organization's revenue, productivity, capacity, and labor. Increasingly, utilities are practicing planned de-energization events, or Public Safety Power Shutoffs (PSPSs). As a last resort to prevent power lines from starting wildfires and putting human lives in danger, planned power outages are scheduled to take place during hot, dry days.
A natural disaster describes any weather-related disaster, such as hurricanes, tornadoes, ad tsunamis. It also refers to natural phenomena such as earthquakes, volcanic eruptions, and wildfires.
The worst disasters happen in an instant and are impossible to predict. Any business could experience grave damage to its physical structures and assets.
Natural disasters also disrupt supply chains in affected areas, causing a lack of supply for in-demand items.
A cyberattack is a malicious computer-based attack on a technical asset.
Cyberattacks include data theft, ransomware attacks, SQL injections, and distributed denial of services (DDoS) attacks.
If you have the right security measures in place, you may only experience limited IT functionality until the issue is resolved. If you don't have data backup or recovery, you could potentially lose access to valuable business data. We have developed a brief and actionable cybersecurity checklist to help your organization take the first steps to check for any signs that may lead to a data breach or a cyberattack at your organization and develop preventative measures to safeguard your operations.
Steps to Creating a Business Continuity Plan
While creating an effective BCP is a lot of work, it's a critical piece of operating a resilient business.
You, your appointed business continuity team, and your staff must take continuity planning seriously. Here are five steps to help you get started.
Step 1: Assemble a Business Continuity Management Team
The makeup of your team depends on your continuity objectives and the size of your company.
A good BCP should detail what your staff needs to do in the event of a disaster, what communication methods are required, and the timeframe in which critical IT services need to be available.
- Create a contact list of key people involved in your company's BCP, including names, titles, and communication info (both work and personal) such as phone numbers, email addresses.
- Provide a detailed overview of their roles and responsibilities so that everyone knows what is expected of them in an outage event.
- Have a process in place for how your BCP will be updated and how these updates will be communicated to the team.
This team will prepare standards for the project and train additional team members. They will also identify clear processes to improve project flow.
Step 2: Ensure the Safety and Wellbeing of Your Employees
- When planning, you must prepare to prioritize the safety of your employees amid a crisis. They will look to you, their community, and the government for guidance. Be proactive and transparently address their concerns. Right now, many companies have to decide to initiate or expand remote work arrangements and other policies that allow employees to work flexibly.
- Depending on your industry, you'll want to reallocate resources and reorganize teams, as well as establish employee wellbeing programs and procedures that support a safe working environment .
- Make sure you have proper communication channels in place to get in touch with all of your employees at the same time. Sending an email may not be sufficient if the wifi is down. Consider implementing a BC Planning software with an integrated emergency messaging tool to ensure all business processes are continuous, and everyone is safe. Communicate with your teams early and regularly. You want to engage your employees as you navigate through the current crisis.
Reimagining your usual business environment while minimizing disruptions requires a delicate balance. In some situations, telecommuting and flexible work arrangements aren't possible. In scenarios during which you'll have workers in direct contact with customers, you must prepare to provide personal protective equipment.
Step 3: Understand the Risks to Your Company
Once your business continuity management team is assembled, you must conduct a business impact analysis (BIA).
This type of analysis will help you identify specific threats to financial performance, operations, supply chains, reputation, employees. It can serve as a starting point when identifying risks.
You and your team should brainstorm a list of threats and potential risks to your business. Then discuss how the risks mentioned above could affect business operations.
Don't undermine the importance of this step—or how long it could take. A proper BIA will typically involve a comprehensive questionnaire to gather the breadth of information you will need. BCP production tools such as Agility Planner help get started with creating a BCP or a BIA and provide access to historical data and ready-to-use templates.
Step 4: Implement Recovery Strategies
Once a disaster occurs, and financial losses begin to grow, it can be challenging to get back on track without a BCP in place. Consider the following questions as you discuss options with your team:
- Do you have a way to get sales, HR, manufacturing, and support personnel back to work after a disaster to continue operating your business?
- How will you continue to meet the demand for products or services if your equipment or facility is damaged?
- If your facilities are impacted, will your employees work remotely at home or from an alternate location?
You'll address concerns like these and more in your business continuity plan.
Address Every Business Function
It's essential not to leave any business function out of your plan. Be sure to address the following:
- Level of risk
- Impact on customers and employees
- How you will communicate with stakeholders
- Financial resources available in the event of a disaster
- Emergency policy creation
- External partners who can work together with you in a mutually-beneficial way.
Set realistic timelines and intentions across your company's resilience journey to ensure you reach your goals and exceed expectations.
As you work through your plan, develop relevant reports to share with all stakeholders. Use highly visual reports to highlight areas that need attention and show progress.
Step 5: Test, Test Again and Make Improvements
No matter how long you spend perfecting it, a business continuity plan is never truly finished—just as the risks and requirements of your industry are never set in stone.
Testing your business continuity plan allows you to validate it as you manage risks. While 88% of companies test their strategies to identify gaps, 63% of them do so to validate their plans.
The result of this testing is not "pass or fail," yet continuous improvement by identifying findings through a live exercise. Prepare your organization for success by using this checklist for business continuity testing.
Prepare for Disruption with a Business Continuity Solution
While you may never encounter a significant disruption to your business, nothing is ever certain. The chances are that you'll have your fair share of hurdles.
Identify risks and what you need to do to keep your business in motion. Planning will give you a competitive edge and help alleviate any financial risk involved.
Sleep easier at night by knowing you have a plan to reduce the impact of business disruptions before, during, and after a disaster occurs. Request a demo today to learn how Agility Central can help your organization remain resilient.
Discover Agility's Software Suite
Agility offers business continuity tools to help you plan, train, and respond to disruptive incidents.
Subscribe to Our Newsletter
Get the latest business continuity news and insights
Central bc platform.
See how Agility is helping more than 4,000 businesses of all sizes across various industries plan, train, test, alert, and recover–all in one central platform.
Best Practices to Effectively Respond & Recover from Disasters
BIA Checklist for Critical Processes
How Power Loss Threatens Business Continuity
Get the Latest Business Continuity Insights
What Does a Business Continuity Plan Typically Include? [Complete Guide]
A business continuity plan (BCP) is your first line of defense against any challenge that threatens the core functionalities of your organization’s operations. When disaster strikes, your BCP should be there to reduce the time it takes to get things back up and running as usual again – as quickly as possible.
If you’re not able to react quickly to these types of incidents, your company could suffer physical harm, monetary losses, reputational damage, data integrity loss, litigation and much more.
Designing a BCP can feel overwhelming, as it’s such a critical document; where should you start? Who should be involved in the process? How should it be disseminated? These are all questions we’ll answer in this guide, including what is typically included in a BCP.
Bonus Material: Free BCP Checklist
How to Create a Business Continuity Plan
It’s important to actively invest time and energy into preparing for any potential risk before a potential event of a disaster so that if or when it does, your BCP directs you to the necessary resources to return to business as usual. That’s why creating and developing your BCP needs to involve a great deal of strategy and intention.
Taking a risk-based approach is the best way to go about developing your business continuity plan and avoid the need to use implement a disaster recovery plan. Through a risk-based approach, you follow the following steps: identify, assess, mitigate, monitor, connect and report. Here’s how to apply each of these steps during the lifecycle of your BCP:
- Start by identifying your most critical processes. When a business continuity event occurs, taking a risk-based approach ensures that you understand what the most critical processes to your organization are that need to be prioritized first to get back up and running to minimize any impacts.
- Next, assess your various risks. By evaluating all of the various types of risks that an incident could bring up – such as financial, reputational, customer, legal or strategic impact – you’re able to adequately determine which steps must be included in your BCP to minimize those impacts.
- Be sure to implement strategic mitigations as part of your business impact analysis. Building a business continuity plan through a risk-based lens empowers you to design more effective policies and procedures that simultaneously minimize the impact of the disruption at hand.
- Monitor the effectiveness of your controls over time. Otherwise, your BCP won’t align with your risks, leaving you likely to be caught off guard next time a business continuity event occurs.
- Your BCP does not exist in isolation, so be sure to connect departmental efforts. This allows you to identify interdependencies that must be known if an event occurs to ensure all steps are taken.
- Reporting is a key step in the risk-based approach, as it reveals patterns over time so that you can improve your BCP development where needed and keep your organization protected from any future disruption.
What Should my Business Continuity Plan Include?
Your BCP should include:
- An analysis of all critical functions within your business. This will allow for preparation of resources.
- A prioritized list of risks that pose a severe or even catastrophic threat to your business. These can be prioritized through risk tolerances and risk appetite so you can visualize which ones fall farthest out of that range.
- A list of specific strategies (or mitigation activities) that help protect the critical components you identified earlier in the BCP.
- Evidence that the strategies have been tested across critical business functions, using key metrics, indicators and financial scenarios.
- Dashboards and reports that uncover challenges and allow you to update the plan and your business processes over time.
Examples of Potential Unforeseen Risks
Naturally, your BCP will include risks that you deem a threat to your business. It can be difficult to begin writing that list when you’re not sure exactly what should be on it. In Risk Management, it’s important to consider potential risks that others may not have ever predicted to become reality (many people today say they never imagined in their lifetime that they would experience a pandemic).
Here is a list of potential unforeseen risks that pose a threat to business continuity:
- The sudden unavailability of a key vendor-provided service
- A regional power outage
- Abandonment in leadership
- Data protection issue
- Supply chain issues
- Getting sued
- An industry strike
- Pest infestation
- Natural disasters
- Winning the lottery
- Receiving a life-threatening diagnosis
- Getting in an accident
- A threat to national security, such as a terrorist attack
- Collapse of infrastructure
- And perhaps the most timely example of all, a pandemic (check out our complete guide to building a BCP for COVID-19 here )
BCP Best Practices
Like we mentioned earlier in this guide, it’s important to take a risk-based approach when creating your BCP. This will help you better preserve your business reputation, build up customer confidence and allow you to gain a competitive advantage. It will also ensure that you can avoid situations of disaster recovery. (Read our full guide on Business Continuity vs. Disaster Recovery )
To receive these benefits, it’s best practice to leverage robust business continuity planning software . This enables you to inherently take a risk-based approach and demonstrates to customers and stakeholders that you are prioritizing business continuity planning. This is especially true today amidst our ever-evolving disruptive business environment and the See-Through Economy.
Your business continuity plan will be different from anyone else’s, which is why it’s important to dedicate time and resources to creating one that fits your unique needs and risk factors. Working with a professional risk consultant is just one added benefit that’s included with your partnership with LogicManager. With their help, you’ll be able to better leverage the tools and resources included in our integrated ERM software, as well as our solution package for business continuity development .
FREE DOWNLOAD: BCP Checklist
Download our free BCP checklist to ensure that you are on the right track with your business continuity planning.
How Often Should A BCP Be Reviewed?
Business Continuity vs. Disaster Recovery: What Is The Difference?
Return To School Covid 19 Plan: Lessons In Pragmatic Risk Management as School Reopening Begins
Covid-19 Second Wave Risk Mitigation: Return To Work Negligence Waiting to Happen
My Favorites List
Submit your Favorites List and our experts will reach out to you with more information. You will also receive this list as an e-mail which you can share with others. Here are the solutions you've added to your list so far:
An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Business Continuity Plan
Business Continuity Planning Process Diagram - Text Version
When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Information technology (IT) includes many components such as networks, servers, desktop and laptop computers and wireless devices. The ability to run both office productivity and enterprise software is critical. Therefore, recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
Resources for Business Continuity Planning
- Standard on Disaster/Emergency Management and Business Continuity Programs - National Fire Protection Association (NFPA) 1600
- Professional Practices for Business Continuity Professionals - DRI International (non-profit business continuity education and certification body)
- Continuity Guidance Circular - Federal Emergency Management Agency
- Open for Business® Toolkit - Institute for Business & Home Safety
Business Continuity Impact Analysis
Business continuity impact analysis identifies the effects resulting from disruption of business functions and processes. It also uses information to make decisions about recovery priorities and strategies.
The Operational & Financial Impacts worksheet can be used to capture this information as discussed in Business Impact Analysis . The worksheet should be completed by business function and process managers with sufficient knowledge of the business. Once all worksheets are completed, the worksheets can be tabulated to summarize:
- the operational and financial impacts resulting from the loss of individual business functions and process
- the point in time when loss of a function or process would result in the identified business impacts
Those functions or processes with the highest potential operational and financial impacts become priorities for restoration. The point in time when a function or process must be recovered, before unacceptable consequences could occur, is often referred to as the “Recovery Time Objective.”
Resource Required to Support Recovery Strategies
Recovery of a critical or time-sensitive process requires resources. The Business Continuity Resource Requirements worksheet should be completed by business function and process managers. Completed worksheets are used to determine the resource requirements for recovery strategies.
Following an incident that disrupts business operations, resources will be needed to carry out recovery strategies and to restore normal business operations. Resources can come from within the business or be provided by third parties. Resources include:
- Office space, furniture and equipment
- Technology (computers, peripherals, communication equipment, software and data)
- Vital records (electronic and hard copy)
- Production facilities, machinery and equipment
- Inventory including raw materials, finished goods and goods in production.
- Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
- Third party services
Since all resources cannot be replaced immediately following a loss, managers should estimate the resources that will be needed in the hours, days and weeks following an incident.
Conducting the Business Continuity Impact Analysis
The worksheets Operational and Financial Impacts and Business Continuity Resource Requirements should be distributed to business process managers along with instructions about the process and how the information will be used. After all managers have completed their worksheets, information should be reviewed. Gaps or inconsistencies should be identified. Meetings with individual managers should be held to clarify information and obtain missing information.
After all worksheets have been completed and validated, the priorities for restoration of business processes should be identified. Primary and dependent resource requirements should also be identified. This information will be used to develop recovery strategies.
If a facility is damaged, production machinery breaks down, a supplier fails to deliver or information technology is disrupted, business is impacted and the financial losses can begin to grow. Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis .
Recovery strategies require resources including people, facilities, equipment, materials and information technology. An analysis of the resources required to execute recovery strategies should be conducted to identify gaps. For example, if a machine fails but other machines are readily available to make up lost production, then there is no resource gap. However, if all machines are lost due to a flood, and insufficient undamaged inventory is available to meet customer demand until production is restored, production might be made up by machines at another facility—whether owned or contracted.
Strategies may involve contracting with third parties, entering into partnership or reciprocal agreements or displacing other activities within the company. Staff with in-depth knowledge of business functions and processes are in the best position to determine what will work. Possible alternatives should be explored and presented to management for approval and to decide how much to spend.
Depending upon the size of the company and resources available, there may be many recovery strategies that can be explored.
Utilization of other owned or controlled facilities performing similar work is one option. Operations may be relocated to an alternate site - assuming both are not impacted by the same incident. This strategy also assumes that the surviving site has the resources and capacity to assume the work of the impacted site. Prioritization of production or service levels, providing additional staff and resources and other action would be needed if capacity at the second site is inadequate.
Telecommuting is a strategy employed when staff can work from home through remote connectivity. It can be used in combination with other strategies to reduce alternate site requirements. This strategy requires ensuring telecommuters have a suitable home work environment and are equipped with or have access to a computer with required applications and data, peripherals, and a secure broadband connection.
In an emergency, space at another facility can be put to use. Cafeterias, conference rooms and training rooms can be converted to office space or to other uses when needed. Equipping converted space with furnishings, equipment, power, connectivity and other resources would be required to meet the needs of workers.
Partnership or reciprocal agreements can be arranged with other businesses or organizations that can support each other in the event of a disaster. Assuming space is available, issues such as the capacity and connectivity of telecommunications and information technology, protection of privacy and intellectual property, the impacts to each other’s operation and allocating expenses must be addressed. Agreements should be negotiated in writing and documented in the business continuity plan. Periodic review of the agreement is needed to determine if there is a change in the ability of each party to support the other.
There are many vendors that support business continuity and information technology recovery strategies. External suppliers can provide a full business environment including office space and live data centers ready to be occupied. Other options include provision of technology equipped office trailers, replacement machinery and other equipment. The availability and cost of these options can be affected when a regional disaster results in competition for these resources.
There are multiple strategies for recovery of manufacturing operations. Many of these strategies include use of existing owned or leased facilities. Manufacturing strategies include:
- Shifting production from one facility to another
- Increasing manufacturing output at operational facilities
- Retooling production from one item to another
- Prioritization of production—by profit margin or customer relationship
- Maintaining higher raw materials or finished goods inventory
- Reallocating existing inventory, repurchase or buyback of inventory
- Limiting orders (e.g., maximum order size or unit quantity)
- Contracting with third parties
- Purchasing business interruption insurance
There are many factors to consider in manufacturing recovery strategies:
- Will a facility be available when needed?
- How much time will it take to shift production from one product to another?
- How much will it cost to shift production from one product to another?
- How much revenue would be lost when displacing other production?
- How much extra time will it take to receive raw materials or ship finished goods to customers? Will the extra time impact customer relationships?
- Are there any regulations that would restrict shifting production?
- What quality issues could arise if production is shifted or outsourced?
- Are there any long-term consequences associated with a strategy?
Resources for Developing Recovery Strategies
- The Telework Coalition (America’s leading nonprofit telework education and advocacy organization)
Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now? If the staff is equipped with paper order forms, order processing can continue until the electronic system comes back up and no phone orders will be lost.
The order forms and procedures for using them are examples of “manual workarounds.” These workarounds are recovery strategies for use when information technology resources are not available.
Developing Manual Workarounds
Identify the steps in the automated process - creating a diagram of the process can help. Consider the following aspects of information and work flow:
Internal Interfaces (department, person, activity and resource requirements)
- External Interfaces (company, contact person, activity and resource requirements)
- Tasks (in sequential order)
- Manual intervention points
Create data collection forms to capture information and define processes for manual handling of the information collected. Establish control logs to document transactions and track their progress through the manual system.
Manual workarounds require manual labor, so you may need to reassign staff or bring in temporary assistance.
Last Updated: 05/26/2021
Return to top
- Technical Support
6 Things Your Business Continuity Plan Should Include
June 11, 2021 | by ThinkSecure Network
Downtime and disaster strike when we least expect it. The good news, however, is that there are steps you can take to prepare for the worst. That’s where business continuity planning comes in. Here’s what you need to know about business continuity planning, and 6 tips to prevent your business from becoming one of the 25% of SMBs that fail to reopen after a disaster.
What a business continuity plan is
A business continuity plan outlines how you plan on keeping your business operational if there’s an unplanned or severe disruption to your usual services.
The business continuity plan includes, for example, data recovery and backup procedures, strategies for resuming office productivity, and communication guidelines. This means, although a disaster recovery strategy is part of any good business continuity plan, it’s only one part of a much larger strategy for keeping things moving during times of operational difficulty.
Why you should have a business continuity plan
Downtime costs businesses money. It’s estimated that the average infrastructure failure costs SMBs up to $100,000 an hour . Depending on how long the downtime persists, it may be impossible to recover.
A business continuity plan is the only way to reduce the time you spend inactive after disaster strikes.
What are some things that a business continuity plan needs?
A business continuity plan is only as good as its contents. Here are 6 things that you’ll find in every solid business continuity plan.
The key contacts
You must have clear points of contact for your employees in the event of a disaster. This means appointing someone to oversee the business continuity plan and providing their contact details to every team member. You should also have a contingency plan in case your overseer is unreachable.
Know how you’ll communicate with staff, suppliers, and customers if the systems go down. Ensure you have a secondary line of communication in place to reach people and communicate vital messages.
Understand the threats that could affect your business, whether this is a natural disaster, major cybersecurity event, or employee error, and rank these threats based on:
- How likely they are to occur
- The impact they could have on your operations
Understanding the threat you’re dealing with, and its possible ramifications, tells you how to respond should the need arise.
Suppliers and merchants
Have a means of contacting your utility suppliers, merchants, and landlord, and IT service providers should the systems fail. Knowing how you’ll contact these individuals in advance reduces the stress associated with disaster recovery.
Understand what your critical business operations are, and prioritize getting them up and running again. This should be stage one of your recovery. Implement your system recovery in phases to reduce the risk of error, system malfunction, and miscommunication.
Every business continuity plan needs a specific plan for handling natural disasters, such as hurricane or storm damage. Be aware of how likely it is that a natural disaster will affect your business and plan accordingly. You should also be aware of what you’ll do if, for example, a plumbing disaster floods the entire office and makes it uninhabitable.
Protect your business today
Your business continuity plan is critical to keeping your company operational and your data secure if disaster strikes. By including these 6 things in your business continuity plan, you’ll reduce the chance of your SMB becoming another unfortunate statistic. For more information on how to design a business continuity plan that suits your particular business needs, contact us today.
Post Topic(s): MANAGED SERVICES
Share this article
Experience the impact the right technology partner will have on your business.
Subscribe To Our Blog
Related blog articles, managed services, we are complexity management specialists.
- Help Center
Ecommerce Business Continuity Planning: 7 Steps to Assess Risk and Plan for the Unexpected
Get The Print Version
Tired of scrolling? Download a PDF version for easier offline reading and sharing with coworkers.
Share this article
- Set Procedures for Testing Recovery and Response: Create test guidelines and schedules for testing. To review the plan, consider reaching out to people who did not write the plan. Put together the forms and checklists that attendees will use during tests.
A business continuity plan is governed by a business continuity policy. You can learn more about creating a business continuity policy and find examples by reading our guide on developing an effective business continuity policy .
How to Create a Business Continuity Plan
Creating a business continuity plan (BCP) involves gathering a team, studying risks and key tasks, and choosing recovery activities. Then write the plan as a set of lists and guidelines, which may address risks such as fires, floods, pandemics, or data breaches.
According to Alex Fullick, your best bet is to create a simple plan. “I usually break everything down into three key categories: people, places, and things. If you focus on a couple of key pieces, you will be a lot more effective. That big binder of procedures is absolutely worthless. You need a bunch of guidelines to say what you do in a given situation: where are our triggers for deciding we’re in a crisis and we have to stop doing XYZ, and just focus on ABC.”
“Post-pandemic, I think new managers will develop more policies and guidelines of all types than required, as a fear response,” cautions Michele Barry.
Because every company is different, no two approaches to business continuity planning are the same. Tony Bombacino, Co-Founder and President of Real Food Blends , describes his company’s formal and informal business continuity approaches. “The first step in any crisis is for our nerve center to connect quickly, assess the situation, and then go into action,” he explains.
“Our sales manager and our marketing manager might discuss what’s going on, and say, ‘Are we going to say anything on social media? Do we need to reach out to any of our customers? The key things, like maintaining stock levels or what if somebody gets sick? What if there's a recall?’ Those plans we have laid out. But we're not a 5,000-person multi-billion-dollar company, so our business continuity plan is often in emails and Google Docs.”
“I've done planning literally for hundreds of businesses where we've just filled out basic forms,” says Mike Semel, President and Chief Compliance Officer of Semel Consulting . “For example, noting the insurance company's phone number — you know, on the back of your utility bill, which you never look at, there's an emergency number for if the power goes out or if the gas shuts off. We've helped people gather all that information and put it down. Even if there's no other plan, just having that information at their fingertips when they need it may be enough.”
You can also approach your business continuity planning as including three types of responses:
- Proactive Strategies: Proactive approaches prevent crises. For example, you may buy an emergency generator to keep power running in your factory, or install a security system to prevent or limit loss during break-ins. Or you may create a bring-your-own-device (BYOD) policy and offer training for remote workers to protect your network and data security.
- Reactive Strategies: Reactive strategies are your immediate responses to a crisis. Examples of reactive methods include evacuation procedures, fire procedures, and emergency response strategies.
- Recovery Strategies: Recovery strategies describe how you resume operations to produce a minimum acceptable level of service. The recovery plan includes actions to stand up temporary processes. The plan also describes the longer-term efforts, such as relocation, data restoration, temporary workaround processes, or outsourcing tasks. Recovery strategies are not limited to IT and data recovery.
Quick-Start Guide Business Continuity Plan Template
If you don’t already have a business continuity plan in place, but need to create one in short order to respond to a disruption, use this quick-start business continuity template. This template is available in Word and Google Docs formats, and it’s simply formatted so that you can focus on brainstorming and problem-solving.
Download Quick-Start Guide Business Continuity Plan Template
Word | PDF | Google Docs | Smartsheet
For other most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article.
Key Components of a Business Continuity Plan
Your company’s complete business continuity plan will have many details. Your plan may differ from other companies' plans based on industry and other factors. Each facility or business unit may also conduct an impact analysis and create disaster recovery and continuity plans . Consider adding these key components to your business plan:
- Contact Information: These pages include contact information for key employees, vendors, and critical third parties. Locate this information at the beginning of the plan.
- Business Impact Analysis: When you conduct business impact analysis (BIA), you evaluate the financial and other changes in a disruptive event (you can use one of these business impact templates to get started). Evaluate impact in terms of brand damage, product failure or malfunction, lost revenue, or legal and regulatory repercussions.
- Risk Assessment: In this section, assess the potential risks to all aspects of the organization’s operations. Look at potential risks related to such matters as cash on hand, stock levels, and staff qualifications. Although you may face an infinite number of potential internal and external risks, focus on people, places, and things to keep from becoming overwhelmed. Then analyze the effects of any items that are completely lost or need repairs. Also, understand that risk assessment is an ongoing effort that works in tandem with training and testing. Consider adding a completed risk matrix to your plan. You can create one using a downloadable risk matrix template .
- Critical Functions Analysis and List: As a faster alternative to a BIA, a critical functions analysis reveals what processes are critical to keeping your company running. Examples of critical functions include payroll and wages, accounts receivable, customer service, or production. According to Michele Barry, with a values-based approach to critical functions, you should consider who you really are as a company. Then decide what you must continue doing and what you can stop doing.
- Trigger and Disaster Declaration Criteria: Here, you should detail how your executive management will know when to declare an emergency and initiate the plan.
- Succession Plan: Identify alternate staff for key roles in each unit. Schedule time throughout the year to observe alternates as they make important decisions and complete recovery tasks.
- Alternate Suppliers: If your goods are regulated (i.e., food, toy, and pharmaceutical manufacturing), your raw resources and parts must always be up to standard. Source suppliers before a crisis to ensure that regulatory vetting and approval do not delay supplies.
- Operations Plan: Describe how your organization will resume and continue daily operations after a disruption. Include a checklist with such items as supplies, equipment, and information on where data is backed up and where you keep the plan. Note who should have copies of the plan.
- Crisis Communication Strategy: Detail how the organization will communicate with employees, customers, and third-party entities in the event of a disruption. If regular communications systems are disabled, make a plan for alternate methods. Download a free crisis communication strategy template to get started on this aspect.
- Incident Response Plan: Describe how your organization plans to respond to a range of likely incidents or disruptions, and define the triggers for activating the plan.
- Alternate Site Relocation: The alternate site is the location that the organization moves to after a disruption occurs. In the plan, you can also note the transportation and resources required to move the business and the processes you must maintain in this facility.
- Interim Procedures: These are the critical processes that must continue, either in their original or alternate forms.
- Restoration of Critical Data: Critical data includes anything you must immediately recover to maintain normal business functions.
- Vendor Partner Agreements: List your organization’s key vendors and how they can help you maintain or resume operations.
- Work Backlog: This includes the work that piles up when systems are shut down. You must complete this work first when processes start again.
- Recovery Strategy for IT Services: This section details the steps you take to restore the IT processes that are necessary to maintain the business.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): RTO refers to the maximum amount of time that a company can stop its processes and the length of time without access to data before productivity substantially drops. Determine RTOs for each unit, factoring in people, places, and things.
- Backup Plans: What if plans, processes, or resources fail or are unavailable? Determine alternatives now, so you don't have to scramble. Decide on a backup roster for personnel who are unavailable.
- Manual Workarounds: This section details how a business can operate by hand, should all failsafe measures break down.
- External Audit Details: For regulated organizations, external audits may be compulsory. Your scheduled internal audits will prepare you for external audits.
- Test and Exercise Plan: Identify how and when you will test the continuity plan, including details about periodic tabletop testing and more complex real-world scenario testing.
- Change Management: Note how you will incorporate learnings from tests and exercises, disseminate changes, and review the plan and track changes.
Key Resources for Business Continuity
To fix problems, restore operations, or submit an insurance claim, you need readily available details of the human resources and other groups that can assist with business continuity. (Your organization's unique situation may also require specific types of resources.) Add this information to appendices at the back of your continuity plan.
Fullick suggests broadening the definition of human assets. "People are our employees, certainly. But we forget that the term ‘people’ includes executive management. Management doesn't escape pandemics or the flu or a car crash. Bad things can happen to them and around them, too."
Use the following list as a prompt for recording important information about your organization. Your unique situation may require other types of information.
- Lists of key employees and their contact information. Also, think beyond C-level and response team members to staff with long-term or specialized knowledge
- Disaster recovery and continuity team contact names, roles, and contact information
- Emergency contact number for police and emergency services for your location
- Non-emergency contact information for police and medical
- Emergency and non-emergency contact numbers for facilities issues
- Board member contact information
- Personnel roster, including family or emergency contact names and numbers for the entire organization
- Contractors for any repairs
- Client contact information and SLAs
- Insurance contacts for all plans
- Key regulatory contacts.
- Legal contacts
- Vendor contact information and partner agreements and SLAs
- Addresses and details for each office or facility
- Primary and secondary contact and information for each facility or office, including at least one phone number and email address
- Off-site recovery location
- Addresses and access information for storage facilities or vehicle compounds
- Funding and banking information
- IT details and data recovery information, including an inventory of apps and license numbers
- Insurance policy numbers and agent contact information for each plan, healthcare, property, vehicle, etc.
- Inventory of tangibles, including equipment, hardware, supplies, fixtures, and fittings (if you are a supplier or manufacturer, include an inventory of raw materials and finished goods)
- Lease details
- Licenses, permits, other legal documents
- List of special items that you use regularly, but don't order frequently
- Location of backup equipment
- Utility account numbers and contact information (for electric, gas, telephone, water, waste pickup, etc.)
Activities to Complete Before Writing the Business Continuity Plan
Before you write your plan, take these preliminary steps to assemble a team and gather background information.
- Incident Commander: This person is responsible for all aspects of an emergency response.
- Emergency Response Team: The emergency response team refers to the group of people in charge of responding to an emergency or disruption.
- Information Technology Recovery Team: This group is responsible for recovering important IT services.
- Alternate Site/Location Operation Team: This team is responsible for maintaining business operations at an alternate site.
- Facilities Management Team: The facilities management team is responsible for managing all of the main business facilities and determining the necessary responses to maintain them in light of a disaster or disruption.
- Department Upper Management: This includes key stakeholders and upper management employees who govern BCP decisions.
- Conduct business impact analysis or critical function analysis. Understand how the loss of processes in each department can affect internal and external operations. See our article on business continuity planning to learn more about BIAs.
- Conduct risk analysis. Determine the potential risks and threats to your organization.
- Identify the scope of the plan. Define where the business continuity plan applies, whether to one office, the entire organization, or only certain aspects of the organization. Use the BIA and risk analysis to identify critical functions and key resources that you must maintain. Set goals to determine the level of detail required. Set milestones to track progress in completing the plan. "Setting scope is essential," Barry insists. "You need to define the core and noncore aspects of the business and the minimum requirements for achieving continuity."
- Strategize recovery approaches: Strategize how your business should respond to a disruption, based on your risk assessment and BIA. During this process, you determine the core details of the BCP, add the key components and resources, and determine the timing for what must happen before, during, and after a disruptive event.
Common Structure of a Business Continuity Plan
Knowing the common structure should help shape the plan — and frees you from thinking about form when you should be thinking about content. Here is an example of a BCP format:
- Business Name: Record the business name, which usually appears on the title page.
- Date: The day the BCP is completed and signed off.
- Purpose and Scope: This section describes the reason for and span of the plan.
- Business Impact Analysis: Add the results of the BIA to your plan.
- Risk Assessment: Consider adding the risk assessment matrix to your plan.
- Policy Information: Include the business continuity policy or policy highlights.
- Emergency Management and Response: You can detail emergency response measures separately from other recovery and continuity procedures.
- The Plan: The core of the plan details step-by-step procedures for business recovery and continuity.
- Relevant Appendices: Appendices can include such information as contact lists, org charts, copies of insurance policies, or any supporting documents relevant in a crisis.
Keep in mind that every business is different — no two BCPs look the same. Tailor your business continuity plan to your company, and make sure the document captures all the information you need to keep your business functioning. Having everything you need to know in an emergency is the most crucial part of a BCP.
Disruptive Incident Quick-Reference Card Template
Use this quick-reference card template to write the key steps that employees should take in case of an emergency. Customize this template for each business unit, department, or role. Describe what people should do immediately and in the following days and weeks to continue the business. Print PDFs and laminate them for workstations or wallets, or load the PDFs on your mobile phone.
Download Disruptive Incident Quick-Reference Card Template
Expert Disaster Preparation Checklist
Business continuity and disaster planning aren’t just about your buildings and cloud backup — it’s about people and their families. Based on a document by Mike Semel of Semel Consulting, this disaster checklist helps you prepare for the human needs of your staff and their families, including food, shelter, and other comforts.
Tips for Writing a Business Continuity Plan
With its many moving parts and considerations, a business continuity plan can seem intimidating. Follow these tips to help you write, track, and maintain a strong BCP:
- Take the continuity management planning process seriously.
- Interview key people in the organization who have successfully managed disruptive incidents.
- Get approval from leadership early on and seek their ongoing championship of continuity preparedness.
- Be flexible when it comes to who you involve, what resources you need, and how you achieve the most effective plan.
- Keep the plan as simple and targeted as possible to make it easy to understand.
- Limit the plan to practical disaster response actions.
- Base the plan on the most up-to-date, accurate information available.
- Plan for the worst-case scenario and broadly cover many types of potential disruptive situations.
- Consider the minimum amount of information or resources you need to keep your business running in a disaster.
- Use the data you gather in your BIA and risk analysis to make the planning process more straightforward.
- Share the plan and make sure employees have a chance to review it or ask questions.
- Make the document available in hard copy for easy access, or add it to a shared platform.
- Continually test, review, and maintain your plan to keep it up to date.
- Keep the BCP current with organizational and regulatory changes and updates.
Empower Your Teams to Build Business Continuity with Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Preparing a financial plan for your business is important if you plan to pursue business finance options such as loans, according to Inc. Business finance companies look at the short-term viability as well as the long-term potential of a bu...
There are a few simple things you can do to make planning for the future easier. Things like establishing a savings habit, making it automatic, and calculating how much you’ll need.
It’s impossible to eliminate all business risk. Therefore, it’s essential for having a plan for its management. You’ll be developing one covering compliance, environmental, financial, operational and reputation risk management.
Anatomy of a business continuity plan · Identify the scope of the plan. · Identify key business areas. · Identify critical functions. · Identify dependencies
What are your top 5 most important processes? What systems or applications are needed to support your operations? How does [X department] depend
This should include: A description of the service or function; Individuals responsible for implementing the action plan; Backup individuals; Business impact
Steps to Creating a Business Continuity Plan · Step 1: Assemble a Business Continuity Management Team · Step 2: Ensure the Safety and Wellbeing of
What Should my Business Continuity Plan Include? · An analysis of all critical functions within your business. · A prioritized list of risks that
Resource Required to Support Recovery Strategies · Employees · Office space, furniture and equipment · Technology (computers, peripherals
The business continuity plan includes, for example, data recovery and backup procedures, strategies for resuming office productivity, and communication
for businesses based on three types of disruptions that could occur individually
Creating Your Ecommerce Business Continuity Plan · 1. Identify objectives and goals of the plan. · 2. Establish an emergency preparedness team. · 3. Perform a risk
Creating a business continuity plan (BCP) involves gathering a team, studying risks and key tasks, and choosing recovery activities. Then write
A business continuity plan is a written document outlining how a business will operate during an emergency. The Department of Homeland Security (DHS)