A Guide to Business Continuity Plan
The Only Business Continuity Plan Guide You Will Need
From the definition of business continuity and its related plans to the description of the planning involved in establishing the business continuity plan, right down to its management, we cover everything in this ultimate Business Continuity guide.
What Is a Business Continuity Plan?
The business continuity plan is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters.
According to ISO 22301¹, a business continuity plan is defined as “documented procedures that guide organizations to complete the four R’s: Respond, Recover, Resume, and Restore to a pre-defined level of operations following disruption.”
The business continuity plan aims at meeting the four R’s against defined types of risks that can affect the organization's operations —such as floods, fires, disease outbreaks, weather-related events, cyber-attacks, and other external threats— for specified sites or geographical areas.
Key Elements of a Business Continuity Plan
There is unfortunately no one-size-fits-all template that can be applied but at least the elements listed should be considered as minimum requirements.
The BCP should at a minimum contain the following elements:
- Contact information of the key individuals in charge of the BCP
- A revision log with reference to documentation that describes change management procedures - This is key for audit purposes and to ensure that only the latest versions of a BCP are available. It also makes it possible to connect changes to BCP testing, by highlighting which elements of a test drove changes in the BCP.
- Information about and/or references to BC governance, policies and standards
- The purpose and scope of the BCP - As seen later, there will most likely be multiple BCPs developed for a single organization, to address specific types of disruptions over specific entities or locations. So, it is key to know the intended application of a particular BCP.
- Instructions about how to use the plan end-to-end, from activation to de-activation phases
- Service Level Agreements (SLAs) over key business processes, defining the amount of time within which these processes must be restored.
- References to Disaster Recovery, Crisis Management and Emergency Response plans and procedures along with the identification of key roles and individuals.
- References to Runbooks detailing all applicable procedures step-by-step, with checklists and flow diagrams.
- A glossary of terms used in the plan
- A schedule showing dates for reviewing, testing and updating the plan, along with a record of past test dates and references to the results of these tests.
Each organization will have other items it deems important enough to include in its BCP. There is unfortunately no one-size-fits-all template that can be applied to meet every business's needs.
The Lifecycle of an Active Business Continuity Plan
Great, you have a solid BCP. And now what? What happens when a crisis hits?
Business Continuity Plan Activation
A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is how a business is best protected, as it enables fast BCP activation when required. Obviously, this will vary with the type of disruption, as not all disruptions are equal.
The response to a pandemic such as COVID-19 would provide more time to plan and decide what parts of a BC plan to activate. In this case, it is most likely that the activation decision would be taken at the highest level of the chain.
In contrast, a shooting in an office building would most likely trigger the activation of that local BCP by the members of the teams located there. The activation would put in motion various elements of the BCP, including the reporting and potential further activations up the chain of command. The situation may end up being managed at a different level later for various reasons.
The BCP should ensure that many members of the BC team, at various levels of the organization, are empowered to act as leaders and activate a BCP, in order to enable a swift response when needed. Proper availability and coverage of these individuals is essential (designated backups in case of absence, redundancy in locations, shifts, etc.).
Systems and procedures should also be in place to record events as they take place, or soon after (time stamps for events or decisions, people or agencies involved, etc).
Business Continuity Plan De-activation
It is the responsibility of the Crisis Management Team to decide when the BCP needs or can be de-activated. The highest “ranked” individual in the activated crisis management cell is the one to make the call.
The BCP should incorporate the criteria to be met to start the deactivation process, and during the step-down process itself (validate at each step that the situation meets set criteria and conditions). At this stage, it is usually easier to properly document all these steps, and record time stamps, decision-makers' names, and any other pieces of information that may be valuable for a later review of the response to a disruption.
Another Consideration: BCP Accessibility
While it is impossible to list all the considerations that could apply to an organization’s BCP, there is one that is essential: the accessibility to the BCP, and any runbooks describing the applicable procedures step-by-step.
Training is of course important to make many of the activities and tasks feel like second nature for the individuals involved in executing the BCP. However, it is still highly probable that during a crisis there will be a need to check some elements of the BCP.
However old-fashioned this might feel, having print versions of the BCP available in designated locations is important, since some disruptions may bring down the IT infrastructure of an organization, or even the local grid, hence limiting or preventing any access to digital documents. Obviously, that adds another layer of management to ensure these documents are kept up-to-date. Other options can include having digital copies of a BCP hosted on other secured 3rd party systems or platforms.
Managing the Business Continuity Plan: The BC Management Team
While business continuity processes and strategies are designed to help organizations stay on track during unexpected disruptions, the success of these strategies depends largely on how well they are executed.
Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. They provide the insight, focus, and leadership that keeps a business on its feet when disaster strikes. As such, deciding who is responsible for business continuity planning, and collating the resources and technologies needed to help them operate effectively are indispensable parts of business continuity initiatives.
Putting together a strong BCM team is challenging. A world-class business continuity team is cross-functional and includes personnel drawn from pockets of expertise across the entire organization, from executives to team members drawn from legal, facilities, finance/accounting, IT, HR, etc. The roles and responsibilities of individual BCM team members are outlined in the business continuity policy.
Regardless of company size, industry vertical, or business objectives, the BCM team should comprise the following:
Sponsor
Every BCM team must be headed by a company leader with the skill and experience to oversee business continuity efforts and make high-level decisions on the focus of the BCM team. The sponsor is usually drawn from the ranks of senior management.
For large enterprises, the Risk Management Officer may lead the BCM team assisted by someone from the IT department. In smaller organizations, the CTO or CFO may be picked to head the BCM team.
The Business Continuity Steering Committee or Office
This is an interdisciplinary team at the C-suite level usually made of people overseeing key functions in the organization (COO, CIO, CSO, CISO, CPO, Legal Counsel, etc.). Their role is to ensure the BC program stays in lock-step with the corporate strategy, that proper resources are allocated and that goals are established and met within set timeframes.
In most instances, the BC Sponsor is also the chair of the Steering Committee when it exists.
The Business Continuity Plan Owners
In larger organizations, the Business Unit or group leaders are accountable for the creation and maintenance of their own BCP, under the established policies, standards and processes set at the BC program level.
Business Continuity Planners and Managers
The BC planners are the people in charge of developing the actual business continuity plan for their business unit or group. In larger enterprises, they will report to a BCP owner. In smaller organizations, they may just report to the BC Program manager, and help to develop the BCP for various functions of the business.
The BC manager's role is to ensure BCP readiness by coordinating and organizing simulation exercises and training for the resources that would be involved in any BC activation plan. The BC manager also ensures a feedback loop into the process by bringing up any challenges that may arise during exercises testing the BCP.
BC planner and manager functions can be fulfilled by the same person. Again, the size and global footprint of an organization will impact how these roles are set up.
Crisis Management Team (CMT) and Emergency Response Team (ERT)
These are the people who are responsible for executing the BCP when it gets activated. They:
1) Ensure all the activities get triggered and implemented,
2) Make sure the proper resources get allocated,
3) Make decisions to adjust the course of operations as needed,
4) Execute the workflows and steps of the BCP,
5) Provide updates/reporting on the situation and its evolution on the ground.
In some organizations this might be two teams, working closely together outside of a crisis, and obviously during one. In that scenario, the CMT would mainly cover areas 1) to 3) while the ERT would take care of 3) and 4). The overlap over decision-making (3) considers that adjustments can be made on the ground but also at a higher level.
Crisis Communication Management Team (CCMT)
Some organizations may also have a dedicated Crisis Communication Team that manages communication with the media and all key stakeholders of the organization (employees, customers, partners, etc.) during a crisis.
Other Plans in Business Continuity
Multiple plans result from the business continuity planning process. They are all considered part of the business continuity plan (BCP).
Disaster Recovery Plan (DRP)
This plan will focus on business continuity from an IT/technology infrastructure standpoint.
Crisis Management Plan (CMP)
This identifies the chain-of-command and provides criteria to determine if a crisis has occurred —and therefore the activation of the BCP and related emergency response— the reporting and response management of the crisis, along with a communication plan.
Emergency Response Plan (ERP)
Also called Incident Response Plan, this details the actions that need to take place to mitigate the immediate effects or consequences of an event responsible for business disruption. The priority of this plan is the safety of people directly or indirectly involved in the business. Then comes the protection of the business infrastructure (IT, building, equipment). Once the response phase is completed, it is possible to move to the Restore, Recover and Resume phases.
Business Continuity Plan (BCP) vs. Disaster Recovery Plan (DRP): What Are the Key Differences?
The Map to Recovery: The Business Continuity Plan (BCP)
Business continuity planning culminates in the production of a business continuity plan that usually becomes a living document, constantly evolving.
The BCP is the tangible asset an organization produces to translate its strategy and approach to deal with disruptions and ensure its business can continue to operate. Because it is the result of a cyclical process —business continuity planning— it will evolve over time. Regular testing of the BCP usually brings its own set of changes and adjustments too, making the BCP an actual living document.
Developed by the business continuity managers and planners, it will become the recovery map the crisis and emergency teams will rely on when disaster strikes.
The Journey to a BCP: Business Continuity Planning
Business continuity planning is a top priority for any organization looking to minimize downtime and maintain the high availability of systems, products, and services, regardless of disastrous occurrences.
Business continuity planning describes the process of establishing risk management procedures and protocols (that should be followed in the event of a disaster) to prevent interruptions to mission-critical services and help re-establish full operational functionality as quickly as possible. It culminates in the production of a business continuity plan (BCP).
The Key Parts to Business Continuity Planning
To ensure that the most likely scenarios are covered, the planning process involves identifying critical functions and the possible risks and disasters that would cause the failure/downtime of said functions.
The nature and severity of these threats will guide the rest of the planning process. The key parts of the business continuity planning process are:
- Identification of critical functions or business processes - Reveals what processes are critical to maintaining and running in the event of an unplanned disruption in order to prioritize and focus recovery there
- Business Impact Analysis (BIA) - A systematic process used first to evaluate the disruptive effects of disasters, accidents, or emergencies on critical business processes.
- Risk Assessment - Identifies all potential hazards to a company such as technology failures, cyberattacks, or natural disasters. It is also used to determine risk mitigation strategies and implementations.
- Establishment of Service Level Agreements (SLAs) - Based on the information collected from the previous stages, realistic and appropriate SLAs must be defined for specific services/teams supporting particular business functions or processes. This will drive technology solutions and processes used to deliver on these SLAs.
- Communications - Crisis communication management involves many parts and must be well planned in order to ensure clear and consistent information to many stakeholders during a crisis, which include: media, employees, customers, partners, agencies, etc.
- Testing and Maintenance - Testing the resulting BCP is essential to identify gaps and make improvements. Planning BCP testing should help determine test frequency, but also how to partially or fully test the BCP, i.e. what method to use.
The various analysis and planning processes highlighted above will lead to the creation of other plans —and their related procedures— that are part of the business continuity plan, such as:
- Disaster Recovery Plan
- Crisis Management Plan, which will include the communication aspect.
- Emergency Response Plan
While driven and led by the BCM team, a lot of cross-organizational and cross-functional work and teams are involved to feed into and receive information from the various activities taking place to establish the BCP. This is not an easy task: it requires a lot of coordination and alignment, hence the necessity to have a dedicated team managing that planning process.
Where To Begin Your Business Continuity Planning
Let’s take a look at the core steps company leaders must undertake when embarking on business continuity planning.
Start with Thorough Prep Work and a Strong Disaster Recovery Plan
The key parts of the business continuity planning —risk assessment, BIA, identification of critical functions— contribute to determining the business requirements for the DR plan, mainly through the establishment of SLAs. There is no shortcut: that is the tedious prep-work that has to be done in order to deliver a strong disaster recovery plan.
A strong disaster recovery plan is a core part of your business continuity strategy and is integral to its success. The DRP focuses on the technology infrastructure required as well as the specific steps organizations must take to resume operations and access their data easily following a disaster. The DRP should include the following:
- plan goals and objectives
- authentication tools
- incident response and recovery steps
- the DR policy statement
- key action steps and guidelines for when to use the plan
- responsibilities of individual DR team members
- contact information of personnel needed to enact critical recovery tasks.
Train a Strong BCM Team
Designating who will manage and implement your BCP, and all its related plans, is of paramount importance to the success of business continuity initiatives. As mentioned previously, the BCM team is broad, considering it goes from the sponsor, steering committee, program manager, plan owners and planners to the crisis and emergency response teams spanning across all the areas of the business. Therefore training and simulation exercises are critical to help prepare your BCM team for when an actual disruption occurs.
Since it's difficult to know ahead of time how well your BCM team would perform during an actual crisis, continuous training will go a long way in ensuring they're ready to oversee and execute the BCP when disaster strikes. Training also includes getting BCM team members up to speed on the latest BCM best practices. The team can also leverage cloud-based or on-premise business continuity management software to help pinpoint areas of risk, create and update plans and conduct BIAs.
Have Something Small In Place, Test It And Grow From There
Traditionally, business continuity planning was largely the province of big businesses and most plans seem to be designed with large enterprises in mind. However, anyone can undertake BCP without breaking the bank or straining already limited company resources. Savvy business leaders can begin their BCP journey with a small but easily scalable plan.
The plan could target one specific area at a time (such as IT assets and sensitive business data) and expand to include other business areas and processes. Such a plan should be rigorously tested to minimize loopholes and vulnerabilities. Over time, company leadership can expand the initial BCP to ensure 360-degree business continuity across the entire organization.
Business Continuity Plan: How to Do It the Right Way
A solution that fits your BCDR strategy, and delivers on data protection and recovery.
BC planning takes inputs from the Risk Assessment, BIA, identification of critical functions and defined SLAs to establish the appropriate processes, procedures and technology solutions that enable the DR plan to achieve the defined SLAs.
To protect your data from disasters and instantly recover applications without data loss, companies need a reliable data protection mechanism and cost-effective BCDR solution in place. A lot of enterprise-grade applications and databases have the built-in capability to handle data replication synchronously and asynchronously.
However, this is not a viable option for business continuity purposes. Companies need a single data protection solution that supports their business continuity strategy and objectives, and that provides ransomware resilience, DR, restore and testing capabilities. This solution should be designed to work independently of any resource or host platform on a company's IT estate and scalable enough to protect single applications as well as large clusters or multisite environments.
Introducing Zerto for Business Continuity
Zerto, built on a foundation of continuous data protection, enables continuous availability which is essential to achieve business continuity. Zerto's solution provides everything you need for ransomware resilience, disaster recovery, and data mobility while delivering the very best recovery time objective (RTO) and recovery point objective (RPO) possible.
With easy implementation and deployment, the Zerto solution can scale with your organization to ensure continuous data protection for all of your business-critical and lower tier applications.
FAQ about Business Continuity Plans
It all depends, as no one business is similar to another. Based on the size and global footprint of an organization, there might be requirements to get specific BCPs by region, country or even site location. Also, some organizations may decide to have their BCP split into multiple ones to address specific types of risks, while others may decide to have everything under one master BCP. The BCM team will usually determine what is best for the business based on applicable compliance requirements and what the organization can manage from a complexity standpoint.
A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is to ensure a speedy business reaction to a disruption. Then the situation may end up being managed at a level different from where it started. The de-activation of an active BCP is usually driven by the crisis management team, based on specific criteria spelled out in the BCP, and is a step-down process (it is not an On-Off transition).
Anybody should be able to access the BCP. However, it is crucial that the individuals involved in executing the BCP —because of their role in its execution— can access it at any time, and especially during a crisis. Indeed, even if access to the BCP is not a substitute for training, during a crisis there might be a need to check some of its elements. Old-fashioned printed versions of a BCP should not be discarded, as some types of disruptions may prevent access to a BCP in a digital format.
A DR plan helps to reduce the impact and duration of unexpected disruptions by minimizing the data loss and downtime of key IT infrastructure, systems, and applications. The BCP details your organization’s entire prevention, mitigation, response, and recovery protocols for all kinds of threats and disasters. The DRP is part of the BCP.