To fully prepare for a crisis, your organization requires a business continuity strategy. We’ve extracted precise step-by-step instructions, along with professional suggestions for drafting a business continuity plan.
A business continuity plan describes the actions a company takes to ensure that it can continue operating during a crisis. To build a business continuity plan, first gather information on critical people, tools, and processes, and then write the plan as procedures and lists of resources.
- Create a Mission Statement for the Plan: Describe the plan’s aims. When should it be completed? What is the budget for disaster and recovery planning, including research, training, consultants, and tools? Make sure to include any assumptions about financial or other resources, such as government business continuity funding.
- Establish Governance: Describe the business continuity team. Include names or titles, position designations, and contact information. Define roles, lines of authority, succession, and accountability. Add an organizational or functional diagram.
- Prepare the Plan Procedures and Appendices: This is the foundation of your plan. There is no one right method to write a business continuity document, but it should incorporate procedures, agreements, and resources. Consider your plan to be a list of tasks or processes that must be completed by employees in order for your business to function. Use diagrams and pictures to provide clear instructions. Remember that checklists and work instructions are simple and effective instruments for conveying critical information during a crisis. You should also specify who on the team is in charge of knowing the plan’s details.
- Detail a Training Program: Set the curriculum and schedules for first and refresher training.
- Establish Procedures for Testing Recovery and Response: Create test criteria and test schedules. Consider reaching out to folks who were not involved in the plan’s creation. Prepare the forms and checklists that attendees will utilize during testing.
- Establish a Process for Capturing Insights: Incorporate debriefs into your processes; these meetings should take place following training courses and as after-action reports for incidents.
How to Develop a Business Continuity Plan
Developing a business continuity plan (BCP) entails assembling a team, researching risks and critical tasks, and selecting recovery strategies. The strategy should then be written as a collection of lists and rules that handle potential hazards such as fires, floods, pandemics, and data breaches.
According to Alex Fullick, the best approach is to devise a clear plan. “I normally classify everything into three categories: people, places, and stuff. You will be far more productive if you focus on a few important points. That huge binder of processes is completely pointless. You need a set of guidelines to say what you do in a certain situation: ‘Where are our triggers for deciding we’re in a crisis and we need to stop doing XYZ and just focus on ABC?’”
Michele Barry warns that following the pandemic, new managers will adopt more policies and guidelines of all types than necessary as a panic response.
Because each firm is unique, no two approaches to business continuity planning are identical. Tony Bombacino, Co-Founder and President of Real Food Blends, discusses the company’s formal and informal business continuity plans. “The first step in any crisis is for our nerve center to connect quickly, assess the situation, and then go into action,” he said.
You can also approach your business continuity planning with three types of responses:
- Proactive Strategies: These tactics prevent crises. For example, you may purchase an emergency generator to keep power on in your facility or build a security system to avoid or restrict loss during break-ins. Alternatively, you can implement a bring-your-own-device (BYOD) policy and provide remote workers with training to protect your network and data.
- Reactive Strategies: These are your immediate responses to a crisis. Evacuation and fire procedures, as well as emergency response tactics, are examples of reactive strategies.
- Recovery Strategies: These detail how you will resume operations to provide a minimum acceptable level of service. The recovery strategy comprises efforts to establish temporary processes. The strategy also outlines long-term activities like relocation, data restoration, temporary workaround processes, and outsourcing tasks. Recovery strategies aren’t just for IT and data recovery.
Key Components of a Business Continuity Plan
Your company’s entire business continuity strategy will contain numerous specifics. Your plan may differ from other companies’ plans due to industry and other considerations. Each facility or business unit may conduct an impact assessment and develop disaster recovery and continuity strategies. Consider including these crucial components in your business continuity plan:
- Contact Information: These pages include contact information for key personnel, vendors, and critical third parties. Find this information at the beginning of the plan.
- Business Impact Analysis (BIA): A BIA is the process of evaluating the financial and other changes caused by a disruptive event. Assess the impact in terms of brand harm, product failure or malfunction, lost revenue, and legal and regulatory consequences.
- Risk Assessment: In this section, evaluate the possible hazards to all aspects of the organization’s activities. Consider potential hazards connected to cash on hand, stock levels, and employee credentials. Although there are an infinite number of potential internal and external threats, focus on people, places, and things to avoid becoming overwhelmed. Then consider the impact of any objects that are completely lost or require repair. Understand that risk assessment is a continuous process that works in unison with training and testing.
- Critical Functions Analysis and List: A critical functions analysis is a speedier alternative to a BIA that identifies which procedures are vital to keeping your business running. Critical functions include payroll and wages, accounts receivable, customer service, and production. According to Michele Barry, when applying a values-based approach to critical functions, you should examine who you are as a firm. Then decide what you need to keep doing and what you can quit doing.
- Trigger and Disaster Declaration Criteria: Describe how your senior management will determine when to declare an emergency and implement the plan.
- Succession Planning: Identify alternate personnel for important positions in each unit. Schedule time throughout the year to observe alternates making critical decisions and completing recovery tasks.
- Alternate Suppliers: If your products are regulated (for example, food, toys, and pharmaceuticals), your raw materials and components must always be of high quality. Source suppliers ahead of a crisis to avoid delays in supply due to regulatory scrutiny and approval.
- Operations Plan: Describe how your organization will resume and maintain everyday operations following a disruption. Include a checklist of supplies and equipment, as well as details on where data is backed up and where the plan is stored. Make a note of who should have copies of the plan.
- Crisis Communication Strategy: Explain how the organization plans to communicate with employees, customers, and third-party organizations in the case of a disruption. Make a backup plan in case regular communication systems fail.
- Incident Response Plan: Describe how your organization intends to respond to a variety of potential incidents or interruptions, as well as the triggers that will activate the plan.
- Alternate Site Relocation: Following a disruption, the organization relocates to the alternate site. In the plan, you can also include the transportation and resources needed to relocate the firm, as well as the procedures that must be maintained in this facility.
- Interim Procedures: These are vital processes that must continue, whether in their original or modified form.
- Restoration of Critical Data: Critical data is anything that must be recovered immediately in order to continue routine business operations.
- Vendor Partner Agreements: Make a list of your organization’s essential vendors and explain how they may help you sustain or resume operations.
- Work Backlog: This refers to the work that accumulates when systems are shut down. When the processes resume, you must first complete this work.
- Recovery Strategies for IT Services: This section outlines the actions you follow to restore the IT processes required to run the business.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): RTO refers to the maximum period of time that a corporation can halt its activities and be without access to data before productivity suffers significantly. RPO refers to the maximum amount of data, measured as the time since the last recoverable backup, that the organization can afford to lose. Determine RTOs for each unit, accounting for people, locations, and things.
- Backup Plans: What happens if plans, processes, or resources fail or become unavailable? Determine options now so you won’t have to scramble. Determine a backup roster for personnel who are unavailable.
- Manual Workarounds: This section describes how a business can function manually if all safety measures fail.
- External Audit Details: External audits may be mandatory for regulated firms. Scheduled internal audits will help you prepare for external audits.
- Test and Exercise Plan: Determine how and when you will test the continuity plan, including details on both periodic tabletop testing and more complicated real-world scenario testing.
- Change Management: Consider how you will incorporate test and exercise results, disseminate adjustments, review the strategy, and track progress.
Key Resources for Business Continuity
To resolve issues, restore operations, or file an insurance claim, you must have easily available information on human resources and other entities that can help with business continuity. (Depending on your organization’s situation, particular types of resources may be required.) Include this information in the appendices at the back of your continuity plan.
Fullick proposes extending the scope of human assets. “Yes, people are our employees. However, we forget that the phrase ‘people’ encompasses senior management. Management does not avoid pandemics, the flu, or road accidents. Bad things can happen both to them and to those around them.”
Use the list below as a cue to record critical facts about your organization. Your specific scenario may need the collection of additional data.
People:
- Lists of significant personnel with contact details. Consider hiring professionals with long-term or specialized experience in addition to C-level and response team members.
- Names, positions, and contact information for disaster recovery and continuity teams.
- Emergency contact number for police and emergency services in your area.
- Non-emergency contact information for police and medical personnel
- Emergency and non-emergency contact information for facility issues
- Board members’ contact information
- Personnel roster, comprising family or emergency contact names and numbers for the whole organization.
- Contractors for all repairs
- Client contact details and SLAs
- Insurance contacts for all policies.
- Key regulatory contacts.
- Legal contacts.
- Contact information for vendors, as well as agreements and SLAs with partners
Places:
- Addresses and information for each office or facility.
- Primary and secondary contact information for each site or office, including at least one phone number and an email address.
- Off-site recovery location.
- Addresses and access to storage facilities or car complexes
Things:
- Financial and banking information
- IT and data recovery information, including an inventory of apps and licensing numbers.
- Insurance policy numbers and agent contact information for each plan, including healthcare, property, and vehicles.
- (If you are a supplier or manufacturer, include an inventory of raw materials and finished goods.)
- Lease Details
- Licenses, permits, and other legal documents
- List of special things that you use often but don’t order often.
- The location of backup equipment
- Utility account numbers and contact information (for electricity, gas, phone, water, waste pickup, etc.)
Common Structure of a Business Continuity Plan
Knowing the common structure should help shape the plan and keep you from worrying about form when you should be thinking about substance. Below is an example of a BCP format:
- Business Name: Record the firm name, which is normally found on the title page.
- Date: The day the BCP is completed and signed off.
- Purpose and Scope: This part explains why the plan exists and what it will cover.
- Business Impact Analysis: Include the outcomes of the BIA in your plan.
- Risk Assessment: Consider including the risk assessment matrix in your plan.
- Policy Details: Include the business continuity policy or policy highlights.
- Emergency Management and Response: You can segregate emergency response measures from other recovery and continuity plans.
- The Plan: At its core, the plan outlines step-by-step methods for business recovery and continuation.
- Relevant Appendices: Appendices may include contact lists, organizational charts, copies of insurance policies, or any other supporting documents that are relevant during a crisis.
Keep in mind that each business is unique, therefore no two BCPs will look the same. Customize your business continuity plan to your specific needs, and ensure that the document includes all of the information required to keep your firm running. The most important aspect of a BCP is having all of the information you need in an emergency.
Tips for Writing a Business Continuity Plan
A business continuity plan can be daunting due to all of the moving components and factors. Follow these guidelines to help you create, track, and maintain a strong BCP:
Process
- Take the continuity planning process seriously.
- Interview key members of the organization who have successfully handled disruptive occurrences.
- Get leadership’s permission early on and seek their continuous support for continuity readiness.
- Be adaptable in terms of who you involve, what resources you require, and how you implement the most effective approach.
Writing
- Keep the plan as simple and focused as possible to make it easier to understand.
- Focus the plan on realistic disaster response actions.
- Ensure that the plan is based on the most recent and accurate facts available.
- Plan for the worst-case scenario and cover a wide range of potential disruptive situations.
- Consider the lowest amount of information or resources required to keep your firm going after a calamity.
- Use the data from your BIA and risk analysis to simplify the planning process.
Training and Maintenance
- Share the plan and ensure that staff have an opportunity to study it or ask questions.
- Make the document available in hard copy for convenient access, or upload it to a collaborative site.
- To keep your strategy current, test it on a regular basis, review it, and update it.
- Maintain the BCP in accordance with organizational and regulatory changes and upgrades.