How to write a business continuity plan in 5 steps

    October 7, 2020

    Businesses face an endless stream of disruptions. Power outages and hardware failures. Floods and fires. Ransomware attacks and data breaches. Hurricanes, wildfires, and derechos. Pandemics and civil unrest. The list goes on and on.

    For some businesses, these events mean service outages, financial losses, broken customer relationships, and in some cases, business closure. Others have already thought through, prepared and tested business continuity (BC) plans to enact when disruptive incidents occur.

    A BC plan won’t prevent the event from happening, but it will help minimize the impact and duration of disruption, allowing you to continue creating value for your customers and enabling you to not only survive but bounce back more quickly.

    How do you write a BC plan that can help your business weather these disruptions? Let’s break down how to get started in five steps.

    1. Lay the foundation

    Before you can create a BC plan, you need to understand your business’ operations, needs and goals, along with the resources you depend upon, to develop a strong plan that best fits your circumstances.

    Start with:

    • Objectives and scope: Describe what the plan sets out to achieve, who it is for, and how it fits within your organization’s response structure.
    • Activation procedure: This includes the criteria for activating the BC plan, who is involved and what their roles and responsibilities are, as well as immediate actions to take. What resources and continuity solutions are available, from backups to work area recovery facilities to alternates for the main actors in the BC plan?
    • Communications: This section details requirements and procedures for communicating with staff, vendors, customers, shareholders, regulators, the media and other stakeholders should an event take place.
    • Priorities: What value-creating activities will you focus your efforts on when a disruption hits? You should be able to reference a business impact analysis (BIA) to identify the most important areas and describe the activities to support them.
    • Assumptions and limitations: Since you can’t possibly prepare for every disruption, you need to identify limitations in your plan, focusing on extent, duration and impact. Create a checklist to help with decision-making and information flow.
    • Standing down procedures: Identify the criteria that determines whether an incident is closed and create a procedure for pulling together lessons learned from the situation.

    The foundation is merely a framework, as each BC plan should be tailored to an organization’s specific needs. However, when creating your own plan, make sure you keep these elements in mind.

    1. Develop response strategies

    There’s always the possibility that key resources – i.e., your workplace, equipment, systems, data, third-party services, etc. - might become unavailable, so your BC plan must account for any potential disruptions to facilities, people, IT and partners.

    Create clear plans and steps for responding to the loss of each resource. Each requires a specific, well-defined business response at the individual resource level. For instance, if employees in a certain geography are unavailable, how are you going to ensure their responsibilities and workloads get taken care of?

    IT also has a role in each of these disruption response strategies. For example, if third-party services are unavailable, one business response might be to revert to using internal systems until that third-party resumes service. In this instance, IT might be responsible for suspending the network access rights of the troubled third-party service provider. Make sure IT understands its role in every scenario.

    IT should also develop and implement its own BC plans for key IT resources, including network and information security operation centers, disaster recovery (DR) teams and IT help desks.

    1. Gauge timing

    When responding to an incident, speed counts in some cases, while longevity counts in others. Make sure you can answer the following questions:

    • How long will it take you to implement each of your response strategies?
    • How long can each response strategy remain effective?

    Not all your strategies require the same timing. For some options, the main goal might be fast implementation times. For others, the priority might be making sure your response strategies will work for an extended period (like three to six months or longer).

    Be sure you’re properly identifying the requirements for each strategy.

    1. Establish communication protocols

    Communication is key.

    Your employees must always be well-informed before, during and after an event. Prior to an incident, make sure you relay the plan to all relevant staff. If they know what their roles are and how the company is going to respond, they’ll be better equipped to successfully carry out your plan when the time comes.

    Upon activating your BC plans, develop open lines of communication with all relevant parties and stakeholders. Provide them with real-time updates so that everyone knows what’s going on. If you’re taking certain steps to resume normal business activities, make sure you communicate this information as well.

    Once everything is back to normal, it’s time to identify what worked and what didn’t. Discuss lessons learned with your employees and identify ways to improve your plans for next time. Update and evolve your plans based on those findings.

    1. Test, test, and test some more

    Many organizations think they have effective BC plans in place. Then an incident strikes, and they quickly learn that’s not the case.

    You don’t want to find yourself in this position, so make sure to update your plans as your resources evolve and test the various response strategies in your plans regularly.

    Practice makes perfect.

    Bonus step: Working with a partner on your BC plan

    These five steps should aid in creating an effective BC plan, but many organizations turn to a partner to tap into expertise and knowledge of best practices to ensure they’ve covered every gap. While partners can be helpful, it’s important to find one that will work best with your organization.

    Before choosing a third-party provider, ask yourself the following questions about each candidate:

    • What’s the extent of their capabilities?
    • Do they treat their services as separate items or take a holistic approach?
    • Do they have a big-picture understanding of your business?
    • Are they adapting to current trends and changes?
    • What are their plans for getting the job done?

    The answers will help you select a partner that best aligns with your needs.

    Whether you’re working with a partner, or crafting and updating BC plans yourself, now is the time to get started. You never know when the unexpected will strike and having robust BC plans in place can go a long way toward ensuring you’re ready when it does.

    Other Posts You Might Be Interested In

    Getting To Know You: Building The Right Network

    Connections are essential in business. We’ve moved beyond simple networking to building relationships – creating close ties with customers, coworkers, and partners – that...

    The importance of disaster recovery testing

    There’s no way you’ll be successful in recovery without testing. Full stop. You might think you have a solid plan in place, but there are so many issues that can arise...

    Why Lift & Shift Is Not As Easy As It Sounds For Your Cloud Infrastructure – And Where To Get Help

    As more frequent and severe storms hit the U.S. each year, sea level rise and coastal flooding is a growing threat to communities and individuals. In fact, nearly 14.6...