Business Continuity Planning: What Is It And How Do You Create a BCP?
In this article you’ll learn what a Business Continuity Plan is, why it’s so vital for organisations, and how you can create one. We have also included a free BCP checklist to help you, so read on for more information.
What is a Business Continuity Plan?
A business continuity plan (BCP) is a document that contains all the information and processes that an organisation would need to continue operating during an unplanned event or disruption of service.
The purpose of a business continuity plan is to ensure that everything that could be affected, from productivity to human resources to business partners, can continue to run smoothly in the case of a disaster, outage, error or any other threat to the everyday running of the organisation.
Why Do Organisations Need a Business Continuity Plan?
Organisations need a business continuity plan because, the likelihood is, they can’t afford not to. In the event of a critical disaster, having a BCP can make the difference between an organisation being able to continue operating at close to normal levels, or having to shut down until the issue is resolved. A shutdown in turn results in reduced productivity, reduced service to customers or clients, and therefore reduced income and reduced reputation.
With a BCP in place, these issues can be mitigated or even prevented, allowing the organisation to carry on as normal, continuing to fulfil the tasks that make the organisation money and keep their customers and clients happy.
How is a Business Continuity Plan Different From a Disaster Recovery Plan?
If you know about disaster recovery for businesses, you may be thinking that a BCP sounds similar to a disaster recovery plan. In fact, a business continuity plan is quite different to a disaster recovery plan (which is itself different from a disaster recovery policy).
The main difference is that a business continuity plan’s aim is to keep the lights on and keep the organisation going during a time of disruption, whereas a disaster recovery plan aims to get operations back to normal and recover from a disruption.
A disaster recovery plan may form part of an organisation’s BCP, a step in the company’s wider processes to protect it against all emergencies and uncertainties.
What Are the Steps for Creating a BCP?
There are generally five key steps to creating a business continuity plan. These are:
- Perform a business impact analysis
- Plan & create a strategy to deal with the risks
- Implementation of the plan
- Testing and training
- Maintenance and updating
The first step is analysing the impacts that disruptions will have on the business, thinking about any potential risks or vulnerabilities the organisation might have.
Typical risks include:
- Loss of key staff or skills
- IT outages
- No building access (e.g. due to fire)
- Loss of key resources (e.g. due to supplier failure)
- Data breach
- Loss or corruption of data
Acknowledge what could be affected, how severe the impact might be and how far-reaching the issues could be, across the organisation and beyond (e.g. business partners). This includes assessing what critical functions must continue during a crisis and what is required to ensure their continued operation. This will allow the organisation to assess and anticipate the cost of such issues, the effect they could have on essential business functions and the time needed to recover.
For example, thinking about user data in particular, do you know what personal data you currently hold? With most organisations holding customer or employee data across multiple systems, do you know which system holds which piece of the jigsaw? If one system goes down, will you still have enough data to be able to operate? What happens if one system feeds data to another system? If data is updated in one system during an outage, what happens when system access is restored?
This is just one area you need to think about, but the good news is we provide a number of different services to help make this part of the process easier for you, such as:
- Data mapping of personal data
- A more in-depth data management service
- Training for managing data breaches
Whilst we do provide an emergency, rapid response service to help you deal with data breaches, we always recommend that organisations have a well thought out and thorough plan in place in advance of any issues.
Now you know what the impacts could be, the next step is to devise a strategy that mitigates these issues and ensures the business can run smoothly. An effective BCP will develop an appropriate response strategy to each identified risk that will minimise the issue or prevent it.
Your plans should outline clearly what steps need to be taken and who in the organisation is involved in their implementation. Resources and the amount of time required to complete each step of the plan should also be clearly identified to ensure a swift and effective response.
The implementation of the plan involves ensuring the resources required are available, informing those involved about their roles and responsibilities within the BCP, and making sure the appropriate communication channels are in place.
This implementation stage should establish everything needed in the case of an unplanned disruption: if an event occurred the day after implementation, the organisation would be prepared for it.
It is important to test the effectiveness of your BCP. This can be done by using realistic scenarios to assess how well the plans in place work to combat certain issues, and how prepared staff are to carry out their BCP roles and responsibilities. Regular tests may expose areas where further training is required.
These tests may also reveal areas where an update or improvement to the business continuity plan is required. It is important to keep the plan up to date with your business and the rest of the world. The organisation may venture into different areas, and new threats may emerge, particularly in the world of cyber security and IT. An interesting example is preparing for pandemics, an issue that may not have been on many organisations’ BCPs, but will now be an important update.
What Should You Consider When Creating a Business Continuity Plan?
When developing a business continuity plan, make sure you consider the risks and threats to:
- Communication systems across the business
- Vital applications or software
- Industry-specific technology and infrastructure
- IT infrastructure, systems and networks (e.g. connection to the internet)
- Facilities and sites (in case the primary facilities and sites become unavailable)
- Stakeholders and business partners affected
What Should a Business Continuity Plan Include?
Although BCPs can vary in structure and content, there are some important sections that you should include in order to ensure your plan will be effective:
- Plan purpose
- Plan owner
- Plan distribution
- Dates to review the BCP
- Who can activate the plan
- Roles and responsibilities
- The ‘risk score’ for each potential threat - ‘likelihood score’ and ‘impact score’
- The type of impact a potential risk could have (e.g. a Regulatory, Operational or Strategic impact, or a combination of them)
- Timetable for each potential risk (e.g. tasks must be done ‘immediately’, ‘within 48 hours’, ‘within one week’, ‘within two weeks’ etc)
- Task list (with actions and timeframes)
- Risk assessment
- Key contact information (e.g. plan owner, incident response team members, key suppliers)
How Do You Test a Business Continuity Plan?
Once you’ve created your business continuity plan, you then need to test that it is effective and serves its intended purpose, as well as to identify any areas that need improving or updating. When carrying out a test, it is important to set clear objectives and outline exactly what is being tested.
There are three main ways of testing your business continuity plan:
- Checklist or walkthrough exercises
- Desktop scenarios
- Simulation tests
Checklist or Walkthrough Exercises
A checklist or walkthrough exercise is a fairly straightforward test, and it involves the organisation ‘checking off’ or ‘walking through’ the steps of the business continuity plan. This can involve key questions such as:
- Does the organisation have all the supplies required?
- Do key personnel know and have copies of the plan?
- Do employees know their specific roles and responsibilities?
- What are the areas of weakness? (Not to pin blame, but to identify areas for improvement)
To help get you started, we’ve provided a free BCP checklist at the end of this article.
A desktop scenario test looks at a more particular area of the plan. In this test, a specific scenario is carried out relevant to the business, e.g. IT outage or data loss, and the organisation can assess how they cope with this scenario, and whether the BCP needs amending.
Simulation tests are a more thorough form of testing the business continuity plan. These are full simulations of BCPs, re-enacting all of the procedures required, involving most, if not all, of the workforce.
The steps are physically demonstrated by the appropriate employees, including driving to other locations (where back-ups may be), making phone calls, and visiting server rooms. Due to the thoroughness and scale of these simulations, this form of testing may require more effort to organise and be less frequent, but it is no less vital to ensuring a business continuity plan works as intended.
How Frequently Should You Review Your Business Continuity Plan?
There is no set rule for how often a business continuity plan should be tested.
Ultimately, it depends on the size and complexity of the organisation, the likelihood of it facing risks, and the level of impact of those risks. Large organisations with a high likelihood of high impact risks should test their BCP more often than small businesses with a low likelihood of risks.
To help get you started, we have provided a free business continuity plan checklist in two formats. You can either download this as an Excel document, or you can make a copy of our Google Sheets version.
- Download Excel Business Continuity Plan Checklist
- Make a copy of the Google Sheets Business Continuity Plan Checklist
Note: For the Google Sheets version, Google requires you to be logged into a Google account in order to make a copy.
If you have any questions about the checklist or need any assistance, please feel free to contact us.
Start Your Business Continuity Plan
Need a hand building your business continuity plan? Not sure where to start when thinking about how your data could be affected by a disaster or breach? Databasix provides an expert consultancy service to support you. Get in touch and see how we can help you and your organisation.