Business Continuity Planning: What Is It And How Do You Create a BCP?

In this article you’ll learn what a Business Continuity Plan is, why such plans are so vital for organisations, and how you can create one. We have also included a free BCP checklist to help you, so read on for more information.

What is a Business Continuity Plan?

A business continuity plan (BCP) is a document that contains all the information and processes that an organisation would need to continue operating during an unplanned event or disruption of service.

The purpose of a business continuity plan is to ensure that everything that could be affected, from productivity to human resources to business partners, can continue to run smoothly in the case of a disaster, outage, error or any other threat to the everyday running of the organisation.

Why Do Organisations Need a Business Continuity Plan?

Organisations need a business continuity plan because, the likelihood is, they can’t afford not to. In the event of a critical disaster, having a BCP can make the difference between an organisation being able to continue operating at close to normal levels, or having to shut down until the issue is resolved. A shutdown in turn results in reduced productivity, reduced service to customers or clients, and therefore reduced income and a damaged reputation.

With a BCP in place, these issues can be mitigated or even prevented, allowing the organisation to carry on as normal, continuing to fulfil the tasks that make the organisation money and keep its customers and clients happy.

How is a Business Continuity Plan Different From a Disaster Recovery Plan?

If you know about disaster recovery for businesses, you may be thinking that a BCP sounds similar to a disaster recovery plan. In fact, a business continuity plan is quite different to a disaster recovery plan (which is itself different from a disaster recovery policy).

The main difference is that a business continuity plan’s aim is to keep the lights on and keep the organisation going during a time of disruption, whereas a disaster recovery plan aims to get operations back to normal and recover from a disruption.

A disaster recovery plan may form part of an organisation’s BCP, a step in the company’s wider processes to protect it against all emergencies and uncertainties.

What Are the Steps for Creating a BCP?

There are generally five key steps to creating a business continuity plan. These are:

  1. Perform a Business Impact Analysis
  2. Plan & create a strategy to deal with the risks
  3. Implementation of the plan
  4. Testing and training
  5. Maintenance and updating

Perform a Business Impact Analysis

The first step is analysing the impacts that disruptions will have on the business, thinking about any potential risks or vulnerabilities the organisation might have. 

Typical risks include:

  • Loss of key staff or skills
  • IT outages
  • No building access (e.g. due to fire)
  • Loss of key resources (e.g. due to supplier failure)
  • Data breach
  • Loss or corruption of data

Acknowledge what could be affected, how severe the impact might be and how far-reaching the issues could be, across the organisation and beyond (e.g. business partners). This includes assessing what critical functions must continue during a crisis and what is required to ensure their continued operation. This will allow the organisation to assess and anticipate the cost of such issues, the effect they could have on essential business functions and the time needed to recover.

For example, thinking about user data in particular, do you know what personal data you currently hold? With most organisations holding customer or employee data across multiple systems, do you know which system holds which piece of the jigsaw? If one system goes down, will you still have enough data to be able to operate? What happens if one system feeds data to another system? If data is updated in one system during an outage, what happens when system access is restored?

This is just one area you need to think about, but the good news is we provide a number of different services to help make this part of the process easier for you, such as:

Whilst we do provide an emergency, rapid response service to help you deal with data breaches, we always recommend that organisations have a well thought out and thorough plan in place in advance of any issues.

Plan & Create a Strategy To Deal with the Risks

Now you know what the impacts could be, the next step is to devise a strategy that mitigates these issues and ensures the business can run smoothly. An effective BCP will develop an appropriate response strategy to each identified risk that will minimise the issue or prevent it.

Your plans should outline clearly what steps need to be taken and who in the organisation is involved in their implementation. Resources and the amount of time required to complete each step of the plan should also be clearly identified to ensure a swift and effective response.

Implementation of the Plan

The implementation of the plan involves ensuring the resources required are available, informing those involved about their roles and responsibilities within the BCP, and making sure the appropriate communication channels are in place.

This implementation stage should establish everything needed in the case of an unplanned disruption, so that if an event occurred the day after implementation, the organisation would be prepared for it.

Testing & Training

It is important to test the effectiveness of your BCP. This can be done by using realistic scenarios to assess how well the plans in place work to combat certain issues, and how prepared staff are in carrying out their BCP roles and responsibilities. Regular tests may expose areas where further training is required.

Maintenance & Updating

These tests may also reveal areas where an update or improvement to the business continuity plan is required. It is important to keep the plan up to date with your business and the rest of the world. The organisation may venture into different areas, and new threats may emerge, particularly in the world of cyber security and IT. An interesting example is preparing for pandemics, an issue that may not have been on many organisations’ BCPs, but will now be an important update.

What Should You Consider When Creating a Business Continuity Plan?

Here are a few things not to forget about when developing a business continuity plan, ensuring you consider the risks and threats to:

  • Communication systems across the business
  • Vital applications or software
  • Industry-specific technology and infrastructure
  • IT infrastructure, systems and networks (e.g. connection to the internet)
  • Facilities and sites (in case the primary facilities and sites become unavailable)
  • Stakeholders and business partners affected

What Should a Business Continuity Plan Include?

Although BCPs can vary in structure and content, there are some important sections that you should include in order to ensure your plan will be effective. Here are some important sections to include in a business continuity plan:

  • Plan purpose
  • Plan owner
  • Plan distribution
  • Dates to review the BCP
  • Who can activate the plan
  • Roles and responsibilities
  • The ‘risk score’ for each potential threat - ‘likelihood score’ and ‘impact score’
  • The type of impact a potential risk could have (e.g. a Regulatory, Operational or Strategic impact, or a combination of them)
  • Timetable for each potential risk (e.g. tasks must be done ‘immediately’, ‘within 48 hours’, ‘within one week’, ‘within two weeks’ etc)
  • Task list (with actions and timeframes)
  • Risk assessment
  • Key contact information (e.g. plan owner, incident response team members, key suppliers)
  • Stakeholders

How Do You Test a Business Continuity Plan?

Once you’ve created your business continuity plan, you then need to test that it is effective and serves its intended purpose, as well as to identify any areas that need improving or updating. When carrying out a test, it is important to set clear objectives and outline exactly what is being tested.

There are three main ways of testing your business continuity plan:

  • Checklist or walkthrough exercises
  • Desktop scenarios
  • Simulations

Checklist or Walkthrough Exercises

A checklist or walkthrough exercise is a fairly straightforward test, and it involves the organisation ‘checking off’ or ‘walking through’ the steps of the business continuity plan. This can involve key questions such as:

  • Does the organisation have all the supplies required?
  • Do key personnel know and have copies of the plan?
  • Do employees know their specific roles and responsibilities?
  • What are the areas of weakness? (Not to pin blame, but to identify areas for improvement)

To help get you started, we’ve provided a free BCP checklist at the end of this article.

Desktop Scenarios

A desktop scenario test looks at a more particular area of the plan. In this test, a specific scenario is carried out relevant to the business, e.g. IT outage or data loss, and the organisation can assess how they cope with this scenario, and whether the BCP needs amending.

Simulations

Simulation tests are a more thorough form of testing the business continuity plan. These are full simulations of BCPs, re-enacting all of the procedures required, involving most, if not all, of the workforce.

The steps are physically demonstrated by the appropriate employees, including driving to other locations (where back-ups may be), making phone calls, and visiting server rooms. Due to the thoroughness and scale of these simulations, this form of testing may require more effort to organise and be less frequent, but it is no less vital to ensuring a business continuity plan works as intended.

How Frequently Should You Review Your Business Continuity Plan?

There is no set rule for how often a business continuity plan should be tested.

Ultimately, it depends on the size and complexity of the organisation, the likelihood of it facing risks, and the level of impact of those risks. Large organisations with a high likelihood of high impact risks should test their BCP more often than small businesses with a low likelihood of risks.

Download our Free Business Continuity Plan Checklist

To help get you started, we have provided a free business continuity plan checklist in two formats. You can either download this as an Excel document, or you can make a copy of our Google Sheets version.

Note: For the Google Sheets version, Google requires you to be logged into a Google account in order to make a copy.

If you have any questions about the checklist or need any assistance, please feel free to contact us.

Start Your Business Continuity Plan

Need a hand building your business continuity plan? Not sure where to start when thinking about how your data could be affected by a disaster or breach? Databasix provides an expert consultancy service to support you. Get in touch and see how we can help you and your organisation.

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.
