How to Develop an Effective Business Continuity Plan

Where the business continuity plan fits within the business continuity management capability

Business continuity management (BCM) has been around for some time now, emerging into what we now recognise as a holistic management process for identifying potential threats to an organisation and the operational impacts those threats would pose. A mainstay of the effort is the business continuity plan (BCP). The business continuity plan provides a collection of resources, actions, procedures, and information, designed to prepare organisations to maintain essential functions in the event of a disaster or other major disruption.

It’s executing on the business continuity plan specifically that enables the continuous delivery of critical services and products to customers. That makes the business continuity plan qualitatively different than other forms of all-hazards planning, like post-disaster recovery planning or business resumption planning.

The business continuity plan has two important objectives:

• Ensuring critical operations continue to be available
• Minimising impacts to the business, irrespective of the type of incident or disruption

Does my organisation need a business continuity plan?

Staggeringly high rates of post-disaster business closure point up the necessity of having a business continuity plan.

What’s more, rates of post-crisis business closure are heavily weighted towards companies who fail to develop a business continuity plan before major incidents. As many as three in every four organisations without a business continuity plan fail within three years of a disaster.

Nor is business extinction the only risk of not having a business continuity plan. Firms sit on a lot of financial exposure.

For instance, the potential financial loss due to downtime is extraordinary: estimates from IBM show up to USD 2.8 million per hour in certain industries, totalling a single day loss of some USD 67 million. That’s extraordinary.

A business continuity plan mitigates that financial cost by helping organisations return to normal operations more quickly. Another benefit of the business continuity plan: the planning effort itself tends to lead to better, overall organisational efficiency. Business continuity planning involves examining the precise relationship of business resources and assets to prioritised services.

What’s more, the demonstrated importance of business continuity management, especially in critical infrastructure sectors, has meant that jurisdictions have moved into mandate baseline business continuity management practices, often requiring firms to maintain a business continuity plan.

The international business continuity management system standard, ISO 22301, for one, is a means of signalling to legislators and regulators that the certified organisation is indeed adhering to best practices in the field.

Of course, governmental actors aren’t the only stakeholders. Customers, be they existing or prospective, also have a vested interest in transacting business with organisations that will continue to deliver products and services at acceptable levels. That’s one reason why developing a business continuity plan can offer firms a major competitive advantage in their market. It can also protect the brand in the eyes of shareholders and customers when an emergency does strike.

Key challenges to developing a business continuity plan

Despite its clear benefits, the business continuity plan isn’t as established a norm as it should be. IBM research shows that a disappointing 17 percent of Business Continuity Management and IT security specialists say their organisations have a formal business continuity plan. What’s everyone else thinking?

Well, it’s complicated. The challenges to developing an effective business continuity plan are myriad. For one, most organisations don’t have a best-practice business continuity management programme in place in the first place.

Why’s that? Well, practitioners often decry a lack of commitment and involvement from senior management. According to the survey data, that’s the crucial gateway to getting a major, cross-functional project off the ground.

The challenges to developing a business continuity plan don’t end there. Even when C-level sponsorship is secured, it’s not a given that senior leadership is fully invested in building a business continuity plan for the right reasons. Executives might be going through the motions, trying to feign compliance to regulators and customers.

The best-intentioned organisations can also get business continuity planning wrong, too. There’re plenty of variables that go into building a business continuity plan, so it’s easy to make the following common mistakes:

• Misjudge data recovery requirements
• Not properly tailor the risk assessment to organisational challenges
• Fail to question assumptions
• Fail to consider limiting factors

Developing an effective business continuity plan

So, what does it take to develop an effective business continuity plan? There’s a lot.

For one, business continuity planning involves documenting procedures to guide how your organisation will respond to and recover from a disruption. Putting together the actual business continuity plan will typically fall to the governance committee.

Here’s where C-suite involvement is crucial. Most governing committees are headed by an executive sponsor. That sponsor is nominally responsible for initiating, approving, auditing, overseeing, and testing the business continuity plan.

However, day-to-day management falls to a business continuity coordinator. Depending on the size of the company, that coordinator might have a dedicated staff. Other in-house members of the committee typically include:

• CIO
• CISO or other senior security officer
• Senior representatives from the remaining business units

Before drafting the business continuity plan, the governance committee will undertake a business impact analysis (BIA). The business impact analysis is a methodical accounting of business activities and the effect business disruptions would have on those activities. The business impact analysis is intended to help organisations isolate prioritised business activities in tandem with the processes and resources needed to support them.

That analysis is imperative. Sure, firms might have a good feel for the services and products they need to continue delivering in order to avoid severe revenue. But it’s not a given that senior managers have a deep understanding of the dependencies that underlie those services. A good business impact analysis, on the other hand, will capture all of those contingencies, then rank the order of priority of services or products for continuous delivery or rapid recovery.

Those business impact analysis findings then get fed into the business continuity plan proper. The plan will then cover the resources, services, activities, business continuity software solutions required to ensure the continuity of critical business functions.

Don’t get us wrong, the business continuity plan can take different forms. Usually, though, the following elements will be present:

• A list of relevant company, insurance, and supplier contacts
• References. Helpful information might include links to the appropriate state and federal regulator, e.g., Emergency Management Australia
• Relevant standards with which the plan complies, e.g., ISO 22301
• Organising objectives and driving principles.
  • The primary objective of your plan is to ensure maximum possible services levels are maintained. Meanwhile, assessing business risk for probability and impact might also be an important principle to document.
• The objectives and principles sections might be part of a longer executive summary, a comprehensive overview of the plan
• The contents of the business impact analysis, including a list of likely threats, e.g., building loss, document(s) loss, systems going offline, loss of key staff, etc.
• Scenario planning for the risks you’ve identified
  • Once a risk is listed, the plan will outline probability and impact of occurrence, likeliest scenario(s) to unfold, business functions affected, actions to take and preventative mitigation strategies, staff responsibilities, as well as operational constraints.

Drafting the plan isn’t the end of the story. Senior management still has to approve the draft, before the process of validating (and updating) the plan can even begin.

Validating the plan means running periodic exercises and trainings to test its assumptions. Those trainings aren’t just for practitioners. They should be mandatory for all employees, and companies should strive to secure partner participation at any stage in the business continuity plan lifecycle (depicted below). 

The lifecycle of the business continuity plan

Nor should testing exercises be treated as pro forma measures, either. To be effective, the business continuity plan must remain a dynamic document. Specifically, teams need to update the plan to incorporate key lessons learned from testing and exercises.

In conclusion, rates of business continuity plan adoption are alarmingly low. Don’t get caught napping. To protect your brand and bottom line, delve into requirements for the ISO 22301 standard, and start building your best-practice business continuity plan today.

Have a plan in place already but need help making the business case for flexible business continuity software that scales with crisis? Download our guide, When Business Continuity Events Become Crises.