How to create an effective business continuity plan
A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. Here's how to create one that gives your business the best chance of surviving such an event.
We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn’t just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.
What is business continuity?
Business continuity refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Many people think a disaster recovery plan is the same as a business continuity plan, but a disaster recovery plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It’s actually just one part of a complete business continuity plan, as a business continuity plan looks at the continuity of the entire organization.
Do you have a way to get HR, manufacturing and sales and support functionally up and running so the company can continue to make money right after a disaster? For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? The BC plan addresses these types of concerns.
Note that a business impact analysis is another part of a business continuity plan. A business impact analysis identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your business continuity plan, which can come with its own risks. The business impact analysis essentially helps you look at your entire organization’s processes and determine which are most important.
Why business continuity planning matters
Whether you operate a small business or a large corporation, you strive to remain competitive. It’s vital to retain current customers while increasing your customer base — and there’s no better test of your capability to do so than right after an adverse event.
Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.
“There’s an increase in consumer and regulatory expectations for security today,” says Lorraine O’Donnell, global head of business continuity at Experian. “Organizations must understand the processes within the business and the impact of the loss of these processes over time. These losses can be financial, legal, reputational and regulatory. The risk of having an organization’s ‘license to operate’ withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence. Build your recovery strategy around the allowable downtime for these processes.”
Anatomy of a business continuity plan
If your organization doesn’t have a business continuity plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a business impact analysis.
Next, develop a plan. This involves six general steps:
- Identify the scope of the plan.
- Identify key business areas.
- Identify critical functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function.
- Create a plan to maintain operations.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
Remember that the disaster recovery plan is part of the business continuity plan, so developing a disaster recovery plan if you don’t already have one should be part of your process. And if you do already have a disaster recovery plan, don’t assume that all requirements have been factored in, O’Donnell warns. You need to be sure that restoration time is defined and “make sure it aligns with business expectations.”
As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share “war stories” and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid plan.
The importance of testing your business continuity plan
Testing a plan is the only way to truly know it will work, says O’Donnell. “Obviously, a real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve.”
You have to rigorously test a plan to know if it’s complete and will fulfill its intended purpose. In fact, O’Donnell suggests you try to break it. “Don’t go for an easy scenario; always make it credible but challenging. This is the only way to improve. Also, ensure the objectives are measurable and stretching. Doing the minimum and ‘getting away with it’ just leads to a weak plan and no confidence in a real incident.”
Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.
Common tests include tabletop exercises, structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.
In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
It’s also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.
Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.
During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.
Review and improve your business continuity plan
Much effort goes into creating and initially testing a business continuity plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you’ve had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.
How to ensure business continuity plan support, awareness
One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts? Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.
What Is A Business Continuity Plan? [+ Template & Examples]
Published: December 30, 2022
When a business crisis occurs, the last thing you want to do is panic.
The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.
A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.
In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.
Table of Contents:
- What is a business continuity plan?
- Business Continuity Types
- Business Continuity vs Disaster Recovery
- Business Continuity Plan Template
- How to write a business continuity plan
- Business Continuity Examples
A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.
For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.
When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.
Business Continuity Planning
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.
Do you have a plan in place to manage your reputation, and do you know the biggest risks for negative publicity in your space? The example plan above outlines the steps for handling a media or reputation crisis.
Once you create a business continuity plan, your work isn't over. Continue to iterate on the plan and identify new risks that become possible over time and/or with increased experience.
Business continuity planning isn't a one-time feat. Your plans need to be constantly reassessed if you want to adequately prepare for every situation. Consider adopting a business continuity management team to oversee your continuity plans and keep them up-to-date.
Here are examples of reputation issues that can affect business continuity:
- Negative publicity
- Company layoffs
- Negative reviews
Create a Business Continuity Plan Before Disaster Strikes
The more time you put into your business continuity plan, the better it's going to be. The more often you test, the stronger your plan will be, as you'll be able to quickly identify problem areas and correct them before you're forced to deal with them during a crisis.
Editor's note: This post was originally published in March 2019 and has been updated for comprehensiveness.
How to Write a Business Continuity Plan Step-by-Step: Our Experts Provide Tips
By Andy Marker | October 21, 2020 (updated August 17, 2021)
In order to adequately prepare for a crisis, your company needs a business continuity plan. We’ve culled detailed step-by-step instructions, as well as expert tips for writing a business continuity plan and free downloadable tools.
Included on this page, find the steps to writing a business continuity plan and a discussion of the key components in a plan. You’ll also find a business continuity plan quick-start template and a disruptive incident quick-reference card template for print or mobile, and an expert disaster preparation checklist.
Step by Step: How to Write a Business Continuity Plan
A business continuity plan refers to the steps a company takes to help it continue operations during a crisis. In order to write a business continuity plan, you gather information about key people, tools, and processes, then write the plan as procedures and lists of resources.
To make formatting easy, download a free business continuity plan template. To learn more about the role of a business continuity plan, read our comprehensive guide to business continuity planning.
- Write a Mission Statement for the Plan: Describe the objectives of the plan. When does it need to be completed? What is the budget for disaster and recovery preparation, including research, training, consultants, and tools? Be sure to detail any assumptions about financial or other resources, such as government business continuity grants.
- Set Up Governance: Describe the business continuity team. Include names or titles and role designations, as well as contact information. Clearly define roles, lines of authority and succession, and accountability. Add an organization or a functional diagram. Select one of these free organizational chart templates to get started.
- Write the Plan Procedures and Appendices: This is the core of your plan. There's no one correct way to create a business continuity document, but the critical content it should include is procedures, agreements, and resources. Think of your plan as lists of tasks or processes that people must perform to keep your operation running. Be specific in your directions, and use diagrams and illustrations. Remember that checklists and work instructions are simple and powerful tools to convey key information in a crisis. Learn more about procedures and work instructions. You should also note who on the team is responsible for knowing plan details.
- Set Procedures for Testing Recovery and Response: Create test guidelines and schedules for testing. To review the plan, consider reaching out to people who did not write the plan. Put together the forms and checklists that attendees will use during tests.
A business continuity plan is governed by a business continuity policy. You can learn more about creating a business continuity policy and find examples by reading our guide on developing an effective business continuity policy.
How to Create a Business Continuity Plan
Creating a business continuity plan (BCP) involves gathering a team, studying risks and key tasks, and choosing recovery activities. Then write the plan as a set of lists and guidelines, which may address risks such as fires, floods, pandemics, or data breaches.
According to Alex Fullick, your best bet is to create a simple plan. “I usually break everything down into three key categories: people, places, and things. If you focus on a couple of key pieces, you will be a lot more effective. That big binder of procedures is absolutely worthless. You need a bunch of guidelines to say what you do in a given situation: where are our triggers for deciding we’re in a crisis and we have to stop doing XYZ, and just focus on ABC.”
“Post-pandemic, I think new managers will develop more policies and guidelines of all types than required, as a fear response,” cautions Michele Barry.
Because every company is different, no two approaches to business continuity planning are the same. Tony Bombacino, Co-Founder and President of Real Food Blends, describes his company’s formal and informal business continuity approaches. “The first step in any crisis is for our nerve center to connect quickly, assess the situation, and then go into action,” he explains.
“Our sales manager and our marketing manager might discuss what’s going on, and say, ‘Are we going to say anything on social media? Do we need to reach out to any of our customers? The key things, like maintaining stock levels or what if somebody gets sick? What if there's a recall?’ Those plans we have laid out. But we're not a 5,000-person multi-billion-dollar company, so our business continuity plan is often in emails and Google Docs.”
“I've done planning literally for hundreds of businesses where we've just filled out basic forms,” says Mike Semel, President and Chief Compliance Officer of Semel Consulting. “For example, noting the insurance company's phone number — you know, on the back of your utility bill, which you never look at, there's an emergency number for if the power goes out or if the gas shuts off. We've helped people gather all that information and put it down. Even if there's no other plan, just having that information at their fingertips when they need it may be enough.”
You can also approach your business continuity planning as including three types of responses:
- Proactive Strategies: Proactive approaches prevent crises. For example, you may buy an emergency generator to keep power running in your factory, or install a security system to prevent or limit loss during break-ins. Or you may create a bring-your-own-device (BYOD) policy and offer training for remote workers to protect your network and data security.
- Reactive Strategies: Reactive strategies are your immediate responses to a crisis. Examples of reactive methods include evacuation procedures, fire procedures, and emergency response strategies.
- Recovery Strategies: Recovery strategies describe how you resume operations to produce a minimum acceptable level of service. The recovery plan includes actions to stand up temporary processes. The plan also describes the longer-term efforts, such as relocation, data restoration, temporary workaround processes, or outsourcing tasks. Recovery strategies are not limited to IT and data recovery.
Quick-Start Guide Business Continuity Plan Template
If you don’t already have a business continuity plan in place, but need to create one in short order to respond to a disruption, use this quick-start business continuity template. This template is available in Word and Google Docs formats, and it’s simply formatted so that you can focus on brainstorming and problem-solving.
For other useful free, downloadable business continuity plan (BCP) templates, please read our "Free Business Continuity Plan Templates" article.
Key Components of a Business Continuity Plan
Your company’s complete business continuity plan will have many details. Your plan may differ from other companies' plans based on industry and other factors. Each facility or business unit may also conduct an impact analysis and create disaster recovery and continuity plans. Consider adding these key components to your business plan:
- Contact Information: These pages include contact information for key employees, vendors, and critical third parties. Locate this information at the beginning of the plan.
- Business Impact Analysis: When you conduct business impact analysis (BIA), you evaluate the financial and other changes in a disruptive event (you can use one of these business impact templates to get started). Evaluate impact in terms of brand damage, product failure or malfunction, lost revenue, or legal and regulatory repercussions.
- Risk Assessment: In this section, assess the potential risks to all aspects of the organization’s operations. Look at potential risks related to such matters as cash on hand, stock levels, and staff qualifications. Although you may face an infinite number of potential internal and external risks, focus on people, places, and things to keep from becoming overwhelmed. Then analyze the effects of any items that are completely lost or need repairs. Also, understand that risk assessment is an ongoing effort that works in tandem with training and testing. Consider adding a completed risk matrix to your plan. You can create one using a downloadable risk matrix template.
- Critical Functions Analysis and List: As a faster alternative to a BIA, a critical functions analysis reveals what processes are critical to keeping your company running. Examples of critical functions include payroll and wages, accounts receivable, customer service, or production. According to Michele Barry, with a values-based approach to critical functions, you should consider who you really are as a company. Then decide what you must continue doing and what you can stop doing.
- Trigger and Disaster Declaration Criteria: Here, you should detail how your executive management will know when to declare an emergency and initiate the plan.
- Succession Plan: Identify alternate staff for key roles in each unit. Schedule time throughout the year to observe alternates as they make important decisions and complete recovery tasks.
- Alternate Suppliers: If your goods are regulated (e.g., food, toy, and pharmaceutical manufacturing), your raw resources and parts must always be up to standard. Source suppliers before a crisis to ensure that regulatory vetting and approval do not delay supplies.
- Operations Plan: Describe how your organization will resume and continue daily operations after a disruption. Include a checklist with such items as supplies, equipment, and information on where data is backed up and where you keep the plan. Note who should have copies of the plan.
- Crisis Communication Strategy: Detail how the organization will communicate with employees, customers, and third-party entities in the event of a disruption. If regular communications systems are disabled, make a plan for alternate methods. Download a free crisis communication strategy template to get started on this aspect.
- Incident Response Plan: Describe how your organization plans to respond to a range of likely incidents or disruptions, and define the triggers for activating the plan.
- Alternate Site Relocation: The alternate site is the location that the organization moves to after a disruption occurs. In the plan, you can also note the transportation and resources required to move the business and the processes you must maintain in this facility.
- Interim Procedures: These are the critical processes that must continue, either in their original or alternate forms.
- Restoration of Critical Data: Critical data includes anything you must immediately recover to maintain normal business functions.
- Vendor Partner Agreements: List your organization’s key vendors and how they can help you maintain or resume operations.
- Work Backlog: This includes the work that piles up when systems are shut down. You must complete this work first when processes start again.
- Recovery Strategy for IT Services: This section details the steps you take to restore the IT processes that are necessary to maintain the business.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): RTO refers to the maximum amount of time that a company can stop its processes and the length of time without access to data before productivity substantially drops. Determine RTOs for each unit, factoring in people, places, and things.
- Backup Plans: What if plans, processes, or resources fail or are unavailable? Determine alternatives now, so you don't have to scramble. Decide on a backup roster for personnel who are unavailable.
- Manual Workarounds: This section details how a business can operate by hand, should all failsafe measures break down.
- External Audit Details: For regulated organizations, external audits may be compulsory. Your scheduled internal audits will prepare you for external audits.
- Test and Exercise Plan: Identify how and when you will test the continuity plan, including details about periodic tabletop testing and more complex real-world scenario testing.
- Change Management: Note how you will incorporate learnings from tests and exercises, disseminate changes, and review the plan and track changes.
Key Resources for Business Continuity
To fix problems, restore operations, or submit an insurance claim, you need readily available details of the human resources and other groups that can assist with business continuity. (Your organization's unique situation may also require specific types of resources.) Add this information to appendices at the back of your continuity plan.
Fullick suggests broadening the definition of human assets. "People are our employees, certainly. But we forget that the term ‘people’ includes executive management. Management doesn't escape pandemics or the flu or a car crash. Bad things can happen to them and around them, too."
Use the following list as a prompt for recording important information about your organization. Your unique situation may require other types of information.
- Lists of key employees and their contact information. Also, think beyond C-level and response team members to staff with long-term or specialized knowledge
- Disaster recovery and continuity team contact names, roles, and contact information
- Emergency contact number for police and emergency services for your location
- Non-emergency contact information for police and medical
- Emergency and non-emergency contact numbers for facilities issues
- Board member contact information
- Personnel roster, including family or emergency contact names and numbers for the entire organization
- Contractors for any repairs
- Client contact information and SLAs
- Insurance contacts for all plans
- Key regulatory contacts
- Legal contacts
- Vendor contact information and partner agreements and SLAs
- Addresses and details for each office or facility
- Primary and secondary contact and information for each facility or office, including at least one phone number and email address
- Off-site recovery location
- Addresses and access information for storage facilities or vehicle compounds
- Funding and banking information
- IT details and data recovery information, including an inventory of apps and license numbers
- Insurance policy numbers and agent contact information for each plan (healthcare, property, vehicle, etc.)
- Inventory of tangibles, including equipment, hardware, supplies, fixtures, and fittings (if you are a supplier or manufacturer, include an inventory of raw materials and finished goods)
- Lease details
- Licenses, permits, other legal documents
- List of special items that you use regularly, but don't order frequently
- Location of backup equipment
- Utility account numbers and contact information (for electric, gas, telephone, water, waste pickup, etc.)
Activities to Complete Before Writing the Business Continuity Plan
Before you write your plan, take these preliminary steps to assemble a team and gather background information.
- Incident Commander: This person is responsible for all aspects of an emergency response.
- Emergency Response Team: The emergency response team refers to the group of people in charge of responding to an emergency or disruption.
- Information Technology Recovery Team: This group is responsible for recovering important IT services.
- Alternate Site/Location Operation Team: This team is responsible for maintaining business operations at an alternate site.
- Facilities Management Team: The facilities management team is responsible for managing all of the main business facilities and determining the necessary responses to maintain them in light of a disaster or disruption.
- Department Upper Management: This includes key stakeholders and upper management employees who govern BCP decisions.
- Conduct business impact analysis or critical function analysis. Understand how the loss of processes in each department can affect internal and external operations. See our article on business continuity planning to learn more about BIAs.
- Conduct risk analysis. Determine the potential risks and threats to your organization.
- Identify the scope of the plan. Define where the business continuity plan applies, whether to one office, the entire organization, or only certain aspects of the organization. Use the BIA and risk analysis to identify critical functions and key resources that you must maintain. Set goals to determine the level of detail required. Set milestones to track progress in completing the plan. "Setting scope is essential," Barry insists. "You need to define the core and noncore aspects of the business and the minimum requirements for achieving continuity."
- Strategize recovery approaches: Strategize how your business should respond to a disruption, based on your risk assessment and BIA. During this process, you determine the core details of the BCP, add the key components and resources, and determine the timing for what must happen before, during, and after a disruptive event.
Common Structure of a Business Continuity Plan
Knowing the common structure should help shape the plan and free you from thinking about form when you should be thinking about content. Here is an example of a BCP format:
- Business Name: Record the business name, which usually appears on the title page.
- Date: The day the BCP is completed and signed off.
- Purpose and Scope: This section describes the reason for and span of the plan.
- Business Impact Analysis: Add the results of the BIA to your plan.
- Risk Assessment: Consider adding the risk assessment matrix to your plan.
- Policy Information: Include the business continuity policy or policy highlights.
- Emergency Management and Response: You can detail emergency response measures separately from other recovery and continuity procedures.
- The Plan: The core of the plan details step-by-step procedures for business recovery and continuity.
- Relevant Appendices: Appendices can include such information as contact lists, org charts, copies of insurance policies, or any supporting documents relevant in a crisis.
Keep in mind that every business is different — no two BCPs look the same. Tailor your business continuity plan to your company, and make sure the document captures all the information you need to keep your business functioning. Having everything you need to know in an emergency is the most crucial part of a BCP.
Disruptive Incident Quick-Reference Card Template
Use this quick-reference card template to write the key steps that employees should take in case of an emergency. Customize this template for each business unit, department, or role. Describe what people should do immediately and in the following days and weeks to continue the business. Print PDFs and laminate them for workstations or wallets, or load the PDFs on your mobile phone.
Expert Disaster Preparation Checklist
Business continuity and disaster planning aren’t just about your buildings and cloud backup — it’s about people and their families. Based on a document by Mike Semel of Semel Consulting, this disaster checklist helps you prepare for the human needs of your staff and their families, including food, shelter, and other comforts.
Tips for Writing a Business Continuity Plan
With its many moving parts and considerations, a business continuity plan can seem intimidating. Follow these tips to help you write, track, and maintain a strong BCP:
- Take the continuity management planning process seriously.
- Interview key people in the organization who have successfully managed disruptive incidents.
- Get approval from leadership early on and seek their ongoing championship of continuity preparedness.
- Be flexible when it comes to who you involve, what resources you need, and how you achieve the most effective plan.
- Keep the plan as simple and targeted as possible to make it easy to understand.
- Limit the plan to practical disaster response actions.
- Base the plan on the most up-to-date, accurate information available.
- Plan for the worst-case scenario and broadly cover many types of potential disruptive situations.
- Consider the minimum amount of information or resources you need to keep your business running in a disaster.
- Use the data you gather in your BIA and risk analysis to make the planning process more straightforward.
- Share the plan and make sure employees have a chance to review it or ask questions.
- Make the document available in hard copy for easy access, or add it to a shared platform.
- Continually test, review, and maintain your plan to keep it up to date.
- Keep the BCP current with organizational and regulatory changes and updates.
6 Steps for Developing a Business Continuity Plan
Every minute that your business is offline is expensive. While every business is different, you'll find some guidelines for projecting your downtime costs in this post. But there are other costs beyond dollars. Your reputation, for example, is hard to repair if you're not available when your customers need you and your company name is front-page news. No company wants to be responsible for delivering a lesson in security to the rest of its industry, as noted in the headline of a Forbes article about the Colonial Pipeline hack.
The best way to avoid these costs is through business continuity planning. That way, if any disaster strikes—from a ransomware attack to a hurricane—you know what to do, and you have the tools in place to keep your business running. With that in mind, let's look at the specific areas you need to address as you develop your plan—and how you can ensure it will be effective if and when it is required.
1. Assess Your Risks
Regardless of your company's size or structure, you need to understand where your risks lie so you can reduce or eliminate them. You'll want to list every potential threat to your business operations so you can consider how to mitigate those risks most effectively. Risk assessment should be a team effort, addressing every aspect of your operations and every kind of threat, including:
- Natural disasters
- Human error
- Unplanned downtime
- Power outages
- Data corruption
- System failures
- Hardware failures
2. Perform a Business Impact Analysis
As noted on Ready.gov, the business continuity planning process should include a business impact analysis that addresses lost revenues, increased expenses, regulatory impacts, and other factors. You'll also find a helpful business impact analysis worksheet on the Ready.gov site. As part of this analysis, you need to establish or update your recovery time objective (RTO)—the amount of downtime your business can tolerate—and your recovery point objective (RPO)—the amount of data your business can afford to lose before the impacts are just too great.
3. Identify Critical Systems
With a clear understanding of your risks and the potential impacts on your business, the next step is to identify those systems and functions that are mission critical. This list will help you ensure that these systems are prioritized for protection and recovery. As you build out your business continuity plan, mapping your network, hardware, and software topology and dependencies can be an invaluable tool for locating and troubleshooting issues, thus accelerating recovery.
4. Back Up Your Data
While you are already likely to be backing up your data in some form, your risk assessment and business impact analysis should give you a solid foundation for choosing the most effective backup strategy and solution for your needs. At a minimum, you should adhere to Arcserve's recommended 3-2-1-1 backup rule: Keep three copies of your data, in two media types, with at least one copy offsite in the cloud or secure storage, and one copy in immutable storage.
5. Plan for Recovery
Every business continuity plan should include a disaster recovery (DR) plan. Your plan should account for procuring the technologies you need to meet your RPOs and RTOs. It should also designate your recovery strategy—from file-based recovery to virtual machine (VM) and cloud-based recovery. With cloud-based backup and disaster recovery, Arcserve Cloud Service ensures business continuity, no matter what.
6. Test Your Plan (Regularly)
If you need to put your business continuity and disaster recovery plans into action, there's no time to waste. It's essential to test your plan to ensure it will perform as expected if disaster strikes. Arcserve Cloud Services allows you to test (or start) a site-wide failover process by pressing a single button.
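One way to check a backup inventory against the 3-2-1-1 rule from step 4 and the RPO from step 2, as an added example that is not Arcserve's code. The `BackupCopy` fields, the three loss scenarios, the sample inventory and all function names are assumptions made for illustration.

```python
"""Check a backup inventory against the 3-2-1-1 rule and an RPO."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "tape", "object-storage"
    offsite: bool           # stored away from the primary site
    immutable: bool         # cannot be altered or deleted once written
    primary: bool           # True for the live production copy
    last_success: datetime  # completion time of the last verified run


def check_3211(copies: list[BackupCopy]) -> list[str]:
    """Return rule violations; an empty list means 3-2-1-1 is satisfied.

    Assumption: the production copy counts toward the three copies.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"need 3 copies, found {len(copies)}")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"need 2 media types, found {len(media)}")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.immutable for c in copies):
        problems.append("no immutable copy")
    return problems


# Which backup copies are assumed to survive each kind of event.
# Simplification: ransomware is assumed to reach every mutable copy.
SCENARIOS = {
    "primary failure": lambda c: True,
    "site loss": lambda c: c.offsite,
    "ransomware": lambda c: c.immutable,
}


def exposure(copies: list[BackupCopy],
             now: datetime) -> dict[str, Optional[timedelta]]:
    """Worst-case data loss per scenario: age of the newest surviving backup.

    None means no backup survives that scenario at all.
    """
    backups = [c for c in copies if not c.primary]
    result = {}
    for scenario, survives in SCENARIOS.items():
        times = [c.last_success for c in backups if survives(c)]
        result[scenario] = now - max(times) if times else None
    return result


def rpo_gaps(copies: list[BackupCopy], rpo: timedelta,
             now: datetime) -> dict[str, Optional[timedelta]]:
    """Scenarios whose worst-case data loss exceeds the RPO."""
    return {s: age for s, age in exposure(copies, now).items()
            if age is None or age > rpo}


# Constructed sample inventory (not real data).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy(name="production", media="disk", offsite=False,
               immutable=False, primary=True, last_success=NOW),
    BackupCopy(name="local NAS", media="disk", offsite=False,
               immutable=False, primary=False,
               last_success=NOW - timedelta(hours=4)),
    BackupCopy(name="cloud bucket", media="object-storage", offsite=True,
               immutable=False, primary=False,
               last_success=NOW - timedelta(hours=20)),
    BackupCopy(name="vault tape", media="tape", offsite=True,
               immutable=True, primary=False,
               last_success=NOW - timedelta(days=6)),
]

if __name__ == "__main__":
    print("3-2-1-1 violations:", check_3211(INVENTORY) or "none")
    for scenario, age in rpo_gaps(INVENTORY, timedelta(hours=24), NOW).items():
        print(f"RPO missed for {scenario}: newest surviving copy is {age} old")
```

The sample inventory passes the 3-2-1-1 check yet still misses a 24-hour RPO in the ransomware scenario, because the only immutable copy is six days old.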
There's a lot to consider when developing your business continuity plan. And when it comes to backup and disaster recovery, it's worth talking to an expert. Choose an Arcserve technology partner and get the product information you need to make an informed decision.
What is a business continuity plan? Inclusions, benefits and setup guide
- Small Business Tips
- May 09, 2023
- By deependra
Small business owners have a lot to deal with, and business recovery in tough times is rarely easy because there are many things to manage. While you may follow all the recommended business practices and procedures to ensure that your business will stand the test of time, it is nigh on impossible to control all of the variables.
The reality is that business owners can benefit from expecting the unexpected. Unwanted challenges such as natural disasters and even cyber attacks on your business can pop up out of nowhere and cause major havoc to your business.
However, having a business continuity plan (BCP) can help prepare your business for those unpredictable moments. Continue reading to learn more about business continuity plans and some of the key things you may consider including in your business continuity plan to help your business prepare for whatever comes its way.
What is a business continuity plan (BCP)?
While those three words (business continuity planning) may sound a little intimidating, they needn’t be. Business continuity planning and business continuity management is simply a framework for helping your business respond to unexpected events and situations that can interrupt your business.
One of the most common forms of business continuity planning is the PPRR model. PPRR is shorthand for, “prevention preparedness recover response”.
Why is a business continuity plan important?
A small business continuity plan provides a formal system and structure to help reduce the risks to your business. A BCP also provides a defined path for recovering from potential threats to your business. It is a clearly defined plan that helps ensure that your staff and your business assets are protected. The ultimate goal of a business continuity plan is to help your business get back up and running quickly.
Five key inclusions for an effective business continuity plan and management
Now that you know what a BCP is, let’s dig a little deeper into the essential elements for a successful business continuity action plan. An ideal BCP example will likely include the following.
1. Scope and objectives: A BCP will outline the departments, functions, and locations that it will cover. The plan also highlights its objectives, such as minimising downtime and protecting assets.
2. Risk assessment and business impact analysis: Risk assessment and business impact analyses (BIAs) are used to identify threats and vulnerabilities as well as potential disruptions.
3. Recovery strategies: The BCP outlines the recovery strategy of each critical function. It focuses on the resources, personnel, and technology required to restore operations. The BCP also includes the company’s Recovery Time Objective – which is the maximum amount of time that IT systems can be down following a failure.
4. Incident response plan: A BCP includes a detailed plan for incident response that details the steps to be taken during a disruption. This includes communication protocols, roles and responsibilities, and emergency management procedures. Also consider including contact information for everyone involved.
5. Training and awareness: Through training and awareness, a BCP helps employees understand their roles within the business continuity action plan.
Business continuity plans focus on what to do when things go wrong. They are the plan B for your business. A disaster recovery plan, on the other hand, is focused on “returning to normal” after an unexpected event. Disaster recovery is the way to get back on track with Plan A.
What are the benefits of having a business continuity plan?
A carefully considered business continuity plan provides a roadmap for reducing the impact of unanticipated events on your business so you can continue trading.
A business continuity plan (BCP) – whether based on the PPRR model or on another model – provides a formal system of prevention and recovery from potential threats to your business. It helps ensure that personnel and assets are protected and are able to function quickly in the event of a disaster.
Businesses can potentially be exposed to a host of disasters that can vary in degree, from minor to catastrophic. And this is why business continuity plans exist and are an important feature of business strategy. A BCP is typically meant to help a company continue operating in the event of threats and disruptions.
Such threats and disruptions could result in a loss of revenue and higher costs, which could lead to a drop in profitability. And businesses can’t rely on insurance alone because it doesn’t cover all the costs and the customers who move to the competition.
Taking the right steps to mitigate and eliminate a risk before it becomes a problem is a valuable step you can take when protecting your business. This can be done with things like ensuring your business premises are secure, that your staff are properly trained and aware of what to do in an emergency, and having business insurance in place, such as Public Liability, Professional Indemnity insurance, Business Interruption and Business Insurance.
Develop an action plan
Outlining the steps for what needs to be done if an incident does occur can help everyone in your workplace. Things like fire drills, access to first aid kits, a list of emergency contact numbers, and a clear process can help keep the risk of the incident from escalating. Ensure that these steps and processes are regularly communicated to your team.
Seven steps for creating your small business continuity plan
1. Set the goals of your plan
Your small business continuity plan may be designed to protect your employees and assets and to prevent financial loss in the event of a crisis. Some business continuity plans are created as a reaction to a specific incident that occurred. In this case, you may consider focusing on preventing one type of disaster while also considering other types that could disrupt your small business.
2. Create a business continuity team
Create a list of responsibilities before selecting a team to execute your business continuity planning. The responsibilities could include the following:
- A business continuity steering group of select employees from different areas of your business to create a list of all the assets or risks that could be included in the plan.
- A business continuity manager who manages daily responsibilities for the business continuity plan, such as employee education, crisis management and safety assessments.
- Members of the business continuity team, who support the business continuity program manager by following the instructions given by the business continuity program manager.
- Business continuity plan owners are key stakeholders such as HR, payroll, cybersecurity, health and safety, and other individuals who contribute to the business continuity plan for their area.
- Business continuity planners who execute instructions directly from the business continuity plan owners to support the rollout of plans.
3. Determine risks, assets, functions, and impact
The next step in developing your BCP plan is compiling a list of the most common threats and risks to your business, which may include several of the following:
- Fires, natural disasters and power outages;
- Public health crises;
- Cyber attacks and data loss;
- Economic downturns;
- Cash flow problems, including bankruptcy;
- Licence cancellations, government regulations and legal disputes; and
- Workplace accidents.
Next, do the same for your most at-risk assets, which may include your:
- company property;
- brand loyalty and customer relationships;
- license agreements;
- data centers;
- IT Infrastructure;
- supply chain; and
- intangibles, such as brand loyalty and customer relationships.
4. Set mandatory training timelines
You can ensure that your staff are prepared in the event of a disaster, even when key management staff are not present. Training is important for all stakeholders in areas that affect their work. Your cyber security employee, for example, should know who to contact if their data back-up solution fails, even when their department head is on holidays.
After you have completed your risk assessment, ensure that all stakeholders are trained in business continuity. Training employees can begin when they are hired, and you may also consider quarterly drills as a reminder. Employee training may cover fire safety, CPR, and other safety issues. In the best-case scenario, you won’t need to activate your BCP plan.
5. Identify vulnerabilities, and alternative solutions
After you have created your plan, identify the main vulnerabilities in your business. For example, an ecommerce business may be most vulnerable due to their dependence on a third-party supplier, delays in overseas shipping, or due to a cyber attack.
Consider using a scale of 1-10 to determine the likelihood that each vulnerability will occur. List potential back-up solutions and prioritise each item in your BCP plan according to the likelihood of it occurring.
6. Detail your actions for each vulnerability in your continuity plan
Structure your list of possible fixes into if/then statements with a list that includes potential solutions. A continuity plan in the event of a server crash may look like this:
If our server goes down during a weekend holiday sale, we can still increase our revenue by directing our e-newsletter subscribers to our online store, or by selling product via our social media.
You may also start considering recovery strategies that can get your business back on its feet, while also reducing the chances of the same issue happening again moving forward.
7. Request feedback
By asking for feedback from all stakeholders in your business, you can ensure that there are no stones left unturned in your business continuity plan. It is important that your plan is comprehensive and takes into consideration all possible risks.
A business interruption plan using the BCP example can help your business survive an emergency. Understanding your stakeholders, the risks that make your business vulnerable, and how to minimise those risks will help protect your brand, increase employee safety, and reduce financial losses. A missed vulnerability or a non-working solution can lead to a larger crisis, for which there is no continuity plan or recovery plan.
Getting back to business
Another important feature of your business continuity plan is outlining how you will get your business back up and running. Prioritise what needs to be done, what resources will be required, and create an outline of the steps needed to help you get there.
The prevention preparedness recover response (the PPRR model) is one way to approach business continuity planning, but there are others that you may consider for your business. The important thing is being comfortable and confident with your business interruption plan.
If you are reviewing your business interruption plan and how you handle business continuity management, this can also be a great time to review your business insurance. And BizCover is here to help you get your business insurance sorted fast.
We do the shopping around for you and cover many, many different types of occupations. Compare competitive business insurance quotes by jumping online. Get covered in 10 minutes flat and get on with your day.
What Is a Business Continuity Plan (BCP), and How Does It Work?
Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.
What Is a Business Continuity Plan (BCP)?
A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
- Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
- BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
- BCPs should be tested so that any weaknesses can be identified and corrected.
Understanding Business Continuity Plans (BCPs)
BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure they work
- Reviewing the process to make sure that it is up to date
BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. A BCP is generally conceived in advance and involves input from key stakeholders and personnel.
Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.
Benefits of a Business Continuity Plan
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.
Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.
An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.
How to Create a Business Continuity Plan
There are several steps many companies must follow to develop a solid BCP. They include:
- Business Impact Analysis: Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
- Recovery: In this portion, the business must identify and implement steps to recover critical business functions.
- Organization: A continuity team must be created. This team will devise a plan to manage the disruption.
- Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.
Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.
Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan, which can then be corrected.
In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.
Business Continuity Impact Analysis
An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:
- The impacts—both financial and operational—that stem from the loss of individual business functions and processes
- Identifying when the loss of a function or process would result in the identified business impacts
Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”
Business Continuity Plan vs. Disaster Recovery Plan
Although BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.
BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel, who create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.
Why Is Business Continuity Plan (BCP) Important?
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic, and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. Such threats and disruptions could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.
What Should a Business Continuity Plan (BCP) Include?
Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.
What Is Business Continuity Impact Analysis?
An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.
These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.
Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.
Federal Emergency Management Agency. "Business Process Analysis and Business Impact Analysis User Guide," Pages 15-17. Accessed Sept. 5, 2021.