How to Write a Business Continuity Plan
Except for time-bound enterprises, or business ventures that are started with the intention of terminating operations and liquidating the business at the end of a year or two, businesses are established with a long-term outlook.
Business owners want their business to earn profits, and to continue operating profitably for an indefinite, but long period of time. When drawing up their business plans, they see their business continuing to exist and operate in the many years to come.
Thus, they make every decision with continuity of the business in mind, while taking into account the possible effects of unexpected events that may lead to disruptions and interruptions in business operations.
INTRODUCTION TO BUSINESS CONTINUITY
If we are to take the phrase “business continuity” at face value, the most obvious meaning would be the ability of the business or enterprise to continue operating as a going concern for a very long time. But the term actually means more than what the words literally mean.
The International Organization for Standardization, in ISO 22300, defined “business continuity” as the capability of an organization to continue the delivery of its products or services, at acceptable predefined levels, following a disruptive incident. It implies the responsibility of the business owners and management for ensuring that the business stays afloat and “on course” despite any obstacles or stumbling blocks it encounters along the way. This responsibility is incorporated into the greater management process of the business, in what is also referred to as “Business Continuity Management” or BCM.
The Business Continuity Institute hit the nail right on the head when it described business continuity to be about “building and improving resilience in the business”. Organizational resilience means that the business can weather any storm and withstand any hits, and still remain operational, productive and profitable. Being resilient means that the business is still able to recover and grow, bigger and stronger than ever.
The ISO describes BCM as providing a framework for building organizational resilience, which will allow the organization to respond accordingly, in a way that protects the business, its reputation, and all other stakeholders. As a management process, BCM involves several key activities:
- Identification and analysis of key products and services of the business
- Identification and analysis of the most urgent activities and processes of the business
- Identification of potential threats, and their impacts to business operations
- Devising of plans and strategies for quick and effective recovery from any disruption, and the continuation of business operations
Business Continuity Planning
In recognition of the reality of the economic and business landscape being unpredictable and volatile, businesses are now taking a lot of precautions to ensure that their operations will still stand a chance against unexpected disruptions. We usually hear of these precautions in the form of disaster recovery planning, which is primarily focused on the restoration of a firm’s IT infrastructure and IT operations. This view is rather limited, when you look at the bigger picture, since a business and its operations are more than just its IT infrastructure.
Thus, more attention is put on business continuity planning (BCP), which puts the company in a proactive position in planning how to ensure that it will still be able to deliver its critical products and services safely and smoothly, while meeting its legal, regulatory, and other obligations.
We can probably enumerate more than a dozen reasons why businesses should create and maintain BCP initiatives but, at the end of the day, there is only one ultimate goal or purpose for it, and that is to help ensure that the organization, business or company has the required resources, information, and capabilities to deal with emergencies and similar unexpected events, particularly their aftermath.
Benefits of Business Continuity Planning
You will probably be able to appreciate BCP even more if you have a clearer idea of what the business can gain from it.
- BCP improves public perception and acceptance of the company. When the company displays a proactive attitude and demonstrates the initiative to be well-prepared, customers and the general public will have a favorable and positive impression of the organization. This will lead to a certain level of trust, which is likely to convert them into loyal, buying customers.
- BCP will boost employees’ morale and command their loyalty to the company. Employees are inclined to seek stability in the organization they belong to or the company that employs them, and a solid BCP is one way for management to give them the assurance that they are looking for. It will also give them pride in their work and motivate them to increase their productivity as members of the organization.
- BCP enhances the relationship of the business with its shareholders and other stakeholders. Shareholders will trust the company enough to keep investing in it, and partners will have no reason to stop working and collaborating with the business if they know that every effort to be prepared for the unexpected is made.
- BCP improves the overall efficiency of the organization. In the event that a crisis does arise, resulting in a disruption in operations, having a solid BCP will allow the company to respond quickly and appropriately, keeping losses and costs to a minimum because there is already a plan in place.
Threats to Business Continuity
Risks are inherent in businesses, and the risk of being faced with potential disasters and disruptive emergencies is one of them. What are some examples of these potential risks or threats?
- Natural disasters (force majeure, or “acts of God”), such as hurricanes or typhoons, storm surges or tsunamis, floods, earthquakes, bushfires, blizzards, sandstorms
- Man-made disasters with environmental repercussions, such as oil spills, hazardous materials spills, pollution, improper disposal of chemical and other industrial wastes
- Accidents brought about by fortuitous events, such as factory fires and similar incidents in the workplace
- Failure of utility and other similar service providers to deliver their services, such as when power and energy providers shut down, water services are interrupted, and communication lines go out of order
- Results of sabotage and similar crimes (with the intention of putting the business at risk), such as arson,
- Cybersecurity attacks, with the information system of the business falling prey to hacking and other similar intrusive activities
All these threats must be taken seriously by companies, considering their various effects or impacts when they result in the disruption of business operations. Some of the most likely effects are:
Lost revenues and profits
When a retail store does not open for a week, the potential income that it usually earns in a one-week period is gone. Similarly, when a manufacturing plant is unable to operate even for a couple of days, the company will not be able to produce the average output of finished goods for distribution. Reduced finished goods inventory means a reduced number of products to be sold, which will ultimately result in reduced sales and revenues.
What the company is looking at is a profit level that is much lower than their usual level of earnings. Of course, if profitability gets a major hit, this will also have adverse effects on business growth strategies.
Higher costs and expenses
Business disruptions usually lead to the company spending more on incidental expenses in order to do some damage control. For example, if the disruption is caused by a blizzard leading to the closure of manufacturing facilities, there is a high chance that the facilities have been damaged, and will require some major repairs.
Salvaging remaining equipment and machinery will also entail spending on transportation and hauling services. Incidentally, if the factory workers are paid on a monthly basis instead of on an output basis, they will still be paid their regular compensation rates. This, on top of the lost revenue, will further cause a drop in the profits of the business.
In a study of mid-sized companies that suffered a major disaster and had no contingency planning in place, it was revealed that, on average, their downtime cost amounted to $70,000 per hour. For small businesses, this is catastrophic.
Loss of customers
When their usual source of a specific product or service becomes unavailable, or unable to deliver their goods, customers will naturally look elsewhere for other sources. Even the most loyal customers may be swayed out of their loyalties if the business fails to rise to the occasion.
Soon, the business will be unable to do anything except watch helplessly as its customers shift to the competition while it is still in the middle of figuring out how to deal with the fallout of the crisis that caused the interruption of business operations.
Drop in business reputation
The reputation of the business will be on the verge of ruin. The moment it is unable to deliver the products and services that it promised, the trust levels of customers, stakeholders and other industry players for the company will suffer greatly. Lending institutions will think twice before granting any loans. Other businesses will have apprehensions about continuing any partnership they have with the company, and they may even consider severing any ties they have with that business. This will definitely make recovery more difficult for the business, even long after the crisis has passed.
The worst case scenario for businesses without BCP is the permanent end of operations. According to Agility Recovery’s Paul Sullivan, 80% of companies that have no plans whatsoever and were subsequently hit with a crisis or major disaster had to call it a day without having gone past 18 months of operations. 50% of companies that experienced inaccessibility of their business data for at least 10 days filed for bankruptcy right after.
In the BCM lifecycle, the first stage is all about policy and program management, which is essentially the phase for planning the business continuity program of the business. In the succeeding discussion, we will focus on the Business Continuity Plan – what it is, what it is for, and how to write it.
THE BUSINESS CONTINUITY PLAN
The Business Continuity Plan, which we will refer to from here on as “The Plan”, is the documentation of the outputs or results of a company’s BCP, presenting the processes and strategies that aim to help the company minimize, if not eliminate, the negative impact of disruptions to its business operations.
The Plan has two components:
- Plans: These plans refer to the arrangements, measures, tactics and policies designed to ensure continuity of business operations, so that critical products and services are still delivered to customers.
- Resources: The second component refers to the resources or assets that are necessary for recovery measures, thereby supporting business continuity. These resources often include manpower or personnel, information, facilities, machinery and equipment, physical security tools, legal support, and funding.
STEPS IN DEVELOPING A BUSINESS CONTINUITY PLAN
Before you can get down to writing The Plan, there are several steps that must be performed.
Step 1: Identify the scope of The Plan.
As in most business planning processes, the first thing that must be done is to define the scope and objectives of the plan being made. In this case, it is the Business Continuity Plan.
In addition, there is also a need to define the assumptions that will prevail in the conduct of BCP. It is also during this phase that budgeting is conducted, with the initial program budget taking into consideration the expenses that may be incurred in the process of developing the plan. These include costs of research, trainings and seminars, and other services sought in the process of moving the plan along.
Step 2: Form your business continuity team.
There is a need to establish a governance structure within the BCP in order for management to have order and control in its conduct. This implies care and prudence in choosing the people who will be assigned the task of planning for the continuity of the business.
This involves identification of the key roles in the team, and their functions or roles and responsibilities. In addition, the qualifications for each role should also be identified, in order to justify the choice of personnel to fill the roles within the team. Lines of authority and accountability, as well as management succession, should also be defined clearly.
The usual composition of a typical BCP team includes:
- BCP senior or executive manager – He is the overall leader of the committee, and the major link between top management and the BCP team.
- Program Coordinator – His responsibility includes BCP budgeting and budget implementation and monitoring, development of BCP policies, and coordination of BCP activities, such as the conduct of BIA, quality assurance, staffing, and training of BCP team members. In short, he is the team leader.
- Information officer – He will be responsible for ensuring the smooth and steady flow of data to be used in BCP, as well as access to and retrieval of that data.
- Representatives from the various business units or divisions of the company – They are excellent sources of input and relevant information, and will also aid in the analysis of BCP data. Usually, there is a representative for every critical process or function, as well as support processes or functions.
There is no limit to how many people should comprise the business continuity team or committee. A team could have only five people on board, or it could have as many as 20 or even 30 members. The number of people and the size of the team will largely depend on the nature of the business and the size and scale of its operations.
Step 3: Conduct a Business Impact Analysis (BIA)
Conducting a BIA is crucial since its results will be the major input in business continuity planning. Through BIA, the team will be able to predict or forecast the potential impacts or consequences of disruptions to business operations. It will also aid the team in gathering information that will be helpful when it comes to developing strategies that can be adopted by the company for its recovery from the crisis.
Briefly, let us take a look at the core concerns of BIA:
- Key business areas, or the core operations of the business;
- Functions and processes of the business that are considered critical and/or time-sensitive;
- The resources required to ensure the continuity of these key business areas and critical processes and functions;
- The dependencies (and interdependencies) between and among the business areas and functions or processes;
- The acceptable or tolerable downtimes for each critical process or function
The BIA will facilitate the prioritization of critical processes and functions (or critical products and services) of the company, so management will have a clearer idea on which areas need more resource allocation in case of an emergency. Usually, estimates and approximations are made with respect to financial variables, such as lost revenues, additional costs, and other possible losses.
Step 4: Strategizing and Planning
Based on the results of BIA, the team will then identify response and recovery strategies and plans to address the effects of the disruption, and present them in detail. It is in this phase where the team will provide details on the arrangements and measures that the company will undertake in order to mitigate threats and risks.
For every critical function, process, service, or product, there should be corresponding continuity responses, measures or plans. Cost estimates should also be included. That is how detailed this phase should be.
It should also talk about the readiness procedures that must be implemented, and how they will be implemented.
Step 5: Compilation and Documentation
This involves the writing of the Business Continuity Plan. Usually, there will be a first draft, since the succeeding steps involve testing the recovery plans and strategies, making adjustments and re-testing until such time that The Plan can be finalized.
Also, it is important to note that BCP is an ongoing process. That means that The Plan must be tested frequently, and updated when necessary. Thus, The Plan is subject to changes, as applicable.
Step 6: Implementation and Testing
The prevention and mitigation strategies formulated in Step 4 will now be implemented. This involves communication of the plan to all members of the organization, making them aware of their part in it. This involves training them on their roles if the event does happen. External stakeholders should also be made aware of the plan.
The emergency response and recovery strategies will undergo testing, mostly through drills and scenario exercises that will require the participation of the concerned employees or members of the organization. Through testing, the business continuity team will be able to assess whether the plan will be effective or not. This is their opportunity to make the necessary adjustments and corrections.
Testing and evaluation must be done periodically in order to take into account the ever-changing nature of businesses.
Step 7: Adjustments and Improvements
The program may need to be adjusted due to the following:
- Evaluation and testing of the strategies may reveal that they are ineffective or inefficient
- There may be deficiencies in the strategies
- Some roles and responsibilities are vague and need clarification
- Change in the roles and members of the business continuity team
- Introduction or occurrence of new or additional factors or circumstances, such as new equipment, opening of a new branch, relocation of operations, and new technology or system that modified critical processes.
Since testing and evaluations are done periodically, there is an equal chance that the program has to be adjusted several times. It follows that the Business Continuity Plan will have to be rewritten to accommodate or reflect these adjustments.
WRITING THE BUSINESS CONTINUITY PLAN
After performing the first three steps mentioned above, you are now ready to compile and document your business continuity planning activities in the Business Continuity Plan, modifying it for finalization purposes after testing and audit. Basically, everything that you performed in BCM will be documented in The Plan.
Depending on the nature of the business, The Plan may have special features or additional parts. But generally, a Business Continuity Plan has the following sections:
1. Program Administration
Usually, this comes in the form of a Mission Statement which contains the following:
- The purpose of the plan, stated to benefit and involve the organization as a whole and not in parts
- The scope, goals and objectives of the company’s BCP
- The methods of evaluation that will be employed
- The budget, specifically the anticipated and estimated costs that will be required
- Other resource requirements
- Anticipated timeline of the conduct of BCP
- Compliance with any relevant legal and/or regulatory requirements
This will detail the formation of the business continuity team. Emphasis must be placed on the following information:
- The team members, their titles or designations, as well as their roles and responsibilities as members of the BCP team. Include their contact details.
- The lines of authority and succession of management, clearly demonstrating the delegation of authority and accountabilities.
- External entities or organizations that the business will interact with in the conduct of BCP. They include vendors, distributors, contractors, suppliers, and the like.
Presentation of this section is reinforced by including an organizational or functional chart showing the lines and interconnections among the members of the team and external parties.
3. Business Impact Analysis
Document all the results of the BIA conducted by the team. Again, be as detailed as you possibly can.
Results of any prior risk assessment procedures undertaken by the company should be included, as these will figure greatly in the conduct of BIA. By identifying the vulnerabilities of the company and their potential impact on its operations, the company will be able to determine its state of readiness and responsiveness in the event a disaster does happen that may cause disruptions.
Other points that must be highlighted in this section are:
- Recovery Time Objectives (RTO) for business processes and functions, in case of disruption. This is basically the estimate of the maximum duration or length of time within which disrupted processes and functions must be recovered or restored, before the continuity of the business is seriously threatened.
- Recovery Point Objective (RPO) for data restoration. This is the maximum length of time in which data in a company’s IT infrastructure or database might be lost or inaccessible because of an emergency or disaster. When system designers and analysts are called in to work on recovery or restoration of data, they will know how much time they are given to accomplish that.
4. Business continuity strategies and requirements
All the plans, measures, procedures and arrangements, as well as the resources and other requirements to implement them, must be documented in this section, in great detail.
Take note that BCM is an ongoing process, which means planning strategies that will be employed before, during, and after a disruptive event.
Examples are detailed strategies and resource requirements for:
- Implementation and execution of prevention and control strategies, or the activities that will be undertaken before the event takes place. Examples are:
  - Installing physical protection facilities, systems and measures, such as emergency generators and storm shutters.
  - Diversification of resource providers and expanding the supply chain, maybe by looking for other alternative suppliers and vendors so as to not be entirely dependent on a single source.
  - Setting up off-site facilities as backups or alternates for servers, storage and warehousing, among other things
- Implementation and execution of emergency response strategies, or the activities during the event. Examples of these emergency responses are:
  - Set up of an incident response command center
  - Evacuation procedures
  - Information dissemination to the media and the general public
  - Delivery of notifications and status updates to suppliers, vendors, distributors and customers
- Implementation and execution of recovery strategies, or activities after the event has taken place and efforts are made to resume operations. Example strategies are:
  - Relocation or transfer of operations to another geographical area
  - Alternative methods or processes, such as manual workarounds, or temporary methods employed or used by the company to facilitate the continuation of critical processes and functions in the absence of normal systems and personnel
  - Data restoration, especially when the company’s information technology units received the brunt of the disruption
5. Training, Testing and Evaluation
With respect to Training, the Plan should include details of the following:
- Training program or curriculum that will be followed by the members of the business continuity team and the other members of the organization.
- Timeline or training schedule of the team members and other personnel
When evaluating the planned strategies, the following should be in The Plan as well:
- Testing procedures for the recovery and response strategies
- Testing schedule or timeline for the conduct of the procedures
- Forms and documents that will be used in the testing and evaluation
- Description and the finer details on the exercises that will be conducted
6. Program Maintenance
The Plan will also serve as a historical record or reference to trace how the business continuity management process was carried out. Thus, when writing about updates or adjustments made, there should be a reference to the deficiencies or issues that were addressed by the adjustments or corrective actions.
The Business Continuity Plan is essentially the Bible of the company during times of crisis or when it has to deal with the fallout of a disaster. Usually, people have trouble thinking straight during such major events and upheavals, and The Plan will serve as the guide that will steer the company in the right direction.
When writing a Business Continuity Plan, accuracy is of high importance, from the personal information of all individuals and entities involved to their roles and responsibilities. It should also remain relevant at all times, and that can be achieved by making sure that it is kept up to date. Finally, when writing The Plan, do it in such a way that it can be easily understood by everyone who reads it, from senior management to the lowliest employee in the organization. It won’t be of any use if trying to make sense of what is written in it becomes a hardship.