What is a Business Continuity Plan (BCP)?
A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them. It should consider any possible business disruption.
A BCP covers risks including cyberattacks, pandemics, natural disasters and human error. The array of possible risks makes it vital for an organization to have a business continuity plan to preserve its health and reputation. A BCP decreases the chance of a costly power or IT outage.
IT administrators often create the plan. However, the executive staff participate in the process, providing knowledge of the company and oversight. They also ensure the BCP is regularly updated.
Importance of business continuity planning
Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its organization in times of crisis. The creation of a business continuity program ensures company leaders can react quickly and efficiently to a business interruption.
A BCP lets a company continue to serve customers during a crisis and minimize the likelihood of customers going to competitors. These plans decrease business downtime and outline the steps to be taken before, during and after an emergency to maintain a company’s financial viability.
Elements of a business continuity plan
According to business continuity consultant Paul Kirvan, a BCP should contain the following items:
- Initial data at the beginning of the plan, including important contact information.
- A revision management process that describes change management procedures.
- The purpose and scope.
- How to use the plan, including guidelines as to when the plan will be initiated.
- Policy information.
- Emergency response and management procedures.
- Step-by-step procedures.
- Checklists and flow diagrams.
- A glossary of terms used in the plan.
- A schedule for reviewing, testing and updating the plan.
In the book Business Continuity and Disaster Recovery Planning for IT Professionals, Susan Snedaker recommends asking the following questions:
- How would the organization function if desktops, laptops, servers, email and internet access were unavailable?
- What single points of failure exist?
- What risk controls and risk management systems are in place?
- What are the critical outsourced relationships and dependencies?
- During a disruption, what workarounds are there for key business processes and internal functions, such as human resources?
- What is the minimum number of staff needed to run data center and other operations, and what functions would they need to carry out?
- What are the key skills, knowledge and expertise needed to recover?
- What critical security or operational controls are needed if computer systems are down?
Business continuity planning steps
The business continuity planning lifecycle is a procedure for putting BCP elements into practice. The lifecycle contains the following five steps:
- Information gathering and analysis. This step consists of both a risk assessment (RA) and business impact analysis (BIA). An RA identifies the possible disruptions that could happen to specific processes. A BIA explains the impact that disrupting a certain process has on a business.
- Plan development and design. The plan covers all possible disruptions and provides solutions to them.
- Implementation. In this step, employees learn the details of the BCP and what they must do if it should ever need to be implemented.
- Testing. The plan undergoes a simulation to test how effective it is. Areas of improvement are identified and addressed.
- Maintenance and updating. The plan must be regularly reviewed and updated to reflect changing threats, risks and new ways to address and recover from specific disruptions.
BCP implementation
Once the business has started the planning process, it launches the BIA and RA processes to collect important data. The BIA defines the critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening and the possible damage they could cause.
The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response.
The BCP shouldn’t be overly complex and doesn’t need to be hundreds of pages long. It should contain just the right amount of information to keep the business running. Small businesses can use a one-page plan with all the necessary details.
A short and simple plan can be more helpful than a long one that’s difficult to use. Details should include the following:
- Minimum resources needed for business continuity.
- Locations where the plan must take place.
- Personnel needed to accomplish it.
- Potential costs.
Four key BCP implementation steps
There are four steps involved in implementing an effective business continuity plan:
- Oversight. Decide who will oversee the plan. Ideally, a BCP committee or business continuity team includes business, security and IT leaders.
- Analysis. Conduct the BIA.
- Details. Answer business continuity questions, such as the following:
- Who is affected by a business disruption?
- Who holds a hard copy of contact information for top customers and clients?
- How and when will customers, employees and management be notified?
- What are the alternative means of communication if phones go down?
- Which employees are needed for the restoration of critical business functions and how will they be reached or relocated?
- Which critical products and services should the company focus on restoring first?
- What issues must be addressed within the first 24 to 48 hours?
- Does every team and department have its own BCP? Who is in charge of each?
- What’s the emergency succession plan for senior staff, including the CEO?
- Which employees will perform emergency tasks?
- Where will off-site crisis meetings take place?
- Who will interact with local emergency responders, such as firefighters and police?
- Who are the key vendors, including data backup providers?
- Action. Create a BCP that includes specific actions and assigned roles for each stage of the emergency, including the following:
- Initial response. This defines how the company will respond to a business interruption within the first hours. This is the period when team members are contacted and the BCP is activated.
- Relocation. During this stage, alternate facilities are activated and work-at-home policies implemented.
- Recovery. Once personnel and equipment are relocated, the assessment of damage and monitoring of business recovery begins. The recovery strategy must consider the organization’s recovery time objective (RTO), which is the maximum time IT systems can be down after a failure, as well as its recovery point objective (RPO), which is the maximum data loss the organization can tolerate.
- Restoration. Personnel return to the original workplace or an alternate site. The company undertakes infrastructure verification, documents the incident and reviews lessons learned.
BCP testing
An organization’s technology, processes, staff and facilities constantly change. Therefore, regular testing, reviewing and updating of a BCP is critical. Plan testing should be undertaken using tabletop exercises, walk-throughs, crisis management communication plans and emergency enactments to test the viability of the plan and to see how employees and executives react under stress.
Regular testing and maintenance ensure the BCP is current and accurate. A simple test of a business continuity plan might involve talking through it. A complex test requires a full run-through of what happens in the event of a business disruption.
The test is either planned or done on the spur of the moment to better simulate an unplanned event. If issues arise during testing, the plan is corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.
A BCP must be continually improved; updates shouldn’t wait for a crisis. Staff members involved in the plan must get regular updates and business continuity training. An internal or external business continuity plan audit should be done to evaluate the effectiveness of the plan and highlight areas of improvement.
Business continuity planning software, tools and trends
There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. Which approach an organization takes depends on the complexity of the business continuity planning task, the amount of time and personnel available, and the budget.
Before making a purchase, it’s advisable to research both products and vendors, evaluate demos and talk to other users.
For more complicated functions, business continuity software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its Business Continuity Planning Suite. Vendors that offer BCP software with a range of useful features include Agility Recovery, Archer, Everbridge, Fusion Risk Management, LogicManager and Riskonnect.
The Federal Financial Institutions Examination Council’s Business Continuity Management booklet contains guidance on plan development, testing, standards and training for both financial and nonfinancial organizations.
Free download of BCP template
The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it’s advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management and strategic planning.
Business continuity planning must also take into account emerging and growing technologies, such as generative AI and quantum computing. It also has to consider new and increasing threats, such data poisoning attacks that target artificial intelligence and machine learning training data.
Business continuity planning standards
Business continuity planning standards provide a starting point for building a BCP.
The International Organization for Standardization (ISO) 22301:2019 standard is regarded as the global standard for business continuity management. ISO 22301 is often complemented by other standards, such as the following:
- ISO 22313:2020 guidance on the use of ISO 22301.
- ISO/TS 22317:2021 guidelines for business impact analysis.
- ISO/TS 22318:2021 continuity of supply chains.
- ISO 22398:2013 exercise guidelines.
Other standards include the following:
- National Fire Protection Association 1600 emergency management and business continuity.
- National Institute of Standards and Technology SP 800-34 IT contingency planning.
- British Standards Institution BS 25999 standard for business continuity.
Emergency management and disaster recovery plans
An emergency management plan is a document that helps to lessen the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The appointed emergency management team takes the lead during a business disruption.
An emergency management plan, like a BCP, should be reviewed, tested and updated regularly. It should be simple and provide the steps needed to get through an event. The plan also should be flexible because situations are often fluid. Teams involved in an event designated as an emergency should communicate frequently during the incident.
Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan is reactive, as it details how an organization recovers after a business disruption. A business continuity plan is a proactive approach that describes how an organization can maintain business operations during an emergency.
Real-world use cases of business continuity plans
BCPs are essential across various industries and tailored to suit each organization’s needs. A few examples of industries that benefit from implementing BCPs — and situations where those BCPs are required — include the following:
- Healthcare. A BCP plan used in healthcare addresses various threats to databases that house patient data. These include cyberattacks, natural disasters causing power outages and human error. The plan outlines data backup and protection strategies. The BCP also must ensure the healthcare company’s employees are able to continue to adhere to the Health Insurance Portability and Accountability Act during a setback.
- Manufacturing. Manufacturing plants are susceptible to natural disasters and man-made cyberthreats. A BCP would include not just data backups but also equipment, such as backup generators in the event of a power outage. Designated secondary manufacturing sites are included as well. Finally, it would feature procedures for simple repairs workers can make to production lines.
- Finance. In finance, cyberthreats and data theft are increasingly common, as are technical issues that cause data loss. A BCP in finance should outline compliance and regulatory considerations for employees managing and safeguarding financial information during an emergency or disaster. It must also include methodologies for using data backups and other functions during business continuity events.
BCPs are one essential component in managing crises that affect large enterprises. Learn more about responding to unplanned emergencies in this complete guide to managing crises.