Start Your Disaster Planning with this Business Continuity Plan Template
Preparing for disaster is one of the best things a business can do to avoid downtime when disruptive events occur. But for smaller companies, it’s not always clear how to approach that planning.
We’ve created this business continuity plan template to guide you in creating the single most important resource in your disaster-planning toolbox: the business continuity plan (BCP).
What is a business continuity plan?
A business continuity plan is a document that outlines an organization’s approach to disaster prevention, planning and recovery. It is designed to help businesses understand the risks that threaten their operations and provide a framework for resolving disruptions.
In short, a BCP helps companies maintain business continuity after a disaster.
Federal agencies estimate that 90% of small companies fail within a year when a disaster shutters the business for more than 5 days. This is why business continuity plans are so important.
Sample Business Continuity Plan Template
The following business continuity plan template provides a basic overview of what your BCP should include. But ultimately, every plan is different. BCPs can be structured differently depending on the business, operations and industry.
Use this template as a rough guide to what should go in your plan, rather than a hard-and-fast rulebook.
a) Contact Information
Most business continuity plan templates include key contact information at the beginning of the document, because it needs to be clear who should be contacted in an emergency. These personnel could be company stakeholders, managers or the individuals on your recovery teams. They’re the people who “need to know first” about a disruption, so that emergency protocols can be properly activated and critical business decisions can be made quickly.
This section is also a good place to include the names and contact details of those who developed the BCP, so that they can be contacted if any questions come up during a disaster.
What to include:
· Role or job title
· Location (if company has multiple)
· Phone (work, mobile and home)
It’s a good idea to include all available contact information for each individual to ensure that they can be reached. Remember that in the most devastating events, such as a natural disaster, some lines of communication may be broken. Including multiple contact details increases the chances that critical personnel can be reached.
If the list of contacts is long, consolidate them into distinct categories or sections of your BCP, i.e. for the recovery teams, board members, etc., prioritized by who should be contacted.
The beginning of your BCP should make it clear what the plan aims to accomplish. This is useful for several reasons:
· Defining the scope of the planning, i.e. whether it’s focused on company-wide operations or limited to continuity concerns within specific departments such as IT
· Providing a broad overview of financial impact and other consequences of a disruption
· Educating stakeholders and other personnel on the importance of the planning and how it helps to ensure continuity
This section can sometimes look like a brief breakdown of what’s included in the BCP. But generally, the fundamental objective of the plan will be similar for every business: Identifying risks and solutions for preventing various disaster scenarios and recovering rapidly when they occur.
c) Risk Assessment
A thorough risk assessment should be completed as part of every BCP. In order to determine the most effective steps for disaster prevention and recovery, you need to first understand what those disasters are.
A risk assessment aims to answers the question: which events could disrupt operations?
These events can be different for each business, depending on numerous factors. For example, a business located along the coast will be more at risk of hurricanes and coastal flooding than companies that are further inland. A business located in a major metropolitan area may be more at risk of transportation blockages and terrorist activity than those in more rural areas.
The risk assessment should clearly define the following:
· Specific risks posed to the business
· How and why those events pose a threat to operations
· Likelihood of the event actually occurring
d) Impact Analysis
While the risk assessment provides a basic definition of each disaster and how it affects the business, a more thorough impact analysis is needed to truly understand the fallout from these events.
An impact analysis provides a more in-depth perspective of how a disaster negatively impacts the business.
Each risk needs to be evaluated in these terms:
· Which business process(es) would be disrupted
· Estimated lapse in continuity or timeframe for recovery
· Extended effects on other business units
· Financial impact
The financial impact is a key metric here. An impact analysis must calculate the specific costs of a disruption in the numerous ways it impacts the business: wages for idle workers, productivity losses, revenue disruptions, IT expenses, recovery costs, reputation damage and so on.
These costs help to prioritize the severity of each disaster, so that organizations can better identify solutions for prevention and recovery.
e) Preventive Solutions
Preventing disruptions is an important component of all business continuity planning. While recovery protocols will always be necessary, businesses should attempt to mitigate risks as much as possible.
This section should outline all preventive solutions that have been implemented to stave off the disaster scenarios uncovered in the risk assessment, including:
· Existing processes and measures taken by the company to prevent operational disruptions
· Technologies and systems that prevent disasters, such as antimalware software, data backup solutions, backup power generators, etc.
· Emergency tools and devices, such as smoke & fire suppression systems, location of fire extinguishers, exit routes, etc.
Depending on the layout of your business continuity plan, these preventative solutions can be included within the risk assessment or they can be broken out into their own section.
f) Incident Response
The first few minutes following an incident are the most critical for initiating an effective response. This initial response can set the stage for how effective the entire recovery is.
A key question that will need to be asked following a disruption is: Does this event warrant activating the recovery plan? In other words, is it a true disaster event that requires following all recovery procedures, or is it a more minor event that can be resolved independently from those protocols?
The incident response section should thus make it clear:
· What are the parameters for declaring a disaster?
· When should the recovery plan be activated; what justifies activation?
· How should the plan be activated?
The incident response is not the same as the full recovery procedures, which we discuss below. If personnel determine that a disruption has occurred, they will follow the protocols in this section to effectively activate the response and communicate the event to all applicable parties.
g) Recovery Procedures
A complete list of recovery procedures is needed to ensure that personnel know exactly how to resolve issues as quickly as possible. It is the responsibility of the BCP writers to determine what those steps are, based on careful analysis.
What to include:
· Step-by-step instructions for responding to each type of disaster
· Any specific recovery objectives, such as recovery time objective (RTO) or recovery point objective (RPO)
· Guidelines for communication between recovery teams
Again, depending on your unique business continuity plan template, these procedures can be included alongside your risk assessment and business impact analysis, or they can be broken out into their own sections or appendices.
Severe on-premise disasters will require the business to have contingencies for maintaining continuity with other spaces and physical assets.
For example, if the business location has been destroyed, a secondary location, as well as equipment, will be needed to restore operations. All such contingencies should be outlined in this section so that it’s clear to recovery teams which resources are available and how to secure them.
Contingencies and protocols to consider:
· Backup locations where emergency personnel can oversee critical operations
· Availability of backup IT infrastructure components, such as network hardware or servers after on-site components have been destroyed
· Backup equipment to be used at the secondary location, such as computers, desks, etc.
· Specific instructions for securing these assets when the need arises, as well as contact information for third-party agencies who are needed for the transition (i.e. office managers, real estate professionals, etc.)
Maintaining communication during a disruption is critical to a successful recovery. Even if primary lines of communication have been cut (as when a storm knocks out office telecommunications, Internet and power), recovery teams must be able to communicate with each other and with other external contacts.
It’s equally important that updates are effectively communicated to all company personnel, so that employees know the status of the recovery and when/where/how to report to work. This is especially important during outages in which the business has been temporarily shuttered by the disaster.
What to include:
· Procedures for maintaining communication internally and externally
· Systems and processes for communicating messages to all personnel, such as mobile SMS messages, email notifications, company website/extranet or even old-fashioned calling trees
· Who will oversee this communication?
During the development of the BCP, most companies will identify gaps in the planning. This could be in the form of missing systems, technologies or tools that are needed to ensure continuity but haven’t yet been implemented.
These systems should be listed as recommendations for future implementation, in order of priority.
Examples could include:
· Newer BC/DR solutions that allow for more frequent backups and faster recovery
· Stronger cybersecurity technologies to thwart evolving threats
· Employee training programs to help minimize the risk of events such as data loss, phishing attacks, ransomware infections, etc.
Recommendations should include overviews of their importance, priority and estimated timelines for their implementation.
k) Testing Schedule
Testing the protocols in your BCP is necessary for determining if they will be effective during a real-world event. Businesses should thus maintain an ongoing schedule for testing the various systems and procedures outlined in the plan.
Some examples of testing can include:
· Data backup and recovery tests to ensure data can be fully restored when needed (and that it meets your recovery objectives).
· Malware & hacker penetration tests to ensure that cyber-threats are effectively blocked.
· Disaster simulations to ensure that recovery teams know what to do and follow procedures accordingly.
l) Plan Review Schedule
Overtime, the information within the BCP will become outdated. Newer procedures and IT deployments will replace old systems. Recovery personnel will leave the company. Contact information will no longer be accurate.
It is therefore pertinent that the BCP is thoroughly reviewed on a periodic basis to correct inaccurate information and update it with any recent changes in continuity planning.
The plan review schedule should include guidelines for how and when those reviews should take place, and by whom.
Reevaluate your BC/DR deployments
For information on securing your data with the latest business continuity & disaster recovery technologies, contact our experts at Invenio IT. Request a free demo of SMB data backup solutions from Datto, or contact us by calling (646) 395-1170 or by emailing [email protected].