Data Protection Tool

The Ultimate Business Continuity Plan, Guide Template & FAQ [Updated]

Picture of Dale Shulmistra

Dale Shulmistra

Data Protection Specialist @ Invenio IT

Published

Business Continuity Plan

What exactly is business continuity and why is it so important?

When disaster strikes, businesses must be able to continue their operations. Every minute of downtime costs money, and if the disruption takes too long, a full recovery may not be feasible.

In this post, we outline everything you need to know about business continuity and how to achieve it. Plus, you’ll find a business continuity plan template for small businesses, answers to frequently asked questions, tips for disaster recovery and more. So you can be fully prepared for a disaster and keep the business running.

What is business continuity?

Business continuity is the concept of being able to keep a business operating through an adverse event. The term also refers to the strategies that a business takes to prepare for operational disruptions.

Business continuity planning can refer to:

  • Preparing for various types of disruptions, such as IT failures or natural disasters.
  • Understanding the risks of different disasters and their likelihood of occurring.
  • Projecting the potential impact of those disasters on operations, including financial costs.
  • Responding to disasters with established procedures and emergency protocols.
  • Recovering fully from a disaster in the shortest amount of time possible.

Below, we provide an in-depth overview of each aspect of this planning. But ultimately, the fundamental definition of business continuity is the idea that a business can keep its doors open and continue functioning in spite of a disruptive event.

When a disaster causes a halt in operations, this is referred to as a break in continuity. An example would be an e-commerce website that loses revenue because of a web server outage, or a business that closes because of an impending hurricane.

The goal of every business is to be able to maintain continuity in its operations. But a lack of continuity planning is the most common reason why businesses are severely disrupted (or forced to close entirely) by unexpected disruptions.

Why business continuity is important

Any break in continuity can be enormously costly. According to figures from Datto, a single hour of operational downtime can cost anywhere from $10,000 to more than $5 million, depending on the size of the business.

When disaster strikes, an unprepared business can be affected in several ways:

  • Employees are idled
  • Revenue streams are severed
  • IT infrastructure is damaged and/or needs replacement
  • Physical buildings are damaged
  • Products/services cannot be delivered
  • The company reputation is damaged in the long term

The costs of these outcomes tend to increase with each additional hour of downtime. So, the longer a business is sidelined, the costlier the damage and the harder it becomes for the business to recover.

Approximately 1 in 4 businesses do not reopen after a disaster, according to figures from FEMA (Federal Emergency Management Agency). The agency advises: “Having an emergency disaster plan and a continuity of operations plan in place can reduce that risk and help the business recover faster.”

What are examples of business continuity?

Above, we highlighted some examples of breaks in continuity: when an adverse event disrupts a business’s operations. Examples of business continuity would be just the opposite, such as:

  • A business continuing to operate during a ransomware attack by isolating infected systems and restoring encrypted data from backups.
  • A company using backup generators to restore power during an outage, so that critical operations are not interrupted.
  • A business relocating operations to a secondary location after a fire at its headquarters.

Any situation in which a business can keep operating through a disaster would be an example of business continuity.

A prime example is how businesses responded to the Covid-19 pandemic by switching to a remote work environment, instituting social distancing and implementing other safety measures in the workplace.

Does your business have a business continuity plan?

Image courtesy of Workable

What does business continuity include?

Business continuity includes all forms of planning, procedures and systems that help a business continue operating through a disaster. Some examples include:

  • Planning documentation: To maintain continuity, businesses need clear documentation on how to appropriately plan for the risks of various types of disruptions. This documentation is commonly referred to as a business continuity plan.
  • Risk assessments: Businesses must evaluate their risk level for various adverse events. This helps guide all other aspects of continuity planning. With a risk assessment, a business gains a deeper understanding of the events that are most likely to occur and how to respond to them.
  • Impact analyses: Analyzing the potential impact of different disasters helps a business know how to prioritize its continuity planning, where to allocate resources and how to create effective recovery procedures.
  • Disaster protocols: A business must have clear, documented procedures for responding to different types of disasters. This ensures that the response is fast and effective, helping the business recover from adverse events and avoid a break in continuity.
  • Cross-organization collaboration: For continuity planning to be effective, all parties must be involved. Leaders from each business unit must collaborate closely to document the department-specific risks, protocols and technology needs.

What do these components actually look like in practice?

Below, we provide a deeper overview of each component in the section “Anatomy of a business continuity plan” and within our business continuity plan template for small businesses.

Business continuity and disaster recovery (BCDR)

Business continuity and disaster recovery are two distinct approaches to disaster management, but they often go hand in hand. While business continuity refers to the idea of keeping a business open during a disruption, disaster recovery refers to the systems and protocols that help a business recover after a disaster. As such, disaster recovery is an important component of business continuity.

Additionally, the term business continuity and disaster recovery (typically shortened as BCDR) is often used in reference to the technologies that help a business recover from a disaster, such as data backup systems.

The role of a business continuity plan

A business continuity plan (BCP) is a central planning document that outlines a business’s continuity strategies and disaster recovery procedures.

A BCP documents everything a business does to prevent, mitigate, respond to and recover from a disaster. As part of this documentation, a business thoroughly assesses the unique risks to its operations. These risks can include everything from IT disruptions, such as data loss, to physical damage from natural disasters. The document also identifies the operational and financial impact of each of those threats, so that the business can prioritize its continuity planning appropriately.

The document identifies the systems and technologies implemented at the business to help maintain continuity, such as data backup solutions. Crucially, a BCP outlines the specific steps that must be taken following each type of disaster, such as the procedures for responding to a ransomware attack.

A business continuity plan thus plays an integral role in a business’s disaster readiness. As the U.S. Department of Homeland Security warns, “When business is disrupted, a business continuity plan is essential to weathering the storm.”

But it’s important to remember that “the storm,” in this case, can mean many different types of disasters beyond just weather events. In fact, compared to the everyday threats like malware infections or accidentally deleted files, damage from natural disasters is actually far less common for most businesses.

Anatomy of a business continuity plan

What goes in a business continuity plan?

While every business has its own needs and documentation, most business continuity plans should include the following sections:

  • Objective
  • Contact Information
  • Risk Assessment
  • Business Impact Analysis
  • Preventative Measures
  • Disaster Response Plan
  • Business Continuity & Disaster Recovery Systems
  • Backup Locations & Contingency Assets
  • Communication Plan
  • Continuity Testing
  • Continuity Gaps & Recommendations
  • Plan Review & Update Schedule

Together, these sections provide an effective framework for documenting an organization’s business continuity planning. They identify the scope of the BCP, risks to the business, the impact of those events, how the business is preparing for them and how it must respond to avoid a break in continuity.

In the following template, we outline what should go in each of these sections.

Business continuity plan template for small businesses

There are no hard and fast rules for how a business continuity plan should be structured. Each organization has their unique planning objectives and needs. As such, not all BCPs will be formatted the same way or contain the same information.

However, as mentioned above, most BCPs will need to include the core sections that provide a complete picture of an organization’s continuity planning. The following business continuity plan template for small businesses can be used as a basic guide for structuring your BCP. (The same plan structure can be used for larger organizations too. However, larger companies will often need to create multiple BCPs tailored to its many different operational units.)

1) Objective

Purpose of this section: To identify the core goals of the business continuity plan, its scope and its limitations.

The “Objective” section opens the BCP with a brief description of the goals of the document. In this section, you’ll describe the scope of the planning: what it aims to accomplish, how and why this documentation and planning are necessary. This section is an important start to the plan because it ensures that all parties are on the same page about the organization’s approach to continuity, what’s included in the plan and what isn’t. Documenting the objective(s) also helps to keep those objectives on track.

TIP: Keep the Objective section succinct, but use as much space as needed to describe any important limitations. This section could be anywhere from a paragraph to a few pages.

 

It’s important to remember that not all business continuity plans have the same areas of focus. For example, one type of BC plan might focus narrowly on information technology-related disasters like malware or server outages. A plan could even be focused only on continuity within specific, mission-critical departments, such as accounting. This type of plan will naturally be heavy on information about IT systems and protocols for system recovery. What it will lack is the human element of crisis response and management (such as safeguarding employees from fire or natural disasters).

Other types of BC plans will include comprehensive planning that’s focused on the entire organization. Because of these differences, it’s important to identify the scope at the start of the BCP. If the plan is focused solely on specific operations like IT, for example, then the Objective section should clearly state this. (Doing so will also make it clear that additional continuity planning is needed for other areas of the business.)

2) Contact Information

Purpose of this section: To identify who wrote the plan, who’s responsible for maintaining it and/or which stakeholders must be contacted during an emergency situation.

The “Contact Information” section of a BCP lists the most important people in a business’s planning strategy. The people included in this list may vary depending on the objective of the plan. For example, you might use this section to identify the business’s key stakeholders, principals, personnel on your disaster recovery teams, those who created the document or those who actively oversee the planning.

In general, this is usually a relatively short list. The core goal is to identify only the people who are most critical to the organization’s disaster planning, response and recovery. The names of each person should be accompanied by their contact information.

What about everyone else in the organization? How should they be notified of what to do in a disaster? That information should be included in the Communication Plan section, which we outline further below. That section is where you’ll describe how critical messages should be communicated to personnel during an emergency.

In our experience, you cannot go overboard with contact methods for each individual listed in this section. The more ways you have to reach key stakeholders, the greater the chance those individuals will be reached in a disaster. (However, these details should be reviewed frequently as contact information tends to change frequently.)

Here’s a basic example of the contact information to include for each person in this section:

  1. Name of the individual
  2. Job title / position
  3. Locations (Office locations & home addresses)
  4. Phone numbers (work, mobile, home & alternative)
  5. Email (work, home & alternative)
  6. Messaging handles (i.e. Slack, Skype, etc.)

3) Risk Assessment

Purpose of this section: To assess the types of threats and events that have the potential to disrupt the business and cause a break in operational continuity.

The Risk Assessment is arguably one of the most important sections in a business continuity plan. It is used to identify the wide range of disaster scenarios that pose a threat to operations or your critical IT systems.

Why is it so important?

Preparing for disaster is virtually impossible when you have no insight into what those disasters look like. A comprehensive risk assessment ensures that you’re carefully considering all the possible scenarios that threaten your operations. And since every business faces its own unique risks, these assessments look different for every organization.

Just as one example, a coastal business will naturally face the risk of hurricanes, whereas companies further inland would not. Similarly, a hospital or healthcare organization facing the risk of ransomware will also face the unique risk of losing patient data, which would have a direct effect on the delivery of health services (and could potentially result in costly HIPAA violations, too).

Risks for businesses can vary due to numerous factors, including:

  • The nature of the business / industry
  • Location of the business
  • Reliance on certain types of technologies or infrastructure
  • History of previous incidents
  • Heightened exposure to certain types of threats
  • On-site dangers
  • Vulnerability of IT systems

Given the wide range of possible threats, and the varying degrees of risk level for each business, it’s imperative that every organization performs a thorough risk assessment as part of its continuity planning.

Here are some key recommendations from Ready.gov for conducting a risk assessment:

  • Injuries to individuals should be the first consideration of the risk assessment: “Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place.”
  • Many other physical assets may be at risk, including IT, buildings, machinery, utility systems, finished goods and raw materials.
  • Don’t forget the potential for environmental impact. “Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders.”
  • Identify scenarios that would cause customers to lose confidence in your organization and its services or products.
  • Look for vulnerabilities that would make an asset more susceptible to damage from a hazard: “Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs.”

In the following section, we illustrate a way to format each risk within your BCP, while also identifying the likelihood, severity and impact to the business. But regardless of how the risk assessment is presented, what’s most important is that each threat is clearly defined.

For example:

  1. Clearly identify what the risk is (for example, data loss due to server outage)
  2. Describe what the risk entails (i.e. ransomware that encrypts data, causing systems and applications to become inoperable)
  3. Probability of the event: generally identified by a scale of 1 to 5, where 5 signifies the highest likelihood.

4) Business Impact Analysis

Purpose: To define how each type of threat identified in the Risk Assessment will affect operations. The impact of each event should be defined in terms of costs and disruption to operations (both immediate and in the long term).

Think of the Business Impact Analysis as an offshoot of the Risk Assessment. It identifies the tangible impact and consequences of each event in clear, understandable terms. As such, this section is just as important as the Risk Assessment. Without a deep understanding of how each threat will disrupt the business, you won’t be able to prioritize your business continuity planning accordingly.

As the U.S. Department of Homeland Security writes, “The [Business Impact Analysis] should identify the operational and financial impacts resulting from the disruption of business functions and processes.”

Examples of impacts to consider:

  • Lost or delayed revenue
  • Increased costs (i.e. recovery costs, repairs, consultants, etc.)
  • Wasted expenses (i.e. wages for idled workers)
  • Regulatory fines
  • Loss of contractual business
  • Customer dissatisfaction, defection or reputational damage
  • Delay of new business plans

It’s important to define the financial impact of each event, in addition to a thorough description of the situation. The financial impact makes it clear how the disaster translates into tangible losses for the business. In the business continuity plan, these losses are often presented in hourly and/or daily terms.

Additionally, many organizations will use this section to rate the severity of the incident on a scale of 1 to 5, alongside its likelihood of occurring. Thus, you can display the high-level information from your Risk Assessment and Business Impact Analysis in a simplified table, making it easier to understand at a glance.

Here is a basic example of what this table might look like:

Risk Probability Rating Impact Rating Impact / Consequences
Ransomware (IT):
Malware infection that encrypts data on servers and PCs, making it inaccessible and rendering devices inoperable.
4 5 • Prolonged interruption to critical IT systems, including server access, applications, network & Internet connections.

• 2-8 weeks for full data recovery, depending on the severity of infection.
• Estimated cost of idle staff during the disruption: $22,970 per hour of inactivity.
• Inability to render services to customers.
• Estimated partial recovery time: 2-12 hours, if backups are viable.

Server failure (IT):
Server outage due to hardware failure, preventing access to data stored on the affected server.
3 3 • Interruption to business units that depend on data stored on the affected server.

• 1-3 weeks for full recovery of data, depending on the volume of data loss and availability of backups.
• Estimated cost: $3,290 per hour of server downtime.
• Temporary loss of data critical to Finance/HR, Marketing and Sales teams.

 

The above table has been simplified for illustrative purposes. However, the objective of using such a table is to quickly highlight the most pertinent information about the risk level and impact of each disaster. Each scenario should ideally be further defined in its own section of the analysis, where you can expand on the full impact of the event.

5) Preventative Measures

Purpose of this section: To identify the preventative measures and systems that help to prevent and mitigate the risks outlined in earlier sections.

Maintaining business continuity requires an ongoing commitment to disaster prevention. With the proper planning, the majority of disruptions can be prevented altogether, thus eliminating the risk of operational downtime or costly recoveries.

In the Preventative Measures section of your business continuity plan, you’ll outline all of the steps and systems that help to prevent the disasters you’ve listed in the Risk Assessment. Typically, these will be systems that are already implemented. (If you identify the need for additional planning or technologies, you can outline these in the Continuity Gaps section, as we discuss below.) Preventative measures should be clearly defined to describe their role and impact, so that it’s clear how they help to prevent disaster and achieve business continuity.

Preventative measures can take many forms. If the BCP is principally IT-oriented, then you’ll use the section to define systems such as:

  • Anti-malware software that actively prevents infections and scans devices for known threats to eliminate them before problems occur.
  • Network firewalls that prevent malicious data from entering the network and block access to known malicious IP addresses.
  • File access controls that restrict users to only the directories they need, thus preventing the spread and damage of threats like ransomware.
  • Application whitelisting configurations that prevent applications from executing on machines unless they are whitelisted.

Beyond IT, preventative measures can include a wide range of other protocols and systems, including:

  • Employee training to educate staff on the importance of safe email & web practices and how to prevent becoming a victim of a phishing attack.
  • Emergency preparedness drills that help personnel understand what to do during a potential disaster and how to prevent the situation from worsening.
  • Preventative alarm systems, such as smoke detectors, fire suppression systems and security alarm systems.
  • Security and surveillance equipment, such building access control systems, camera systems and corporate campus patrols.

It’s important to remember that a comprehensive BCP should never ignore the human element. A business’s preventative measures can substantially reduce the risk of common disasters that put your people at risk.

As Ready.gov explains: “A comprehensive accident prevention program can reduce the frequency of accidents dramatically. Most fires can be prevented. Spills of hazardous chemicals can be avoided. Business disruptions resulting from machinery breakdown can be prevented by following the manufacturer’s recommendations for inspection and maintenance.”

6) Disaster Recovery Plan

Purpose of this section: To outline the specific steps for responding to a disruption and performing a recovery in the shortest amount of time possible.

A disaster recovery plan (DRP) is typically considered a separate document from a business continuity plan, focused specifically on a business’s recovery efforts. However, every BCP should include its own section on recovery procedures. We have therefore included the DRP as its own section in this BCP template to illustrate the types of key information that should appear here.

The Disaster Recovery Plan section includes all the procedures for recovering systems and operations after a disaster has occurred. It spells out the specific steps to be followed for each of the disaster scenarios listed in earlier sections of the BCP. It should also specify the desired timelines for completing those efforts, so that recovery teams understand what is needed to prevent the situation from getting worse.

Two such recovery objectives that are often included in DR planning are:

  • Recovery time objective (RTO): This objective sets forth the desired length of time for the recovery to be completed (i.e. 60 minutes). Often, the RTO is used to identify the maximum timeframe, after which a disaster is expected to become insurmountable. RTOs can be used for virtually any recovery protocol or system.
  • Recovery point objective (RPO): This objective focuses specifically on data backup systems. It sets forth the desired maximum age of a backup recovery point (i.e. 24 hours) to avoid a disruptive amount of data loss. Jump to the next section on Business Continuity & Disaster Recovery Systems for more about data backups.

Given the granular nature of recovery procedures, it may be appropriate to include brief overviews of each recovery protocol here, and then use appendices to elaborate on the detailed instructions for each scenario.

What’s most important is that the recovery procedures are clear and actionable. Here are some tips for ensuring that the procedures are effectively written:

  • Be clear about the specific events and scenarios that must occur for these protocols to be activated.
  • Don’t be vague. Include the parameters for each disruption, along with who should respond and how.
  • Identify whether the instructions are intended to produce a partial, temporary or full recovery. In many disaster scenarios, an emergency response plan will need to be facilitated in the immediate aftermath of a disaster. Those protocols will often be separate and different from the instructions to carry out a full recovery.

Many disaster recovery plans are focused specifically on IT, but they can also include recovery protocols for non-IT events, such as building evacuations, structural damage, emergency relocation of operations and so on.

In terms of IT, Ready.gov has the following advice:

“An IT DRP should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.”

7) Business Continuity & Disaster Recovery Systems

Purpose of this section: To outline the technologies and systems that help facilitate a recovery after a break in business continuity has occurred.

Consider how your organization is prepared to respond to the following scenarios affecting your IT infrastructure:

  • What happens after ransomware locks up your computers?
  • What if an entire storage array suddenly fails?
  • What if your online revenue streams are cut off by a cyberattack or website outage?
  • What if staff lose access to the network or the Internet?

Each of these scenarios requires a dependable IT solution that enables a quick recovery. Together, these solutions are typically referred to as BCDR, or business continuity and disaster recovery.

Further below, we highlight some of the best solutions for BCDR. But in your BCP, this section will be used to list all of the deployed technologies that help to recover systems critical to your operations. The foundation of these BCDR systems is data backup.

The importance of data backups cannot be overstated. Unexpected data loss can cost businesses upwards of $7,900 per minute according to some estimates.

As the U.S. Department of Homeland Security explains: “Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.”

In the BCDR section, you’ll want to define your entire backup strategy as it relates to your deployed systems and the value of your data.

What to include:

  • Identify what data needs to be backed up
  • Outline the implemented or planned BCDR systems that will perform those backups (hardware, software, DRaaS, etc.)
  • Define where and how backups are stored (local, private or public cloud, location of data centers, etc.)
  • Identify the backup schedule(s) and/or frequency for various types of data
  • Include backup testing & validation processes, schedules and objectives

Aside from data backup, BCDR can also encompass systems for any part of your technical infrastructure, including network recovery systems, endpoint device protection and communications systems.

8) Backup Locations & Contingency Assets

Purpose of this section: To ensure that operations can be sustained at a secondary location if the primary site has been disrupted by disaster, and to identify the backup assets or equipment that will be needed at the secondary facility.

Think of this section like a “Plan B” (or Plan C, Plan D, etc.) for your critical operations. The section should identify the backup locations and contingencies that must be in place for the business to continue operating if the primary location is no longer viable.

The backup location does not necessarily have to be a single physical site, though some types of operations will require it. (Consider the fact that many NYC businesses, particularly financial services firms, had to quickly move operations to backup sites in the wake of 9/11.) The ability for staff to work remotely from their homes is a prime example of how operations can be sustained without the need for a single backup location.

As we saw during the COVID-19 pandemic, the businesses that experienced the least disruption were those that quickly adapted to a remote/hybrid work configuration. Ideally, making such a shift should not require last-minute scrambling. Rather, a business continuity plan should already identify the probability of such a scenario and outline the necessary measures to ensure the business is prepared. That is exactly the purpose of the Backup Locations & Contingency Assets section of your BCP.

Here are some examples of what should be included here:

  • Backup location(s) where operations can be conducted in an emergency
  • Remote desktop capabilities, networking and meeting solutions that allow workers to work remotely while also securely connecting to the company network
  • Backup equipment for secondary locations, such as computers, servers and networking infrastructure replacement or mobility of current computers, devices and other equipment
  • Other physical assets for secondary locations, such as office desks and other furniture
  • Backup power generators for electricity outages, redundant telecommunications / ISP lines, etc.

The U.S. General Services Administration provides a great example here of what this section can look like when thoroughly planning an “alternate site” for continuity of operations.

9) Communication Plan

Purpose of this section: To provide a clear framework for maintaining communication to all stakeholders and/or applicable audiences throughout all stages of a disaster.

Maintaining communication during a crisis is critical. Without it, recovery becomes much more challenging. As the Department of Homeland Security writes:

“An important component of the preparedness program is the crisis communications plan. A business must be able to respond promptly, accurately and confidently during an emergency in the hours and days that follow. Many different audiences must be reached with information specific to their interests and needs. The image of the business can be positively or negatively impacted by public perceptions of the handling of the incident.”

Internal communication is an important component here, but it’s not the only one. Depending on the nature of the organization or industry, there are several different audiences that may need to be communicated with, such as:

  • Clients / customers
  • Employees (and their families / emergency contacts)
  • Company management
  • Suppliers and vendors
  • News media
  • Local communities
  • Government officials

Ultimately, this section should answer the following questions:

  • How will recovery teams stay in contact during a disaster, especially if primary lines of communication are disrupted?
  • How will employees stay informed of updates?
  • What messages will need to be delivered to external sources, such as suppliers, and who will be responsible for those communications?

The Communications Plan should thus identify all relevant communication systems and protocols that should be used throughout a disaster, such as:

  • Emergency alert systems, such as a corporate intranet, SMS texting systems, company website or email protocols for delivering updates
  • Calling plans and procedures for communication between recovery personnel and other audiences
  • Processes for communicating with external parties

10) Continuity Testing

Purpose of this section: To define how and when business continuity systems and procedures will be tested to ensure they are effective.

By now, your business continuity plan should contain a wide range of protocols and systems designed to prevent, mitigate and recover from a disaster. But a lot can go wrong in a real-world scenario. This is why it’s crucial to test your continuity and recovery systems on a regular basis. Routine testing ensures that your continuity planning actually works, and it helps to identify any problems that must be resolved before an actual disaster occurs.

Continuity testing can encompass virtually any aspect of your BCP or DRP, including implemented technologies or procedures.

Types of disaster recovery testing:

  • Data backups and restore processes (via all recovery methods available)
  • Drills for scenarios that activate the disaster recovery plan
  • Network performance and load testing
  • Emergency evacuation or safety drills that ensure the safety of employees
  • Backup power generators or other redundancies

All tests should be clearly defined and the test processes should be outlined. Thorough documentation is extremely important, not only prior to the testing, but also during and after. Those responsible for the testing should document whether the tests were effective and note any issues that require further fine-tuning.

How to structure testing in your BCP:

  • List all tests by priority, along with specific instructions for performing each one.
  • Consider using appendices to document and keep a record of the results of each test. If the need for improvements is identified, these records should be used to further refine the BCP as needed.
  • Specify the frequency and schedule for conducting each type of test.

The Dept. of Homeland Security provides the following guidance for effective training:

“Tests of information technology systems and recovery strategies should be conducted in a manner that resembles the everyday work environment. If feasible, an actual test of the components or systems used should be employed. Since tests can potentially be disruptive, tests may be performed on systems that mimic the actual operational conditions.”

11) Continuity Gaps & Recommendations

Purpose of this section: To identify weaknesses in the current BCP that were uncovered during the planning, and to outline the action items and recommendations that are needed to fill those continuity gaps.

No business continuity plan is perfect from the start. In fact, for continuity planning to be effective, it needs to be an ongoing and evolving process that seeks to uncover new risks and outline the necessary steps to mitigate them. That is the objective of the Continuity Gaps & Recommendations sections. It provides recommendations for additional protocols, systems or revisions to documentation as warranted to strengthen continuity even further.

For example, suppose you discover during the creation of the BCP that the company’s data backup systems are inadequate. They are simply incapable of meeting the desired recovery objectives, leaving the company at risk of major data loss during a ransomware attack. You would use this section to document how and why the systems are inadequate and propose new technology investments that would eliminate the risk.

Tips:

  • Clearly describe any weaknesses and their potential impact on operations.
  • Use data from the Business Impact Analysis to further define how the business would be affected if no action is taken.
  • Outline the necessary steps and/or solutions needed to eliminate those vulnerabilities.

12) Plan Review & Update Schedule

Purpose of this section: To outline the schedule and steps for routinely reviewing the business continuity plan and updating its contents.

The information in a business continuity plan can become quickly outdated if it’s not actively maintained. For example, people who are listed as recovery personnel may leave the company. Documented data recovery processes may become inaccurate after software updates. New threats may emerge that aren’t identified in the Risk Assessment.

A routine review of the BCP helps to ensure that all the documentation is still accurate and up to date. It defines a schedule for reviewing the plan. It also designates the team members who are responsible for conducting this review and making updates to the documentation.

Top business continuity & disaster recovery solutions

Above, we highlighted the importance of deploying dependable BCDR solutions that ensure you can quickly restore lost data from backups. But since there are significant differences between BCDR systems, it’s important to select the right solution for your organization.

Today, some of the biggest names in BCDR include Datto, Veeam, Intronis, Axcient and Unitrends, just to name a few. In this competitive analysis, we break down some of the primary differences between these systems. But from a high-level perspective, there are several key features and capabilities that businesses should look for when evaluating a BCDR platform.

Recommended capabilities:

  • High-frequency or continuous backups: For many organizations, even 1 hour of data loss can be catastrophic. Today’s top BCDR solutions are capable of backing up data every 5 minutes or even more frequently.
  • Hybrid backups: For greater protection, backups should be stored in the cloud in addition to any local devices. Some platforms will require you to configure third-party public cloud storage, while some, like Datto, include cloud backups as a fully unified DRaaS.
  • Backup resilience: Conventional incremental backups are notoriously unreliable during the restore process due to the way that the backup chain needs to be reconstructed. Newer methods, like Datto’s Inverse Chain Technology, store each new backup in a fully constructed state, eliminating the need to reconstruct the chain.
  • Backup virtualization: Backup virtualization provides the ability to boot backups as virtual machines, providing instant access to protected data, operating systems and applications.
  • Greater restore methods: The more, the better. Look for BCDR systems that allow numerous ways to restore your data based on the specific type of data-loss event that has occurred: file/folder-level restore, volume restore, bare metal restore, virtualization (local and off-site), image export and so on.
  • Ransomware protection: Given that ransomware has become the biggest threat to businesses’ data today, some BCDR providers like Datto include built-in protection to actively scan backups for signs of an infection.
  • SaaS backup: In addition to your local data, make sure you’re actively backing up data that lives in your cloud-based SaaS solutions, such as Microsoft 365 and Google Workspace.

Business continuity statistics

Year after year, statistics on business continuity reveal that many industries are falling behind in their disaster planning. The emergence of ransomware, along with more sophisticated malware and social engineering strategies, has greatly increased the risks to businesses of all sizes. For organizations that are using outdated BCDR technology, the risks are even higher.

Here are some of the more telling statistics:

  • Downtime can cost $10,000+ per hour. As we highlighted above, a break in business continuity can cost $10,000/hour on the low end. For enterprise businesses, that figure can balloon to $5 million an hour or higher.
  • 54% of businesses failed to maintain continuity. In a recent survey, over half of respondents said they experienced a break in operational continuity that lasted 8 hours or more.
  • 90% of small businesses close after 5 days of downtime. Data from FEMA shows that 9 in 10 small companies are forced to close permanently if they cannot restore operations within 5 days after a disaster.
  • 51% of organizations have no BCP. This shocking statistic from 2020 revealed that over half of companies surveyed around the globe had no business continuity plan at all.
  • 30% of data breaches were initiated internally. A comprehensive survey by Verizon found that nearly a third of data breaches and malicious cyberattacks were perpetrated by internal employees or third-party partners who had access to the systems.
  • Covid forced 200,000 businesses to close permanently. Not surprisingly, many businesses simply hadn’t accounted for the possibility of a global pandemic in their continuity plans. A 2021 Fed study found more than 200,000 U.S. businesses were forced to close as a result of Covid (that’s on top of the 600K businesses that close every year).
  • 45% of downtime incidents are caused by hardware failure. This figure from Veritas underscores the importance of having contingencies for all your IT infrastructure, including backup storage devices, networking gear and other hardware.
  • 20% of businesses have been sidelined by ransomware. A survey by Datto found that 1 in 5 businesses has experienced a break in continuity due to a ransomware attack. According to ZD Net, companies hit by ransomware experience an average of 16 days of downtime.
  • 37% of small businesses have lost cloud data. This statistic is a great example of why we stressed the importance of SaaS backup in the BCDR section above. The cloud data that you store in SaaS platforms is still vulnerable to accidental deletion, malicious deletion, expired SaaS licenses, malware and other threats.
  • 93% of businesses without a DR plan close within a year following a major disaster. Simply put: when organizations fail to conduct business continuity planning, most don’t stand a chance when disaster strikes.

What is business continuity management?

Business continuity management is the process of managing the planning, documentation and systems that help a business stay open during a disruption. This role can performed by internal teams or by third-party business continuity managers.

BC management typically involves the creation and ongoing review of a business continuity plan. However, it can also refer to specific components of the planning.

For example, a third-party provider of business continuity management may focus narrowly on a single aspect, such as:

  • Business continuity plan management
  • Risk assessments
  • Impact analyses
  • Technology solutions such as data backup
  • Emergency preparedness training

When handled internally, BC management would encompass all of these areas.

Business Continuity Frequently Asked Questions (FAQ)

The realm of business continuity can be overwhelming to smaller companies that have not yet conducted any disaster planning. But it’s important to remember that continuity planning, on the most basic level, is simply documenting ways that the business can continue operating through a disruptive event. Here are some of the most frequently asked questions about this process to help you get on the right track with your planning.

  1. What is the main purpose of business continuity?

The main purpose of business continuity is to be prepared for an unexpected disruption to your business. Businesses that do not plan for the risk of disaster are more likely to experience costly downtime that could shutter operations permanently. Business continuity planning helps to identify risks and implement solutions that enable you to continue operating through a disaster.

  1. Does every business need a business continuity plan?

Yes. Every business is vulnerable to disaster. If a business wants to ensure it can survive a catastrophic event, then it must implement a business continuity plan that outlines what that recovery looks like and how it can be achieved.

  1. What’s the difference between a BCP, DRP and COOP?

BCP stands for business continuity plan. A BCP is largely synonymous with a COOP, which stands for Continuity of Operations Plan. However, the term COOP is more commonly used in healthcare and government sectors. DRP stands for Disaster Recovery Plan. A DRP is focused specifically on recovery systems and protocols, though it is sometimes included as part of a larger BCP document.

  1. How do you ensure business continuity?

Ensuring business continuity involves a series of planning that is unique for every business. However, the four universal components of that planning include 1) disaster prevention, 2) preparedness, 3) response and 4) recovery. This is often referred to as the 4 stages of disaster management. Together, they encompass all the planning that a business must do to ensure it can maintain continuity through a disaster.

  1. What IT systems are needed for business continuity?

Data backup is considered the most essential technology for business continuity, but there are several other important systems. Network firewalls, antivirus software, backup server hardware, power generators and redundant Internet/telecommunications systems are just a few examples of other systems that can help maintain continuity after a disruption.

Conclusion

Business continuity planning is often an afterthought, especially for smaller companies. But this is exactly why small businesses have a higher risk of being permanently shuttered by an unexpected disaster. By taking the time to create a comprehensive business continuity plan, organizations can ensure they are adequately prepared to prevent or recover from a major operational disruption.

Our take: As experts in data protection here at Invenio IT, we’ve seen first-hand how companies can be derailed when disaster strikes – especially in the age of ransomware. When an organization has no business continuity plan, it becomes infinitely harder to recover (and way more costly). On the other hand, when businesses have done their due diligence and appropriately planned for the risk of disaster, they can rapidly recover from adverse events with minimal impact on critical operations. That’s how business continuity should be.

Make sure your company is prepared for disaster

For more information on business continuity solutions that can safeguard your business from data loss, ransomware and other threats, contact our experts at Invenio IT. Call (646) 395-1170, email us at success@invenioIT.com or request a free demo of robust BCDR solutions from Datto.

Get the Ultimate Cybersecurity Handbook for Employees
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles