Identifying your business continuity plan objectives is an important first step in creating a comprehensive plan. Putting these objectives into words serves two purposes:

• It gives the plan administrators a guide to what the plan should accomplish by providing a high-level overview of the areas that must be addressed in the document as it is being created and maintained.
• It gives stakeholders and other personnel a clearer understanding of the document’s purpose and scope.

By clearly defining these objectives prior to starting your business continuity planning process, you increase the likelihood that you will achieve the core goal of your plan: preparing the business for a disaster scenario to minimize downtime when such an event occurs.

Based on our experience as a business continuity services provider, we have identified 9 business continuity plan objectives that are critical for focusing your team’s energies on the activities that will create the policies and procedures that will build lasting resilience into your business operations. We recommend communicating these objectives at your project launch meeting, emphasizing them in your project communications, and listing them at the opening of your business continuity plan (BCP) document.

Business Continuity Plan Objectives Aligned to Template

To add structure to our recommendations, we have aligned these objectives with the format of the Business Continuity Plan template developed by the Ready.gov organization. Ready.gov is an organization within   Federal Emergency Management Administration (FEMA) that was created to marshal the resources of FEMA and the Department of Homeland Security (DHS). It’s mission is to deliver materials to the public to improve the nation’s ability to respond to emergencies including natural and man-made disasters. This site includes a section devoted to business issues, which is where the business continuity plan template is found.

The sections of the BCP template provided by Ready.gov are:

• Program Administration
• Business Continuity Organization
• Business Impact Analysis
• Business Continuity Strategy & Requirements
• Manual Workarounds
• Incident Management
• Training Testing and Exercising
• Program Maintenance and Improvement

At the conclusion of the discussion of each of the objectives, we designate which section or sections of the plan where you can have the greatest impact on achieving these objectives. The section name is listed in italics.

9 Critical Business Continuity Plan Objectives

Objective 1: Identify Disaster Recovery Personnel

Identifying the personnel who will be staffing your disaster recovery team is one of the most important goals of your business continuity planning. Some of the questions that need to be addressed are:

• Who is on those disaster recovery teams?
• What are their roles?
• How can they be reached in an emergency?
• Who are the alternates in the event the designated primary is unavailable?

One of the most important roles in your disaster recovery organization is the crisis management coordinator. This person can also be referred to as the disaster recovery coordinator. The person is granted authority to make decisions and is responsible for initiating recovery plan protocols and directing the recovery of business operations. The coordinator is also responsible for communicating with the company’s insurance companies about policies related to disaster impacts, including the company’s cyber insurance policy, which will play an important role in mitigating the financial effect of disaster impacts on ongoing operations.

BCP Template Section: Business Continuity Organization

Objective 2: Assess Risks and Impact

Another crucial purpose of creating a BCP is identifying the various internal and external threats to your operations through a risk assessment. The results of the risk assessment will be incorporated into a business impact analysis that will specify different types of disasters that could disrupt your business and quantify the impact of each scenario: how much damage would be caused, how long the recovery would take, the cost of operational losses, and so on.

As the graphic below demonstrates, the Business Impact Analysis (BIA) lays the foundation for the remainder of your BCP. All your recovery strategies, continuity plans, and update processes derive from the work that occurs during the business impact analysis phase.

Source: Ready.gov

The purpose of the BIA is to allow companies to uncover all the linkages among internal business operations and with suppliers and customers to anticipate to the greatest degree possible what can possibly become de-linked and quantify the potential impact. In a Business Continuity Institute (BCI) article entitled, “Why the BIA Provides the Foundation Stone for Business Continuity,” the author states:

“It never fails to amaze me the labyrinth of intricate parts that goes into making up an organisation, and it can often be difficult for individual teams to understand how they contribute to the success and vision of the business. I liken it to a delicate ecosystem where everything needs to work in balance and harmony to work efficiently and effectively. When you start changing or removing parts of the organisation, whether that is through structural change or an incident, that ecosystem becomes out of balance and therefore we need to understand the impact.”

Business continuity consultants can play a constructive role in ensuring that all interactions are surfaced and discussed. As outsiders to your operations, they have an ability to pick up on linkages that employees in the system can overlook as they are simply too close to particular functions to see all potential implications for your business and customers.

One of the outcomes of the BIA is the establishment of the plan’s Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). These two metrics are defined in the following way:

• RTO – The amount of time in which, following a serious event or outage, a business process and its associated applications must be restored in order to prevent a defined amount of impact.
• RPO – The amount of data that could be manually recovered following the restoration of an application following a serious event or outage.

The importance of establishing these measurements lies in the fact that they are used as a basis for defining your recovery strategies. MHA Consulting, a business continuity consultant, stresses  the importance of RTO and RPO concepts in guiding your recovery processes investment decisions: “Knowing them helps ensure that your strategies, implementation, and plans are neither overly aggressive (wasting resources) or inadequate (providing insufficient protection).”

BCP Template Section: Business Impact Analysis

Objective 3: Outline Existing Preventive Measures

A business stakeholder wants to know, “what are we doing to prevent ransomware situations like the one I just read about in the news?” This is another reason for your BCP. It will outline the technologies, tools, and protocols that are already in place to prevent or mitigate the effects of a disaster. Technologies for premises-based data backup and cloud services backup are included in the preventive measures analysis.

By demonstrating to all members of the business continuity organization what assets are already in place, the preventive measures analysis provides a means of gaining agreement among team members about what investments the company needs to make in additional preventative measures. Often referred to as a gap analysis, the process will build consensus amongst team members so the BCP findings can then be used as a tool to pitch executive decision-makers for the investment capital to improve business resilience.

BCP Template Section: Business Impact Analysis

Objective 4: Provide the Step-by-Step Protocols

Your plan will provide the specific procedures that need to be followed to assist in recovery. Chances are, when a disaster strikes, personnel won’t remember exactly what they’re supposed to do. Your disaster teams should have a general idea, but if needed they’ll be able to consult the document to follow the exact procedures as they’re listed.

At this point, it is important to draw the distinction between a business continuity plan and a disaster recovery plan. In our previous post on this topic, we noted that, “a comprehensive business continuity plan will actually have a disaster recovery plan built into it.” The disaster recovery plan is an element of your business continuity plan but is also a standalone document.

The disaster recovery plan includes granular instructions covering such items as definition of plan triggering events, emergency alert and escalation procedures, steps in activating emergency response teams, and team assembly points are all elements of a plan with well-constructed response protocols.

BCP Template Section: Business Continuity Strategies and Requirements

Objective 5: Identify the Location of Critical Data and Assets

One of the most important IT business continuity plan objectives is to identify where critical data and other assets are being stored. This allows recovery teams to begin recovery even if key IT personnel are unavailable. Imagine, for example, a scenario in which you had no IT workforce. There must be, at least, a footprint for other personnel or stakeholders to follow. Any confusion will significantly impede the recovery process.

An IT asset management system offers companies a way to automate tracking of assets and reduce errors resulting from out-of-date information, duplicates, inaccurate serial numbers and tag overlaps. Asset management systems also play a role in cyber security preventive measures. Without a complete asset management list, a device could be overlooked that connects to the network without virus protection or the latest patch to meet a known security threat. IT asset management systems have facilitated the tracking of the great dispersion of devices that resulted from the COVID-19 pandemic.

BCP Template Section: Business Continuity Strategies and Requirements

Objective 6: Identify Back-up Locations and Resources

Recovery teams need to know where and how to relocate operations and with what resources. Your BCP will outline the availability of any back-up office space or the procedures for securing a new space rapidly. Additionally, it will cite the availability of back-up physical resources, such as workstations and devices.

There are several different types of disaster recovery backup sites that are generally classified in one of four ways: cold site, warm site, cold site, and mobile site. These types are described below:

• Cold Site – A facility with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support the IT systems, which may have raised floors and other attributes suited for IT operations.
• Warm Site – A partially equipped office space that houses some or all of the system hardware, software, telecommunications and power sources.
• Hot Site – An office space appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel that work 24 hours a day, seven days a week.
• Mobile Site – A self-contained, transportable shell custom-fitted with specific telecommunications and IT equipment necessary to meet system requirements.

BCP Template Sections: Business Continuity Strategies and Requirements; Incident Management

Objective 7: Prioritize Emergency Communications

Who communicates with the client during an emergency? Who notifies the workforce? Who speaks to the media? By having a business continuity management policy in place, recovery personnel will understand their roles in both internal and external emergency communications.

One of the goals of your crisis communications plan is to help maintain calm within your workforce so all parties can fulfill their responsibilities and continue to serve customers. Disaster events can eliminate ordinary methods of communications, so alternative communications channels should be specified.

Identifying and understanding your audiences, or stakeholders, is the necessary first step in formulating your crisis communications plan. The following is a list of potential audiences:

• Customers
• Survivors impacted by the incident and their families
• Employees and their families
• News media
• Community—especially neighbors living near the facility
• Company management, directors and investors
• Government elected officials, regulators and other authorities
• Suppliers

A clear definition of who will be the spokesperson aligned to each of these audiences is necessary in order to provide speed of response and to ensure consistency of message.

BCP Template Sections: Business Continuity Strategies and Requirements; Incident Management 

Objective 8: Find Weaknesses and Propose Solutions

Any holes in your continuity planning must be addressed. The BCP is as much a process as it is a static document. It’s a work in progress requiring ongoing risk assessment, identification of scenarios that would leave operations unprotected, and the development of action steps to address weaknesses that call for immediate attention.

Business continuity plan testing is an important element of keeping your plan current and responsive to changing conditions. There are four categories of testing described below:

• Plan Review – Senior management and department heads analyze the Business Continuity Plan and discuss potential improvements
• Tabletop Exercise/Structured Walk-Through Test – In this scenario-based, role-playing exercise, the objective is to ensure all critical personnel in your organization are aware of and familiar with the relevant portions of the BCP, as well as their role in a disaster.
• Walk-Through Drill/Simulation Test – The Walk-Through/Simulation can incorporate actual recovery actions such as restoring backups, live testing of redundant systems, a simulated response at alternate locations, and actual notification and resource mobilization.
• Functional/Full Recovery Test – A BCP Functional/Full Recovery Test involves a complete test of your backup systems with parallel testing (running your live and backup systems in conjunction) or a full failover test (completely transitioning operations to your backup systems).

Your testing schedule is highly dependent on such factors as company size, your pace of new equipment and upgrade installations, and the amount of turnover in your IT staff, but most business continuity professionals recommend annual testing at a minimum.

BCP Template Sections: Testing, Testing & Exercising; Program Maintenance and Improvement 

Objective 9: Fulfill External Requirements

The final objective does not link to any particular section of the plan itself, but instead addresses the reality that your company may be required to provide a BCP to satisfy external requirements from regulators, vendors, and insurance companies.

As noted by the Disaster Recovery Institute (DRI), there are over 120 regulations that mandate business continuity management across a variety of industries. These are mandated by regulatory authorities and legislation such as the Financial Industry Regulatory Authority (FINRA) and the Health Insurance Portability and Accountability Act (HIPAA).

RFPs increasingly include a requirement to demonstrate an active business continuity management program and insurers will want see evidence of a BCP as a part of the underwriting process.

Conclusion

Gaining organizational commitment to achieving these critical business continuity plan objectives is a significant challenge, as business continuity leadership has to find a way to motivate employees to commit to spending time on issues that don’t contribute to achieving daily goals. Recruiting the right team, adopting a collaborative approach with participants, engaging senior management early in the process, and investing in training and certification will contribute to long-term commitment to planning success.

Learn More

As a provider of business continuity services, Invenio IT has helped clients manage through disaster incidents. To learn more about how we can put this experience to work for your company to minimize downtime from disruptive incidents, contact our disaster recovery teams at (646) 395-1170 or success@invenioIT.com.

Sign up on our blog home page to join our community of 17,000+ readers who receive our updates on topics related to business continuity, disaster recovery, data backup, and cybersecurity.