Start Disaster Planning with this Business Continuity Plan Template
Preparing for disaster is one of the best things a business can do to avoid downtime when disruptive events occur. But for smaller companies, it’s not always clear how to approach that planning.
We’ve created this business continuity plan template to guide you in creating the single most important resource in your disaster-planning toolbox: the business continuity plan (BCP).
What is a business continuity plan?
A business continuity plan is a document that outlines an organization’s approach to disaster prevention, planning and recovery. It is designed to help businesses understand the risks that threaten their operations and provide a framework for resolving disruptions.
In short, a BCP helps companies maintain business continuity after a disaster.
Federal agencies estimate that 40% of companies fail to reopen after a disaster. This is why business continuity plans are so important.
Sample Business Continuity Plan Template
The following business continuity plan template provides a basic overview of what your BCP should include. But ultimately, every plan is different. BCPs can be structured differently depending on the business, operations and industry.
Use this template as a rough guide to what should go in your plan, rather than a hard-and-fast rulebook.
Sections to include in your plan:
- Contact information
- Risk assessment
- Impact analysis
- Preventative solutions
- Incident response
- Recovery procedures
- Testing schedule
- Plan review schedule
Larger business continuity plans will also typically include appendices, where more comprehensive details can be placed to expand on any of the sections.
For example, the recovery procedures for various operations are likely to be expansive for larger organizations. They could include protocols for recovering lost data (which itself can include a myriad of different options, each composed of detailed instructions and flow charts), recovering failed servers and networks, resolving website outages and so on. As such, it makes more organizational sense to include these subsections in appendices attached to the end of the plan.
a) Contact Information
Most business continuity plan templates include key contact information at the beginning of the document, because it needs to be clear who should be contacted in an emergency. These personnel could be company stakeholders, managers or the individuals on your recovery teams. They’re the people who “need to know first” about a disruption, so that emergency protocols can be properly activated and critical business decisions can be made quickly.
This section is also a good place to include the names and contact details of those who developed the BCP, so that they can be contacted if any questions come up during a disaster.
What to include:
- Role or job title
- Location (if company has multiple)
- Phone (work, mobile and home)
It’s a good idea to include all available contact information for each individual to ensure that they can be reached. Remember that in the most devastating events, such as a natural disaster, some lines of communication may be broken. Including multiple contact details increases the chances that critical personnel can be reached.
If the list of contacts is long, consolidate them into distinct categories or sections of your BCP (e.g. recovery teams, board members, etc.), prioritized by who should be contacted first.
The beginning of your BCP should make it clear what the plan aims to accomplish. This is useful for several reasons:
- Defining the scope of the planning, i.e. whether it’s focused on company-wide operations or limited to continuity concerns within specific departments such as IT
- Providing a broad overview of financial impact and other consequences of a disruption
- Educating stakeholders and other personnel on the importance of the planning and how it helps to ensure continuity
This section can sometimes look like a brief breakdown of what’s included in the BCP. But generally, the fundamental objective of the plan will be similar for every business: Identifying risks and solutions for preventing various disaster scenarios and recovering rapidly when they occur.
c) Risk Assessment
A thorough risk assessment should be completed as part of every BCP. In order to determine the most effective steps for disaster prevention and recovery, you need to first understand what those disasters are.
A risk assessment aims to answer the question: which events could disrupt operations?
These events can be different for each business, depending on numerous factors. For example, a business located along the coast will be more at risk of hurricanes and coastal flooding than companies that are further inland. A business located in a major metropolitan area may be more at risk of transportation blockages and terrorist activity than those in more rural areas.
The risk assessment should clearly define the following:
- Specific risks posed to the business
- How and why those events pose a threat to operations
- Likelihood of the event actually occurring
d) Impact Analysis
While the risk assessment provides a basic definition of each disaster and how it affects the business, a more thorough impact analysis is needed to truly understand the fallout from these events.
An impact analysis provides a more in-depth perspective of how a disaster negatively impacts the business.
Each risk needs to be evaluated in these terms:
- Which business process(es) would be disrupted
- Estimated lapse in continuity or timeframe for recovery
- Extended effects on other business units
- Financial impact
The financial impact is a key metric here. An impact analysis must calculate the specific costs of a disruption in the numerous ways it impacts the business: wages for idle workers, productivity losses, revenue disruptions, IT expenses, recovery costs, reputation damage and so on.
These costs help to prioritize the severity of each disaster, so that organizations can better identify solutions for prevention and recovery.
e) Preventive Solutions
Preventing disruptions is an important component of all business continuity planning. While recovery protocols will always be necessary, businesses should attempt to mitigate risks as much as possible.
This section should outline all preventive solutions that have been implemented to stave off the disaster scenarios uncovered in the risk assessment, including:
- Existing processes and measures taken by the company to prevent operational disruptions
- Technologies and systems that prevent disasters, such as antimalware software, data backup solutions, backup power generators, etc.
- Emergency tools and devices, such as smoke & fire suppression systems, location of fire extinguishers, exit routes, etc.
Depending on the layout of your business continuity plan, these preventative solutions can be included within the risk assessment or they can be broken out into their own section.
f) Incident Response
The first few minutes following an incident are the most critical for initiating an effective response. This initial response can set the stage for how effective the entire recovery is.
A key question that will need to be asked following a disruption is: Does this event warrant activating the recovery plan? In other words, is it a true disaster event that requires following all recovery procedures, or is it a more minor event that can be resolved independently from those protocols?
The incident response section should thus make it clear:
- What are the parameters for declaring a disaster?
- When should the recovery plan be activated; what justifies activation?
- How should the plan be activated?
The incident response is not the same as the full recovery procedures, which we discuss below. If personnel determine that a disruption has occurred, they will follow the protocols in this section to effectively activate the response and communicate the event to all applicable parties.
g) Recovery Procedures
A complete list of recovery procedures is needed to ensure that personnel know exactly how to resolve issues as quickly as possible. It is the responsibility of the BCP writers to determine what those steps are, based on careful analysis.
What to include:
- Step-by-step instructions for responding to each type of disaster
- Any specific recovery objectives, such as recovery time objective (RTO) or recovery point objective (RPO)
- Guidelines for communication between recovery teams
Again, depending on your unique business continuity plan template, these procedures can be included alongside your risk assessment and business impact analysis, or they can be broken out into their own sections or appendices.
Severe on-premise disasters will require the business to have contingencies for maintaining continuity with other spaces and physical assets.
For example, if the business location has been destroyed, a secondary location, as well as equipment, will be needed to restore operations. All such contingencies should be outlined in this section so that it’s clear to recovery teams which resources are available and how to secure them.
Contingencies and protocols to consider:
- Backup locations where emergency personnel can oversee critical operations
- Availability of backup IT infrastructure components, such as network hardware or servers after on-site components have been destroyed
- Backup equipment to be used at the secondary location, such as computers, desks, etc.
- Specific instructions for securing these assets when the need arises, as well as contact information for third parties who are needed for the transition (e.g. office managers, real estate professionals, etc.)
Maintaining communication during a disruption is critical to a successful recovery. Even if primary lines of communication have been cut (as when a storm knocks out office telecommunications, Internet and power), recovery teams must be able to communicate with each other and with other external contacts.
It’s equally important that updates are effectively communicated to all company personnel, so that employees know the status of the recovery and when/where/how to report to work. This is especially important during outages in which the business has been temporarily shuttered by the disaster.
What to include:
- Procedures for maintaining communication internally and externally
- Systems and processes for communicating messages to all personnel, such as mobile SMS messages, email notifications, company website/extranet or even old-fashioned calling trees
- Who will oversee this communication?
During the development of the BCP, most companies will identify gaps in the planning. This could be in the form of missing systems, technologies or tools that are needed to ensure continuity but haven’t yet been implemented.
These systems should be listed as recommendations for future implementation, in order of priority.
Examples could include:
- Newer BC/DR solutions that allow for more frequent backups and faster recovery
- Stronger cybersecurity technologies to thwart evolving threats
- Employee training programs to help minimize the risk of events such as data loss, phishing attacks, ransomware infections, etc.
Recommendations should include overviews of their importance, priority and estimated timelines for their implementation.
k) Testing Schedule
Testing the protocols in your BCP is necessary for determining if they will be effective during a real-world event. Businesses should thus maintain an ongoing schedule for testing the various systems and procedures outlined in the plan.
Some examples of testing can include:
- Data backup and recovery tests to ensure data can be fully restored when needed (and that it meets your recovery objectives).
- Malware & hacker penetration tests to ensure that cyber-threats are effectively blocked.
- Disaster simulations to ensure that recovery teams know what to do and follow procedures accordingly.
l) Plan Review Schedule
Over time, the information within the BCP will become outdated. Newer procedures and IT deployments will replace old systems. Recovery personnel will leave the company. Contact information will no longer be accurate.
It is therefore important that the BCP be thoroughly reviewed on a periodic basis to correct inaccurate information and update it with any recent changes in continuity planning.
The plan review schedule should include guidelines for how and when those reviews should take place, and by whom.
What to include:
- Who is responsible for reviewing the BCP
- How often should the plan be reviewed?
- What is the process for updating the plan? How will updates be prioritized?
Frequently Asked Questions (FAQ)
1) How do you write a business continuity plan?
The key to writing a business continuity plan is understanding the ways that your business can be disrupted and then identifying how to prevent those disruptions, minimize them and recover from them. The plan should document those risks in detail, along with the steps and systems for recovery.
Most business continuity plans should include an introduction, the stated objective of the plan, a risk assessment, a business impact analysis and procedures for disaster prevention, response and recovery.
2) What are three essential elements of a BCP?
Three essential elements of a business continuity plan are: risk assessment, business impact analysis and recovery. Together, these elements identify the potential disruptions to a business, the financial impact and the systems and procedures needed to recover after those incidents occur.
In addition to those 3 essential elements, a BCP should document the people and processes that manage the continuity planning process, as well as schedules for updating and testing the plan.
3) What is the purpose of a business continuity plan?
The main purpose of a business continuity plan is to document the ways in which a company can continue operating after an unexpected disruption. It helps businesses prepare for those disruptions and have a pre-determined plan for responding to them, which greatly reduces the risk of operational downtime.
In short, a BCP helps a business stay in business.
4) Who is responsible for a business continuity plan?
Many companies designate a business continuity manager, who is responsible for writing and updating the business continuity plan. This individual will typically coordinate with other members of the company’s disaster recovery teams and/or business unit leaders to develop the plan.
Given the complexity of continuity planning, many companies choose to hire an outside business continuity consultant to oversee the process or certain components, such as data backup deployments.
5) What is a BCP lifecycle?
A business continuity planning lifecycle refers to the distinct stages that make up the planning process. These stages include: 1) risk assessments, 2) impact analyses, 3) continuity strategy development, 4) plan execution and 5) plan testing.
The term “lifecycle” refers to the cyclical nature of the planning and how each stage depends on the next. For example, the final stage for plan testing is designed to identify problems or weaknesses that inform the next stages of assessment, impact analysis and so on. The cycle thus repeats itself, which in essence is the definition of business continuity management.
Using a business continuity plan template is a good way to start your planning and ensure that you’re including the most important information. Without a BCP of any kind, organizations face a greater risk of being derailed by an operational disruption, such as data loss, natural disasters or even an extended power outage. However, it’s important to remember that every organization is unique, with its own risks, objectives and continuity needs. As such, the template above should be used chiefly as a foundation for companies to build out a comprehensive business continuity plan tailored to their operations.