The Easy Way to Develop a Business Continuity Plan
Planning for disaster is serious business. But that doesn’t mean creating your business continuity plan (BCP) has to be difficult. In this post, you’ll learn how to develop a business continuity plan.
Here’s the thing about continuity plans. Everybody needs them, but nobody wants to do them. That’s because these crucial documents tend to be massive. They often require months of research and collaboration with multiple departments across your organization—not to mention ongoing updates over time.
So, why not make the process as easy as can be? In this post, we show you how.
Like a carpenter about to build a shed, you’re going to need some tools before you get started. A good place to start is a sample business continuity plan template. This will provide a basic outline for what goes in your BCP and how to structure it.
Here are the key sections to include:
- Contact information
- Plan objectives
- Risk assessment
- Impact analysis
- Areas for improvement
Below, we show you how easy it is to complete these sections by starting with simple questions. Here are a few other things you’ll want to have in your BCP toolbox before digging in:
- A calculator
- Extensive knowledge of the business
- Contact info for other stakeholders who will help you fill in the blanks throughout
Okay, let’s dive in!
How to develop a business continuity plan
Once you have the general outline created, it’s time to enter all the details. Don’t get overwhelmed. Use the questions below to guide you as you complete each section. Hint: The letters next to each question correspond to the sections listed above.
a) Who’s in charge here?
The section for “Contact information” should include contact info on you—the BCP writer(s)—and whoever should be contacted when disaster strikes.
This is a good place to list who’s on your disaster recovery team—the folks in charge of “activating” the recovery plan after a disaster and managing the response. Key stakeholders or third-party firms that manage your business continuity can also be included here.
b) What are you trying to accomplish with this plan?
Pretend like nobody knows what the BCP is for (because many don’t). In the introductory “Plan objectives” section, you should make it clear what the goal is. For example: to minimize the risks of probable disasters and provide the appropriate procedures for responding to them, for the purposes of ensuring continuity.
If your BCP is focused solely on the technology component of business continuity, then you’ll specify that in the objective.
c) What events could disrupt the business?
This is where you’ll include a detailed “Risk assessment.” These are all the risks that threaten your business, prioritized by their likelihood of occurring.
Risks can include fire, natural disasters, cyberattacks, data loss, transportation stoppages, terrorist attacks, IT infrastructure failure, public utility outages and so on.
d) How would they impact the business?
Time to get out that calculator! Once you’ve identified the risks, you need to determine the real-world impact on the business. This is called a Business Impact Analysis.
The analysis should be very clear about how the company would be disrupted and what it will cost. Describe which divisions will be affected, how long the disruption could last, how customers could be affected and so on. Operational downtime can be extremely costly. Use the calculator to approximate your losses, and make sure these costs are clearly identified in your BCP.
e) How can you prevent those disruptions?
Now that you know your threats and their potential costs, it’s time to stop them! In your BCP, you’ll list the preventative measures that the business is already taking to reduce the chances of those disruptions. For example, these measures could include data backup solutions, server-room fire suppression systems, antimalware software and so on.
Depending on how your plan is structured, you may choose to combine sections C, D, E and F into a single chart, so that all this info is grouped together under each risk.
f) What should people do if disaster strikes?
A good BCP will provide clear instructions for responding to the disruption. This ensures the business can recover as quickly as possible. You should explain what must happen in the moments following a disaster, how it should be done properly and who should do it.
For example, in a ransomware attack, you might want users to turn off their machines and/or disconnect them from the network, while administrators should work to contain the infection and identify the last clean data backup recovery point.
Take nothing for granted—spell it all out, and make sure there’s at least one disaster recovery team member assigned to manage each response.
g) What’s lacking in your continuity planning?
Nearly every BCP will have a section on “Areas for improvement” or similar. This is where you identify the gaps and weaknesses in your existing continuity strategy.
As you develop your plan, you will almost certainly uncover vulnerabilities for which you don’t yet have adequate prevention. Each one should be listed as an action item. Make recommendations for filling the holes and provide guidance for how and when those measures should be implemented.
h) What’s your plan B?
This is your “Contingencies” section. It should include information on physical (and digital) backup resources for employees, in the event of a major shutdown.
For example, is there a backup location where emergency personnel can continue to carry out operations? What kind of backup equipment is available? Computers, phones, chairs? Create a master inventory of these backup assets, instructions for how to access them, and who’s in charge of deciding when they’re needed.
i) How will everyone communicate?
Communication is key during a disaster. If a major storm strikes the office overnight, how will employees know if they should come into work? How will they know when to return, or whether they’re needed at a backup location? If phones and email are down, how will people receive updates?
There are plenty of solutions for these issues, and hopefully you already have some implemented. Your job right now is to identify them thoroughly within the BCP and make sure employees know that these emergency communication methods exist.
Tips for an awesome business continuity plan
Now that you know what goes in your BCP, let’s make it awesome. Check out these 15 essential continuity tips – you’ll find some overlap with the advice above, but here are three extra pieces of advice to keep in mind:
- Put people first. When you’re talking about business continuity, the discussion almost always revolves around the health of the business. But what about the people? After all, we’re talking about disasters. So when it comes to preparing for dangerous events, like natural disasters or terrorist attacks, you must remember to focus on protocols and systems that will keep employees safe.
- Figure out your RTO and RPO. Within your BCP, you’ll need to set goals for how quickly recovery should happen. RTO (recovery time objective) is the maximum time that recovery should take before things get a lot worse. RPO (recovery point objective) is specific to data backups: it’s the age of the oldest backup you can restore without a major disruption, e.g. 12 hours. Here are some best practices for calculating these objectives.
- Train as much as possible. Whenever feasible, conduct employee training to help prevent certain disasters and to explain the recovery protocols outlined in your BCP. For example, cybersecurity training is essential for educating staff on how to identify phishing emails and bad hyperlinks, so that infections are curbed significantly.
Put your BCP to the test
How do you know that the steps and solutions outlined in your business continuity plan will actually work? Well, you don’t—unless you test them.
A BCP should not be a static document, developed once and never touched again. You need to constantly reevaluate the information to make sure it’s accurate and up to date. Part of this evaluation should include ongoing testing to ensure your continuity strategies are effective.
Some general examples of BCP testing scenarios include:
- Data backup recoveries
- Network and internet outages
- Emergency communication systems
- Crisis management response
- Disaster response safety drills
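To make the RTO/RPO objectives and the "data backup recoveries" test above concrete, here is an added example (not part of the original post) that checks a backup job history against the RPO and restore-drill timings against the RTO. The 12-hour RPO is the post's own example; the 4-hour RTO, the backup records, the drill results and the check time are constructed assumptions.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=12)  # example RPO value used in the post
RTO = timedelta(hours=4)   # assumed RTO, chosen for this example

# Constructed sample data: (finish time, job succeeded?) per backup run.
BACKUPS = [
    (datetime(2024, 3, 1, 0, 0), True),
    (datetime(2024, 3, 1, 8, 0), True),
    (datetime(2024, 3, 1, 16, 0), False),  # failed job: no restore point
    (datetime(2024, 3, 2, 0, 0), True),
    (datetime(2024, 3, 2, 8, 0), True),
]
# Constructed restore-drill results: (system, measured time to restore).
DRILLS = [
    ("file-server", timedelta(hours=2, minutes=30)),
    ("crm-database", timedelta(hours=5, minutes=15)),
]
NOW = datetime(2024, 3, 2, 23, 0)  # constructed "time of the check"


def rpo_violations(backups, rpo, now):
    """Windows in which the newest restorable backup was older than the RPO."""
    points = sorted(t for t, ok in backups if ok and t <= now)
    if not points:
        raise ValueError("no successful backup to restore from")
    # Include 'now' so a stale latest backup is caught, not just past gaps.
    edges = points + [now]
    return [(a, b, b - a) for a, b in zip(edges, edges[1:]) if b - a > rpo]


def rto_violations(drills, rto):
    """Systems whose measured restore time exceeded the RTO, with the overrun."""
    return [(name, took - rto) for name, took in drills if took > rto]


def report(now=NOW):
    lines = []
    for start, end, gap in rpo_violations(BACKUPS, RPO, now):
        lines.append(f"RPO miss: no restore point from {start} to {end} ({gap})")
    for name, over in rto_violations(DRILLS, RTO):
        lines.append(f"RTO miss: {name} restore overran by {over}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

A failed job counts as no backup at all, which is why one skipped run turns an 8-hour schedule into a 16-hour exposure window.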
Protection for IT infrastructure
A first-rate data backup system is essential at every business. Even the loss of one critical file (an important spreadsheet, a CRM file, etc.) can be extremely costly. You need to be sure that your data is being reliably backed up on a regular basis (ideally on-site and in the cloud) and that this data can be quickly recovered when needed.
But a backup device is only one of many essential components of your IT infrastructure:
- Network hardware
- Email systems
- Telecommunications systems
Make sure your BCP addresses how each aspect of your infrastructure is being safeguarded against a disruptive event, as well as what the backup plan is for each system outage. If you need some help, start with this server disaster recovery plan template.
Who should manage your continuity planning?
By now, it should be obvious that your business continuity management can be a full-time job.
The single task of identifying and implementing technologies alone can take up a significant portion of your time. And that doesn’t even include all the other crucial responsibilities we’ve outlined above, like actually writing the BCP, testing it, calculating impact analyses, developing employee training programs and so on.
As such, many businesses find that hiring an outside business continuity consultancy is way more cost-efficient than managing it all in-house. Plus, by hiring experts who manage continuity every day, you can eliminate the risks of assigning these important tasks to in-house teams that have less experience in these areas.
Not sure if you need a consultant? Check out this article.
Let our experts guide you
Find out how you can reduce costs and strengthen your continuity strategy with help from our BC experts at Invenio IT. Request a free demo of data-protection solutions from Datto, or contact us today at (646) 395-1170 or success@invenioIT.com.