Business Continuity Plan (BCP)

The Business Continuity Plan (BCP) is an essential part of any organization’s response planning. It sets out how the business will operate following an incident and how it expects to return to ‘business as usual’ in the quickest possible time afterward.[1]


The Need for a Business Continuity Plan[2]

Major events such as terrorism (New York, 2001; London, 2005), Hurricane Katrina, and Swine Flu have brought the issue of Business Continuity Management to the attention of all business owners and executives. They now realize that they need to take steps to improve the chances that their business would survive such incidents and continue to operate, deliver an acceptable level of customer service, and generate income. Less news-grabbing, but just as significant, are events such as:

  • local infrastructure failures (e.g., internet access or telephone systems);
  • access denial due to external incidents (a fire in another company, road traffic accidents, bad weather);
  • staff unavailability (winter flu, industrial action, unexpected Lottery win!);
  • accidental or malicious corruption or destruction of data;
  • theft of company property;
  • the failure of key suppliers to meet delivery deadlines.

These are all sound reasons to have in place a credible Business Continuity Management System. Other drivers which should encourage organizations to take Business Continuity Planning more seriously include:

  • Increased Executive/Board responsibilities (e.g., Turnbull Report/Combined Code of Corporate Governance, Sarbanes-Oxley Act (USA), Basel II Accord, etc.).
  • Large clients and public bodies often require that a Business Continuity Plan has been developed and implemented, even just to get on a preferred supplier list or submit a tender.
  • Auditors increasingly expect to see a Business Continuity Plan in place as part of their due diligence audits.
  • The Civil Contingencies Act 2004 has placed Business Continuity Management obligations on public sector organizations.
  • Insurers increasingly require evidence that Business Continuity Plans are in place.
  • Holding Companies & Shareholders have rising expectations in respect of corporate governance.
  • Regulatory Bodies are starting to impose Business Continuity Management on the organizations they regulate.
  • Learning of a disaster affecting a neighbor or associate.
  • Experiencing a disaster or near miss!!


Business Continuity Plan Objectives[3]

  • Guide the company’s disaster recovery teams: This is one of the most fundamental objectives of business continuity management. Your BCP plan template is more than just a document to be stored away and never seen again. It’s a step-by-step guide that will be used by your recovery teams during an actual disaster situation.
  • Identify disaster recovery personnel: Who is on those disaster recovery teams? What are their roles? How can they be reached in an emergency? Identifying this information is one of the most important goals of your business continuity planning.
  • Assess risks and impact: Another crucial purpose of creating a BCP is identifying the various threats to your operations. In a later section, your plan will outline different types of disasters that could disrupt the business. You will also include the impact of each scenario: how much damage would be caused, how long the recovery would take, the cost of operational losses, and so on.
  • Provide the step-by-step protocols: Your plan will provide the specific procedures that must be followed to assist in recovery. Chances are, when disaster strikes, personnel won’t remember exactly what they’re supposed to do. Your disaster recovery teams should have a general idea, but if needed they can consult the document to follow the exact procedures as they’re listed.
  • Identify the location of critical data and assets: One of the most important IT business continuity plan objectives is identifying where critical data and other assets are stored. This allows recovery teams to begin recovery even if key IT personnel are unavailable. Imagine, for example, a scenario in which you had no IT workforce. There must be, at least, a footprint for other personnel or stakeholders to follow. Any confusion will significantly impede the recovery process.
  • Prioritize emergency communications: Who communicates with the client during an emergency? Who notifies the workforce? Who speaks to the media? By having a business continuity management policy in place, recovery personnel will understand their roles in both internal and external emergency communications.
  • Identify backup locations and resources: Recovery teams need to know where and how to relocate operations and with what resources. Your BCP will outline the availability of any backup office space or the procedures for securing a new space rapidly. Additionally, it will cite the availability of backup physical resources, such as workstations and devices.
  • Outline existing preventative measures: A business stakeholder wants to know, “What are we doing to prevent ransomware situations like the one I just read about in the news?” This is another reason for your BCP. It will outline the technologies, tools, and protocols that are already in place to prevent or mitigate the effects of a disaster.
  • Find weaknesses and propose solutions: Any holes in your continuity planning must be addressed. The BCP is as much a process as it is a static document. It’s a work in progress in which risks must be constantly evaluated. Identify scenarios that would leave operations unprotected and propose specific action steps that should be taken immediately.


Components of Business Continuity Plan (BCP)[4]

There are five components of a Business Continuity Plan:

  • Disaster Recovery Plan
  • Continuity of Operations Plan
  • Incident Management Plan
  • Occupant Emergency Plan
  • Business Resumption Plan


Steps in Developing a Business Continuity Plan (BCP)[5]

The development of a business continuity plan includes four steps:

  • Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
  • Identify, document, and implement measures to recover critical business functions and processes.
  • Organize a business continuity team and compile a business continuity plan to manage a business disruption.
  • Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.


Business Continuity Plan Vs. Emergency Response, Crisis Management, and Disaster Recovery[6]

Business Continuity Planning joins with Emergency Response, Crisis Management, and Disaster Recovery Planning [see Figure 1] to create a comprehensive process for recovering from unexpected events that threaten stability or even the future existence of an organization. Business Continuity is often the most crucial element in determining whether an organization can survive a major disruption over the long run. While the other three are certainly important factors in reducing damage, saving lives, and re-establishing a reliable snapshot of the organization's technology infrastructure, databases, and transactions, all are rendered ineffective without a sound Business Continuity Plan (BCP).


Figure 1: Business Continuity Plan (source: ChainLink Research)


Benefits of Having a Business Continuity Plan[7]

  • Having a business continuity plan in place will keep businesses trading when they would have otherwise probably failed due to an incident.
  • Business continuity plans can significantly reduce the cost of disruptions.
  • Companies with business continuity plans benefit from insurance premium discounts, reduced excesses, and doors opening to new insurance markets.
  • A business continuity plan allows what would otherwise be unacceptable risks to be insured.
  • Business continuity maintains the continuity of operations and service delivery
  • Business continuity helps to build customer confidence
  • Business continuity helps to build confidence within the organization/business
  • Business continuity is potentially life-saving
  • Business continuity provides a competitive advantage
  • Business continuity provides compliance benefits
  • Business continuity helps mitigate business risks and financial exposures
  • Business continuity helps preserve brand value and company reputation
  • Business continuity ensures supply chain security and order fulfillment
  • Business continuity can help enhance or develop an appropriate organizational culture
  • Business continuity can help enhance health and safety
  • Business continuity helps the organization/business to be more resilient
  • Business continuity gathers information that is useful to the whole organization/business


Business Continuity Plan - Best Practices[8]

  • Full-Fledged Automation: Despite remarkable advances in automation technologies, a good number of enterprises still rely on recovery systems that are manual or depend on human effort. Such practice over-relies on the ability of entrepreneurs and their employees to access the organization’s remote facilities. Remote accessibility can be severely compromised in the event of a natural disaster or terror attack, so it cannot be relied upon in these situations. By adopting full-scale automation, businesses can minimize their dependence on remote accessibility and human intervention to maintain business continuity.
  • Understand the limitations of virtual systems: Adoption of virtual servers, desktops, and storage can considerably improve the ability of the organization to deal with outages and downtime. These virtualized systems have an intrinsic ability that reduces the risk of downtime by offering greater protection from outages. In spite of this, you need to understand that such virtualized systems cannot offer a hundred percent safety against failure. This calls for the need to be prepared for the unexpected by employing a robust backup strategy.
  • Testing of Every Plan: Although employing a business continuity plan immunizes business against natural disasters and guarantees business availability, it cannot be considered foolproof until you have checked and tested every single step. You need to make sure that the business continuity plan is able to sustain the most challenging conditions. More than twenty percent of businesses surveyed were found to have never tested their business continuity plans. An equal number of companies admitted to infrequent testing of the business continuity plan. Testing establishes the credibility of the business continuity plan and must be undertaken on a quarterly basis. This must involve running critical applications and testing every single system.
  • Relevance of Location: According to a recent Consumer Economics report, as many as forty percent of organizations in the midsized category rely on a single data center for their business operations. In view of the growing threats of terror attacks due to the current situation and the greater frequency of natural disasters owing to global warming, it is necessary to assess the security level of data centers in terms of their geographical locations. One must also consider ease of accessibility during unexpected events and the range of service availability in catastrophic situations. There is an urgent need for organizations that have a single remotely located data center to explore a cloud-based data storage option. These steps will help reduce the effect of downtime during extreme situations.
  • Need prioritization: Even if a comprehensive and in-depth business continuity plan is essential for those organizations whose requirements of data recovery are of extremely large scale, there has to be a critical analysis of the most significant applications, software, and data storage. These mission-critical applications must be given priority while planning expenditures for business continuity. Precise identification of critical applications can avoid unnecessary spending on less important applications.


See Also

Disaster Recovery Plan (DRP)
Business Continuity
Risk Management
Enterprise Risk Management (ERM)
Crisis Management

