5 Essential Steps to Business Continuity Planning

Sep 28, 2020
Olga Hout

While over half of small and midsize business owners say it would take at least three months to recover from downtime, 60% don't have an emergency response plan. However, according to Gartner, the average cost of downtime can climb up to $5,600 per minute. 

When it comes to business continuity planning, there are several critical issues leaders should be addressing. You must not only lay out the steps you will take to react to business shocks now, but also entirely reshape your business continuity plan.

Now is the time to create an active recovery plan if your organization doesn't have one. It takes effort, but you will give your business the best chance at survival after (and during) an unexpected event. 

Keep reading to learn the steps to effective business continuity planning.

What Is Business Continuity Planning?

Business continuity planning focuses on maintaining business functions or efficiently resuming them in the event of a major disaster. A major disaster can be anything from a flood, fire, or malicious cybercriminal to a pandemic.

A business continuity plan (BCP) outlines the procedures your organization will follow in the face of such disasters. It covers crisis communication strategy, assets, business partners, human resources, and more. 

You've likely heard of a disaster recovery plan that focuses on restoring IT infrastructure and operations after a disaster. However, disaster recovery is one small part of a complete BCP, as a BCP seeks to ensure the continuity of the entire organization.

As time passes and the COVID-19 pandemic is controlled, organizations must review and renew business continuity plans. You will need to assess how your current BCPs are working—if you have any. 

The best way to locate any gaps is through business continuity testing. If you spot deficiencies, you must highlight them and identify the root causes, whether it's external environmental issues, lack of infrastructure, or timeliness of action.

Then, outline new procedures based on lessons learned, and contingency plans to build resilience and adequately respond to future disasters.

COVID-19 is unlike anything our economy has ever experienced, so it was impossible to prepare for with traditional wisdom and forecasting tools. However, you should view this disaster as something to learn from and carry the lessons learned forward once the pandemic has passed, and you've had time to analyze your response. 

Top Threats to Your Organization's Continuity

Depending on your industry and level of risk, every organization will have different primary threats to daily business. A risk assessment before creating a BCP is helpful for this reason. You don't need to have a plan for every possible scenario, but you should watch out for the following common disruptors.

Global Pandemics

You've likely experienced how a global pandemic can throw a wrench in the best of business plans, from all angles. 

Many employees must work from home, demand for specific items grows, and supplies decrease due to disturbances across the supply chain.

When considering how your organization will respond to a global pandemic, put in place a solid disaster communication plan. You'll need to envision how your employees will work together and conduct necessary business offsite. 

It's also necessary to consider alternate suppliers and products to avoid a single point of failure.

Use what's happening now to determine what is and isn't working for your business, then plan for how you will handle similar scenarios in the future.

Power Outages

Imagine the disruption to your "business as usual" that would be caused by a loss of communication lines, power generation, or water shutoffs. 

Unexpected utility outages can also potentially damage physical assets, causing a loss of productivity and downtime.

Power outages have been on the rise in the past couple of years. The most affected region was the state of California, with hundreds of thousands of customers affected in April alone. A single power outage event can devastate an organization's revenue, productivity, capacity, and labor. Increasingly, utilities are practicing planned de-energization events, or Public Safety Power Shutoffs (PSPSs). As a last resort to prevent power lines from starting wildfires and putting human lives in danger, planned power outages are scheduled to take place during hot, dry days.

Natural Disasters

A natural disaster describes any weather-related disaster, such as hurricanes, tornadoes, and tsunamis. It also refers to natural phenomena such as earthquakes, volcanic eruptions, and wildfires.

The worst disasters happen in an instant and are impossible to predict. Any business could experience grave damage to its physical structures and assets. 

Natural disasters also disrupt supply chains in affected areas, causing a lack of supply for in-demand items. 


Cyberattacks

A cyberattack is a malicious computer-based attack on a technical asset.

Cyberattacks include data theft, ransomware attacks, SQL injections, and distributed denial-of-service (DDoS) attacks.

If you have the right security measures in place, you may only experience limited IT functionality until the issue is resolved. If you don't have data backup or recovery, you could potentially lose access to valuable business data. We have developed a brief, actionable cybersecurity checklist to help your organization take the first steps: check for any signs that may lead to a data breach or a cyberattack, and develop preventative measures to safeguard your operations.

Steps to Creating a Business Continuity Plan

While creating an effective BCP is a lot of work, it's a critical piece of operating a resilient business. 

You, your appointed business continuity team, and your staff must take continuity planning seriously. Here are five steps to help you get started.

Step 1: Assemble a Business Continuity Management Team

The makeup of your team depends on your continuity objectives and the size of your company.

A good BCP should detail what your staff needs to do in the event of a disaster, what communication methods are required, and the timeframe in which critical IT services need to be available.

  • Create a contact list of key people involved in your company's BCP, including names, titles, and communication info (both work and personal) such as phone numbers and email addresses.
  • Provide a detailed overview of their roles and responsibilities so that everyone knows what is expected of them in an outage event.
  • Have a process in place for how your BCP will be updated and how these updates will be communicated to the team.

This team will prepare standards for the project and train additional team members. They will also identify clear processes to improve project flow.

Step 2: Ensure the Safety and Wellbeing of Your Employees

  • When planning, you must prepare to prioritize the safety of your employees amid a crisis. They will look to you, their community, and the government for guidance. Be proactive and transparently address their concerns. Right now, many companies have to decide whether to initiate or expand remote work arrangements and other policies that allow employees to work flexibly.
  • Depending on your industry, you'll want to reallocate resources and reorganize teams, as well as establish employee wellbeing programs and procedures that support a safe working environment.
  • Make sure you have proper communication channels in place to get in touch with all of your employees at the same time. Sending an email may not be sufficient if the Wi-Fi is down. Consider implementing BC planning software with an integrated emergency messaging tool to ensure all business processes are continuous, and everyone is safe. Communicate with your teams early and regularly. You want to engage your employees as you navigate through the current crisis.

Reimagining your usual business environment while minimizing disruptions requires a delicate balance. In some situations, telecommuting and flexible work arrangements aren't possible. In scenarios during which you'll have workers in direct contact with customers, you must prepare to provide personal protective equipment. 

Step 3: Understand the Risks to Your Company

Once your business continuity management team is assembled, you must conduct a business impact analysis (BIA). 

This type of analysis will help you identify specific threats to financial performance, operations, supply chains, reputation, and employees. It can serve as a starting point when identifying risks.

You and your team should brainstorm a list of threats and potential risks to your business. Then discuss how the risks mentioned above could affect business operations. 

Don't underestimate the importance of this step—or how long it could take. A proper BIA will typically involve a comprehensive questionnaire to gather the breadth of information you will need. BCP production tools such as Agility Planner help you get started with creating a BCP or a BIA and provide access to historical data and ready-to-use templates.

Step 4: Implement Recovery Strategies

Once a disaster occurs, and financial losses begin to grow, it can be challenging to get back on track without a BCP in place. Consider the following questions as you discuss options with your team:

  • Do you have a way to get sales, HR, manufacturing, and support personnel back to work after a disaster to continue operating your business?
  • How will you continue to meet the demand for products or services if your equipment or facility is damaged?
  • If your facilities are impacted, will your employees work remotely at home or from an alternate location?

You'll address concerns like these and more in your business continuity plan.

Address Every Business Function

It's essential not to leave any business function out of your plan. Be sure to address the following:

  • Level of risk
  • Impact on customers and employees
  • How you will communicate with stakeholders
  • Financial resources available in the event of a disaster
  • Emergency policy creation
  • External partners who can work together with you in a mutually beneficial way

Set realistic timelines and intentions across your company's resilience journey to ensure you reach your goals and exceed expectations.

As you work through your plan, develop relevant reports to share with all stakeholders. Use highly visual reports to highlight areas that need attention and show progress. 

Step 5: Test, Test Again and Make Improvements

No matter how long you spend perfecting it, a business continuity plan is never truly finished—just as the risks and requirements of your industry are never set in stone.

Testing your business continuity plan allows you to validate it as you manage risks. While 88% of companies test their strategies to identify gaps, 63% of them do so to validate their plans. 

The result of this testing is not "pass or fail" but continuous improvement, achieved by identifying findings through a live exercise. Prepare your organization for success by using this checklist for business continuity testing.