Business Continuity Planning: The Do's and Don'ts of the Process

Oct 19, 2020
Olga Hout

In an increasingly interconnected and perpetually changing world, it’s crucial for your organization to revisit business continuity planning regularly. There are certain actions to take and to avoid. Evolved global business and operations strategies add new business interruption risks to a growing list of threats. Building resilient and recoverable operations is more difficult when time is limited and challenges are approaching. Aside from all of the elements to be considered when designing a business continuity strategy, the key to a successful business continuity plan lies in building a well-thought-out plan and testing it throughout the organization.

This article will outline the guiding principles and key elements of a business continuity plan, explain continuity incident triggers, and dive into do's and don'ts for building a BC plan.

Recent Insights

Threats to the continuity of business operations have been on the rise for the past couple of years. Recent research confirms that cyber incidents, business interruption, change in regulations, along with natural catastrophes are the top business risks this year.  


Just as there are many types of threats that can disrupt your operations, there are many different scenarios of how these unwelcome events may unfold. Often referred to as continuity triggers (events that can potentially impede your business routine), these incidents range from a planned event or a reputational issue to a vendor supply chain interference or an injury among the leadership team.

Among the most common continuity incident triggers are:

  • Anticipated or planned events (weather, planned events that could prove disruptive, pandemic or public health issues)

  • “Office” incidents (building damage or disruption, other operations impact, employee injury or fatality, workplace violence)

  • Public allegations against the company or media / reputational concerns

  • Critical vendor or supplier incidents

  • Significant shifts in financial markets

  • Major information technology operations or infrastructure issues (dependent on the scope and projected duration)

  • Major information security incidents or breaches based on technology, operations, or business practice

  • Injury or death of a member of organization leadership

Guiding Principles for Business Continuity Planning

Although each industry may have different requirements and unique aspects, a business continuity plan provides guidance for any unforeseen situation a business faces. When tasked with building a business continuity strategy for your organization, approach your planning process by taking the following steps and considering these actions:

  • Focus on the IMPACT, not the cause. Determine the steps to take, with designated team members to lead the task force, when responding to the following scenarios:

    Loss of Workplace
    Technology, Security, or Vendor Disruption
    Legal, Financial, or Regulatory Implications
    Reputational Impact
    Workforce Safety

  • Utilize an “all-hazards” approach. This means that you need to consider and identify all potential hazards that could affect your operations, and assess vulnerabilities and potential impacts. All-hazards plans address the resources available and the actions to be taken before and after an emergency happens. They are meant to ensure people's well-being, minimize destruction to business property, and eliminate downtime of operations. With the all-hazards approach, businesses can take emergency preparedness to a level that is more effective and scalable.

  • Ensure a “Command & Control” structure is in place and understood. As once defined by NATO, command and control is the exercise of authority and direction by a properly designated individual over assigned resources in the accomplishment of a common goal.

  • Ensure everyone understands their role and is ready to act. Conducting a tabletop exercise is the most efficient way of organizing the team members and ensuring everyone knows their responsibilities during an emergency.

  • Prioritize business processes – first things first. A Business Impact Analysis should be used to evaluate critical recovery time objectives (RTO) for each department and establish a comprehensive understanding of core business needs.

  • Build “actionable” plans and keep them up-to-date.

  • Focus on continuity of operations, which is an effort within each department to ensure that all critical processes continue to be performed during an unforeseen event or disruption.

  • Build awareness across the organization and exercise regularly.

Business Continuity Framework

Your company's business continuity framework is foundational to its success. The respective components of your framework may look different for every business, but the underlying objectives are always the same:

  • Protect against the risks of disruption (Prevention)
  • Restore operations after disruption (Response)

An overall Business Continuity Framework defines a structure for a response, continuity of operations, and return to business as usual. Plans are developed using an “all-hazards” approach and are focused on the impact on location, people, technology, vendor, or reputation.

Creating a Business Continuity Plan

Your BCP is the blueprint for your business continuity framework. It should be a comprehensive document stored in a central place where anyone on the BC team can access it anytime and anywhere. A robust plan needs to outline all of the critical components and be updated often enough to help your organization keep up with compliance regulations and changes in the industry. 

1. Define

Begin your planning process by defining exactly what plan your organization needs or requires, and then prioritize all critical business processes through a BIA. Ideally, each department in your organization should have a BCP because they all have important business processes specific to them. These plans, in turn, feed an organization-wide BCP.


Of course, the number and scope of Business Continuity Plans are determined by the organization and business structure, but this logic applies across any type of business. Your strategy may encompass various departments that, in turn, also need to have their specific plans in place because every department has its own essential business processes to be accounted for. 


2. Prioritize & Plan

For this step, consider the following logic of actions:

  • Prioritize the processes in each department based on business impact (Financial, Customer, Client, or Member, Employee, Brand/Reputation, Service Delivery, Compliance or Regulatory)

  • Identify the continuity requirements from a business perspective for each process (0-24 hours, 2-5 business days, 6+ business days)

  • Detail any critical dates (non-routine, could change continuity requirements)

  • Define the strategy(s) to continue business (work from home, alternate space, another office, suspend, or delay)

  • Catalog continuity requirements (personnel deployment, key vendor information and alternatives, technology requirements and workarounds, vital records, special equipment, etc.)

Remember, the results of the Business Impact Analysis (BIA) provide the foundation for effective continuity planning with a focus on business priorities.


A Business Continuity Plan should provide a “playbook” that outlines the steps needed to continue business in the event of ANY disruption in normal operations. When it comes to what to include in your plan and things to avoid when planning, we suggest these do's and don'ts:

| DO’s | DON’Ts |
|---|---|
| Make your plan actionable | Not aspirational |
| Scenario independent (all-hazards approach) | Not scenario dependent |
| Make your plan a guide | Not a procedure |
| Focus on continuity of daily business | Not a long-term recovery plan |
| Define continuity strategies | Don’t wait to decide |

A solid BCP also needs to include:

  • Business Processes: Processes, their priority, and when they must be continued to “keep the business running”.

  • Critical Dates: Periodic important dates that might modify continuity priorities.

  • Employee Deployment: Deployment timing and work location for each employee.

  • Continuity Tasks: What needs to be done – same day, within 24 hours, within the next 2-5 days, or in 6+ days.

  • Key Vendors / Suppliers: Who they are, what they provide, how to contact.

  • Technology Dependencies: What technologies are required and when.

  • Vital Records: What “records” (usually paper) would need to be replicated to continue operations.

  • Special Equipment: Any unique equipment required to execute priority processes.

3. Validate

Once you've built your team and created a plan, make sure to validate the strategy across the board.

  • Everyone in the company needs to know their role & responsibility – don’t assume they know

  • It’s not enough to focus only on technology

  • Validate your continuity strategies

  • Can you execute your plans? Do they work?

  • Focus on the question: “Can I keep my business running?”

  • Just what’s needed to keep the business running, minimal alternatives, etc.

  • It is not a pass/fail test; it’s a learning exercise… gaps are good

In Conclusion

Nowadays, there are different factors that are driving business continuity forward. A growing number of industry interruptions have ignited the need to develop more robust resilience plans. Regulatory guidance now requires clarity of the critical third-party resiliency strategy, as well as making your organization a resilient partner. An increased focus on enterprise-wide governance, risk management, and compliance (GRC) pushes organizations to reduce compliance costs and provide better risk insight. Customers expect 24/7 access to products and services, thanks to the new technology that provides competitive and customized offerings. Regulators' tolerance for critical system downtime is also decreasing. And lastly, prompt identification and internal/external response to emergencies can protect and increase brand value and reputation.
