How to Create a Robust Business Continuity Plan
Jun 9, 2020
A business continuity plan (BCP) helps companies restart their business operations quickly through a systematic plan of prevention and recovery when hit by a disaster. Businesses conceive a plan in advance to ensure that in the event of a disaster, their employees, assets, and most importantly, their IT operations are protected and the business can recover quickly.
Consult both stakeholders and employees when preparing a BCP. Your aim is to include all risks that can hinder your company's normal day-to-day operations after a crisis. A BCP can include natural disasters, such as weather, fire, or flood, and should also include technical problems that may arise, like cyber-attacks.
A BCP also details how your company's operations would be impacted by each of the risks listed in the plan. It contains an implementation guide with detailed procedures to mitigate risks and test that the process works.
Why Is a Business Continuity Plan Important?
All businesses must have a business continuity plan to ensure that disruptions arising from disasters don't threaten their profitability. When disaster strikes, profitability is reduced by the higher costs of operations and by revenue loss. Depending on insurance alone is very likely to produce an unsatisfactory outcome for your business as it usually doesn't cover all costs involved in the event of a disaster.
Disasters of any intensity can cause minor to major impacts on businesses and hamper their operations. With a BCP, businesses can continue to operate even after a catastrophe. For many organizations, there's a big focus on the company's information technology systems, as IT systems (the company's data and services) are often the company's most valuable asset. Therefore, it's crucial to be able to quickly restore those systems.
The Impact of a Disaster on Business Continuity
A report commissioned by Hewlett-Packard (HP) & Score stated that companies that don't resume their operations within the first ten days after a crisis aren't likely to survive the ordeal. It also mentions that 43% of businesses without a plan to overcome the impact of a disaster will never reopen. Further, only 29% of those that opened after a crisis were still operating two years later.
Adverse situations like disasters test the competitiveness and capability of a company. Your company's market value and reputation will soar if it handles crises effectively. Thus, you will increase customer confidence in your company. However, if you don't manage those external stresses accordingly, you might have to close your business in the wake of a disaster.
Business Continuity Plans vs. Disaster Recovery Plans
There is some confusion regarding the difference between a BCP and a disaster recovery plan; some people consider them to be the same. However, the disaster recovery plan's sole focus is the recovery of your company's IT infrastructure after a crisis. Information technology is considered to be critical for smooth business operations by companies around the world. There are many disaster recovery solutions available to help restore IT systems after a crisis.
But a disaster recovery plan is actually only one key part of a BCP. Other parts of a BCP focus on securing your company's people and the processes they use.
A business impact analysis (BIA) is another key part of the BCP. A BIA report quantifies the costs associated with a sudden loss of business operations. It also helps you evaluate whether you should outsource some noncore activities. For example, you may want to explore outsourcing support or help desk activities. Some companies outsource sales to focus on quickly recovering revenue.
A BIA helps organizations realize what their company's most critical operations are. It expresses the impact in terms of monetary losses based on business expenditures and revenue before, compared with after, a disaster scenario.
Common Misconceptions Related to Business Continuity Plans
Most companies leverage digital technologies for revenue generation. In order to continue IT operations after a disaster, having a business continuity plan has become one of the most important components for the long-term survival of a business.
Unfortunately, many companies still don't have a BCP in place to tackle the sudden effects of a disaster. Furthermore, many business leaders have misconceptions about business continuity planning. Let's address them.
Misconception #1: Your Employees Have the Know-How to Make the Right Decisions During an Emergency
Without a BCP, depending on your employees to know what to do when disaster strikes is likely to backfire, as even your best managers can't be expected to know everything under the sun about your company. On top of that, leaving employees to decide how to handle a disaster may add to the confusion inherent in a disaster. Each of your key employees is likely to tackle the associated problems differently. Therefore, it is important to educate and train your employees using the procedures prescribed in the business continuity plan.
A business continuity plan assures an organized, safe, and timely recovery for your company. The BCP will also assign specific recovery activities to specific personnel who will be trained on particular procedures in the BCP. Therefore, certain personnel will only be trained on certain procedures; it's often impossible to train personnel on the entire BCP.
An Example Scenario
Let's say you own a successful product-based company. You presume that your DevOps team would be able to restore your IT infrastructure in the event of a crisis. This is likely to be a fatal presumption on your part.
In the event of a disaster, your best DevOps employees and developers may not be able to restore your IT infrastructure unless they're trained on the BCP. They may not know some critical functions needed to successfully recover and restart the whole IT system.
It is also possible that your employees may be missing some key information to recover and restart your IT operations. Or perhaps the person who has the know-how to undertake the recovery process of your company's IT infrastructure isn't available. Your BCP will cover both of these situations.
A BCP, specifically the data recovery part of the plan, will aid your employees in restoring IT operations. Further, it will direct how to ramp up other critical services that rely on your company's data, such as human resources (HR), customer support, and supply chain, as quickly as possible.
Misconception #2: Insurance Will Cover Your Lost Revenue
It is a mistaken belief that your business can rely on an insurance policy to recover the lost revenue during or after a disaster; insurance alone is not a business continuity strategy.
Of course, proper insurance coverage still plays a significant role in the BCP. But insurance is unlikely to help you recover significant damages like interference with the release of your new product, loss of market share, or loss of customers due to a disaster. Hence, it is very important to consult with your insurance agent to understand the terms and conditions of your insurance policy.
Misconception #3: It’s Not Worth Investing Time in a Business Continuity Plan
As mentioned earlier, a report commissioned by Hewlett-Packard (HP) & Score stated that 43% of businesses without a plan to overcome the impact of a disaster will never reopen. An organization that wants to continue operating after a crisis must have a BCP in place. It does take some effort and strategy to develop a BCP. But it costs very little to take it from the idea stage to a formalized written manual.
It is well worth the effort to invest a moderate amount of resources to formalize a BCP for your organization, because your business is your livelihood and not your hobby.
Misconception #4: Testing a Business Continuity Plan Is Difficult and Time-Consuming
Often, we hear that testing a business continuity plan is difficult and expensive. However, if your BCP is hard to understand, that's a red flag. A BCP should always be easy to understand by the people who will use it. It should have very clear steps to recover each particular operation. If you follow that guideline, testing a BCP shouldn't be hard.
Furthermore, it's important that you test a BCP to find any flaws or missing steps. You don't want to end up in a disaster situation where you lack certain information needed to restore services quickly. In other words, it's worth investing some time in testing your business continuity plan thoroughly.
Next, let's learn how you can create a business continuity plan in six steps.
How to Create a Business Continuity Plan?
A company must put a business continuity plan in place to protect itself from monetary loss, customer loss, and reputation damage. The plan must be pretty detailed and it should address all possible threats the organization is likely to face. It should also include a strategy and procedures to protect the organization against those possible threats. Also, it must designate which personnel will lead each of the documented processes.
It is very important to keep the BCP well-organized. Any person reading the plan should be able to understand all the processes documented in the plan. This does not imply that HR personnel can restore IT services. However, it means they can understand why a certain service is needed or how it impacts the key operations of the business.
Making a BCP consists of the six steps listed below.
#1 Identify the Scope of the Plan
Begin with identifying the key objectives and goals of your business continuity plan. For example, what level of detail will be covered in the plan, which departments need to be included, what is the desired outcome of the plan, and which major milestones will be tracked? Remember that business continuity management applies to the whole organization, not just to the IT department of your organization.
#2 Designate a Business Continuity Team
A business continuity team is at the center of the BCP. You must include details like titles, contact information, and any other required information for each member of the team. It is good practice to include contact information for a backup person for each assigned responsibility in the plan.
There are two types of teams included in the plan: the command and control team, and the task-oriented team. The command and control team's job is to ensure a near-perfect execution of the plan. In addition, the command and control team has crisis and recovery management sub-teams.
The task-oriented team consists of employees who are assigned specialized operations, with separate subteams for legal, supply chain, information technology, internal communications, HR, customer service operations, external business communications, finance, public relations and media, and a few more.
#3 Single out the Key Business Areas and Critical Functions of Your Organization
In this step, you must identify the business processes that have proven to be the most critical for your business. Disruption of these processes would cause heavy losses to the company. Here, you must classify each business process as a function with a high, medium, or low level of importance.
#4 Prepare a Business Impact Analysis Report
A business impact analysis (BIA) report helps you determine the key areas that are most vulnerable to disruption arising from a disaster. Further, you must quantify the losses you may experience if your organization's business processes go down.
The BIA report must include information about your company's key business operations and the most critical areas for business continuity. It should also indicate which resources you'll need to ensure that these critical departments remain afloat during a disaster. It provides detailed scenarios for disasters of varying intensity.
#5 Determine Acceptable Downtime for Each Critical Function
A business needs to consider the maximum acceptable downtime for all critical business operations. You must also determine acceptable levels of loss concerning the company's reputation, market share, finance, data, operations, and other key aspects. Keep in mind that downtime for the company's critical functions will impact each of those.
You must decide how long the company's systems can stay down before a loss becomes too great. A big loss risks the survival of the company. Setting such limits will aid the company in recovering the most critical functions first, by setting priorities.
#6 Create a Plan to Maintain Operations
This is the largest section of the business continuity plan. Note that you need to update this part of the plan regularly as your company evolves. This part of the plan begins with analyzing the company's current recovery capacity and determining how to improve it. Prevention strategies, response strategies, and recovery strategies all have a place in your BCP.
Should You Test a Business Continuity Plan?
Yes! It's definitely worth testing your business continuity plan. As with testing in general, testing your BCP helps find faults in your plan. Therefore, testing your BCP helps you to find possible mistakes such as these:
Incorrect information
Missing information or steps
Confusing or unclear steps
Furthermore, testing your BCP gives your team the chance to practice the plan before an actual disaster happens. Your employees can convert this experience into confidence when it really matters. Your company should organize regular practice sessions so everyone is up-to-date on recent changes to the business continuity plan. Furthermore, regularly practicing helps new employees become familiar with the BCP more quickly.
Lastly, testing your BCP helps you identify weaknesses in your team. It's possible that the team lacks coordination or teamwork, and knowing about such weaknesses helps your team to better prepare for an actual disaster.
Do You Need a Business Continuity Plan?
To answer this question, yes, you need a business continuity plan. You don't have to create a full-blown plan to start. After determining your most vital business functions, prioritize them, and create a detailed plan for the highest priority service, then a plan for the next most critical service, and so on.
Further down the line you can work on lower priority business functions such as HR. You want to become profitable again as fast as possible after a disaster. Therefore, it's more important to restore vital functions such as IT services before HR operations. However, those priorities might be different for some organizations that don't have a strong focus on delivering IT services.
How Can Plutora Help?
We’ve cleared up some misconceptions about BCPs; now you know what a BCP is, what its various parts are, and the steps for creating your own BCP.
If you're looking for high-tech tools to effectively implement a BCP for your business, we've got you covered with our business intelligence platform and deployment planning tool. Customers use our deployment plan feature to have optional rollbacks for recovery or business continuity processes.
Plutora's deployment planning tool provides DevOps metrics to track how much time it takes to recover from an outage (mean time to repair, or MTTR). Also, it helps manage the release transition process and ensures recovery after a disaster.