How to write a business continuity plan: the easy way

Earthquake. Flood. Cyber attack. The threat of disruption looms over organisations more ominously than ever, thanks to the increasing infiltration of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about disruptions, so you need to prepare for whatever might come your way with a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.

What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow to continue operating in the event of a disruption. The steps outlined in a BCP are typically a set of temporary measures or quick fixes to ensure that the most important business operations remain functional, even if at the cost of overall productivity.

Organisations’ top priorities tend to be their technologies, and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t about recovering IT. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services. In that regard, it simply considers IT a critical resource for preserving those activities – in other words, a dependency.

However, recovering your IT may take some time, so you should have a plan on how to manage in the meantime. Such temporary solutions may well be lo-fi; even so, organisations must outline them in a BCP to ensure employees know what’s expected of them.

Business continuity vs disaster recovery

BCPs shouldn’t be confused with DRPs (disaster recovery plans), even though they both tackle the immediate aftermath of a disruption.

Business continuity focuses primarily on ensuring that you maintain functionality – even if at reduced capacity – in the event of an incident while attending to the disruption. Disaster recovery is a purely corrective measure that looks to recover to full IT functionality as quickly as possible.

These concepts might sound similar enough, but business continuity’s focus on first and foremost reviving the most critical business functions is a crucial difference, and one that makes it a good idea to separate it from disaster recovery. The latter is usually just used in an IT context, as only semi-functioning technology often isn’t good for operations, but achieving full recovery may take some time.

Business continuity recognises that time is of the essence, and often involves temporary fixes that ensure vital operations continue. Recovery is also time-sensitive; temporary solutions don’t tend to offer the same level of productivity, so you don’t want to rely on them for long.

Whether taking a disaster recovery or business continuity approach, your objective should be to create a plan that buys you enough time to recover within an acceptable timeframe as defined by your RTO (recovery time objective). Just remember that business continuity has to consider two timeframes: when to be up and running again, and when to be back to full functionality.

Common threats to business continuity

Most disruptions that you will experience fall into one of these categories:

  • Natural disasters

Earthquakes, hurricanes and wildfires might spring to mind when you think of natural disasters, and although they often disrupt business, you only need to worry about them if you live in a part of the world where they are known to occur.

However, natural disasters also include snowstorms, heavy wind and floods, which are less dependent on geography but can still disrupt business, and which you should therefore plan for.

  • Man-made disasters

Your main concern in this category should be events that damage or disrupt transport routes, like car accidents and train crashes. If a major road or rail network is shut down, you might be unable to receive deliveries, and employees and customers might not be able to reach you.

Other man-made disasters include oil spills, terrorist acts, industrial accidents and acts of war.

  • Utility failures

Electrical fires and burst pipes can cause huge problems for organisations and are liable to occur at any time.

A fire or flood could damage expensive equipment or require a room to be vacated. If a sewage line is broken, the sanitary risk (not to mention the smell) could force the organisation to send its employees home.

  • Technological failures

Sometimes technology can simply stop working. Systems crash, files are lost and documents go missing. The whys of technological failures are so manifold and unpredictable that it’s impossible to anticipate how or when they will occur – just consider them an ever-present risk that will materialise at some point, so be ready for when they occur.

  • Human error

An organisation’s staff is often its biggest security weakness. Employees will lose or accidentally expose data from time to time, and although staff awareness training will reduce the risk, it won’t eradicate the threat. Humans inevitably make mistakes, and you need to be aware of that when planning for disruptions.

  • Sabotage

Employees might also breach data deliberately. This typically happens if they are disgruntled at work (maybe they were turned down for a promotion) or have left the organisation acrimoniously and their login credentials are still active.

There’s also the possibility that staff will simply be lured by the financial gain from stealing sensitive information and selling it on the dark web.

  • Cyber attacks

The most frequent examples of cyber attacks include phishing emails (which are designed to steal information), brute-force attacks (in which crooks use automated software to crack an employee’s password) and ransomware (which locks down an organisation’s system until a fee is paid).

These are far from the only threats you need to plan for, though. Organisations’ networks and the applications used will contain dozens of vulnerabilities that crooks are always looking to exploit.

Why business continuity planning is so important

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption. Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as the delay continues.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches. As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), as a disruption could cause major problems for a large section of the population. To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.

Benefits of business continuity planning

Beyond the obvious reasons to implement a BCP (to remain functional in the event of a disruption), you should also consider its ability to:

  • Protect your organisation’s reputation: In demonstrating a fast and efficient response to disruption, the public will almost certainly be impressed by the way you operate. This will mitigate any negative sentiments that will accompany the loss of productivity, and it might even improve your reputation.
  • Boost employees’ morale: No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong. If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, which will prove to employees that management has considered their needs.
  • Build your relationship with third parties and subsidiaries: An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with. It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and partners.

Writing your business continuity plan: 8 simple steps

  1. Purpose and scope of the BCP

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

  1. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to grant financial costs outside of the normal department budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

  1. Invoking the BCP

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond. You don’t need to get into specifics here (that’s covered in step five), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

  1. Specific BCP content

This is the meat of your plan, containing the actions you will take to recover from various incidents. It will be the result of two other processes – the risk assessment and BIA (business impact assessment) – in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, you should take each business disruption and outline:

  • Steps that must be taken to protect individuals (staff, customers and third parties) during the business disruption;
  • Actions that should be taken to contain the disruption and prevent further loss, disturbance or unavailability of prioritised activities;
  • Guidelines on record-keeping requirements during and after the incident (such as what needs to be recorded and where);
  • Prioritised recovery objectives and the actions and resources that are needed to achieve them; and
  • Internal and external (inter)dependencies and interactions, and how these might impact one another during a disruptive incident.
  1. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them of their wellbeing. This is both thoughtful and prevents your organisation’s phone lines being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding. In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

  1. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

  1. Appoint a business continuity manager

The business continuity manager is responsible for documenting the plan and keeping it safe. They are also responsible for reviewing the plan to make sure the information is accurate. For example, if someone with BCP responsibilities leaves the organisation, the business continuity manager should flag this, so the team can appoint a successor.

  1. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.

Don’t forget to test your plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

a. Table-top exercise

A table-top exercise is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

b. Structured walkthrough

A structured walkthrough is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions. The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours. As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

c. Disaster simulation testing

A disaster simulation test is essentially a dress rehearsal. You create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are. Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.

Business continuity planning made simple

Anyone looking for help on how to develop and document their BCP should take a look at our free BCP template.

It expands on the eight steps we’ve listed in this article, showing you exactly how to structure your plan.

BCP template

Download our template >>