Disasters, both natural and man-made, can happen at any time, often with very little warning. The consequences of not being prepared can be devastating. According to the Federal Emergency Management Agency (FEMA), almost 40 percent of small businesses affected by a major disaster never reopen their doors.
How can you ensure that your company won’t be part of that statistic? The answer is to have a well-defined business continuity plan.
A BCP lays out the steps and procedures a company will follow before, during and in the wake of a disaster, so that it can maintain maximum functionality during the emergency and get its operations back to normal in the shortest possible time. With a good BCP in place, your company’s employees will know exactly what to do when disaster strikes.
In this post, we outline the scope of a typical business continuity plan and how to create one, including:
The primary focus of the scope is to identify the purpose and limitations of the business continuity plan. It specifies the areas of the business that the planning pertains to, as well as the situational context in which the documentation should be used.
In simplest terms, the scope of a business continuity plan makes it clear what the planning is for and why it exists.
Business continuity plans can vary significantly in size and scope. They can be focused on specific divisions of a business, IT systems or a company’s entire operations. As such, the plan must clearly lay out its goals and limitations from the start.
Here’s how to approach it.
What should be in your BCP so that you can be sure that your business is adequately prepared for a disruption? The following are seven areas any good business continuity plan should address. If you’re creating a BCP for the first time, these are high-level tips to help you create the core framework of your plan.
Since every business continuity plan is different, each BCP must clearly state what its objectives are: what it aims to accomplish and which operations the planning applies to. That is the scope. For example, if the plan is focused narrowly on maintaining continuity for IT systems, then it should be clearly stated at the beginning of the document that the scope is limited to IT. This leaves no room for confusion and also makes clear that other operations will require their own planning.
One of the most vital steps in formulating a good BCP is to conduct a business impact analysis (BIA) to identify the crucial areas of your business that must be maintained or quickly restored when a disaster strikes. It’s these core business functions that your BCP will be designed to protect.
Your BCP should identify the systems and data that are most critical for the continued operation of the company. What equipment, supplies and records (both digital and paper) must be available and operational in order for your company to continue to function? What is their role and importance? Why are they crucial to the survival of the business? Your BCP should identify this in clear terms to emphasize the importance of establishing effective recovery protocols.
What are the most likely disruptive events that might impact your company’s operations? Cyberattacks, accidental data loss, server outages, ransomware infections? What about natural disasters, such as tornadoes, hurricanes, wildfires and earthquakes? Obviously, it’s not possible to predict which disaster will strike your operations or when. But you can and should specifically plan for every possible scenario within your BCP. Some businesses may have a higher risk of certain types of disasters, which is why a comprehensive risk assessment should be conducted for each company, as we outline below.
Your BCP should specify procedures and systems for data backup and recovery. How frequently will backups be conducted, and by whom? Where will the data be stored, and how will it be geographically replicated so that no local disaster can result in a permanent loss? How will it be recovered? These questions should be addressed both for electronic and critical paper records.
Who can declare an emergency that activates the recovery procedures in the BCP? Who are key employees who should be notified (and how), and who will be in charge? Where will disaster recovery team members and other employees meet if the company premises are not usable? These questions and more should be addressed in detail in the BCP.
How will the BC team be notified of an emergency if, for example, your email systems and telephones are disrupted? Who is authorized to speak on the company’s behalf to media, customers, suppliers and external partners, such as government agencies? The plan should include a list of people and agencies that will be contacted when an emergency is declared.
A BCP that looks good on paper may be totally unworkable in practice. It must be realistically tested before it is put into operation, and key employees must be trained in its use. It must then be updated on a regular basis. With changing conditions, technology, organizational structures and personnel, the plan can quickly become outdated and unusable. Procedures for training, and for both testing and refreshing the plan, should be included in the BCP itself.
Creating a thorough business continuity plan is the most important thing you can do to prepare your business for an operational disruption.
As the Department of Homeland Security notes, “A business continuity plan to continue business is essential.” Proper planning ensures that operations can be quickly restored, regardless of what has caused the incident.
Preparing for all possible disasters is vital to this planning, as FEMA writes:
“The planning process should take an ‘all hazards’ approach. There are many different threats or hazards. The probability that a specific hazard will impact your business is hard to determine. That’s why it’s important to consider many different threats and hazards and the likelihood they will occur. In developing an all-hazards preparedness plan, potential hazards should be identified, vulnerabilities assessed and potential impacts analyzed. Strategies for prevention/deterrence and risk mitigation should be developed as part of the planning process. Threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed.”
Getting the scope of your business continuity plan right is crucial to the survivability of your business if disaster should strike. If the planning falls short or fails to anticipate certain disasters, then recovery will be far more challenging.
Above, we mentioned the importance of identifying an objective for your BCP. What is the purpose of your business continuity plan? What does it aim to accomplish?
While the fundamental goal of every BCP is similar—to ensure continuity through a disruption—plans can vary in their approach. This is why it’s important to identify your business continuity plan objective and scope at the start of your planning. Typically, this is one of the first sections in a BCP.
Setting a plan objective is crucial for ensuring that everyone is on the same page about what the plan aims to achieve. If, for example, the plan is focused solely on IT continuity, then this will make it clear that additional planning is needed for other areas of the business.
Here’s a brief example of how the scope of a business continuity plan can be documented for a specific critical system. This example is based on recommended text from the National Institute of Standards and Technology (NIST), which is a popular resource for BCP frameworks:
Scope
This plan has been developed for <system name>, which is classified as a critical, high-impact system, in accordance with Federal Information Processing Standards (FIPS) 199. Protocols outlined in this plan are for high-impact systems and designed to recover <system name> within <RTO hours>. This planning does not address replacement or purchase of new equipment, short-term disruptions lasting less than <RTO hours>, or loss of data at the on-site facility or at the user-desktop levels.
NIST also recommends that the Scope be followed by an Assumptions section, which provides additional context for understanding the potential recovery scenarios. For example, an accompanying Assumption for the NIST scope above might be: “Secondary processing sites and offsite storage are required and have been established for this system.” Another example: “Existing backups of the system software and data are intact and available at the offsite storage facility in <City, State>.”
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are additional objectives that should be identified within certain sections of your business recovery plan. However, unless your plan is strictly focused on a specific system (rather than the business as a whole), these objectives should not be used as the plan’s key objective. Instead, RPO and RTO should be identified within your recovery planning sections.
Here’s the difference between RTO and RPO:
For example, an RPO of 8 hours would dictate that no backup should be more than 8 hours old. An RTO could be used to specify how quickly a data recovery should occur. For example, an RTO of 1 hour would dictate that a backup must be able to be restored within 1 hour.
It’s important to note that being able to achieve these objectives depends largely on the capabilities of the backup systems deployed. This is why RPO and RTO should be determined during the planning process to help identify which technologies are required.
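As an added illustration (not part of the original article), the Python example below checks a backup catalogue and a restore-test log against the 8-hour RPO and 1-hour RTO used above. The catalogue entries, timestamps and function names are constructed for the example, and a failed backup job is treated as protecting nothing.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=8)   # the article's example: no backup more than 8 hours old
RTO = timedelta(hours=1)   # the article's example: restore completes within 1 hour

# Constructed backup catalogue: (finish time, job succeeded?)
BACKUPS = [
    (datetime(2024, 3, 1, 0, 0), True),
    (datetime(2024, 3, 1, 8, 0), True),
    (datetime(2024, 3, 1, 16, 0), False),  # failed job: protects nothing
    (datetime(2024, 3, 2, 0, 0), True),
    (datetime(2024, 3, 2, 6, 0), True),
]
NOW = datetime(2024, 3, 2, 15, 30)

# Constructed restore-test log: (system, restore started, service usable again)
RESTORE_TESTS = [
    ("file-server", datetime(2024, 2, 20, 10, 0), datetime(2024, 2, 20, 10, 40)),
    ("database", datetime(2024, 2, 20, 11, 0), datetime(2024, 2, 20, 12, 25)),
]

def rpo_violations(backups, now, rpo):
    """Return (from, to, exposure) for each window where the newest good
    backup was older than the RPO, including the window still open at `now`."""
    good = sorted(t for t, ok in backups if ok and t <= now)
    if not good:
        return [(None, now, None)]  # no usable backup at all
    points = good + [now]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]

def rto_violations(tests, rto):
    """Return (system, duration) for each restore test that exceeded the RTO."""
    return [(name, end - start) for name, start, end in tests if end - start > rto]

if __name__ == "__main__":
    for a, b, gap in rpo_violations(BACKUPS, NOW, RPO):
        print(f"RPO missed: {a} -> {b} (exposure {gap})")
    for name, took in rto_violations(RESTORE_TESTS, RTO):
        print(f"RTO missed: {name} restore took {took}")
```

The failed 16:00 job is what turns two on-schedule 8-hour intervals into a single 16-hour exposure, which is why the check measures gaps between successful backups rather than only the age of the latest one.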
Your business continuity plan assessment—often referred to as a risk assessment—is another critical section of your planning document.
Above, we mentioned the importance of identifying the most likely risks to your organization. This is the section where you will outline those risks, defining what they look like and their likelihood of occurring. By assessing your risks in this fashion, you’ll be able to prioritize your planning around the most urgent risks.
Some organizations may also choose to incorporate aspects of their business impact analysis in this section, in the form of a table or chart. This provides a clearer overview of the threats and their severity, at a glance. Here is a basic example of what this business continuity plan assessment might look like:
We’ve touched on the fundamental scope of a business continuity plan and some key components to include. But there are several other sections you’ll want to include to ensure that the plan is effectively communicated and able to be properly executed. Use the business continuity plan checklist below as a basic outline for how to structure your document and what these sections should entail.
Routine review and auditing of a business continuity plan is crucial for ensuring that the information within the plan is still accurate and up to date. As new risks emerge, or business objectives change, it is necessary to revisit the plan and update those sections accordingly.
For example, only a few years ago, the threat of ransomware was not on many businesses’ radars. Today, it is one of the most dangerous risks to organizations, and as such, is now commonly included in BC plans across numerous industries.
But also, on a smaller level, even personnel names and contact information within a BCP can become quickly outdated when employees leave a company. So it’s important to make sure every aspect of the plan is up to date.
Business continuity testing is another vital part of the planning process. Testing ensures that the protocols and systems identified in the plan are actually effective. Routine tests also help to educate recovery teams and have them walk through the steps, so they are familiar with the processes when real disruptions occur.
Business continuity testing can encompass nearly any aspect of your planning, including:
All tests should be thoroughly documented. Did anything go wrong? Were recovery objectives met? What improvements must be made? If any critical gaps are uncovered during the testing process that require significant infrastructure changes (such as a new backup system, for example), these should be identified in the Action Items section of the BCP.
Hiring a business continuity consultant can be a smart move for businesses that need an outside perspective from a professional. Experienced consultants can identify any gaps in your business continuity plan, as well as the need for additional systems or procedures.
If you plan to hire a business continuity professional, you’ll want to be sure that the consultant is the right fit. Here are some tips:
Businesses with limited resources may want to consider outsourcing business continuity planning to an outside provider. This is a perfectly acceptable strategy for both small and large businesses, particularly if in-house personnel have little experience building a BC plan.
Even if your organization already has a BCP, outsourcing business continuity planning can help to provide an independent audit of your plan or manage specific aspects, such as your continuity technologies.
Business continuity and disaster recovery (BCDR) vendors can help to deploy the technologies you need to maintain continuity. These solutions can include data storage, data backup, cloud replication and network solutions, just to name a few.
Choosing the right BCDR vendors is much easier when you already have a business continuity plan in place. Your BCP will identify the specific technologies you need to mitigate risks and recover from a disruption. Your continuity objectives will further help to narrow down your options: if a potential data backup solution can’t meet your RPO, for example, then you need to look for other vendors.
A business continuity plan includes the systems and procedures that help a business stay open during an operational disruption. A typical plan includes:
In simple terms, business continuity means that a business can continue operating during a disruptive event. All companies aim to maintain business continuity. A break in continuity—whether caused by natural disaster, cyberattack or other incidents—can be costly and can threaten the survival of a business.
The most important step in business continuity planning is identifying the systems and procedures that will help a business maintain operations during various disaster scenarios. To effectively complete this step, the business will first need to conduct a comprehensive risk assessment and business impact analysis.
A business continuity plan is typically the joint responsibility of leaders from different operational divisions. While one individual may be tasked with overseeing the plan as a whole, the content is usually a team effort, requiring managers to identify operational risks specific to their respective units.
Yes, backups are integral to business continuity, because a loss of data can result in a costly operational disruption. This is why it’s important to identify data backup systems and protocols within the business continuity plan, including deployed technologies, recovery objectives, backup testing and recovery procedures.
In business continuity planning, the scope refers to the areas of focus that are documented in the planning. Defining the scope helps to clarify the objectives, reach and limitations of the plan, which can help to determine if additional planning is needed in other areas of the business.
Developing and maintaining a good business continuity plan is essential for keeping operations running through an unexpected disruption. By adequately assessing risks and outlining strategies for prevention, response and recovery, organizations can greatly reduce the chances of a prolonged interruption to essential systems and services. Always identify the scope of the planning at the start of a BCP to make it clear what the areas of focus are and where additional planning may be necessary.