What is a Business Continuity Plan?
Often the most talked about part of a business continuity management system, Business Continuity Plans are designed to guide the organization – at various levels (more below) – through responding to and recovering from a disruptive incident. Business Continuity Plans should focus on recovering the business in an efficient and organized manner, with the ultimate goal of mitigating or reducing impacts.
There are several different types of plans that collectively make up “Business Continuity Plans”:
- Crisis Management Plans: Crisis Management Plans assist senior leadership with quickly assessing a situation and taking action to mitigate an event. While these plans are designed to provide high-level guidance, they will still provide specific tasks and strategies to recover essential products and services and mitigate the impacts associated with a disaster.
- Crisis Communications Plans: Avalution believes that communicating frequently and clearly during a disruption is a key part of mitigating impact. This plan, typically adjunct to the Crisis Management Plan, summarizes the key audiences, both internal and external, as well as the methods and strategies for communication following a crisis.
- Department Business Continuity Plans: Department-level Business Continuity Plans provide tactical guidance to each department to enable recovery of key business activities following a disruption within management approved timeframes. While the Crisis Management Plan provides the overall decision-making framework, these plans provide detailed steps to respond to and recover from a loss of critical resources, including a loss of a facility, technology, personnel, or supplier.
- IT Disaster Recovery Plans: IT Disaster Recovery Plans enable a timely and complete recovery of core technology assets within a management-approved timeframe and with the appropriate data available based on pre-determined recovery point objectives.
It should be noted that these plans are only a sampling of potential plans that could be completed by an organization. In addition to emergency response plans that address health/safety issues (e.g., evacuation or shelter-in-place), organizations may also choose to create IT-specific plans, site-based plans, or even plans based on various high-likelihood threat scenarios – such as Hurricane Plans for our friends in Florida. When creating plans, it’s important to remember that plan documentation is a critical step to ensuring organizational preparedness, but plans should serve as actionable tools to facilitate a response and should never inhibit the decision-making of experienced personnel or trump common sense.
What are the Common Challenges with Business Continuity Planning?
Plans Lack Focus
One of the most common planning challenges is ensuring the plan focuses on the necessary tasks to recover what’s truly critical within the organization following a disruption. There are several reasons that plans can lack focus, but one of the most common is that recovery requirements are not being properly set from the get-go through the business impact analysis (BIA). The BIA should define which activities must be resumed, the timeframes in which they must be resumed, and the resources needed to enable resumption to avoid unacceptable impacts with stakeholders. The key output of the BIA process is a set of management-reviewed and approved recovery priorities, allowing an organization to focus plans on recovering the highest priority activities and resources. Our business continuity software, Catalyst, creates a streamlined process for assigning, analyzing, and communicating business priorities and recovery objectives.
While some organizations may do too little by failing to set accurate recovery objectives, others do too much – overloading plans with an excess of information. Simplicity is key to creating focused and usable response and recovery plans, so it’s important to start with answering a few simple questions:
- Who is involved with the recovery effort?
- How do we recover?
- When do we recover? (What incident constitutes a use of this plan?)
- How do we operate in “recovery mode”?
By answering these questions, and integrating the BIA results, plans will focus on the response and recovery tasks that are required to address a disruptive incident. Any additional information (e.g., contact lists/call trees, process documentation, resource information), while potentially helpful, may distract from the important tasks and strategies and should be included in an appendix rather than in the body of the plan. Avalution believes the body of the plan should be simple and actionable, guiding plan stakeholders through the tasks in an efficient and timely manner.
Plan Content Varies Between Groups or Has Noticeable Deficiencies
Another challenge that organizations face is standardizing plan content and quality, without restricting a department’s ability to customize a plan to fit their needs. Plan content will vary from department to department and from plan owner to plan owner based on each department’s individual needs. With that said, deviations in plan content are not the same as deficiencies. In some cases, a department’s plan may be overly generic, consisting of simple activities that do not deviate from template materials provided by business continuity planners. As a result, plan owners appear to “miss the mark,” leaving out information that may be essential to have during a disruption. In other cases, departments may include extremely detailed explanations of how to accomplish non-essential tasks or elect to include emergency management procedures that may already be present in other documentation, such as facility evacuation plans. These plans also appear to “miss the mark” because the useful, relevant information is masked by too much detail. The challenge for business continuity practitioners is to determine what type of content is necessary and relevant, and then communicate expectations to plan owners when it is time to create or update plans. It is also not enough to simply receive a plan back from a business owner and check the box that the activity is complete for the year.
Business continuity practitioners should incorporate a quality assurance process, potentially using a rubric or guide, to ensure that plans are meeting necessary specifications. In many large organizations (or organizations without a dedicated business continuity professional or team), it may not be feasible to review every plan, but organizations should at least consider evaluating a defined percentage of plans on a rotational basis that will cover the breadth of planning activities over the course of time.
Plan Strategies Are Too Generic or Irrelevant to Plan Owners
One of the most important aspects of creating and using business continuity plans is strategy identification and development. Too often, practitioners forget that a key function of a plan is to document the steps necessary to recover and describe how to operate in “recovery mode.” In order to ensure that plans are relevant and make sense, plan owners and program management must work together to identify strategies in the event of a facility loss, personnel absenteeism, IT downtime, or supplier loss. Once plan owners are aware of approved response and recovery strategies specific to their business activities, plan documentation typically becomes significantly simpler.
Are you tired of lengthy recovery manuals and mountains of documentation? So are we! Avalution takes a pragmatic approach to planning, designing simple and actionable plans for our clients that will cut through the noise to assist with response and recovery efforts. We approach each client with fresh ideas, and while we certainly aim to continually learn and improve our processes, we understand that every organization is unique, and that plan content and structures don’t often translate from a template. With that in mind, we base all our plans on industry best practices and frameworks, while adapting each plan to the organization and stakeholders who will use the plan. We work with organizations in virtually all industries and of varying size and complexity to design streamlined plans that will fit the culture and structure of your organization, and don’t add any unnecessary complexity.
Our Process
Avalution’s approach towards planning focuses on simplicity and usability. If you’re not careful, plans can quickly become unmanageable with lots of unneeded information and supporting documentation. Avalution realizes that during a crisis, simple and actionable content is what matters most. To support this, Avalution plans for loss of resource scenarios, instead of threat-specific situations. We believe in creating one plan that can be adapted or modified to fit each unique disruption, rather than wasting time and resources to try and document a plan or strategy for each possible threat.
1. Strategy Determination
The first phase of planning leverages the outcomes of the BIA and risk assessment to evaluate enterprise-wide location, business unit, and resource-specific mitigation, response, and recovery strategies. These strategies should be in line with business continuity requirements and will drive the remainder of the planning effort.
2. Plan Documentation
Based on the strategies selected, plans are created to answer two key questions:
1. How to recover time-sensitive business activities
2. How to operate in “recovery mode” until the organization can return to normal
During the plan documentation phase, key information is documented, including:
- Roles and responsibilities for team members
- Activation and escalation criteria for each plan
- Meeting locations, both physical and virtual
- Contact information for stakeholders and supporting parties
- Communication protocols
- Key tasks to drive the response and recovery, account for the welfare of individuals, and manage the incident
- Downtime procedures and manual workarounds
Avalution develops tasks and procedures to address four general resource-loss scenarios:
- Loss of Facility (and associated equipment);
- Loss of Personnel;
- Loss of Technology; and
- Loss of Supplier/Third-Party
By developing strategies and tasks related to a loss of resources, plans developed by Avalution can address a variety of scenarios. In the end, a loss of your primary work facility (as an example) due to fire versus a loss due to flood doesn’t matter, as the impacts of that loss are the same – your organization must find a way to continue business without the facility and potentially the equipment normally housed there. If we can design plans to address that overall impact – a facility loss – then the plan can be flexible to adapt to all hazards, rather than specific threats.
3. Plan Validation
Following the documentation of a plan, it is important to put it to the test – via a tabletop exercise, simulation, or just an in-depth walkthrough or training. This step helps to ingrain the strategies and response into the organization, while creating a forum to identify vulnerabilities or opportunities for improvement.
Let’s look at a real-world application of Avalution’s planning methodology. Avalution recently worked with a regional bank consisting of several corporate locations in addition to a branch network spanning several states. During initial meetings, the client confided that they had previously struggled with the idea of planning for both the corporate locations and the branches, and with how to connect the two distinct recovery efforts.
We started with the most critical element – Crisis Management and Communication Plans – to ensure that the overarching recovery structure was designed correctly. Through meeting with the program and organization leadership to discuss and identify strategies, we were able to ensure that the response, escalation, and recovery strategy was coordinated and integrated based on what would work best with the existing organizational culture. If we hadn’t level-set at the leadership level of the organization, it wouldn’t have mattered much what was put in place at the department and branch level. It was critical that this plan not only detail how management would make decisions and delegate resources, but also determine communication and guidance to both branches and corporate locations.
After documenting these plans, we then developed department-level plans for the corporate-level functions before creating a single branch plan that could, with small adaptations, be applied across all branch locations. This branch plan detailed the general recovery steps to continue branch operations during a loss of systems or facility in a manual mode, as well as how to direct customers to alternate locations and support continued operations. The decision to create a single branch plan was critical to developing a program that could be maintained after our engagement and developing a planning structure that supported the entire business.