A business continuity plan is a key output of the business continuity planning process. ISO 22301 states that a business continuity plan is a set of “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.” Said another way, business continuity plans are documented steps that help organizations respond once a disruption occurs to minimize impact to those affected.
In most business continuity programs, there are five major types of plans:
This article focuses on the fifth of the plan types, business continuity plans.
The purpose of a business continuity program is to prevent disruption and respond efficiently and effectively when one occurs. As such, business continuity plans typically serve three main purposes:
There’s a US military quote that’s often cited when it comes to “plans” (with many people receiving credit for it). It goes something like this: “Plans are only useful as evidence that planning took place.”
When it comes to business continuity plans, that is partially true. Business continuity plans must remain flexible to changing circumstances, but also include procedures that outline how to implement recovery strategies addressing a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties.
Loss of Technology | Loss of Facility | Loss of Supplier | Loss of Personnel
Over the years, business continuity professionals debated two major schools of thought on the approach to planning: resource-loss based planning and threat-based planning. Avalution strongly recommends the former, resource-loss based planning.
Several years ago, the business continuity industry focused on completing threat-based plans. These plans focused on an organization’s response to very specific events: snowstorms, fires, floods, pipe bursts, tornados, and acts of terrorism. There are two key issues with threat-based planning:
Also, should any of these threats occur, the result is the same – a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties. So why not keep it simple and streamline the planning effort?
This is where resource-loss based planning comes in.
When creating business continuity plans (typically, one plan each for a function or department), Avalution focuses on four main resource types: people, workplace/equipment, information technology, and suppliers/third parties. When documenting business continuity procedures, Avalution first works to identify the best strategies to address each resource loss for each department or function, and then documents how to implement each strategy following the onset of a disruption and, as necessary, how to operate differently until returning to normal.
Before covering the business continuity plan creation process in more detail, it’s important to point out one more detail. There is a place for some threat-based procedures. Examples include procedures to prepare for a hurricane or, if a public health emergency is imminent, to prepare staff for a period of absenteeism.
[Figure: Business Continuity Operating System (BCOS) phases: STARTUP ▶ ANALYSIS ▶ STRATEGY ▶ PLANS ▶ EXERCISE ▶ IMPROVE]
Plan documentation is the fourth phase in Avalution’s Business Continuity Operating System (BCOS). Prior to documenting plans, it is necessary to complete the Startup, Analysis, and Strategy phases to scope the business continuity program, understand key activities as they relate to the organization’s key products and services, identify activity dependencies (resource requirements), and determine the strategies to recover each dependency.
After completing the first three BCOS phases, it is time to document the business continuity plans. Creating business continuity plans involves four steps:
Plan Refresh: Review the plan periodically (typically annually or following significant change) to confirm strategies remain appropriate, assigned team members remain accurate, and procedures are both complete and accurate.
As discussed earlier, there are five types of business continuity plans: crisis management, crisis communications, emergency response, IT disaster recovery, and business continuity. However, some organizations may combine plans into a single document. This decision is often based on organizational size, complexity, sector, and structure.
The most common planning approach that we see organizations use looks like this:
{Create image for this here}
With this planning approach, individual teams (and their respective plans) can be triggered into action in response to a disruption impacting their respective function/department or resource dependency.
For crises or disasters that have the potential to disrupt the entire organization, the crisis management team (supplemented by the crisis communications team) would be triggered into action. This group, or groups, would provide strategic direction and address issues escalated from individual functions/departments, along with approving spend to acquire required resources for recovery. This group would also manage internal and external communications. Using this approach, other members of the organization’s executive leadership team who aren’t actively participating (or don’t have a specific role) aid and provide resources to the crisis management team on an “as needed” basis.
However, this approach does not make sense for all organizations. Some common examples of when a different structure is beneficial include:
Plan development addresses the creation of the plan, leveraging and summarizing information, conclusions and outcomes stemming from the Analysis and Strategy phases of the Business Continuity Operating System.
The first task is establishing the structure of each plan and clarifying the relationship among the plans. Business continuity plans typically include the following sections/content:
Response and recovery procedures
The business continuity plan scope and objectives section should summarize what the plan intends to accomplish. Additionally, the plan should define the scope of the response and recovery effort addressed by the plan.
This section should outline the team members needed to manage the response and recovery effort and their roles and responsibilities. Contact information for each team member should also be documented in the plan. In addition to the team’s contact information, any other individuals or organizations – internally or externally – that may need to be contacted during a disruption should be documented within the plan.
During the BCOS “Strategy” phase, decisions were made on how the organization would respond in general, and how to recover affected resources (people, workplace/equipment, information technology, and suppliers/third parties). During the planning process, it is important to document how to implement these strategies, and as necessary, how to operate differently when employing these strategies. Each procedure should be assigned to a team role to ensure that no steps are missed (thereby delaying the recovery effort). One more point regarding recovery strategies – business continuity plans should include information on how to use manual workarounds or alternate procedures, if known and possible.
Following the completion of an initial draft of each plan, it should be reviewed and approved by the members of the response or recovery team. Team members should validate that the procedures documented are accurate for their individual roles. Team members should be encouraged to add details and steps that accurately describe additional responsibilities or actions that they would perform during the response to a disruption. After the plan has been reviewed by members of the team, it should be approved by the plan owner, who is often the team leader.
Business continuity best practices recommend that documentation is reviewed, updated, and approved, at a minimum, on an annual basis. As such, Avalution recommends that on an annual basis (or more frequently if the organization covered by the plan changes materially) organizations review their business continuity plans. Team members, roles and responsibilities, and strategies/procedures are key areas that should be reviewed and refreshed. Considerations include:
Organizations face many challenges when documenting business continuity plans. A few of the most common challenges include:
Business continuity plan templates can ensure a higher level of quality through consistency of structure, and also efficiency by centrally creating content applicable to all plans. However, just like anything, a template can only do so much. While a plan template can provide a great starting point, it alone will not suffice if your organization wants to be truly prepared for an incident, unless the template is updated to describe how to respond and recover using selected strategies. Templates are a great start, but plan customization is where your organization will gain the most from the planning process.
One of the most common questions we hear when discussing the plan documentation process with plan owners is “What am I supposed to do when something happens?” The answer to this question and the focus of any plan should be very simple: the plan is used to guide the response to and recovery from the disruption. To do so, plans must document the answers to a few simple questions, notably:
The results from the business impact analysis (BIA) should establish business continuity requirements, enabling the strategy determination and plan documentation effort. The BIA should define what activities need to be resumed, how soon these activities need to be resumed, to what performance level, and what resources are needed. If a plan doesn’t address BIA results in a concise manner, the plan will lack focus and will likely be ineffective.
This ties in with our point about using plan templates!
Strategy development must occur before documenting business continuity plans. Too often, practitioners forget that the key function of a plan is to document the steps necessary to recover and describe how to operate in “recovery mode.” To ensure that plans are relevant and make sense, plan owners and those that use the plans must work together to identify strategies in the event of a resource loss. Once plan owners are aware of approved response and recovery strategies specific to their business activities, plan documentation typically becomes significantly simpler. Imagine trying to document the steps necessary to relocate operations to a new facility without knowing where that location is, how many employees can go there, and what resources are available.
All managers delegate, and when done right, delegation is often a good thing, especially when managers can leverage subject-matter experts (SMEs) to assist in the planning process. However, business continuity practitioners always need to work with managers to ensure that plans are written at the appropriate level and provide actionable steps for the recovery team, which usually consists of managers and SMEs. If the new summer intern isn’t familiar with business operations, he or she is probably not the best person to develop the function or department’s business continuity plan. Business continuity professionals can work with business owners to ensure appropriate buy-in and further set expectations for plan owners during the strategy and plan development process to ensure proper ownership and review prior to approval.
As mentioned earlier, there are five types of plans. Two of these plans that often get confused are IT disaster recovery plans and business continuity plans. Both types of plans focus on how an organization can respond to and recover from a disruption. That said, business continuity plans focus on the continuation and/or recovery of business activities, whereas IT disaster recovery plans focus on recovering IT infrastructure, applications and data.
Business continuity plans focus on four loss scenarios (people, suppliers, technology, and facilities/equipment) and the business’ response to a disruption of each. As introduced previously, plans are typically created at either the business unit, department, or site level. On the other hand, IT disaster recovery plans focus on the technical requirements that go into recovering an organization’s IT services and associated infrastructure. There are usually several plans created as part of an IT disaster recovery program:
Based on industry standards, Avalution recommends updating and performing planning activities on an annual basis (more frequently based on organizational change). In general, this determination should be made based on the speed at which your organization is changing and evolving. If an organization experiences significant changes often (e.g., the scope of each department, leadership, strategic initiatives, dependency shifts), it may be beneficial to review plans on a more frequent basis than if an organization remains largely stagnant in terms of departments, activities, risks, and dependencies.
Different individuals and groups are required during different steps of the planning process. First, the business continuity steering committee, program sponsor, and program manager should work collectively to determine the planning approach. This group should identify the type and number of plans that will be created (i.e. crisis management, IT disaster recovery, emergency response, and business continuity plans). From there, plan owners and team members should be chosen for each plan. These individuals should have the knowledge necessary to recover key activities and resources, as well as the respect and authority to make required decisions for the in-scope activities and resources.
Business continuity plan templates are a great start! They provide a structure, shared content, and standard roles and responsibilities. However, these templates do not provide the detail necessary or the organization-specific information that a value-adding plan includes. A plan template will not include HOW to employ chosen strategies to recover, nor the unique roles and responsibilities that are required to drive toward a successful recovery.
The first step in completing a business continuity plan is determining what plans are needed. This step should be completed by the organization’s steering committee and program manager. Considerations should include the scope of the business continuity program, size and complexity of the organization, dependencies that are used by in-scope departments/sites, and leadership required to recover from an incident.
Yes and no. Small programs may find it possible to manage a business continuity program/business continuity plans without software (by small, typically organizations with fewer than 10 or 15 functions/departments and fewer than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort (and to drive program continual improvement with workflow functionality). For larger organizations, software is almost essential as the automation alone can replace the costs associated with one or more FTEs. For example, software allows a program manager to eliminate the need to manually seek plan owner reviews and approvals. Additionally, software can be used to streamline the response and recovery by providing a “live” version of plans and a single-source repository to provide response updates. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Catalyst Business Continuity Software.
Resource-loss based planning is an “all-hazards” approach to business continuity planning. Rather than creating individual plan documents that focus on the wide variety of threats that could impact an organization (e.g., tornado, snowstorm, power outage), resource-loss based planning focuses on four key loss scenarios: the loss of personnel, technology, suppliers, or facilities. Resource-loss based planning is easier to document and maintain. Whether the organization is impacted by a tornado, fire, or power outage, a “loss of facility” strategy and procedures can help the organization effectively respond.
Like insurance, we hope that you never have to use your business continuity plan! However, selecting strategies and documenting plans ensures that, if a disruption does occur, you are ready to respond in an efficient and effective manner.