Avalution Consulting

Ultimate Guide to Business Continuity Planning

What is a Business Continuity Plan?

A key output of the business continuity planning process, ISO 22301 states that a business continuity plan is a set of “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.” Said another way, business continuity plans are documented steps that help organizations respond once a disruption occurs to minimize impact to those affected.

In most business continuity programs, there are five major types of plans:

  1. Crisis Management Plans:
    Sometimes referred to as “incident management plans,” crisis management plans provide a structured response to a disruption that if poorly managed, will result in unacceptable consequences for the organization. These plans provide steps and considerations for the organization’s strategic response to a disruption.
  2. Crisis Communications Plans:
    A crisis communications plan serves to supplement crisis management activities by coordinating two-way communications with internal and external stakeholders.
  3. Emergency Response Plans:
    Emergency response plans are typically written for a location and focus on ensuring a safe work environment and the protection/preservation of life.  These plans may include different sets of procedures for different threats.
  4. IT Disaster Recovery Plans:
    IT disaster recovery plans are technology plans that focus on the recovery of IT systems, data, and telecommunication assets.
  5. Business Continuity (Recovery) Plans:
    Business continuity, or business recovery, plans focus on the continuation and/or recovery of business activities and resources that support the delivery of products and services.  These plans typically include procedures, manual workarounds, and alternate procedures addressing the loss of the workplace, equipment, people, technology and suppliers.

This article focuses on the fifth of the plan types, business continuity plans.

 

What is the Purpose of a Business Continuity Plan?

The purpose of a business continuity program is to prevent disruption and respond efficiently and effectively when one occurs. As such, business continuity plans typically serve three main purposes:

  1. Ensure that employees, contractors, customers, and visitors remain safe
  2. Minimize the impact associated with disruption by speeding up the recovery effort
  3. Protect the organization’s reputation, operations, and relationships with stakeholders

There’s a US military quote that’s often cited when it comes to “plans” (with many people receiving credit for it). It goes something like this: “Plans are only useful as evidence that planning took place.”

When it comes to business continuity plans, that is partially true.  Business continuity plans must remain flexible to changing circumstances, but also include procedures that outline how to implement recovery strategies addressing a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties.

What is the Best Approach to Writing a Business Continuity Plan – Resource-Loss vs. Threat-based Planning?

Loss of Technology

Loss of Facility

Loss of Supplier

Loss of Personnel

Over the years, business continuity professionals debated two major schools of thought on the approach to planning: resource-loss based planning and threat-based planning. Avalution strongly recommends the former, resource-loss based planning.

Several years ago, the business continuity industry focused on completing threat-based plans. These plans focused on an organization’s response to very specific events: snowstorms, fires, floods, pipe bursts, tornados, and acts of terrorism. There are two key issues with threat-based planning:

  1. You can never plan for every situation
  2. Attempting to plan for every situation necessitates endless documentation, meetings, and considerations (and therefore increases the administration burden associated with maintaining these numerous plans)

Also, should any of these threats occur, the result is the same – a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties.  So why not keep it simple and streamline the planning effort?

This is where resource-loss based planning came into place.

When creating business continuity plans (typically, one plan each for a function or department), Avalution focuses on four main resource types: people, workplace/equipment, information technology, and supplier / third parties. When documenting business continuity procedures, Avalution first works to identify the best strategies to address each resource loss for each department or function, and then documents how to implement each strategy following the onset of a disruption and as necessary, how to operate differently until returning to normal.

Before covering the business continuity plan creation process in more detail, it’s important to point out one more detail.  There is a place for some threat-based procedures.  For example, procedures to address preparation for hurricane, or if a public health emergency is imminent, how to prepare staff for a period of absenteeism.

How to Write a Business Continuity Plan?

STARTUPANALYSISSTRATEGYPLANSEXERCISEIMPROVE
Frame
Engagement Plan
Right People
Process FBA
Issues
1 Hour Discussions
5 Dependencies
Activity Metrics
Options
Choose
Implement
P+S Metrics
Coordinate
Who
How
Learn It + Feel It
Awareness
Actions
Goals
Quarterly
Annual
Measure
Check-It

Plan documentation is the fourth phase in Avalution’s Business Continuity Operating System (BCOS). Prior to documenting plans, it is necessary to complete the Startup, Analysis, and Strategy phases to scope the business continuity program, understand key activities as they relate to the organization’s key products and services, identify activity dependencies (resource requirements), and determine the strategies to recover each dependency.

After completing the first three BCOS phases, it is time to document the business continuity plans. Creating business continuity plans involves four steps:

  1. Planning Approach Determination: Determine how the organization intends to manage the response to a disruption, the scope of the plans, and how the different plan types interact
  2. Plan Development: Design the plan structure, collect the information necessary to manage the response to the disruption, and then create the procedures (answering the question, “how”)
  3. Plan Review and Approval: Review the draft plan with the plan owner and the team that will be charged with responding to the disruption; seek their feedback and approval

Plan Refresh: Review the plan periodically (typically annually or following significant change) to confirm strategies remain appropriate, assigned team members remain accurate, and procedures are both complete and accurate

1. Planning Approach Determination

As discussed earlier, there are five types of business continuity plans: crisis management, crisis communications, emergency response, IT disaster recovery, and business continuity. However, some organizations may combine plans into a single document.  This decision is often based on organizational size, complexity, sector, and structure.

The most common planning approach that we see organizations use looks like this:

{Create image for this here}

With this planning approach, individual teams (and their respective plans) can be triggered into action in response to a disruption impacting their respective function/department or resource dependency.

For crises or disasters that have the potential to disrupt the entire organization, the crisis management team (supplemented by the crisis communications team) would be triggered into action. This group, or groups, would provide strategic direction and address issues from individual functions/departments that were escalated, along with approving spend to acquire required resources for recovery. This group would also manage internal and external communications. Using this approach, other members of the organization’s executive leadership team that aren’t actively participating (or don’t have a specific role), aids and provides resources to the crisis management team on as “as needed” basis.

However, this approach does not make sense for all organizations. Some common examples of when a different structure is beneficial include:

  • Executive Leadership Involvement: Some organizations have a culture or organizational structure where executive leadership feels that they should be the crisis management team. This approach is often the case for small to mid-sized organizations or when crisis communications are, typically, the primary focus of the crisis management team.
  • Site Recovery Plans: For some organizations, namely those in the manufacturing industry, site recovery plans are used either instead of, or as a supplement to, function/department recovery plans. This approach is typically used when recovering processes comprised of multiple elements of different functions or departments.

2. Plan Development

Plan development addresses the creation of the plan, leveraging and summarizing information, conclusions and outcomes stemming from the Analysis and Strategy phases of the Business Continuity Operating System.

The first task is establishing the structure of each plan and clarifying the relationship among the plans.  Business continuity plans typically include the following sections/content:

  • Plan scope and objectives
  • Team members and contact information

Response and recovery procedures

Scope and Objectives

The business continuity plan scope and objectives section should summarize what the plan intends to accomplish. Additionally, the plan should define the scope of the response and recovery effort addressed by the plan.

Team Members and Contact Information

This section should outline the team members needed to manage the response and recovery effort and their roles and responsibilities. Contact information for each team member should also be documented in the plan. In addition to the team’s contact information, any other individuals or organizations – internally or externally – that may need to be contacted during a disruption should be documented within the plan.

Response and Recovery Procedures

During the BCOS “Strategy” phase, decisions were made on how the organization would respond in general, and how to recover affected resources (people, workplace/equipment, information technology, and suppliers/third parties). During the planning process, it is important to document how to implement these strategies, and as necessary, how to operate differently when employing these strategies. Each procedure should be assigned to a team role to ensure that no steps are missed (thereby delaying the recovery effort). One more point regarding recovery strategies – business continuity plans should include information on how to use manual workarounds or alternate procedures, if known and possible.

3. Plan Review and Approval

Following the completion of an initial draft of each plan, it should be reviewed and approved by the members of the response or recovery team. Team members should validate that the procedures documented are accurate for their individual roles. Team members should be encouraged to add details and steps that accurately describe additional responsibilities or actions that they would perform during the response to a disruption. After the plan has been reviewed by members of the team, it should be approved by the plan owner, who is often the team leader.

4. Plan Refresh

Business continuity best practices recommend that documentation is reviewed, updated, and approved, at a minimum, on an annual basis. As such, Avalution recommends that on an annual basis (or more frequently if the organization covered by the plan changes materially) organizations review their business continuity plans. Team members, roles and responsibilities, and strategies/procedures are key areas that should be reviewed and refreshed. Considerations include:

  • Team members: Update roles and responsibilities to reflect the current team and its responsibilities.
  • Strategies and Procedures: If systems, suppliers, people, or facilities have changed for the given plan, the associated strategies and procedures should be updated. Procedures should continually be enhanced to reflect how the team would recover from a given incident. Especially if an incident has occurred since the past plan revisions, procedures should be reconsidered and updated to accurately reflect how the response to the disruption should occur.

Common Challenges When Creating Business Continuity Plans

Organizations face many challenges when documenting business continuity plans. A few of the most common challenges include:

Reliance on Templates

Business continuity plan templates can ensure a higher level of quality through consistency of structure, and also efficiency by centrally creating content applicable to all plans.  However, just like anything, a template only can do so much. Where a plan template can provide a great starting point, it alone will not suffice if your organization wants to be truly prepared for an incident if the template is not updated to describe how to response and recover using selected strategies.  Templates are a great start, but plan customization is where your organization will gain the most from the planning process.

Plans Lack Focus

One of the most common questions we hear when discussing the plan documentation process with plan owners is “What am I supposed to do when something happens?” The answer to this question and the focus of any plan should be very simple: the plan is used to guide the response to and recovery from the disruption. To do so, plans must document the answers to a few simple questions, notably:

  • Who is involved with the response and recovery effort?
  • How do we response and recover in a timely manner?
  • When do we recover (and to what performance level)?
  • How do we operate in “recovery mode” until returning to normal?

The results from the business impact analysis (BIA) should establish business continuity requirements, enabling the strategy determination and plan documentation effort.  The BIA should define what activities need to be resumed, how soon these activities need to be resumed, to what performance level, and what resources are needed. If a plan doesn’t address BIA results in a concise manner, the plan will lack focus and will likely be ineffective.

Plan Activities and Tasks are Too Generic or Irrelevant

This ties in with our point about using plan templates!

Strategy development must occur before documenting business continuity plans. Too often, practitioners forget that the key function of a plan is to document the steps necessary to recover and describe how to operate in “recovery mode.” To ensure that plans are relevant and make sense, plan owners and those that use the plans must work together to identify strategies in the event of a resource loss. Once plan owners are aware of approved response and recovery strategies specific to their business activities, plan documentation typically becomes significantly simpler. Imagine trying to document the steps necessary to relocate operations to a new facility without knowing where that location is, how many employees can go there, and what resources are available.

Plan Content Is Not Developed for the Right Audience

All managers delegate, and when done right, delegation is often a good thing, especially when managers can leverage subject-matter experts (SME) to assist in the planning process. However, business continuity practitioners always need to work with managers to ensure that plans are written at the appropriate level and provide actionable steps for the recovery team, which usually consists of managers and SMEs. If the new summer intern isn’t familiar with business operations, he or she is probably not the best person to develop the function or department’s business continuity plan. Business continuity professionals can work with business owners to ensure appropriate buy-in and further set expectations for plan owners during the strategy and plan development process to ensure proper ownership and review prior to approval.

What is the Difference Between an IT Disaster Recovery Plan and a Business Continuity Plan?

As mentioned earlier, there are five types of plans. Two of these plans that often get confused are IT disaster recovery plans and business continuity plans. Both types of plans focus on how an organization can respond to and recover from a disruption. That said, business continuity plans focus on the continuation and/or recovery of business activities, whereas IT disaster recovery plans focus on recovering IT infrastructure, applications and data.

Business continuity plans focus on four loss scenarios (people, suppliers, technology, and facilities/equipment) and the business’ response to a disruption of each. As introduced previously, plans are typically created at either the business unit, department, or site level.  On the other hand, IT disaster recovery plans focus on the technical requirements that go into recovering an organization’s IT services and associated infrastructure. There are usually several plans created as part of an IT disaster recovery program:

  • IT Incident Management Plans: Describes the strategic nature of IT response and recovery, summarizing priorities and order of recovery, with an IT Incident Management team to oversee the overall response and recovery effort.
  • IT Infrastructure Recovery Plans: Based on the size and complexity of an organization, IT Infrastructure Plans can be developed in different ways. However, these plans typically address how to recover network, storage, compute (servers and databases), and telecommunications assets.
  • IT Application Recovery Plans: IT Application Plans document how to recover, test and connect the end user to a recovered application and its data.

Frequently Asked Questions

How often do you perform business continuity planning?

Based on industry standards, Avalution recommends updating and performing planning activities on an annual basis (more frequently based on organizational change). In general, this determination should be made based on the speed in which your organization is changing and evolving. If an organization experiences significant changes often (i.e. the scope of each department, leadership, strategic initiatives, dependency shifts), it may be beneficial to review plans on a more frequent basis than if an organization remains largely stagnant in terms of departments, activities, risks, and dependencies.

Who should be involved in business continuity planning?

Different individuals and groups are required during different steps of the planning process. First, the business continuity steering committee, program sponsor, and program manager should work collectively to determine the planning approach. This group should identify the type and number of plans that will be created (i.e. crisis management, IT disaster recovery, emergency response, and business continuity plans). From there, plan owners and team members should be chosen for each plan. These individuals should have the knowledge necessary to recover key activities and resources, as well as the respect and authority to make required decisions for the in-scope activities and resources.

Does a business continuity plan template suffice?

Business continuity plan templates are a great start! They provide a structure, shared content, and standard roles and responsibilities. However, these plans do not provide the detail necessary or the organization-specific information that value-adding plan includes. A plan template will not include HOW to employ chosen strategies to recover as well as unique roles and responsibilities that are required to drive toward a successful recovery.

How do I start a business continuity plan?

The first step in completing a business continuity plan is determining what plans are needed. This step should be completed by the organization’s steering committee and program manager. Considerations should include the scope of the business continuity program, size and complexity of the organization, dependencies that are used by in-scope departments/sites, and leadership required to recover from an incident.

Do I need software for a business continuity plan?

Yes and no. Small programs may find it possible to manage a business continuity program/business continuity plans without software (by small, typically organizations with less than 10 or 15 functions/departments and less than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort (and to drive program continual improvement with workflow functionality).  For larger organizations, software is almost essential as the automation alone can replace the costs associated with one or more FTEs.  For example, software allows a program manager to eliminate the need to manually seek plan owner reviews and approvals. Additionally, software can be used to streamline the response and recovery by providing a “live” version of plans and a single-source repository to provide response updates. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Catalyst Business Continuity Software.

What is resource-loss based planning?

Resource-loss based planning is an “all-hazards” approach to business continuity planning. Rather than creating individual plan documents that focuses on the wide variety of threats that could impact an organization (i.e. tornado, snowstorm, power outage), resource-loss based planning focuses on four key loss scenarios: the loss of personnel, technology, suppliers, or facilities. Resource-loss based planning is easier to document and maintain. Whether the organization is impacted by a tornado, fire, or power outage, a “loss of facility” strategy and procedures can help the organization effectively respond.

Why is business continuity planning important?

Like insurance, we hope that you never have to use your business continuity plan! However, selecting strategies and documenting plans ensures that, if a disruption does occur, you are ready to respond in an efficient and effective manner.

Avalution EMEA
Level 1, The Chase
Carmanhall Road, D18 Y3X2
+353.1.536.3299 (Ireland)

Avalution Consulting, LLC
Suite 410
323 W Lakeside Ave
Cleveland, OH 44113
+1.866.533.0575 (USA)