The Simplest Business Continuity Plan Assessment Approach Ever

Brian Zawada, FBCI | Apr 14, 2014

Although plan documentation isn’t the only business continuity planning outcome, and absolutely should not be the sole focus during a program assessment, it’s certainly an important one.  Plans are one of the first things customers and auditors ask to review because these documents should summarize the response and recovery approach used by the business following the onset of a disruptive incident, as well as a summary of the resources needed to deliver products and services.  If asked to evaluate a plan, what’s the best approach, and what elements and content should you expect to see?  The purpose of this perspective is to outline a simple, straightforward plan assessment approach.

What is a Plan?
According to ISO 22301, a business continuity plan is a set of “documented procedures that guide organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption”. In other words, a plan is like a good instruction manual – offering information on parts, how to assemble the product, how to operate the product, troubleshooting tips, and where to go for assistance.

Plan Content Best Practices
Clause 8.4.4 in ISO 22301 offers requirements that each plan should contain, including:

  • Purpose and scope
  • Objectives
  • Activation criteria and procedures
  • Implementation procedures
  • Role, responsibilities and authorities
  • Communication requirements and procedures
  • Internal and external interdependencies and interactions
  • Resource requirements
  • Information flow and documentation processes

Putting ISO 22301 aside for a moment, the plan should offer information that will be needed when faced with a disruptive incident – and nothing more!  Large, voluminous plans are likely to be ignored – during exercises and real events – as they are intimidating, often confusing, and typically delay and detract from the response and recovery effort due to (unnecessary) information overload.

From the ISO list above, place particular emphasis on roles and responsibilities, as well as on the procedures that explain two things:

  1. How to recover the activity or resource
  2. How to operate in “recovery mode” throughout the course of the disruptive incident

The Recommended Assessment Approach
I equate what I’m about to recommend to my Eighth Grade English class, which taught me about all the questions that my essay needed to address:  who, what, where, when, how, and to what extent.  Those are the exact same questions that I use to evaluate the usefulness and completeness of business continuity plans.  Specifically:

  • Who: Who is leading the response and recovery effort, who is a member of the response/recovery team (and what are their responsibilities), and who is our customer?
  • What: What are we trying to do in “recovery mode”?
  • Where: Where do I go?
  • When: When should I begin working again?
  • How: How do I recover and how do I operate in order to meet expectations?
  • To what extent: To what level may I produce my work in recovery mode, sacrificing what in terms of performance or quality?

When asked to review a plan or series of plans, review the documentation to ensure it meets any regulatory requirements or standards that the organization intends to comply with.  But, in terms of pure pragmatism, look to see if the plan answers the questions above.  If it doesn’t, it’s likely that one or more response or recovery team members will be confused and unable to fully meet stakeholder expectations – resulting in greater impact or missed business continuity requirements.

Plans should NEVER be assessed using the “weight test”, but rather on their content.  A plan is a guide, helping the organization flexibly respond to a disruptive incident and recover in a manner that meets interested party expectations.

Simply, does it answer, “what to do, where to go, when to do it, and how to go about it?”  If so, the plan is probably in pretty good shape.



Brian Zawada
Avalution Consulting: Business Continuity Consulting