In an article aimed at providing assistance to those starting out in business continuity, CMAC overviews the basics of business continuity and offers a useful framework for writing your first business continuity plan.
What is a business continuity plan?
A business continuity plan is a written document that describes the emergency procedures that should happen if a business-critical process fails.
Several sources can threaten businesses. Sometimes, disruption can take the form of force majeure circumstances, like extreme weather or political unrest. Other circumstances are less obvious, but just as disruptive: supply chain issues, web server downtime or power outages can do permanent damage to a business’s finances after a certain amount of time.
Businesses must prevent unwanted downtime to ensure critical functions and services aren’t affected. The best way to ensure a consistent and effective response to potential issues is to implement a robust, documented business continuity plan.
What is the purpose of a business continuity plan?
A strategically structured and rehearsed business continuity plan provides a number of benefits to both employees and the company itself.
Alongside improvements to communication, technology and resilience, here are some of the benefits you can expect from a business continuity plan:
Help your business survive a disruptive event - Ensuring you have a robust plan in place will enable your business to recover from an incident in the shortest possible timeframe.
Protect your organization’s reputation and brand - Whether it’s in the eyes of the public, suppliers and/or clients you work with, showing that you can respond well to the unexpected will instil confidence in your business and help to mitigate any negative feelings due to disruptions.
Strengthen your relationship with third parties and subsidiaries - With an effective business continuity plan, you’ll demonstrate that your company is being run well from the top down. By showing that you’re a reliable partner that can be depended on, you’ll attract new business and solidify your relationship with current clients and service providers.
Ensure staff safety - The well-being of your employees is a natural factor in a business continuity plan. By ensuring your team is looked after and knows what the procedure is during disruptions, you can establish clear roles and responsibilities to keep everyone under your care safe in an emergency.
Meet regulatory standards - Globally, there are corporate governance regulations that require directors and key stakeholders to exercise reasonable care, skill and diligence to mitigate risks facing an organization. With an effective business continuity plan in place, you can ensure you’re meeting the requirements of a growing body of legislation.
What does a good business continuity plan look like?
The three key elements of a business continuity plan are resilience, recovery, and contingency:
Resilience - Businesses can increase their resilience by designing critical functions and infrastructures to protect against specific scenarios. Examples include data redundancy, staffing rotations and maintaining a surplus of capacity. If implemented efficiently, resilience in business continuity can even keep essential services running on-site or remotely without interruption to daily operations.
Recovery - There’s no way an organization can prepare for every eventuality. But with rapid recovery, you can future-proof your business by ensuring you have strategies in place to restore business functions in an emergency. With recovery time objectives for different systems, you can analyse and prioritise which needs recovering first.
Contingency - A contingency plan ensures that an organization has procedures in place to distribute and delegate responsibilities for a range of external scenarios. These can include replacing hardware, sourcing an emergency workspace and contracting third-party vendors for assistance.
Who is responsible for a business continuity plan?
To ensure your organization’s readiness, it’s important to designate who will be responsible for implementing and managing your business continuity plan. For small businesses, a single individual could be tasked with writing a business continuity plan. For larger organizations, a whole team could be involved in developing it.
In such cases, business unit leaders - such as payroll, corporate travel, human resources and security - will be given the responsibility of creating their respective unit’s business continuity plan with a program manager overseeing the process.
It is essential to make sure each person understands their responsibilities and that there are clear lines of communication between employees and external stakeholders, in order to keep everything as smooth as possible during a disruptive scenario.
What is the first step in writing a business continuity plan?
The first step you should take when preparing to write a business continuity plan is to conduct a full Business Impact Assessment (BIA).
A BIA predicts the consequences of a significant disruption to your business processes. It clarifies the potential losses that could be incurred in each circumstance.
A BIA should include the following:
Potential losses - What would your lost sales and income look like for each hour of downtime, or each day?
Delayed sales - Could disruption create cash flow issues for you by delaying your sales or income? If so, to what extent? What lines of credit would you have to rely on?
Increased expenses - How much would you have to spend on resources to mitigate the issue? Think about things like overtime, outsourcing, and costs associated with expediting business-critical activities.
Regulatory fines - How much could you be fined by regulators for breaches of things like data privacy or health and safety?
Contractual penalties - Are there any charges you could incur for failing to meet SLAs with your business partners?
Customer satisfaction - How much damage could a disruption do to your public reputation? You can quantify this by thinking of the number of additional negative reviews you could receive for each day of delays.
Delay of new business plans - Would you need to push back any planned launches or new business agreements while you deal with disruptions?
Writing your plan: a step-by-step framework
Identify your business-critical processes - Critical business processes are those necessary for the survival of the company in the case of loss of revenue, customer service interruption or reputation damage. For example: Manufacturing - what you would need to keep your production line going. Finance - how to recover important documents that contain sensitive information. IT - is home working feasible for your business?
Specify the target recovery time for these processes - How long would it take for the loss of a business-critical process to do irreparable damage to your business? Your target recovery time for each process you identified should be within this window. Determine how long you could tolerate a disruption: this is known as a recovery time objective (RTO). Your business continuity plan should enable you to mitigate disruptions within this time window.
Define the specific resources needed for each process - Once you’ve identified how long you have to restore a process, you’ll need to outline everything required to do so, and plan within that time frame. You could split this into internal resources (key people in your organization, passwords, office space, specialist equipment) and external resources (e.g. supplies, transportation). You should also identify how readily available they can be, and for how long you’ll need them.
Describe the steps needed to restore each process - If your business is disrupted by an IT failure, fire, flood or an extreme weather event, what is your plan to address this? Devise a backup plan for each key operation you have, detailing who to contact, what resources you’ll need, and how much you might need to spend in order to restore each process.
Decide on a schedule to update the information - Once you’ve compiled the above four points, you’ll have a strong business continuity plan that you can action. But it won’t be bulletproof forever. As your business evolves, so will the technology it uses and the relationships it has. Therefore, you need to plan ways to keep the information up-to-date. It might be that you decide on a regular date that the whole plan needs to be revisited, whether that’s yearly, quarterly or even monthly. Alternatively, you might decide it’s better to update small elements of the plan as and when they change: e.g. if a password to a critical folder is changed, there’s someone in your organization who is responsible for updating your business continuity plan accordingly.
What are the four P’s of business continuity planning?
The four P’s of business continuity are people, processes, premises, and providers:
- People - This covers your staff, customers and clients.
- Processes - This includes the technology and strategies your business uses to keep everything running.
- Premises - Covers the buildings and spaces from which your business operates.
- Providers - This includes parties that your business relies on for getting resources, like your suppliers and partners.
You can use the four P’s when reviewing the initial draft of your business continuity plan to ensure you’ve considered the impact on each of them at every stage.
For example, how might your plan to recover important documents out of working hours impact your staff? How hard would it be to access the premises? When should you notify your clients and business partners?
What is the most important part of a business continuity plan?
Every element of your business continuity plan is important, but perhaps the most critical part to get right is how you plan to respond to potential issues. It’s advantageous to have precise calculations about potential losses and the impact on your business relationships, but without a clear and effective way of reacting to disruptions, your business will incur serious - and sometimes irreparable - financial damage.
Business continuity plan template
The following example business continuity plan template will help you get started:
1. Objective of the plan
Open with a short summary of the ‘why’ behind the how. Explain clearly and succinctly that the aim of your business continuity plan is to protect your business in the event of a disruption to business-critical processes.
2. Business-critical processes checklist
Your plan will need to contain a list of its most important processes. Below are a few examples:
Recovery time objective (RTO)
Receiving orders via the website
Shipping orders out of the warehouse
3. Recovery plan
For each critical function you listed in step 2, you’ll need to specify a comprehensive, tailored recovery plan that should be followed in order to get the process back up and running within your RTO. For example:
Critical Function: Receiving orders via the website
RTO: 2 hours
Responsibility [e.g. team member or department]: eCommerce Team
Potential impact if disrupted: -£1,500 per hour
Resources for recovery:
4. Contact list
Create lists of staff, suppliers and insurers that should be contacted in case of an emergency.
List of key staff: example
Supplier list: example
Name of POC:
List of insurers: example
Type of Policy:
About the author
CMAC specialises in providing emergency assistance to businesses experiencing transport disruptions to keep things running smoothly and minimise potential losses. Learn more about CMAC’s full suite of industry-leading recovery solutions, from ground transport to emergency accommodation.