Seven things every business continuity plan should contain
- Published: Wednesday, 24 February 2016 09:03
In an article aimed at people new to business continuity, Jennifer Craig examines the basic content of a business continuity plan, describing seven components that should be incorporated in every plan:
1. Initial response
When something disrupts day-to-day operations, everyone should understand what – if anything – they should do immediately. By planning for that – and exercising it – no one will be running in circles muttering “What’ll we do? What’ll we do?”
Whoever notices the ‘event’ should know what to do (like calling emergency services, alerting Security, pulling the fire alarm, etc.). Protocols for alerting the proper decision-makers should be planned (along with contact information for those decisions-makers).
The initial response should also include a clear plan for who will be ‘in charge’. Whether that’s locally, regionally, or corporately, making it clear so that all participants will understand.
Every disruption – regardless of cause – needs the same treatment: containment, to stabilize the situation and to prevent it from getting worse.
This involves understanding what happened, including the cause of the event – and its potential impact if left unchecked. Like containing wildfires, containment needs to be a simple procedure; there’s no time to get caught up in analysis/paralysis, or to delay decisions while awaiting more detailed information.
Assess the impact, determine how to stop the ‘bleeding’ and figure out what short-term and medium-term goals are appropriate to the situation.
Once an impact assessment has been conducted, the services that will need to be restored will become evident.
Linking the plan to the services/assets that it is designed to recover (or continue) enables the incident management team (IMT) to determine which plans to activate.
Who is responsible for the plan? Who will be contacted by the IMT? What will they do, where will they do it, and with whom?
In response to an incident, multiple stakeholders might initiate various actions to stabilize and or restore services. This could be a diverse group of responders coordinating across multiple geographically dispersed locations. Timely communication between the various respondents is critical to effective incident response.
Communications during an incident response may be to
- Alert potential stakeholders,
- Notify management,
- Invoke responders,
- Update current state of restoration activities,
- Report to senior management or facilitating
- Collaborate among responders.
Every plan should ensure that communication is emphasized and that protocols are defined as to when in the recovery process it should take place. The plan also needs to make clear who is responsible for initiating the communication process and whom to target with each communication task.
5. Planned response
After the initial response activities and completion of the initial assessment, incident managers might ‘declare a disaster’ and invoke business continuity plans: the planned response which is the focus of continuity planning. The scope of planned response should include:
- What is the incident scenario or is it a combination of scenarios?
- What are the true impacts and the causality / downstream impacts?
- What are the available response strategies?
- Are resources (work areas, people, technology, supplies...) available to deliver the planned response?
- Protocols to monitor, measure and manage the recovery efforts.
6. Extended response
While you may plan for a specific recovery time objective (RTO), actual recovery may take longer; perhaps days, perhaps weeks, or even months longer.
Be prepared for an extended response – even though you don’t expect it (after all, isn’t a business continuity plan supposed to be about preparing for the unexpected?).
What resources (facilities, people, supplies, suppliers, technology, equipment) will you need to sustain a lengthy recovery? Also plan for rotating staff, roles and responsibilities, and task hand-offs for extended response.
Be prepared to work with – or under the direction of – others outside your organization. In an event that impacts more than your organization, local, regional or federal authorities may assume command of the response. A simple acknowledgement of that possibility – and how you’ll deal with it – should be included in your plan.
7. Return to normal
When a disruptive event ends, it’s not like a football game. There’s no final whistle and there are questions that will need to be answered:
- Is the return to ‘normal’ or a ‘new normal’?
- How will back-logs of work be reduced?
- How will work be divided between ‘normal’ operations and these post-event tasks?
- How will information – for insurance and regulatory purposes – be collected?
No two business continuity plans are alike, but all can benefit from considering these seven components. In many cases, smaller plans –containing only some of these components – may be rolled up into a larger plan that, with their inclusion, contains them all.
Jennifer Craig is manager, marketing at eBRP. Jennifer has been the cheerleader for everything eBRP – from designing & coordinating tradeshows, print ads, press releases and building eBRP’ s web presence. Strategic efforts with LinkedIn, Twitter, WordPress and Hootsuite makes Jen the key social media marketing champion at eBRP. Her efforts have greatly enhanced eBRP’s brand image globally and is credited for many of the accolades and awards in eBRP’s trophy showcase.