How to Create a Business Continuity Plan
When a business crisis occurs, the last thing you want to do is panic. The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen. A business crisis can cost your company a lot of money and ruin your reputation if you aren't proactively prepared to handle one. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with a plan to uphold its essential functions. In this post, we'll explain what business continuity is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business. Table of Contents: Business Continuity Planning How to Write a Business Continuity Plan Business Continuity Plan Template Business Continuity Examples Business Continuity Management Business continuity is the advanced response planning to deal with a crisis or difficult situation so your organization can continue to run without disruption. This translates into an actionable business continuity plan that is used to handle minor disruptions to full-blown threats. A business continuity plan is important because regular operations will need to continue in the event of a crisis -- and sometimes, especially during a crisis. Having a business continuity plan in case of each type of crisis will be helpful to maintaining your operations. Below we'll go over different types of business continuity. Operational continuity means that the systems and processes your business relies on are able to continue functioning without disruption. As these processes are critical to business operations, it's important to have a plan in place in case disruption occurs so you can minimize the loss of revenue. Organizations that rely on technology to run want to ensure the integrity and continuity of those systems. For example, while the functionality of Google Drive is not within your realm of control, there are many internal systems that you'll want to maintain and mitigate, like maybe having an offline file storage system to access important documents. Economic continuity means that your business is still able to continue being profitable during possible disruptions. Every business has its ups and downs, so one thing you'll want to do is future-proof your organization for negative scenarios that can hit the bottom line. Workforce continuity means that you'll always have enough staff, and the right staff, to handle the work that comes through your doors, especially during times of crisis. Workforce continuity goes beyond planning the right roles and staffing the right people to fill them. In order for them to show up every day and perform well, they must feel safe to do so. This involves creating a comfortable work environment, and ensuring that, even during a crisis, people have the tools they need to succeed and feel supported in the workplace. Environmental continuity means that your team is able to operate effectively and safely in their work environment. This can mean considering possible threats to your physical office or headquarters, and coming up with plans of action if these issues occur. You want your employees to be safe. You also want your employees and business assets to be secure as well. Security breaches can cause major harm to your operations, safety, and reputation. Continuity in this realm means prioritizing employee security and safety of important business information, and plans of action if the information were to become compromised. Customer satisfaction and a good reputation can fuel your flywheel and result in increased revenue. The flip side of this coin, however, is that a tarnished reputation can cause great harm. Reputation continuity means continuously monitoring conversations about your brand or business, prioritizing customer satisfaction, and coming up with action plans for rectifying situations if your reputation is called into question. The difference between disaster recovery and continuity plans lies in that disaster recovery plans are technical plans focused specifically on recovering from failures, while business continuity plans manage relationships during a crisis. Disaster recovery plans are created as part of an overarching business continuity plan. Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each. Your business continuity plan should be reviewed at least twice per year. You should constantly be looking over the plan and testing it to make sure it's up-to-date with your current business processes. The larger your organization is, the more complex your systems are going to be, meaning you'll want to review your business continuity plan more frequently to ensure there aren't any overlooked gaps. The following schedule is recommended to maximize the reliability and validity of your plan, while also minimizing the amount of time you're putting into plan review. Your teams should review the elements of your business continuity plan bi-annually to make sure all the responses still apply to your current status. In addition, you'll use this opportunity to ensure that each response aligns with your desired business goals. Just like schools have fire drills, your organization should have emergency drills to prepare your staff for the steps that are laid out in your business continuity plan. This will also help when a real crisis occurs because they will have practiced the steps before. All stakeholders that are involved in your business continuity plan should meet every other year to discuss it. The review doesn't need to take too much time and doesn't require physically running through the steps, but it can help you uncover red flags that may otherwise go unnoticed without testing. Unlike the tabletop review, the comprehensive review takes a deep dive into the plan. It should look closely at cost-benefit analyses as well as recovery procedures to ensure everything is up-to-date with current business operations. This is an in-depth test in which your continuity plan is put into motion to test for any weaknesses or mishaps. Since this test is time-consuming, it shouldn't occur frequently, but it will ensure all internal stakeholders are confident in the plan. No matter what type of business you are operating, you need to be constantly considering the possible threat of a crisis. If you want to be able to effectively manage them, then it's essential that you have a business continuity plan in place to tackle difficult or unexpected situations. A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis. Below we'll go over the process of writing a business continuity plan. Before you begin strategizing, assemble a management team to be in charge. The job of crafting a business continuity plan isn't a light one, so this group should include people who are detail-oriented and organized. Some of the roles on the team are: What are you trying to achieve with this plan? It's important to know the end goal, whether it be resuming business processes as normal or improving the organization's reputation. When laying out the objectives, you should also consider your budget to get a sense of the resources that you're going to be working with. Executives and upper management have a great bird's eye view of an organization, but business continuity issues happen at all levels of an organization. For an analysis that's truly comprehensive (and, in effect, valuable), you'll want to interview key team members in various departments of your organization. Choose individuals who know the ins and outs of their department's operations and understand the importance of its functionality within the grander scheme of the organization. You can ask questions such as: The above questions are a guide to help give you insight into the areas of your business that require the greatest degree of business continuity. Prioritize the business functions and threats that are the most critical according to: The idea here is to quantify the information you received during the interviews: Once you've gathered information across disparate processes, it's time to compile that information into a format that reflects the broader business. A Business Impact Analysis (BIA) analyzes the main operations of an organization, the major resources it uses, how its operations relate to one another — a.k.a. when one function goes down, how does it affect other operations — and how long each function generally takes to complete. A BIA is a key part of the final business continuity plan. This is where you summarize your findings regarding costs against benefits to further underscore what gets prioritized. Now that you have a good idea of what to include in your plan, start by composing a first draft that can serve as a baseline. The draft should include the following aspects to ensure a well-rounded, actionable plan: Of course, you should immediately test your plan. Start with communicating with those that play a critical role in your continuity plan. After they know what their involvement is in the plan, conduct a mock recovery test and put the plan into action. Make note of any gaps that arise during this process. After testing is complete, correct any flaws you've uncovered throughout the process. Continue testing and implementing changes until you're satisfied with the outcomes. However, it is important to be aware that business changes will likely require updating the plans you have. Given this, it's important to keep testing your plan to ensure it's up to date with your business needs, and you're properly prepared for any type of crisis. Now that you've learned everything there is to know about business continuity plans, use the following template to start creating one for your organization. Name of Organization Date I. Program Administration 1. [Purpose of the plan] 2. [Objectives of the plan] 3. [Budget] 4. [Timeline] The gathering process for this section could take anywhere from 1-2 weeks, as you'll want to take enough time to uncover all the necessary information that helps you understand why the plan is necessary for your business. It is essentially the background information for your plan. II. Governance 1. [Members of the business continuity team with their roles and contact information] 2. [Other stakeholders with their contact information] III. Business Impact Analysis 1. [Business Impact Analysis] This section of your plan will take the most amount of time to complete. As it is a full assessment of how a crisis will affect your business, you'll need to analyze multiple different types of scenarios that you may encounter and analyze how each one will affect your business and the specific areas of your business that will be affected. Aim to spend a week or so drafting the analysis and collaborating with the relevant teams and stakeholders that will be involved in enacting your plan when a crisis does occur. To conduct the actual analysis, give yourself 1-2 weeks, or enough time to accurately assess the possible scenarios and impacts they will have on your business if they occur. IV. Strategies and Requirements 1. [Proactive strategies to prevent crises] 2. [Reactive strategies to immediately respond to crises] 3. [Reactive strategies for long-term recovery from the crises] After conducting your business impact analysis, you should have an understanding of how your business will need to respond to crises when they arise in order to come out on top. Spend a week or so crafting the strategies that will make up your continuity plan, and collaborate with relevant stakeholders. V. Training and Testing 1. [Training schedule for employees] 2. [Testing schedule] It's best to test and iterate on your plan multiple times a year to ensure that it's up-to-date with your business needs. Maybe you run through the plan once a quarter to ensure that everyone is on the same page and new hires have the chance to learn along with their experienced peers, or maybe you do scenario run thoughts twice a year. Let's say that your entire workforce accesses, creates, and manages necessary files in Google Drive throughout the day. What happens if Google Drive has an unplanned product outage? Do you have a backup plan in place for your team to access files, or will there be a major loss of productivity until the issue is resolved? Identifying your essential operational functions can help you identify and mitigate risk. This is where your interviews will come into play the most. Examples of operational failure may include: The operational continuity plan shown above provides a great starting point for crafting your own. Say your network goes down in the middle of the day and employees are unable to access the internet or dial out with their phones. Do you have an information technology department that can quickly diagnose the issue? If you don't, do you know the numbers of your ISP provider so that you can quickly get them on the phone and resolve the issue? You can't always anticipate unexpected errors, but you can put a process in place to handle them swiftly and effectively. The table above is an example of a backup strategy businesses can use in a crisis. Here are some examples of tech-related business continuity issues: Your biggest client goes out of business, slashing your annual recurring revenue by hundreds of thousands of dollars. Did this client make up the majority of your revenue and you counted them as a sure thing, or did you insulate yourself against this loss with other sources of income? How will you adjust to the revenue loss, where will you cut the budget, and do have a concrete plan to protect against workforce layoffs? Markets change, client attrition happens, economies ebb and flow. The important part is to understand how your organization can weather these events. Here are some examples: Creating a chart similar to the one above can help you determine how much of a risk certain economic factors are for your business and how to address them. Let's say that you have a rockstar on your leadership team. With extreme performance comes opportunity, and that rockstar may decide to leave your organization to pursue employment elsewhere. Are there critical business functions that only this employee knows how to do, or do you have a cross-functional team who can take on the work should they decide to leave? How does this impact the workflow of the company, especially if it takes time to fill the role with someone else? It all comes down to resource management and making sure that you can adapt to workforce changes in an agile way. However, this is often easier said than done, and here are some examples of threats to your workforce continuity: The chart above outlines how you can help your company prepare for employee departures by having a successor plan in place ahead of time. A fire broke out in the break room. Do you have a fire alarm that alerts employees it's time to vacate? Do your employees know where the fire extinguishers are located in the building? Do they know where to evacuate to? What plans do you have in place post-fire in case the worst is realized for your physical office? Ultimately, you have to protect your staff and create an environment where they can do their best work instead of worrying about threats to their person. The image above is an example of how employers can help their employees prepare for both family emergencies as well as business ones. Here are examples of safety risks your business continuity plan should account for: Let's say that a pipe burst in your bathroom and flooded out the building. What kind of threat does water damage pose to your office or workplace? Is your technical equipment safe? Your employees? Your files? Will you lose anything irreplaceable? Do you know who to call for water damage and restoration? Do you have funds set aside for emergencies like this? Use a table like the one above to help determine the risk probability of natural disasters to further inform your continuity plan. Your office space is a business asset, but it can quickly become a liability if you're unprepared. A phishing company chooses to target your employees' emails to gain access to your sensitive data. The risk assessment table above outlines how companies can address cyber attacks and other breaches. Do you have a strong spam filter that can reduce the number of emails employees receive? Are employees trained on email security, and will they recognize phishing attempts? If someone does accidentally buy into the scam, what protocols do you have in place to mitigate the damage from a breach? A feeling of safety can come from having security procedures in place to mitigate risk as well as deal with issues as they arise. Here are some examples of security risks to plan for and mitigate (both technological and physical): Do you have a plan in place to manage your reputation, and do you know the biggest risks for negative publicity in your space? The example plan above outlines the steps for handling a media or reputation crisis. Once you create a business continuity plan, your work isn't over. Continue to iterate on the plan and identify new risks that become possible over time and/or with increased experience. Business continuity planning isn't a one-time feat. Your plans need to be constantly reassessed if you want to adequately prepare for every situation. Consider adopting a business continuity management team to oversee your continuity plans and keep them up-to-date. Here are examples of reputation issues that can affect business continuity: Business continuity management oversees a business's continuity plan and makes necessary changes to it when needed. This type of management determines the potential threats to a company and how each of these threats might impact business functions. Based on these findings, business continuity management is able to tweak the company's continuity plan to address any new potential hazards. One responsibility that business continuity management teams have is planning for disaster recovery. Disaster recovery is a component of the business continuity plan that specifically focuses on product issues. In addition to that, business continuity managment also includes crisis management, contingency planning, and emergency management. You'll want to regularly test and adjust your plan as time goes on to make sure it's still effectice and addresses your company's needs. The more time you put into your business continuity plan, the better it's going to be. The more often you test, the stronger your plan will be, as you'll be able to quickly identify problem areas and correct them before you're forced to deal with them during a crisis. Editor's note: This post was originally published in March 2019 and has been updated for comprehensiveness. 
What is business continuity?
If you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.Importance of Business Continuity Plan
Types of Business Continuity
1. Operational
2. Technological
3. Economic
4. Workforce
5. Safety
6. Environmental
7. Security
8. Reputation
Business Continuity vs. Disaster Recovery
For instance, in a larger crisis — like a building being flooded — you may have lost some of your IT services. Thus, included in the larger business continuity plan would be one or more disaster recovery instructions that would focus specifically on recovering those IT services.Business Continuity Planning
How often should a business continuity plan be tested?
1. Review your checklist twice a year.
2. Conduct emergency drills once a year.
3. Hold tabletop reviews every other year.
4. Conduct a comprehensive review every other year.
5. Mock recovery test, every two to three years.
Business Continuity Plan
How to Write a Business Continuity Plan
1. Select a business continuity team.
2. Define plan objectives.
3. Schedule interviews with key players in your departments.
4. Identify critical functions and types of threats.
5. Conduct risk assessments across each area identified.
6. Conduct a Business Impact Analysis.
7. Draft out the plan.
8. Test the plan for gaps.
9. Revise based on your findings.
Business Continuity Plan Template
Let's go over some examples of scenarios that would require a business continuity plan that will help you understand why your business needs one.Business Continuity Examples
1. External Product Outage
Image Source Type: Operational
2. Unplanned Internet or Telecom Outages
Image Source Type: Technological
3. Revenue Loss
Image Source Type: Economic
4. Turnover of Critical Employees
Image Source Type: Workforce
5. Workplace Emergencies
Image Source Type: Safety
6. Property Hazards
Image Source Type: Environmental
7. Cyberattacks
Image Source Type: Security
8. Negative Publicity
Image Source Type: Reputation
Business Continuity Management
Create a Business Continuity Plan Before Disaster Strikes
Source: https://blog.hubspot.com/service/business-continuity-plan
0 Response to "How to Create a Business Continuity Plan"
Post a Comment