Nextiva / Blog / Leadership

Leadership Leadership March 5, 2020

How To Write & Implement a Business Continuity Plan

how to create a business continuity plan
Strengthen your operations and reassure your team. Follow this step-by-step guide to develop your Business Continuity Plan (BCP). Prepare for unexpected change.
Gaetano DiNardi
Author

Gaetano DiNardi

how to create a business continuity plan

See Nextiva in action.
Quick, on-demand demos.

If a disaster such as a fire, flood or communication breakdown were to occur, many businesses would lose profits, damage their reputation or even be forced to close. A well-thought-out business continuity plan is what you need to prevent interruptions.
Having a company-wide plan in case of an emergency is essential. If you rely on cloud-based communications, you might still have vulnerabilities. If you centralize your operations in one location, that can also become a risk.
Luckily, there are ample resources available to develop a business continuity plan. Here, we’ll cover key aspects of a business continuity plan including:

Feel free to jump to a condensed version in our visual below.
Business Continuity Plan - Making a Plan

What is a Business Continuity Plan?

A business continuity plan is the outline of procedures to prevent damage, maintain productivity and recover in the event of a national emergency or disaster.
When you create such a plan, identify possible threats like fires, utility disruptions or social engineering attacks. Then proactively determine what employees can do to get the business back on track.
A business continuity plan is sometimes abbreviated “BCP,” but essentially it details the emergency management procedures and strategies to enact. Writing out your business continuity plan minimizes panic and uncertainty when a crisis happens and how to respond effectively.
Every business needs a plan to maintain business stability. Even if it’s a small business, you need to effectively have a plan when disaster strikes to avoid business disruption.

What are the best practices for team communication?
Find out in the State of Business Communication Report!

Top 6 Threats to Business Continuity

Threats to Business Continuity and Business Operations
There are several disruptions a company can experience. Some businesses have industry-specific threats, but there are also events that threaten almost any company, including:

1) Global pandemics:

Global pandemics can cause massive issues for companies, namely by forcing employees to work from home and creating a scenario where a company workforce must go remote swiftly and for an indefinite period of time.
In these scenarios, companies must equip their company to communicate with customers and each other remotely in the event of a need for quarantine.

2) Natural disasters:

This includes any force of nature that poses a significant threat to human health and safety, property or critical infrastructure. Natural disasters include all natural phenomena like wildfires, tornadoes, hurricanes, winter storms, floods, or earthquakes.

3) Man-made disasters

Any catastrophe that is the result of human negligence, mistake or accident. Man-made disasters include chemical explosions, gas leaks, oil spills, factory fires, hazardous material spills or improper disposal of waste.

4) Utility failures

This occurs when any utility provider fails to provide service for any reason. Utility failures include electricity or power failure, loss of communication lines, or disruption of water service.

5) Intentional sabotage

These are acts you commit with the intent of putting a business at risk. Sabotage can take many forms. For example, a bomb threat, a financial information leak, or arson.
It’s prudent to involve human resources to minimize risks internally and externally in the event of a disgruntled

6) Cybersecurity attacks

This refers to any attack on the company’s technical assets such as by a hacker. Cybersecurity threats include information leaks, ransomware, SQL injection attacks, or denial of service attacks.
Cyberattacks usually result in great harm to consumers and businesses alike, which can trigger an investigation of security protocols at data centers. The effects of such an attack are felt beyond the Information Technology (IT) department.
Business Continuity Plans Build Operational Strength

The Anatomy of a Business Continuity Plan

In order to protect itself from profit losses, reputation damage and customer loss, a company must create a business continuity plan.
The plan should be thorough and include possible threats, readiness procedures to protect against these threats and information on who should be leading each process.
While you create this emergency response plan, be sure to thoroughly document every section so you can share it across the company later. Keep it well-organized so readers can identify risk assessments, planning processes, and recovery steps.

#1 Identify the objectives of the plan and set goals

goals, milestones and expected outcomes
The first step is to identify the objectives of the business continuity plan and set goals around them. Here are some examples of a BCP:

  • How detailed and practiced should the plan be?
  • What departments will the plan cover?
  • What are the outcomes of a successful plan?
  • Which milestones should we track?

One important factor is the budget for the continuity plan. Include any preparation or research hours, training time and materials, etc as you create this plan. Business continuity management extends beyond IT and applies to the entire organization.

#2 Choose the business continuity team

assemble your business continuity plan team
An important part of your business continuity plan is the incident command team and their responsibilities.
Include the contact information, titles, and any other required information for each member. If applicable, specify backup contacts for each responsibility or department. These first responders carry out specific duties to keep the business running smoothly.
Two types of sub-teams to consider are:

Command and control teams

The command and control sub-teams include a crisis and recovery management team. They make sure there is near-perfect execution and that all resources are ready to go.

Task-oriented teams

This sub-team includes specialized teams such as a:

  • Internal communication
  • External business communication
  • Disaster recovery
  • Legal
    Customer operations
  • Information Technology (IT)
  • Supply chain management
  • Finance and Human Resources

#3 Conduct a business impact analysis (BIA)

business impact analysis
Impact analysis is another crucial aspect of your business continuity plan. A BIA is an assessment of the impact potential threats could have on each aspect of the business.
Predictions and forecasts can help your team put together a custom template. They have to then test it for potential holes and modify the BCP. Use this information to update the recovery plan later.
The BIA document should include explanations of the core business operations and what areas are critical for business continuity. It should document any resources needed to keep these critical departments afloat during a disaster scenario.
As a core function of disaster recovery planning includes a BIA that details scenarios for every level of disaster. This will make it easier to choose the most logical and realistic plan keeping in mind the risks.
Related: What is Digital Transformation? (Why Does It Matter?)

#4 Identify key business areas and critical functions

rate business aspects by importance
As part of the BIA, the team will want to establish a comprehensive understanding of the business’s core needs. To do this, identify which critical business processes would have the most damage to the company overall. Damage can include revenue loss, harm to the company’s reputation or damage to the company’s ability to operate properly.
Examine each aspect and function of the business and classify it as either high, medium or low. Some questions that can be helpful to consider when examining critical business functions include:

  • What business objectives does this aspect support?
  • How many departments will this function affect?
  • How often does this function occur?
  • What other aspects of the business are dependent on this function for success?
  • What would be the revenue loss if this function was not completed?
  • Are there potential fines or legal issues tied in with this function?
  • Does this function impact the business’s public image or market share?

Additionally, it’s wise for a business to carefully evaluate how they can move operations offsite. One example might be clear plans to move sales and support staff to work from home proactively.

#5 Identify any pain points or dependencies

identify pain points
Also part of the BIA, businesses should proactively identify potential problems that could arise. If any departments or functions have time-sensitive stipulations, monitor the tolerable downtime. Use the rating system for key business functions to understand where to allocate resources.
Use drills and tests to make your business continuity plan fail-proof. More information on how to do that below.

#6 Make a plan to maintain operations

business continuity strategies
This should be the most detailed section of the business continuity plan. Note that you should also revisit this as the company evolves. Start by doing an analysis of current recovery capabilities and how you can improve them.

Related: What Is VoIP? The Newbie’s Guide to Voice over IP

Readiness procedures could include:

Prevention strategies

Detail any actions your business needs to take as preventative measures before the disaster occurs.
While conducting the BIA, it’s likely you’ll find places that need mitigation. This could include having backup providers for utilities or generators available nearby. It could also include setting up alternative communication networks. Remote work solutions for employees in emergencies is another example.

Response strategies

Each department ought to have a detailed emergency response plan. Include exactly what each member of the business continuity team should do in case of an emergency.
For example, if there is an evacuation, proper technology, procedures and safety protocols are essential to recovery. When and how the company will contact the media, the public or customers should also be specified as a part of the business communications plan.
It’s critical to maintain reliable communication, including your organization’s business phone service for announcements and managing reliable call routing.

Recovery strategies

After the event has been contained, your focus should be recovery. This step of a continuity plan outlines exactly what they are and who is responsible for implementing them.
One example is a manual workaround to get the company running again. Operationalizing an alternative facility that the company could use in the interim is another example.
The first question people will always ask is about the timeline to recovery. Some resolutions are instant. Others may take days or weeks to implement. For all your recovery plans, scope out the Recovery Time Objective (RTO). This gives stakeholders clear-cut estimates on activating a recovery plan.
For companies with data centers where data powers their central operations, it’s important to understand the intervals of recovery available. A Recovery Point Objective (RPO) defines the timelines of data recovery available in the event of a loss or corruption.

#7 Develop a testing and training curriculum

testing and training
Implement a curriculum to train the business continuity team as well as employees in the event of an emergency. This could include basic training and an overview of the business continuity plan. Or in-depth exercises designed to test the procedures and prepare employees.
As a part of a BCP, it can include tactical exercises designed to test the procedures and prepare employees. You might even stage a mock emergency to evaluate areas for improvement.
An emergency protocol to train team members with specialized responsibilities is important. If you are conducting drill exercises, make sure employees display readiness and high comprehension.
One of the best practices to maintain business operations is to instruct employees not to publish unconfirmed reports and rumors on social media like Facebook, Twitter, or LinkedIn. Establish a feedback loop to listen and respond to internal staff concerns. This will conserve communications resources that are dedicated to higher priority objectives.

Exercises should have:

  • Clear objectives and goals
  • Easily understood assumptions of the scenario
  • Instructions for all participants
  • A clear narrative
  • A post-exercise evaluation

Leaders should identify if you need further training or improvements to the overall business continuity plan.

#8 Determine ongoing program maintenance and quality assurance

determine ongoing business continuity plan maintenance
Business continuity planning should evolve with your organization. A quality assurance strategy can ensure effectiveness as dedicated departments keep tabs on it. This could include when to hold reviews and tests.

Internal reviews

Businesses should conduct a review of the plan annually. This section should address exactly when updates are required due to:

  • Threats to the environment
  • Exercises that indicate the need for change
  • Changes to company structure or personnel
  • Geographic distribution of employees

External reviews

It can be helpful to have an external consultant come in and evaluate the plan or suggest improvements. This section should document when this should happen and who should conduct the audit.
An objective analysis of the disaster recovery plan and its execution is critical for continual improvement.

Additional drills and tests

Exercise ongoing training and tests based on changes to your business continuity plan. This section can outline when that is necessary and how to conduct drills.
The disaster recovery plan for your business is only as good as how well it’s put into practice.
software and tools

Business Continuity Software and Tools

There are many tools and apps you can use to craft a business continuity plan. Tools range from consultants to micro tools to full software platforms. Determine which tools are right for your company by assessing your business processes, plan complexity, timelines, and budget.

Communication tools

Your business is helpless if it cannot communicate with each other before and during a disruptive episode. This includes internal and external communication and notification tools. Communication tools can be used to send direct messages to recovery teams, vendors, shareholders or staff.

  • Everbridge is a popular mass notification tool
  • Intrado offers enterprise notification services, which is popular with school districts
  • A cloud phone system can be helpful in emergency situations as well.
  • Slack is one quick way to organize team chats and

Preparatory tools

These include tools to help you build your BCP. For example, the U.S. Department of Homeland Security offers a Business Continuity Planning Suite. Other business continuity planning software providers include:

  • Arcserve
  • Axcient
  • Continuity Logic
  • Arcserve
  • Strategic BCP

Internal auditing tools

These tools can help a business assess their strengths, weaknesses, pain points and areas of concern. Some handy internal auditing tools include:

  • Open-AudIT
  • Onspring

Documentation tools

These can include simple office tools like Word, Excel and other office suite tools, but can also include BCM planning templates.
Cloud-based software can be helpful to document processes and also make sure they are accessible. Cloud storage software like Dropbox, Acronis, and Amazon S3 can ensure data protection. Internet phone service can be managed remotely with no need for on-site changes.

Disaster recovery tools

There are plenty of tools dedicated to disaster recovery in case of business interruption. Depending on the tool, they can help with everything from communication assistance to data recovery and office space.

  • Agility Recovery
  • Novinex
  • Long View

No matter the incident, you need to develop a strong disaster recovery plan. This includes names, phone numbers of qualified individuals and agencies to assist with recovering data backups.
Related: Top 10 VoIP Myths & Misconceptions Debunked [INFOGRAPHIC]

The Anatomy of a Business Continuity Plan [Infographic]

Having a concrete business continuity plan is an essential security measure in today’s corporate environment. The benefits are numerous both internally and externally.
Having a dynamic plan in place can help build confidence and trust with employees and shareholders. Such a plan can also help:

  • Manage the company’s reputation with customers
  • Assist the business to meet legal obligations
  • Ensure the business has few interruptions in the event of a disaster
  • Identify essential remote tools to maintain operations.

Business Continuity Plan Infographic - Anatomy of a BCP
Related: The Ultimate Guide to VoIP RFPs (+Free Templates)

See Nextiva in action.
Quick, on-demand demos.