How to write an effective Business Continuity Plan
A Business Continuity Plan (BCP) is unique to your organisation. But the process of building one can be distilled into three stages.
Plan the plan
Yes, this is kind of obvious. You need a planning phase before building the actual BCP. Kicking off a plan in the right way will make or break everything that comes later. A robust planning phase lays the foundations for a resilient business. A bad plan is written by the BC practitioner to satisfy auditors. A good plan is written with the business, for the business. For more on what makes a great plan (and a bad one) listen to The BCPcast here.
Make it policy
Hard-coding business continuity as a key part of business strategy is vital. This has to come from top management stating their objectives. The policy must be short and clear, so staff can engage at all levels. A BCP covers the high-level and tactical aspects of a business. Make sure you define the priorities for business continuity and its place in the overall business strategy. That way, everyone knows where they’re going, how, when and why.
Assign teams and responsibility
Name your Crisis Management Team. Like in sport, you need a core squad who know their roles and responsibilities. The team should include senior management, Operations, IT, PR and other key management. You also need ‘subs’ who can step up to fill a personnel gap if needed. There also needs to be an individual responsible for the BCP. A dedicated person shows the rest of the business how seriously continuity is taken, and ensures it won’t slip down the priority list.
Hold a Business Impact Analysis (BIA)
A BIA is the process of analysing activities and the effect a business disruption might have on them. Identify the types of impact (financial, regulatory, legal and reputational) and the functions that support those areas. You can then assign levels of criticality and plan accordingly. This analysis should produce the business’ Recovery Time Objective, Recovery Point Objective and Maximum Tolerable Period of Disruption. Review and update the BIA at least annually.
Identify threats/risks to urgent functions
From the BIA you can create a Risk Register. This list clarifies the specific threats facing your business. You can then plot each risk on a matrix to identify which ones need the most attention and resources.
Now you have a clear view of your risks, you can put the BCP into action.
Implement mitigation strategies
After identifying risks, disruptions and the effect on the organisation, you now need to mitigate those effects. The key projects are:
• People – where will staff go?
• Premises – which premises in what circumstances?
• Suppliers – relocate supplies
• Resources – IT equipment, access to information
Agree activation plans
How do you escalate comms when disaster strikes? Agree communication plans so everyone knows who to ring when all hell breaks loose. Time is of the essence when disruption happens, so a clear order of escalation is key. A call tree and mass notification service (preferably one running off a separate provider) are needed here.
Test & Maintain
Exercise and test
Create a Testing and Exercise schedule, including success criteria and KPIs. Your recovery times should be set out in your planning and BIA. Measure your exercises against your KPIs to track whether your recovery efforts are adequate and improving over time.
Full-scale BC exercises require a significant time commitment, so hold more frequent, smaller exercises. This will help maintain a level of organisational preparedness. You should exercise plans at least annually.
Ongoing changes and maintenance
ISO 22301 for Business Continuity recommends the catchy Plan, Do, Check, Act model (PDCA). This simple cycle lets you review and improve your Business Continuity Planning.
In addition to the plan, the entire programme should be reviewed each year. Is the team still right? Is there enough internal resource? Are external resources needed?
To embed Business Continuity, it needs regular review. Like anything else, regular revisiting and practice become habit. That way, your resilience stays constant, rather than dipping over time, only to be hastily reinforced.