Creating a Business Continuity Plan (BCP) in 2024

February 1st, 2024 Posted in Business Continuity

What is a Business Continuity Plan?

A Business Continuity Plan (BCP) is a framework of prevention and recovery that instructs employees in the procedures to carry out following an emergency, disaster or serious disruption. The aim of the plan is to ensure that all staff and valuable assets are secured during a crisis, and are able to operate and recover as quickly as possible.

A BCP covers risks such as natural disasters like fire, flooding and weather-related crises. A BCP also covers pandemics, cyber-attacks and human error. The vast scope of potential risks to a business makes a BCP vital to any organisation, no matter the size or the industry. It is important to be aware that a Business Continuity Plan is different from a Disaster Recovery Plan, which is solely for the purpose of the recovery of an organisation’s IT systems.

The importance of a BCP and its benefits

A well-thought-out and robust Business Continuity Plan significantly lessens the likelihood of a prolonged operations outage and therefore decreases the overall financial loss caused by the disruption. Furthermore, when an organisation ceases operations, even temporarily, it runs the risk of clients and customers going to its competitors for support.

Natural disasters often happen in an unpredictable manner, so having a plan in place for all employees to turn to when disaster strikes ensures everyone knows their part to play and what needs to be done. In 2020, during the COVID-19 pandemic, many organisations found that their Business Continuity Plans (BCPs) were out-of-date, incomplete, overly complicated and in desperate need of rejuvenation. If anything, it highlighted the importance of having a strong and tested plan in place now, before it is needed.

The key to creating a Business Continuity Plan fit for purpose lies in a set of activities which we highlight in this blog.

What should a BCP include?

There are some key elements that every BCP should include. These are:

Risk profile – what is the potential impact on your business?

The Business Impact Analysis (BIA) – what needs to be recovered and within what time frame?

Planning your response – develop an appropriate response strategy to every risk outlined in your risk profile. This is also where key roles and responsibilities should be defined – who is responsible for what?

Communication – how will your organisation communicate the crisis internally or externally? Your plan should include key contacts as well as templates for things like press releases and how they will be communicated over social media.

Training & Testing – this helps your key personnel understand their roles and exactly what actions they need to take should a disaster occur. It will give them the confidence they need to act effectively and efficiently. In order to ensure your BCP is as robust as possible, it’s important to exercise it – ensuring that different scenarios are tested, so that your organisation is prepared for anything.

Maintenance – ensure that plans are kept up to date and improvements are made as and when required.

Risk profile: understanding your organisation

It is worth taking a good look at your organisational chart to understand how your company is structured and who your key stakeholders are likely to be in your effort to build – or rebuild – your BCPs.

Ultimately, understanding your organisational profile will help identify the type of Business Continuity Plan (BCP) that is likely to best suit your company.

For example, manufacturing organisations have complex supply chains and often find that process-based BCPs that consider end-to-end processes and their dependencies better suit their requirements.

Larger organisations can be so different across functions that a department-based BCP may be appropriate. Multi-site organisations and small businesses operating from a single site should consider a location-based BCP.

Understanding recovery needs and time frames

It is pointless trying to build a Business Continuity Plan if you have not first determined what needs to be recovered and within what time frame. Not doing so equates to launching yourself into a complicated recipe without a list of ingredients or knowing how many people you are cooking for or when they are coming to dinner!

The Business Impact Analysis (BIA) process will help you understand from your stakeholders what their recovery requirements are. With their help, you must:

  • First, identify their key deliverables or activities.
  • Agree on a suitable time frame for recovery or resumption.
  • Determine the dependencies of these key deliverables or activities on:
    • Staff and skills
    • Locations and buildings
    • Technology
    • Suppliers
    • Internal processes

Only once the BIA has been built and approved should you consider building your BCP.

If you find it tricky to identify a recovery or resumption time frame, focus on the question “How long can we afford to be without this?” and you’ll soon get to the right answer.

Planning: formalising recovery strategies and solutions

The Business Continuity Plan is just that: a plan. A set of guidelines that are explicit and unambiguous as to what needs to be recovered, by whom and within what time frame. Where the BIA identifies the WHAT, the BCP explains the HOW. It provides the reader with simple instructions that are easy to understand and action under pressure. Theoretically, anyone in the organisation should be able to pick up a BCP and coordinate the recovery effort.

The BCP should:

  • Provide simple guidelines on when a situation may require the BCP to be activated: this should be a step up from day-to-day incident management.
  • List the key (internal and external) people and entities that need to be brought together to help coordinate recovery and their contact details.
  • Help assign roles and responsibilities within the recovery team.
  • Build upon the BIA, clearly laying out what needs to be recovered and by when and offering strategies and solutions to ensure that the recovery requirements are met.
  • Provide instructions on coordinating the recovery effort and on how to stand the recovery team down, deactivate the plan, and manage follow-up actions.

It is important to note that a BCP should not include detailed procedures. The Business Continuity Plan is an overarching document that sits on top of whatever procedures may be required to effect recovery, and these should be proactively maintained by the various teams likely to play an active role in any recovery activity. Including procedures within the plan will not only add complexity to the maintenance of the plan, it will also increase the bulk of the plans and make them cumbersome to use.

Communication: share your business continuity plan

For a Business Continuity Plan to be of any use, it must be accessible and communicated. You do not know who will be available the day your plan is invoked, and for this reason, it is paramount that all staff:

  • Know where to find the latest version of the BCP(s) that are relevant to them.
  • Are trained on how to invoke and use their BCP(s).
  • Are involved in testing activities.

Testing: Ensure the BCP is accurate, complete and fit for purpose

Once your Business Continuity Plan is finalised and approved, you must validate it. To achieve this, you must test, test and test. And when you’ve done that… test again.

A failed test means that your BCP is not fit for purpose. You must understand why it failed, identify and apply the required improvements, and repeat the test as soon as practicable. Until it works.

The most effective way to test a plan is to test components of it one by one, gradually building it up until you are able to test the whole plan in one testing exercise. Build realistic scenarios focused in turn on loss of staff or skills, loss of building, loss of technology, disruption to the supply chain or to an upstream internal process.

Be clear on the objectives of the test to reduce scope creep and focus on impact rather than cause: an epidemic, a transport strike or industrial action all lead to loss of staff and skills. A fire or flood, a terrorist attack, a gas leak, or an area cordoned off by the police all lead to an office block not being accessible.

Maintain your business continuity plan

Finally, efforts to ensure that plans are kept up to date are often hampered by a lack of, or rather inappropriate, ownership. Maintaining Business Continuity Plan documentation will remain a challenge for as long as ownership rests with the business continuity or compliance/quality function.

Certainly, the business continuity function should own business continuity processes and their supporting templates. They should also own the testing schedule and facilitate and track business continuity activities. However, it is important that Department and Team Heads take responsibility and therefore own the contents of their Business Impact Analyses and Business Continuity Plans. Similarly, they should and must take an active part in any testing activities and in the identification and implementation of improvements to their Business Continuity documents.

Need help with your BCP?

If your organisation needs help to develop or test a Business Continuity Plan, we can help. Contact us for a friendly chat.


Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.