
Creating a Business Continuity Plan

April 15th, 2020 Posted in Business Continuity

In the current climate, where most companies need to implement radical changes to the way they operate in order to comply with government restrictions, some are finding that their Business Continuity Plans (BCPs) are out-of-date, incomplete, overly complicated and in desperate need of rejuvenation. The key to building a useful and fit-for-purpose Business Continuity Plan lies in a set of activities, which are set out in this blog.

Understanding your Organisation

It is worth taking a good look at your organisational chart to understand how your company is structured and who your key stakeholders are likely to be in your effort to build – or rebuild – your BCPs.

Ultimately, understanding your organisational profile will help identify the type of Business Continuity Plan that is likely to best suit your company.

For example, manufacturing organisations have complex supply chains and often find that process-based BCPs that consider end-to-end processes and their dependencies better suit their requirements.

Larger organisations can be so different across functions that a department-based BCP may be appropriate. Multi-site organisations and small businesses operating from a single site should consider a location-based BCP.

Understanding Recovery Needs & Time Frames

It is pointless trying to build a Business Continuity Plan if you have not first determined what needs to be recovered and within what time frame. Not doing so equates to launching yourself into a complicated recipe without a list of ingredients or knowing how many people you are cooking for or when they are coming to dinner!

The Business Impact Analysis (BIA) process will help you understand from your stakeholders what their recovery requirements are. With their help, you must:

  • First identify their key deliverables or activities.
  • Agree a suitable time frame for recovery or resumption.
  • Determine the dependencies of these key deliverables or activities on:
    • Staff and skills
    • Locations and buildings
    • Technology
    • Suppliers
    • Internal processes

Only once the BIA has been built and approved should you consider building your BCP.

If you find it tricky to identify a recovery or resumption time frame, focus on the question “how long can we afford to be without this” and you’ll soon get to the right answer.

Formalising Recovery Strategies and Solutions

The Business Continuity Plan is just that: a plan. A set of guidelines that are explicit and unambiguous as to what needs to be recovered, by whom and within what time frame. Where the BIA identifies the WHAT, the BCP explains the HOW. It provides the reader with simple instructions that are easy to understand and action under pressure. Theoretically, anyone in the organisation should be able to pick up a BCP and co-ordinate the recovery effort.

The BCP should:

  • Provide simple guidelines on when a situation may require the BCP to be activated: this should be a step up from day-to-day incident management.
  • List the key (internal and external) people and entities that need to be brought together to help co-ordinate recovery and their contact details.
  • Help assign roles and responsibilities within the recovery team.
  • Build upon the BIA, clearly laying out what needs to be recovered and by when and offering strategies and solutions to ensure that the recovery requirements are met.
  • Provide instructions on coordinating the recovery effort and on how to stand the recovery team down, deactivate the plan, and manage follow up actions.

It is important to note that a BCP should not include detailed procedures. The Business Continuity Plan is an overarching document that sits on top of whatever procedures may be required to effect recovery, and these should be proactively maintained by the various teams likely to play an active role in any recovery activity. Including procedures within the plan will not only add complexity to the maintenance of the plan, it will also increase the bulk of the plans and make them cumbersome to use.

Ensure the Plan is Accurate, Complete & Fit for Purpose

Once your Business Continuity Plan is finalised and approved, you must validate it. To achieve this, you must test, test and test. And when you’ve done that… test again.

A failed test means that your BCP is not fit for purpose. You must understand why it failed, identify and apply the required improvements, and repeat the test as soon as practicable. Until it works.

The most effective way to test a plan is to test components of it one by one, gradually building it up until you are able to test the whole plan in one testing exercise. Build realistic scenarios focused in turn on loss of staff or skills, loss of building, loss of technology, disruption to the supply chain or to an upstream internal process.

Be clear on the objectives of the test to reduce scope creep and focus on impact rather than cause: an epidemic, a transport strike or industrial action all lead to loss of staff and skills. A fire or flood, a terrorist attack, a gas leak, or an area cordoned off by the police all lead to an office block not being accessible.

Share your Business Continuity Plan

For a Business Continuity Plan to be of any use, it must be accessible and communicated. You do not know who will be available the day your plan is invoked, and for this reason it is paramount that all staff:

  • Know where to find the latest version of the BCP(s) that are relevant to them.
  • Are trained on how to invoke and use their BCP(s).
  • Are involved in testing activities.

Maintain your Business Continuity Plan

Finally, efforts to ensure that plans are kept up to date are often hampered by a lack of, or rather inappropriate, ownership. Maintaining Business Continuity Plan documentation will remain a challenge for as long as ownership rests with the business continuity or compliance / quality function.

Certainly, the business continuity function should own business continuity processes and their supporting templates. They should also own the testing schedule and facilitate and track business continuity activities. However, it is important that Department and Team Heads take responsibility and therefore own the contents of their Business Impact Analyses and Business Continuity Plans. Similarly, they should and must take an active part in any testing activities and in the identification and implementation of improvements to their Business Continuity documents.

Need help?

If your organisation needs help to develop or test a Business Continuity Plan, we can help. Contact us for a friendly chat.



Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.