The goal of risk management is not to eliminate all risks but to effectively reduce their likelihood and impact. One way to do that is through business continuity planning.
Having a business continuity plan in place can help your organization keep operating at some capacity during a disaster.
Below, get straightforward answers to what a business continuity plan includes, why it’s important, and how to write one. You’ll also find a business continuity template to simplify the process.
What is a business continuity plan?
A business continuity plan is a document containing a predetermined set of procedures that describe how an organization will sustain its business operations during and after a significant disruption.
This disruption may be caused by a broad range of threats, including natural disasters, technical failures, and cyberattacks.
What is business continuity management?
A business continuity plan is one part of business continuity management (BCM). BCM includes risk assessment, response planning, recovery, and long-term maintenance of the policies and procedures developed, tested, and used when a crisis occurs.
What is the primary goal of business continuity planning?
The primary goal of business continuity planning is to identify preparations and recovery actions that can assist an organization in resuming operations and services as quickly as possible during and after a crisis.
For example, most business operations depend heavily on technology and automated systems, and the disruption of these systems for even a few hours may cause severe problems. Consider a Zoom outage. It may disrupt meetings with colleagues, customers, and prospects, and as a result important projects and deals. A company whose business continuity plan has already identified a substitute tool for video meetings will recover faster than a company without one.
To keep your business running as smoothly as possible through system failures, cyberattacks, natural disasters, and other major disruptions, you need both an awareness of the crises that could affect your organization’s critical systems, tools, and skills, and a plan for dealing with them.
Business continuity planning is also important for getting and staying compliant with some privacy and security standards, including SOC 2®. Let’s take a look at this other reason for creating a BCP and keeping it up to date.
Why is a business continuity plan important for SOC 2 compliance?
A business continuity plan is part of the documentation that a SOC 2 auditor will likely review, along with your systems and security controls, to determine your level of compliance with the Trust Services Criteria (TSC) you’ve selected. This plan is especially important if you include Availability as a TSC in your SOC 2 audit.
The Availability controls in SOC 2 focus on minimizing downtime. Risk assessment is therefore essential.
A SOC 2 auditor will most likely review whether your company has identified, and thought of ways to mitigate, environmental threats that could impact system availability, like hurricanes, tornadoes, and wildfires. The same process should be applied to man-made threats, like theft and cyberattacks.
A SOC 2 auditor will also likely review whether your business continuity plan can be applied to unforeseen events that could impact your system availability and capacity, like a global pandemic.
An auditor will also likely review whether you’ve tested your BCP at least once within the last year.
Who is responsible for business continuity planning?
Business continuity planning must be a top-down effort. This means it must have the support and willing participation of a director or senior manager at the company. While they will act as the executive sponsor, another individual should be appointed as the BCP coordinator. Depending on the size of the organization, a planning team representing all major areas of operations may also need to be appointed to assist the BCP coordinator.
This coordinator and/or team should be appropriately announced and empowered to execute on a range of responsibilities, including uncovering your business’s weaknesses and making plans to mitigate them, testing those plans to make sure they’re effective for different types of crises, and updating them as new threats emerge.
What’s the difference between business continuity, disaster recovery, and incident response plans?
There are several contingency and continuity plans that can help minimize the impact of catastrophic events. Let’s take a look at the three most common plans and how they differ from each other below.
Business continuity plan vs disaster recovery plan
The key difference between a business continuity plan and a disaster recovery plan is their scope. A BCP provides procedures for sustaining business operations while recovering from a significant disruption. A DRP provides procedures for recovering information systems operations after a significant system disruption, like a major software failure or a natural disaster, typically by relocating them to an alternate location.
Many organizations choose to combine their business continuity and disaster recovery plans into a single document. However, some choose to create them as standalone documents.
Business continuity plan vs incident response
The key difference between a business continuity plan and incident response plan is that a BCP provides procedures for sustaining business operations while recovering from a significant disruption, whereas an IRP provides procedures for mitigating and correcting a system after a security incident, like a virus or Trojan horse.
An IRP should detail a recovery process for when security incidents do happen.
This is another crucial document that a SOC 2 auditor will likely review to determine your level of compliance with the TSC you’ve selected.
What does a business continuity plan typically include?
A business continuity plan typically includes the following:
- Mission critical services, processes, and resources: Every BCP should include a list of mission critical services, processes, and resources. These need to be recovered first when a BCP event occurs to minimize downtime.
- Alternative location considerations: During a significant BCP event, an organization may need to use back-up data centers, back-up sites for operations, remote locations, or other alternative locations. These are typically documented in the BCP along with considerations like the accessibility of these alternative sites, transportation alternatives to these sites, the number of staff necessary to perform critical activities at these sites, and other resources that will be required.
- Vendor relationships: Organizations may categorize vendors into risk levels and evaluate the risk of each in their BCPs.
- Telecommunications services and technology considerations: Organizations typically detail strategies for maintaining operations during communications disruptions in their BCP. This may include using multiple telecommunication providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers.
- Communication plans: Organizations typically establish communications plans with staff, customers, and other external third parties, including regulators, exchanges, and emergency officials, in their BCP as well.
- Regulatory and compliance considerations: Organizations typically include regulatory requirements in their BCPs and should regularly update them to include any new requirements.
- Review and testing methods: Organizations should include how their BCP is reviewed and tested and how often. For example, they may conduct full BCP tests at least annually or sooner if significant changes are made. They may also conduct employee training or require employees to review their BCP annually to ensure all personnel are familiar with the plan and their responsibilities.
- Recovery objectives: A BCP will typically include key recovery objectives that help organizations plan how quickly they need to recover data and systems in order to minimize disruptions and maintain smooth operations during unexpected events. These are defined below:
  - RPO (Recovery Point Objective): RPO sets the limit for how much data loss a business can tolerate after a disruption. It defines the latest acceptable point in time to recover data, minimizing potential losses.
  - RTO (Recovery Time Objective): RTO is the maximum acceptable downtime for systems or processes. It indicates how quickly a business needs to recover and resume normal operations after a disruption.
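The definitions above are easier to apply once you see how an actual incident is measured against them. The following Python script is an added example (not code from the original article) that takes a constructed backup history, a disruption time, and a restoration time, and reports whether the RPO and RTO were met. The objectives (60-minute RPO, 240-minute RTO), the backup records, and the timestamps are all assumed sample values. It also handles two failure modes a practitioner should watch for: a failed backup that silently widens the data-loss window, and a backup that completed after the disruption began and therefore cannot be trusted for recovery to a pre-incident state.

```python
from datetime import datetime

# Constructed recovery objectives for a hypothetical payments database
# (assumed values, not taken from the article).
RPO_MINUTES = 60    # at most one hour of data loss is tolerable
RTO_MINUTES = 240   # service must be restored within four hours

# Constructed backup history for the example. Note the 02:00 job failed,
# and the 03:00 job completed after the disruption started at 02:45.
SAMPLE_BACKUPS = [
    {"completed": "2024-03-10T00:00:00", "status": "success"},
    {"completed": "2024-03-10T01:00:00", "status": "success"},
    {"completed": "2024-03-10T02:00:00", "status": "failed"},
    {"completed": "2024-03-10T03:00:00", "status": "success"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def last_good_backup(backups, disruption_at: datetime):
    """Most recent successful backup that completed before the disruption.

    Failed backups are skipped, and backups that finished after the
    disruption began are excluded because they may capture corrupted or
    partial data. Returns None when no usable backup exists.
    """
    usable = [
        _parse(b["completed"])
        for b in backups
        if b["status"] == "success" and _parse(b["completed"]) <= disruption_at
    ]
    return max(usable) if usable else None


def evaluate_recovery(backups, disruption_at: str, restored_at: str,
                      rpo_minutes: int = RPO_MINUTES,
                      rto_minutes: int = RTO_MINUTES) -> dict:
    """Compare an incident's actual data loss and downtime against RPO/RTO.

    data_loss_minutes: time between the last usable backup and the disruption
                       (None if no usable backup, which always fails the RPO).
    downtime_minutes:  time between the disruption and full restoration.
    """
    disruption = _parse(disruption_at)
    restored = _parse(restored_at)
    backup = last_good_backup(backups, disruption)

    if backup is None:
        data_loss = None
        rpo_met = False
    else:
        data_loss = (disruption - backup).total_seconds() / 60
        rpo_met = data_loss <= rpo_minutes

    downtime = (restored - disruption).total_seconds() / 60
    rto_met = downtime <= rto_minutes

    return {
        "last_good_backup": backup.isoformat() if backup else None,
        "data_loss_minutes": data_loss,
        "rpo_met": rpo_met,
        "downtime_minutes": downtime,
        "rto_met": rto_met,
    }


def max_backup_interval(rpo_minutes: int, tolerated_failures: int = 1) -> float:
    """Longest backup interval that still meets the RPO if the given number of
    consecutive backup jobs fail. Useful when turning an RPO into a schedule."""
    return rpo_minutes / (tolerated_failures + 1)


if __name__ == "__main__":
    report = evaluate_recovery(SAMPLE_BACKUPS, "2024-03-10T02:45:00",
                               "2024-03-10T05:30:00")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("backup interval to survive one failed job:",
          max_backup_interval(RPO_MINUTES), "minutes")
```

In the sample run the last usable backup is the 01:00 one, so the incident lost 105 minutes of data and missed the 60-minute RPO even though backups were scheduled hourly; the failed 02:00 job is what broke the objective, which is why backup-job monitoring belongs in the BCP alongside the schedule. Downtime of 165 minutes sits inside the 240-minute RTO. The `max_backup_interval` helper turns the RPO back into a schedule: to tolerate one failed job with a 60-minute RPO, backups must run at least every 30 minutes.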
Business continuity plan example
This business continuity plan example from Santa Cruz Health is designed for individual facilities to customize. Its purpose is to ensure that resources are prepared and pre-positioned so that mission critical services and processes continue during an event that disrupts normal operations and impacts the facility’s essential operations. It is broken down into several sections, including:
- General: Describes the purpose of the BCP, as stated above.
- Activation: Briefly describes when the plan should be activated.
- Overview: Briefly describes what the plan is, how it was developed, what steps need to be taken to ensure it’s effective, and what’s included.
- Continuity requirements: Lists the facility’s mission critical services, processes, equipment and supplies, IT applications, records, and business continuity personnel.
- Continuity and recovery actions: Lists procedures following the occurrence of different BCP events, including loss of power, loss of HVAC, and relocation of departmental services to an alternate location.
How to write a business continuity plan
Now it’s time to start formulating and building out your business continuity plan. To guide you, we’ve broken the process down into six key steps. We’ve also provided a template below to help get you started.
1. Identify and assess your risks.
The first major task of writing a BCP is identifying the risks or threats in your environment and determining how they might impact your operations. For example, some environmental threats may be likely to cause physical damage to your building. Other types of threats may have an impact on your staff and their families.
The risks that are most threatening to your operations should be prioritized.
2. Identify critical elements of your organization.
The next major task is identifying the tools, systems, and skills that are essential to your operations and how critical they are to recover. You can kick off brainstorming by posing the question, how do we achieve our goals?
For example, let’s say one of your mission critical services is fundraising. In that case, a critical asset might be pledge cards. The vendor that prints your pledge cards would also be considered critical.
When identifying these systems, tools, and skills, you’ll also want to determine what resources would be required to restore them and therefore resume the mission critical services and processes they are part of. Examples of resource requirements are facilities, personnel, equipment, software, data files, system components, and vital records.
This will help determine priority levels for sequencing recovery activities. In other words, what needs to be restored first in order to get back to work as quickly as possible during and after a crisis?
3. Identify ways to mitigate risks.
Now that you understand your organization’s unique risks and critical elements, you’re ready to create a plan of action.
Start by identifying strategies that will eliminate the risks you identified in step 1 entirely. If that’s not possible, identify strategies that will lessen their impact. For example, it’s impossible to eliminate an environmental threat like a snowstorm entirely. Instead, you can create a procedure for your employees and contractors to work remotely if a snowstorm makes it impossible or difficult to get to the office. This will require that all employees and contractors have the appropriate supplies and equipment and receive the same communications.
These mitigation strategies are designed to eliminate or lessen the impact of a threat before a crisis and should therefore be implemented as quickly as possible.
4. Identify ways to prepare for and recover from the loss of any critical elements.
Since it is impossible to eliminate all threats facing your organization, your next step is to identify as many strategies as possible for dealing with the loss of each critical element identified in step 2.
For example, installing protective systems like a security system, fire alarm system, and antivirus software can all be considered strategies to prepare for and recover from the loss of critical elements caused by theft, vandalism, environmental hazards, cyber attacks, and other threats.
The goal is to come up with as many preparedness strategies as possible in order to best prepare for and recover from the loss of mission critical assets during and after a crisis.
During the review or testing stage, you can remove any strategies that are too time-consuming or expensive.
5. Prepare for how you will respond after a crisis.
Now that plans and strategies are in place, you can take steps to improve the efficiency and quality of your organization’s response to a crisis to help you get back to work as quickly as possible.
Consider creating a recovery team that can assess your losses and initiate recovery actions after a crisis. The roles and responsibilities of this team can be documented in your BCP.
6. Update and test your business continuity plan.
Your business continuity plan is a living document. It should be updated to reflect the evolving risks and needs of your business. Whether you’re integrating new software that suddenly crashes or bringing on a new management team member, your BCP should reflect these changes.
If there are no major changes impacting your business, you should still test your business continuity plan once a year at a minimum. This is a best practice and compliance requirement. You can use a variety of testing methods, including tabletop exercises and simulation tests.
Testing and keeping documentation like this up to date is an important part of continuous compliance.
Business continuity plan template
Use this template to begin identifying the risks, critical elements, mitigation actions, and preparedness strategies that will make up the basic components of your business continuity plan.
What are the benefits of a business continuity plan?
Implementing and maintaining an effective business continuity plan offers a range of benefits, including:
- reduced costs and impact on business performance when a disruption occurs
- a consistent, organization-wide approach to responding to and recovering from a significant disruption
- assurance for clients, suppliers, regulators, and other stakeholders that the organization has systems and processes in place for business continuity
- improved business performance and organizational resilience
- a better understanding of the business, its critical issues, and areas of vulnerability
What are the 5 components of a business continuity plan?
While every business continuity plan is unique, five key components are:
- Risks and their potential business impact and likelihood of occurrence
- Mission critical services, processes, and resources
- Risk mitigation actions
- Preparedness strategies to prepare for and recover from the loss of any critical elements
- Training, testing, and plan maintenance
What are the 4 P’s of business continuity?
The four P’s of business continuity are people, processes, premises, and providers. Below are definitions of each:
- People: This includes your employees and customers.
- Processes: This includes the technology and processes your business uses to keep everything running.
- Premises: This includes the buildings and spaces from which your business operates.
- Providers: This includes partners, vendors, and suppliers that your business relies on for resources.
What is a real-life example of business continuity?
A real-life example of business continuity is the response to the Cape Town water crisis, which began in 2015. During a period of severe drought, Cape Town implemented several response and recovery strategies that averted the catastrophe of running out of water, also known as “Day Zero.” These included the introduction of innovative pressure reduction methodologies to curb water losses, sustained reduction in water use, and effective public communication and awareness programs.
How do I write a BCM plan?
Below is a step-by-step process for writing a BCM plan:
- Identify and assess risks (can use the 4 P’s)
- Identify mission critical products, services, or functions
- Evaluate the potential impact of risks and disruptions to critical elements
- List actions to mitigate these risks
- List strategies to prepare for and recover from the loss of any critical elements
- Maintain, review, and continuously update the business continuity plan
Why do business continuity plans fail?
Business continuity plans fail for a variety of reasons, with the most common being a lack of buy-in from top management. Other reasons are that no one is appointed to take ownership of business continuity planning, or the plan isn’t tested and updated regularly to keep up with changes affecting the business.