business continuity plan fire department

Building a fire department COOP: A guiding light in an operational storm

2020 proved the importance of building – and updating – thorough continuity of operations plans for fire departments.

As fire service leaders, we proactively compile preplans on various structures and hazards in our territories and envision all of the worst-case scenarios that could happen. But how often do look at our departments in the same way?

Photo/Burlington (N.C.) Fire Department

One year ago, we knew something was brewing but had no idea on what scale and how long we would be working outside of our normal operations. It ultimately became a year of so many trials – and so many firsts – for fire departments.

One of the firsts for our department was relying on our continuity of operations plan (COOP).

Many departments have COOPs, but I’ll bet most of us didn’t expect to go searching for them last year, pulling them out like playbooks to call the next play on the field.

I had written our department’s COOP five years ago thinking it would sit on the shelf and collect dust along with other books and mementos on my bookshelf. But much to my surprise, we referenced it multiple times throughout 2020 for various strategic planning and event needs, and we continue to pull it out for reference as the pandemic drags on.

Our COOP is like a master preplan for our department. It provides guidance for station relocations in the event a station has to be vacated for any variety of reasons, suggestions for how to operate in the event of technology becoming unreliable, and recommendations for operating during a pandemic, which, as predicted, creates a reduction in staffing.

As fire service leaders, we proactively compile preplans on various structures and hazards in our territories and envision all of the worst-case scenarios that could happen. We are firefighters; it’s just what we do. We are good at looking around us and preparing, training and rehearsing for the “big one.” But how often do look at our departments in the same way? How often do we preplan department contingencies?

In 2020, we had to break out our COOP to create a game plan in the case of staffing deficiencies due to employees out sick, either with COVID-19 or out caring for a loved one. The difference between staffing shortages in a pandemic and other times is also that mutual aid is not going to be available, as everyone is suffering the same plight.

This requires out-of-the-box thinking about how your jurisdiction will be covered. It is not as simple as “normal times,” as additional overtime of employees places additional stress on them, and can lead to cross-contamination of shifts if an employee does contract an illness – a situation many departments experienced over the past year.

Additionally, 2020 saw social unrest erupt in many of our cities, creating more unique operational circumstances. Our department experienced a time when, for precautionary measures, our personnel vacated a station and relocated to an alternate site identified within our COOP. This action was done on short notice, but having a plan in place helped crews execute it seamlessly.

There are various templates available to compile a COOP. FEMA, for example, has excellent templates available. Templates offer a base plan for building a lineup of personnel who can fill roles as vacancies arise, to plans for more complex problems that require decision matrixes to guide each agency or department through a time where normal operations are interrupted.

When our COOP was written, it incorporated a variety of templates to create a document that was functional for our department. Hazards that are likely to impact our department were identified, as were low-probability hazards, such as a pandemic.

In creating or updating your COOP, it is also smart to update department inventories of mundane supplies and vendors. As so many of us experienced last year, numerous basic items, such as toilet paper and cleaning supplies, suddenly became challenging to find, as did some food items. Fortunately, our COOP identified vendors for additional fuel, medical supplies and even oxygen, but like many, we did not have additional sources for basic items, such as the aforementioned toiletries.

It is imperative that your department’s COOP be a living and breathing document that goes beyond a simple backup of phone numbers to provide a map for how to operate.

As 2020 has showed us, we must be prepared for any obstacles. Again, in the fire service we think we are prepared for any incident that can come at us, but sometimes those incidents are bigger than us. This is where a thorough COOP can make the difference in continuing our services to our communities or missing an alarm due to unforeseen circumstances.

We typically feel confident in our response to emergencies in our communities. However, it is paramount we prepare ourselves, our departments, and even our own households for another 2020 by creating a living and breathing COOP. Just as we create a preplan with the assumption that we will one day reference it on the “big one,” we must also not think of our COOP as just another document to sit on a shelf.

The COOP can be a guiding light in the midst of a storm. As we move forward into a new year, we can all hope and pray 2021 does not bring about the same challenges, but the fact of the matter is, we will all face challenges of the unknown again one day. Is your department prepared to continue to provide emergency services when this occurs?

Daniel Shoffner is the battalion chief of EMS and public information officer for the Burlington (North Carolina) Fire Department, and has 25 years of experience in the fire service. He is also a volunteer with the Mt. Hope Community Fire Department in Guilford County. Shoffner has served with the Kimesville Community Fire-Rescue Department in Guilford County, worked for Guilford County EMS and volunteered with Emerald Isle EMS in Carteret County. He holds a Ph.D. in public policy, with research focusing on fire apparatus staffing, plus a master’s degree in public administration concentrated in emergency management. Shoffner is an adjunct faculty member in the Fire Science and Emergency Management Program at Purdue University Global as well as the Fire Protection Technology and Emergency Medical Services departments with Guilford Technical Community College.

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Business Continuity Planning

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

• Business Continuity Plan Situation Manual
• Business Continuity Plan Test Exercise Planner Instructions
• Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

Business Continuity Planning

Business Continuity Management Program Governance Charter 2021

• Artificial Intelligence
• Generative AI
• Business Operations
• Cloud Computing
• Data Center
• Data Management
• Emerging Technology
• Enterprise Applications
• IT Leadership
• Digital Transformation
• IT Strategy
• IT Management
• Diversity and Inclusion
• IT Operations
• Project Management
• Software Development
• Vendors and Providers
• Enterprise Buyer’s Guides
• United States
• Middle East
• España (Spain)
• Italia (Italy)
• Netherlands
• United Kingdom
• New Zealand
• Data Analytics & AI
• Newsletters
• Foundry Careers
• Terms of Service
• Privacy Policy
• Cookie Policy
• Copyright Notice
• Member Preferences
• About AdChoices
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

How to create an effective business continuity plan

A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, or cyberattack. here’s how to create a plan that gives your business the best chance of surviving such an event..

The tumultuous events of the past several years have impacted practically every business. And with the number of extreme weather events, cyberattacks, and geopolitical conflicts continuing to rise, business leaders are bracing for the possibility of increasingly more frequent impactful incidents their organizations will need to respond to.

According to PwC’s 2023 Global Crisis and Resilience Survey , 96% of 1,812 business leaders said their organizations had experienced disruption in the past two years and 76% said their most serious disruption had a medium to high impact on operations.

It’s little wonder then that 89% of executives list resilience as one of their most important strategic priorities.

Yet at the same time, only 70% of respondents said they were confident in their organization’s ability to respond to disruptions, with PwC noting that its research shows that too many organizations “are lacking the foundational elements of resilience they need to be successful.”

A solid business continuity plan is one of those foundational elements.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, head of compliance at Advance.AI and a member of the Emerging Trends Working Group at the professional governance association ISACA.

A business continuity plan gives the organization the best shot at successfully navigating a disaster by providing ready-made directions on who should do what tasks in what order to keep the business viable.

Without such as a plan, the organization will take longer than necessary to recover from an event or incident — or may never recover at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

A business continuity plan outlines the procedures and instructions that the organization must follow during such an event to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan , which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they often are considered together and abbreviated as BCDR.

Why business continuity planning matters

Whether you operate a small business or a large corporation, it’s vital to retain and increase your customer base. There’s no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.

Moreover, there are increasing consumer and regulatory expectations for both enterprise security and continuity today. Consequently, organizations must prioritize continuity planning to prevent not only business losses, but financial, legal, reputational, and regulatory consequences.

For example, the risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional services firm.

So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, or a week.

“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.

This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.

Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.

This is essentially a business impact analysis.

Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.

Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.

“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.

Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.

“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.

“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.

The importance of testing the business continuity plan

Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.

Renner says testing and practicing offer a few important benefits.

First, they show whether or how well a plan will work.

Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.

They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”

Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises , structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts also advise a full emergency evacuation drill at least once a year.

Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.

“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.

Otherwise, plans go stale and are of no use when needed.

Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

How to ensure business continuity plan support, awareness

One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.

Related content

4 essential lessons in ai governance, scaling gen ai right takes a certain kind of cio. are you one of them, broadcom pinnacle partners: guiding enterprises throughout their cloud journeys, balancing innovation with value, cost, and practicality: the cio's guide to future proofing technology investments, from our editors straight to your inbox, show me more, the essential ai checklist: future-proof your workforce in six simple steps.

10 ways AI can make IT more productive

Robots make a smash in Chipotle kitchens

CIO Leadership Live Middle East with Kenan Begovic, Group Director of Information Security, beIN Media Group

Pacific Coast Companies CIO Marty Menard on leveraging vendor partners

CIO Leadership Live UK with Elizabeth Akorita, Group Deputy Director, Digital Delivery, Department for Science and Innovation and Technology

Sponsored Links

• Everybody's ready for AI except your data. Unlock the power of AI with Informatica
• Everyone’s moving to the cloud. Are they realizing expected value?
• Visibility, monitoring, analytics. See Cisco SD-WAN in a live demo.
• The cloud shouldn’t be complicated. Unlock its potential with SAS.

• Skip to primary navigation
• Skip to main content
• Skip to footer

Shoreline Technology Solutions

Fire or Flooding Disaster Recovery & Business Continuity Planning

April 1, 2021 By Mark Kolean Leave a Comment

Fires or floods within an office or building can range from small incidents of short duration to the complete destruction of the facility.

Potential Impact

Even a relatively small fire/flooding incident can have a very disruptive impact on a business. For example, a small fire in an office on an upper floor can result in the complete flooding of computers and telephone systems in the offices below as the building’s sprinkler systems kick in and firefighters seek to extinguish the blaze.

Similarly, even a relatively limited amount of water leaking from a broken pipe or valve can put some or all of a business’s technology infrastructure out of commission.

A large fire, of course, can force a business to have to relocate all of its operations temporarily or permanently.

Risk Factors

There are approximately 100,000 commercial building fires in the U.S. per year, according to the National Fire Protection Association. Those at highest risk include manufacturing facilities, as well as offices located above or in proximity to restaurants because cooking is a primary cause of non-residential structure fires, just as it is in homes.

Warning Times

Water damage from failed plumbing, sprinkler systems, etc. can short-circuit electronic equipment with zero warning. However, building alarm systems typically give employees a few minutes to shut down critical systems and evacuate the premises.

Technology Continuity

As noted above, the severity and length of business disruptions caused by fires and flooding can vary considerably. To be prepared for extended or permanent facility damage, businesses should:

• Maintain continuous off-site backup of data, applications, and server images.
• Have arrangements in place for re-routing incoming calls to an alternative site and/or to employees’ mobile phones.
• Prepare an emergency posting for the company website that can be activated immediately and progressively as the consequences of the event unfold.

People Continuity

Because building fires and flooding only affect individual structures (or, at worst, just a few adjoining ones as well), businesses impacted have a lot of options for keeping people productive. Business Continuity plans should include:

• Arrangements in advance with a nearby shared/furnished office space provider, hotel, college, or other facility for an immediate/temporary operations command center.
• Next-day workspace provisioning in another company facility, emergency failover “cold site,” or at home personal desktops/laptops with appropriate call forwarding.
• Internal communications for keeping employees updated on resource availability, recovery status, etc.
• Any necessary third-party contracting for shipping/receiving, mail processing, duplicating, etc.

Process Continuity

Again, because building fires and flooding are highly localized, they typically only disrupt processes that touch a single company location. Business continuity plans therefore need to provide for alternative locations and means to perform actions such as:

• Answering phones
• Processing orders
• Issuing invoices
• Signing checks
• Filing reports required by regulatory mandates

Insurance Considerations

A properly insured business should have a policy that covers the expenses above, in addition to the physical damage directly caused by the fire or flood. Businesses may also seek policy provisions that address work done from home or other locations while the facility is under repair (and/or a new location is secured) as well as business losses that may occur despite best-effort BC planning and execution.

Learn more via Datto’s Natural Disaster Survival Guide .

Contact us today  to learn how our Disaster Recovery as a Service (DRaaS) can help protect your business.

President / Network Architect

Mark Kolean always had a fascination with technology from the time he was 3 and his gift of the Atari 2600 to current. In 1990 at the age of 14 Mark got his first job in customer support for a mail order business supporting Tandy TSR-80 computer software shipped on cassette tape. A few years later Mark was building hundreds of 286, 386, and 486 computers for the new emerging DOS & Windows 3.1 computers that had exploded on the market.

After a college career studying business and technology Mark Started Shoreline Computer Systems in 1999 at the height of the dot.com boom with the looming crisis of the year2k bug just around the corner. In the early 2000’s a lot of work was done with early network systems including Lantastic, Novell, and Windows NT Server. Mark became a community contributor to the Small Business Specialist community that revolved around Small Business Server 2000-2011 which focused on single or dual server environments for businesses up to 50 in size. Networks during this time frame mostly had a break fix relationship in which work was billed only when a problem occurred.

In the 2010’s Microsoft released their first cloud based software called Microsoft BPOS which would in later become known as Microsoft Office 365. This introduced a new model in technology with pay as you go subscription services. Starting in 2013 Mark’s team at Shoreline Computer System rebranded as Shoreline Technology Solutions to focus on the transition to become proactive and less reactive to data backup and security needs. Starting in 2018 all customers are required to have a backup management plan in place as a center point with the full understanding that if STS isn’t watching the customer’s data, then no one is.

Now in Mark’s 22 years of business he is building a company emphasis of how to help customers retire servers and build networks completely in the cloud.

Share this post:

Reader interactions, leave a reply cancel reply.

Your email address will not be published. Required fields are marked *

Client Testimonials

Our non-profit organization, Broadway Grand Rapids, has worked with Shoreline for years and as technology continues to evolve and change, they have been there to guide us. From advanced security implementation to our successful cloud migration project, they have proactively advised us and walked us through it all. It's not just the big projects that they excel at! STS has been our wholistic IT partner keeping us running on a day to day basis as well. Their fast and friendly team always answers and responds quickly to our needs no matter how big or small. No matter your size or experience level, they are the ideal IT partner, and I can't recommend them enough.

We appreciate the fast, friendly and proactive services provided while working both in the office and while working remotely.

I have worked with STS for many years. I can strongly recommend their team for your IT needs. Service is top notch, especially when a problem develops. When doing projects for us, we discuss before starting, they openly communicate with us during to keep us informed and finish the project quickly as possible. Each year, we review where we are currently at, the age of our equipment, projected needs for the next year, technology advances and security upgrades needed to protect our company.

Mark and his team have taken care of all my IT needs.....knowledgable, professional and a pleasure to work with.

They are there when we call. That means a lot to up

STS has been managing our companies' equipment and network for a few years now. We couldn't be happier with their service. Fast and timely responses, efficient problem solving via remote access, and seamless transitions with little to no downtime during upgrades or additions to the network. Definitely give STS a chance if you're in the market for an IT company to help manage all your computer and network needs!

We have only been using Shoreline for a few months now, we switched over to them from another local tech company. The difference in company's is not comparable. If we put a ticket into shoreline they respond within 24 hours, it is usually the same day. Shoreline has amazing customer support; they remote into our computers and are very quick to solve our issues. If for some reason they cannot solve it just by remoting in we had Terri stop in within an hour to help us. We are very grateful for Shoreline, and we are very thankful for your team!

Mark and his team have done an excellent job with my business tech assistance and security. I highly recommend them.

Easy to work with and no down time on systems updates, etc.!

Shoreline Technology Solutions is very helpful for our IT needs. They provide excellent customer service and are always readily available to answer our questions and solve our tech issues.

Mark and his team are excellent at what they do. They helped us with a large server upgrade and the transition was very easy on my staff with very little work interruption. I highly recommend Shoreline Technology Solutions.

We are a small office in Holland and have been using Shoreline for over 5 years. We have found them to offer proactive service and IT suggestions. The service is consistently fast and friendly. Because of solutions implemented by Shoreline we've had reliable remote access which has allowed us to be more flexible in our work. The hardware Shoreline installed has been quality and long-lasting. It is clear in all they do that Shoreline takes IT security seriously and we feel well protected by the systems they've put in place. Overall, we have been very pleased with the great relationship we've built with Shoreline and consider them a true partner in functioning at our best.

Shoreline Technology Solutions has been our IT specialists since 2016 and they took us from a very antiquated system to something that works for our busy lives at Harbor Humane Society. We have over 5 years of great support with Shoreline. They are extremely fast and typically address our concerns within the same day. They offer proactive services and suggestions. They are helping us with our long term IT security goals as well as continuing to maintain and update our equipment and systems as needed. We highly recommend Shoreline Technology Solutions to meet your business needs!

Shoreline Technology had been with us for 7 plus years. They have done a great job of moving us to a reliable system environment, moving us to new platforms, responding to our urgent requests and providing us with counsel on system development. They manage all of our devices, wireless and system server, and all of our user devices. They always respond to our needs quickly and we value having them as a trusted valued added partner. With lots of sensitive and confidential information on our servers, its great to know we have a partner who is looking out for our best interests and the interests of the church. We would not want to be with any other IT provider. We were and it was not a pleasant relationship. I would recommend to any company looking to have a value added partners, look no further Shoreline Technology is the answer.

Mark and his team at Shoreline have been fantastic to work with as Shoreline helped us unbundle and reconfigure our network this past year! They worked around our schedule to minimize downtime and quickly responded when we had questions. Highly recommend

Basic IT break-fix issues are unpredictable and sometimes maddening - especially if they're left to accumulate over time. A dependable and competent resource for IT is very important for us and has been surprisingly hard to find, but that’s exactly what we have now after signing up with Shoreline. They're responsive, professional and efficient (and nice to be around!). Our productivity has increased and downtime has virtually disappeared.

I'm an IT professional that supports a large company (23 locations) by myself. There are times, especially when it comes to Server work, that I need someone that I can call for assistance. I have worked with Shoreline for about 6 years now and they are GREAT! Very professional, quick to respond and very reasonably priced. Because I work in the industry, I have dealt with many companies like Shoreline and I can honestly say that they are a pleasure to work with. If you are looking for someone to support your technology, look no further because these guys are the best!

Mark and his team at Shoreline Tech have supported our company for over 8 years. They are very responsive to any calls for support and can always find a solution to our communication issues. They continue to support our older server and have already laid plans for the upgrade due in 2023. As our machines age and technology advances, communication becomes more difficult between our workstations and the machine controls. They remotely repair our system when necessary so that we can maintain our production schedule. I highly recommend the team at Shoreline and have no desire to search for another IT service. Their service and knowledge are top notch.

We hired Shoreline Technology Solutions (STS) in January 2021 to be our managed IT provider and migrate our current IT environment onto a brand new, cloud-based system utilizing Microsoft 365. Our situation was challenging and unique, but Mark and his team didn’t hesitate to take on the challenge. During the planning stages, STS was very proactive in making recommendations for items we never considered. They helped us plan and think through all stages of the migration process. We couldn’t have asked for a more seamless and easy transition. Downtime was minimal and any end-user issues were met with friendly, efficient service. Now that we’re through the migration, our organization is happily working under the new system with great efficiency. We look forward to a long-standing relationship with STS as our IT service provider.

So grateful for the STS help at a crazy time right before the election. The internet outage at the office meant that I couldn’t issue ballots to people who were stopping in all day long to vote early. Kyle not only helped me set up my computer to work off my phone’s hotspot, but he came back later to network the new laptops together for the election day festivities—something that I just didn’t have time for.

We have very much enjoyed our relationship with STS. Their people know the IT industry and develop IT solution that meet our need. We find their pricing to be very competitive, great value. Their staff is friendly and knowledgeable. They are responsive to our needs. Appreciate remote access during these COVID times. I highly recommend STS you won't be disappointed.

Appenx Inc. started using Shoreline Technology about a year ago. We had a patchwork of old computer systems in place (with many failures) prior to their involvement and were in the beginning stages of implementing a new all encompassing business system. We needed help with a new server and workstations that were more dependable, setting up more modern email, working with our legacy business system provider and backups to ensure our data is secure. We interviewed many local IT companies that all had positive attributes but felt Mark and his team had the expertise, honest feedback and reasonable pricing to fit our needs. The Shoreline team has done a great job with our goals above and helping us keep some of our older systems going (which has really helped spread out some of the costs), implementing new systems and communicating with our other IT related vendors to keep things running smoothly and let us focus on our business rather than our computers. I would highly recommend Shoreline Tech!

Ok Tire has been using Shoreline for over 15 years. We recommend them to anyone looking for an IT service that responds promptly when you contact them and their Equipment is high quality at a good value. Our server they built just keeps on going...Mark meets with us on a regular basis to go over what our plans are so they can stay on top of our IT needs. They are a great bunch of guys!

I can't say enough good things about Shoreline Technology Solutions. They have been great to work with and are always responsive to our requests. They were life saving when we had to move all of our employees from working in the office to working remotely. They had us up and running within a day. They also helped us purchase new wireless hardware, new computers and upgrade our computer software. We are glad to have them as our IT professionals!

Guard Your Business Against Ransomware!

Shoreline Technology Solutions 828 Lincoln Ave. Holland, MI 49423 Phone: (616) 394-1303

• Services Overview
• Managed Services
• Co-Managed Services
• Hardware Services
• Cloud-Based Solutions
• Free Network Security Assessment
• Disaster Recovery as a Service

For Clients & Prospects

• Testimonials
• Client Knowledge Center
• Submit Ticket
• Remote Assistance
• Payment Portal

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

• Terms of Service
• Editorial Policy
• Privacy Policy

• Sign up for free
• SafetyCulture
• Business Continuity Plan

Writing an Effective Business Continuity Plan

Power through business disruptions and ascertain operational stability with a practical and effective Business Continuity Plan (BCP).

What is a Business Continuity Plan?

A business continuity plan is a practical guide developed by companies to enable continuous operations in the event of major business disruptions like natural disasters and global lockdowns. Business continuity planning usually involves analyzing the impact of disrupted business processes and determining recovery strategies with management. Business continuity plans should be properly documented and tested through exercises for optimal effectiveness.

The goal of a business continuity plan is to strengthen the defense of businesses against various potential disruptions. It also aims to maintain critical business functions during unforeseen disasters.

Business continuity has increasingly become a top priority for organizations around the world. A BCP is important because it helps companies maintain essential functions amid or after emergencies, protecting their reputation and minimizing financial losses. Moreover, it helps employers stay on top of disruptive incidents and empower workers to complete job tasks confidently.

What are the 7 Elements of a Business Continuity Plan?

Business continuity planning enables businesses, small or large, to ensure resilient operations. For an effective plan, the following elements should be included:

• BCP Team – Amid a disaster or emergency, having a team or point person to go to will be essential. The BCP team will be responsible for planning and testing business continuity strategies. The background of each member of the BCP team can vary from organization managers or supervisors to specialists.
• Business Impact Analysis (BIA) – A BIA identifies, quantifies, and qualifies the impact of a loss, interruption, or disruption. Having a BIA will be essential in discovering risks that your business is exposed to and the potential disruptions that may occur.
• Risk Mitigation – This element pertains to the strategies against the risks that were discovered during the BIA. Risk mitigation strategies may include putting up security and safety systems in the workplace, conducting preventive maintenance of vehicles , machines, equipment, or any asset vital to operations, and training employees , among others.
• Business Continuity Strategies – A good BCP should establish strategies or alternate practices to keep the business running despite disruptions or disasters.
• Business Continuity Plan – The business continuity plan is a combination of findings from the performed BIA and the recovery strategies established by the organization. A BCP typically includes 4 key components: scope and objectives, operations at risk, recovery strategy, and roles and responsibilities.
• Training – All relevant personnel associated with the business continuity, disaster recovery, and incident response process should be trained according to the BCP plan that’s established and agreed upon.
• Testing – In this phase, strategies and plans are rehearsed or exercised to demonstrate their effectiveness. Testing the plan before rolling it out will enable the BCP team to discover potential flaws and fix them before they lead to damage or injury. It’s recommended to review and test the plan periodically to ensure that all protocols and strategies are up-to-date.

Achieve operational excellence

Cultivate a culture of excellence with our digital solutions that enhance efficiency, agility, and continuous improvement across all operations.

How to Write a BCP

Creating a business continuity plan seems to be a daunting task at first, especially for managers of operations, information technology, and human resources as they are often designated with this duty. As recommended by the International Labour Organization (ILO), listed below are general steps in developing a business continuity plan for small to medium-sized enterprises (SMEs):

• Step 1: Determine the risk profile through a self-assessment using the 4Ps framework—People, Processes, Profits, and Partnerships.
• Step 2: Identify key products, services, or functions.
• Step 3: Establish the business continuity plan objectives.
• Step 4: Evaluate the potential impact of disruptions to the business and its workers.
• Step 5: List actions to protect the business.
• Step 6: Organize contact lists.
• Step 7: Maintain, review, and continuously update the BCP.

Create your own Business Continuity Plan checklist

Build from scratch or choose from our collection of free, ready-to-download, and customizable templates.

Business Continuity Plan | View Sample PDF

When planning for business continuity, it helps to break down its elements into quickly-understood segments. Keeping the plan user-focused can also help ensure usability and promote transferability. The following is a brief business continuity plan example:

Scope and Objectives: 

This BCP is to ensure the continuity of IT services and customer lines in the event of an unforeseen and prolonged power shutdown. Power disruption could be caused by emergency weather conditions or a building fire. Functional areas that are prioritized for recovery in this BCP include the customer support desk and finance team.

Operations at Risk:

Operation: Customer Support Operation Description: Customer support team looking after 24-hour global operations of live chat and customer calls for US, EMEA and APAC regions Business Impact: Critical Impact description: 100% of live chats go through the customer support team in Manila. 20% of live calls are routed to Manila office. A disruption would mean no more live chat support and customers experiencing significant wait times on calls Project timeline and team schedules

Recovery Strategy:

IT personnel and BCP committees should operate alternate backup programs and servers to help save customer requests after power outage. Customer support should be able to receive the requests and respond to customers within 30 minutes. IT Director should operate alternate server rooms in Area B if the power outage last more than an hour to prevent huge revenue loss.

Roles and Responsibilities:

Representative: Jon Sims Role: Head of Operations Contact Details: [email protected] Description of Responsibilities: 1. Must ensure BCPs are updated and must coordinate with team leaders regarding changes 2. Helps notify key stakeholders in EMEA region of threats in Customer Support programs and tools

Create and Implement Effective BCPs with SafetyCulture

Why use safetyculture.

Even when disruptions can force businesses to shut down, yours doesn’t have to. Aim for operational stability by developing and implementing a business continuity plan with the help of a simple tool like SafetyCulture. SafetyCulture is a digital platform that empowers people to work safely and efficiently through mobile checklists, actions, and reporting.

Optimize your organization’s operations and workflow with SafetyCulture. Our digital platform enables you to:

• Simplify processes by automating manual and repetitive tasks
• Maintain safety, quality, and compliance standards with digital BCP checklists
• Create powerful workflows by integrating your existing systems and software
• Gain greater visibility and transparency with real-time reporting

Take advantage of our comprehensive features to transform your organization’s capabilities towards operations excellence.

FAQs About Business Continuity Plans

What’s the difference between business continuity plan vs. disaster recovery plan.

The main difference between a business continuity plan and a disaster recovery plan is that the former encompasses the latter—that is, business continuity planning includes disaster recovery planning. ISO 22301:2019 is the international standard for Business Continuity Management (BCM) systems , and it outlines how specific plans for disaster recovery, incident preparedness, and emergency response may be needed rather than just one large plan for business continuity.

How often should business continuity plans be tested?

A business continuity plan should be tested at least every 6 months to verify the BCP’s effectiveness. Frequent testing can also allow the discovery of gaps and potential issues. This will help the organization update protocols and strategies accordingly.

What role does technology play in a BCP?

Technology helps ensure a BCP’s critical data is backed up and can be quickly restored, maintaining reliable communication platforms for ongoing contact during disruptions, and enabling remote work capabilities to keep operations running smoothly. Automated monitoring tools help detect and respond to threats in real-time, enhancing overall resilience. Additionally, cloud services provide accessibility to applications and data from any location, ensuring business continuity.

What are some common mistakes to avoid when creating a BCP?

Common mistakes to avoid when creating a BCP include neglecting to involve all relevant departments and stakeholders, failing to regularly update and test the plan, and not considering a wide range of potential risks. Additionally, overlooking the importance of clear communication and training for employees can lead to confusion and inefficiency during a disruption. Ensuring comprehensive coverage, regular maintenance, and thorough training can help avoid these pitfalls.

Jona Tarlengco

Related articles

• Product Launch

Discover the strategies for product launch flawlessly and some best practices to overcome the most common challenges.

• Find out more

• Impact Effort Matrix

Learn how to use this visual tool to boost productivity by focusing on high-impact, low-effort activities.

• Demand Management Strategy

Learn why you must create a demand management strategy for your organization and how it can help you achieve better business results.

Related pages

• Workforce Optimization Software
• Care Management Software
• Visitor Management Software
• Digital Process Automation Software
• Process Control Software
• Digital Procurement Transformation
• Innovation Management
• Change Impact Assessment Template
• Environmental Aspects and Impacts Register
• 5 Whys Template
• Agile Transformation Checklist
• CSR Audit Checklist

• Skip to main content
• Skip to main navigation

Office of Emergency Management

• Contacts & Staff
• Campus Public Safety Resources
• News & Events
• AED Program 
• Emergency Procedures
• Training Resources
• See/Say/Do Something
• Continuity Education & Awareness
• UC Ready Login
• UC Ready Instructions
• Pandemic Continuity Planning
• Fire Prevention
• Campus Notification System
• Everbridge Mobile Application
• Other Alert Services
• Social Media Pages

Home / Business Continuity / Dept Continuity Planning

Department Business Continuity Planning

Purpose of business continuity planning.

A Business Continuity Plan provides an effective framework for risk mitigation and disaster recovery.  Within this framework, a department plan will identify the resources and strategies necessary for responding to and recovering from all plausible hazards. Your plan will identify which essential functions must be protected and the processes for preserving those operations. 

Role of the Department Business Continuity Coordinator

The Business Continuity Coordinator (BCC) provides data, analysis and strategy to complete a comprehensive business continuity plan.  This includes examination and identification of: risks, emergency preparedness protocols, mitigation, essential functions, resumption protocols, resource procurement and assignment, vital records redundancy and protection, equipment, and recovery projections. It is likely that a BCC will lead an ad-hoc committee within their division to accomplish these tasks.

A BCC should possess a broad knowledge of the operations and individuals within the department. They will have access and authority to collect information necessary to build a comprehensive continuity plan. 

First Steps 

• Delegate a primary and secondary Business Continuity Coordinator (BCC).
• Request access to UC Ready.
• Register for UC Ready Level I training via the UC Learning Center.  To find a course, go to the Learning Center and enter the name of the class in the query field.
• After BCC training, receive the UC Ready User Manual and Resumption Annex and begin making entries.
• Consider forming a Business Continuity ad-hoc committee to discuss recovery strategies, resources, and assignments. Facilitate collaborative continuity planning.
• Share your draft plan with the campus Business Continuity Planner.

Continued Processes

• Promulgate the plan to employees annually.
• When onboarding new employees, share the department's continuity plan.
• Train employees and exercise your plan. The Office of Emergency Services can assist with table-top exercises or drills. 

Login to UC Ready

Once you are ready to login to the UCReady Continuity Planning Tool, please follow these steps:

• Open the  UCReady URL at https://ucready-fusion.cloudforce.com/   
• Use the drop down menu to select University of California, Santa Cruz.
• Enter your Gold Cruz ID and password. 
• Select the Plans tab to locate and open your plan.
• See the UC Ready User Manual for further instructions.  

Begin entries into UC Ready and the Resumption Annex. Do not agonize over cells or tabs that seem confusing to you. Make note of these fields and contact the campus Business Continuity Planner for assistance.

Good luck and happy planning!

• Business Continuity Home
• UC Ready Enhancement FAQ
• Continuity Planning

For campus emergencies, dial 9-1-1 from any landline or cell phone.

Do not call or e-mail OEM directly to report a hazardous situation.

To contact the Santa Cruz Fire Department at Station #4 directly or to schedule a station tour, please call (831) 420-5678 

• Click here for Mass Notification information or to make updates.
• Report an accessibility barrier
• Land Acknowledgment
• Accreditation

Last modified: February 16, 2023 195.190.12.77

• Artificial Intelligence
• Generative AI
• Business Operations
• IT Leadership
• Application Security
• Business Continuity
• Cloud Security
• Critical Infrastructure
• Identity and Access Management
• Network Security
• Physical Security
• Risk Management
• Security Infrastructure
• Vulnerabilities
• Software Development
• Enterprise Buyer’s Guides
• United States
• United Kingdom
• Newsletters
• Foundry Careers
• Terms of Service
• Privacy Policy
• Cookie Policy
• Member Preferences
• About AdChoices
• E-commerce Links
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

Business continuity and disaster recovery planning: The basics

Good business continuity plans will keep your company up and running through interruptions of any kind: power failures, it system crashes, natural disasters, pandemics and more..

Editor’s note: This article, originally published on March 27, 2014, has been updated to more accurately reflect recent trends.

Wildfires in California. A snowstorm in Texas.  Windstorms across the Midwest. Floods in Hawaii. Hurricanes in Florida and Louisiana. Russian hackers and ransomware attacks. And let’s not forget the global pandemic.

If anyone still thinks that having a disaster recovery and business continuity plan isn’t a high priority, you haven’t been paying attention to recent events. As we begin to emerge from the COVID-19 pandemic, organizations are shifting to a new normal that will certainly be more remote, more digital and more cloud-based. Disaster recovery plans will have to evolve to keep up with these changing business conditions.

On top of that, business requirements for disaster recovery have changed dramatically. There was a time when it was acceptable for recovery time to be measured in days or hours. Now it’s minutes. In some cases, business units are demanding zero down time in the event of an unplanned outage.

Here are the basics of a state-of-the-art disaster recovery/business continuity (DR/BC) plan for 2021 and beyond. (Without getting too hung up on definitions, let’s say that disaster recovery is getting the IT infrastructure back up and running, while business continuity is a broader discipline that gets the business back up and functioning once the lights are back on.) 

Integrate cybersecurity, intrusion detection/response, disaster recovery into a comprehensive data protection plan

For CISOs, the first goal of a disaster recovery plan is to avoid the disaster in the first place, which is becoming increasingly challenging. First, data is no longer safely tucked away in an on-premises data center. It’s distributed across on-premises environments, hyperscale clouds, the edge and SaaS applications. ESG Research Senior Analyst Christophe Bertrand points out that SaaS presents a serious data protection and recovery challenge because “now you have mission critical applications running as a service that you have no control over.”

Second, the pandemic drove millions of employees out of the secure confines of the corporate office to their home offices, where the Wi-Fi is less secure and where employees might be sharing sensitive data on collaboration applications.

Third, hackers took notice of these expanding attack vectors and launched a barrage of new and more targeted ransomware attacks. According to the Sophos State of Ransomware 2020 Report, hackers have moved from spray-and-pray desktop attacks to server-based attacks. “These are highly targeted, sophisticated attacks that take more effort to deploy. However, they are typically far more deadly due to the higher value of assets encrypted and can cripple organizations with multi-million dollar ransom requests,” according to the report .

In response to these changing conditions, CISOs should focus on beefing up endpoint security for remote workers, deploying VPNs and encryption, protecting data at rest no matter where it lives, and also making sure that collaboration tools don’t become a source of security vulnerabilities.

Conduct a business impact analysis (BIA)

Organizations need to conduct a thorough business impact analysis to identify and evaluate potential effects of disasters through the lenses of financial fallout, regulatory compliance, legal liability, and employee safety. Gartner estimates that 70% of organizations are making disaster recovery decisions without any business-aligned data points or based on an outdated BIA. “Without the fact base the BIA provides, teams can only guess at the appropriate level of DR and what risks are tolerable. This results in overspend or unmet expectations,” according to Gartner.

Remember, you don’t need to protect everything. Organizations that conduct these exercises are often surprised to discover servers that do nothing but run a routine back-end business process once a month, or even once a year.

Organizations need to prioritize applications by their criticality to the business, and to identify all the dependencies associated with a business process, particularly applications that may have been virtualized across multiple physical servers, might be running in containers in the cloud, or in serverless cloud environments.

Classify data

Along the same lines, you don’t need to protect all data, just the data that you need to keep the business running. You do need to go through the process of locating, identifying, and classifying data. Be sure to protect data that falls under regulatory requirements, customer data, patient data, credit card data, intellectual property, private communications, etc. The good news is that tools can automate data identification and classification.

Consider disaster recovery as a service (DRaaS)

DRaaS is an increasingly popular option for CISOs at small- to mid-sized organizations who want to cost-effectively improve IT resilience, meet compliance or regulatory requirements, and address resource deficiencies. The DRaaS market is expected to grow at a rate of 12% a year over the next five years, according to Mordor Intelligence . DRaaS services cover the full gamut of disaster recovery and business continuity, providing flexibility and agility to enterprises, according to the Mordor report.

Gartner adds that as the DRaaS market has matured and vendor offerings have become more industrialized, the size and scope of DRaaS implementations have increased significantly, compared with a few years ago.

Develop a solid communication plan

Simply getting servers back up and running is essentially meaningless unless everyone knows their roles and responsibilities. Do people have the appropriate cell phone numbers and email addresses to share information? Do the relevant stakeholders have a playbook that spells out how to respond to a crisis in terms of contacting law enforcement, outside legal teams, utility companies, key technology and supply chain partners, senior leadership, the broader employee base, external PR teams, etc.?

Depending on the nature of the disaster, networking groups might need to establish new lines of connectivity for remote workers and reconfigure traffic flows; maintenance teams might need to perform remote troubleshooting, security teams might need to re-set firewalls, change access policies, extend security protection to new devices or to cloud-based resources. The biggest problem in a disaster isn’t related to data backups, it’s not having the right people in place and understanding all the steps required for the business to recover, says Bertrand.

Automate testing

To test disaster preparedness, companies traditionally conduct tabletop exercises in which key players physically come together to play out DR scenarios. However, only one-third of organizations perceive the exercises as “highly effective,”  according to a July study  by Osterman Research in association with Immersive Labs, a company that develops human-readiness skills in cybersecurity. The research also found that organizations don’t perform tabletop exercises often enough to keep up with evolving threats and that these exercises cost an average of $30,000. During the pandemic, it’s fair to assume that tabletop exercises fell by the wayside.

Doug Matthews, vice-president of enterprise data protection at Veritas, says there’s a better way. New tools can automatically test backup and recovery procedures on an ongoing basis and identify potential issues that need to be addressed. Modern testing solutions are also able to use sandboxing technology to create safe environments in which companies can test the recoverability of applications without impacting production networks.

Create immutable data backups

Ransomware attackers are targeting backup repositories, particularly in the cloud. They are also targeting SaaS applications. In response, organizations should keep one copy of data that can’t be altered. “Be sure that you have an immutable copy of backup data that nobody can touch,” advises Matthews, who says companies should have three copies of data at all times, not just two.

Companies should also investigate isolated recovery environments, such as air gapping, in which one copy of the data lives in an environment not connected to the production environment.

Consider data re-use

“Business is the data and data is the business,” says Bertrand. Once organizations have a copy of their important data sitting in a safe backup environment, why not think about ways to reuse it to advance the company’s digital transformation efforts.

The idea is for organizations to “understand what you have, where it is, how to protect it, store it and optimize it.”  Ultimately, Bertrand predicts that organizations will evolve an intelligent data strategy that encompasses regulatory compliance, disaster recovery/business continuity and data analytics.

Perform continuous updates

CISOs updating their DR/BC plans should take their cue from DevOps. It’s not about one-and-done, it’s about continuous improvement. DR planners need to be plugged into any changes at the company that might affect recoverability, including employees working from home permanently, stores or remote offices opening or closing, applications being replaced by SaaS, data moving to the edge, or DevOps moving to the cloud. Also, the technology is constantly improving, so be on the lookout for new tools that can help automate DR/BC processes. The plan should not be sitting on the shelf collecting dust. It should be updated on a regular basis.

Do long-term planning

In light of everything that has happened over the past 12 months, it’s a good time to shift thinking about DR/BC from reactive to proactive. Unfortunately, between public health emergencies, climate change and the increase in cyberattacks, disasters seem to be occurring more often and are certainly more devastating. DR/BC plans need to get ahead of the threats, not simply respond to them.

For example, if your company is in California, your DR/BC plan has to assume that there will be power outages from next season’s wildfires. Companies concerned about losing power when the next natural disaster hits might want to think about generating their own power from alternative sources.

A successful DR/BC plan requires that companies perform the basics, but it is also an opportunity for companies to find creative and innovative ways to keep the business running when disaster hits.

Related content

Download the uem vendor comparison chart, 2024 edition, passkeys aren’t attack-proof, not until properly implemented, how cisos can protect their personal liability, cisco patches actively exploited zero-day flaw in nexus switches, from our editors straight to your inbox.

Neal Weinberg is a freelance technology writer and editor. He can be reached at [email protected] .

More from this author

10 most powerful cybersecurity companies today, download our cloud access security broker (casb) enterprise buyer’s guide, casb buyer’s guide: what to know about cloud access security brokers before you buy, download the hybrid cloud data protection enterprise buyer’s guide, download the sase and sse enterprise buyer’s guide, best and worst data breach responses highlight the do’s and don’ts of ir, pci dss 4.0 is coming: how to prepare for the looming changes to credit card payment rules, aws, google cloud, and azure: how their security features compare, most popular authors.

Show me more

Us supreme court ruling will likely cause cyber regulation chaos.

CocoaPods flaws left iOS, macOS apps open to supply-chain attack

AI agents can find and exploit known vulnerabilities, study shows

CSO Executive Sessions: Data protection in Malaysia

CSO Executive Session India with Mrinal Kanti Roy, CISO, Cairn Oil and Gas

CSO Executive Sessions India with Hilal Lone, CISO, Razorpay

CSO Executive Session India with Hilal Lone, CISO, Razorpay

Sponsored Links

• Visibility, monitoring, analytics. See Cisco SD-WAN in a live demo.
• Tomorrow’s cybersecurity success starts with next-level innovation today. Join the discussion now to sharpen your focus on risk and resilience.

Fire Hydrants & Business Continuity Plans: How Testing Can Put Out Potential Fires

The importance of testing your business continuity and disaster recovery (BCDR) plan has never been a dry subject for us at Agility. With a  wildfire reason around the corner , we wanted to learn a little bit more about the value fire departments find in testing their hydrants, as well as how we can learn from their examples. Here are several similarities we found between testing fire hydrants and BCDR plans.

The  National Fire Protection Association (NFPA)  sets a standard for the minimum water flow that hydrants must meet. Testing hydrants ahead of time not only ensures the codes are satisfied but also maintains quality. If hydrants aren’t regularly maintained, they can rust, causing parts to snap off.

If your business is subject to industry regulations like fire hydrants are, it’s important to test your BCDR plan regularly to ensure you’re meeting the compliance requirements . Otherwise, you expose yourself to potential regulatory violations, such as excessive downtime or rusty procedures, endangering you to security breaches.

Maintenance

Facilitating your business growth requires you to revise, modernize, and develop your current and future products and services, as well as the tools you use to deliver them.

Hydrants are a part of a huge underground network that provides water access to an entire community. Sometimes valves have to be temporarily closed to allow for maintenance, but due to the complexities of this network, water flow can be reduced without ever being fully cut off from users. Unfortunately, after the work is completed, these closed valves are sometimes forgotten about and not reopened. While this omission doesn’t affect the community on a day-to-day basis, the reduced water flow wouldn’t be sufficient to put out a fire when needed for an emergency.

Similar to hydrants, your BCDR plan needs to be updated and maintained to coincide with the progress of your company. Facilitating your business growth requires you to revise, modernize, and develop your current and future products and services, as well as the tools you use to deliver them. However, if you don’t consistently update and test your BCDR plan to ensure that it keeps up with the innovation of your business, your plan won’t offer the full flow of information you need to calm the fire, so to speak, when it comes.

Avoiding Neglect

One of the dangerous consequences of not regularly testing hydrants is that they become hidden, either by overgrown plants or by decorations placed by residents who find the sight of hydrants unpleasant. Unfortunately, when a crisis occurs, these obstructions can make it almost impossible for firefighters to find hydrants and carry out their jobs.

Just as residents don’t want to look at fire hydrants, many companies don’t like to dwell on BC/DR planning because it’s not always pleasant to think about. Instead, they focus on revenue, shareholders, or customer growth. A common issue that we’ve seen over the years is businesses that have a plan but don’t make it a priority to regularly test. This leaves the BC/DR plan to get buried under more gratifying things, such as profits.

We recommend taking the time to fully test your BC/DR plan at least once a year to help you work out any kinks before a disaster actually strikes. How often do you test your BC/DR plan?

Subscribe to Our Newsletter

Get the latest business continuity news and insights

Start planning.

For more guidance on how to manage your Business Continuity Plan, download our checklist.

Latest Articles

The Ultimate Guide to Business Continuity Testing

Business Impact Analysis (BIA) Checklist

Severe Summer Weather Business Threats

Get the Latest Business Continuity Insights

By clicking the "Subscribe" button you agree to the  Terms of Use  and  Privacy Policy

Tabletop Exercise: Fire Scenario for Building Management Team

by Rob Burton | Apr 25, 2023

Tabletop exercises are an essential part of emergency preparedness and business continuity planning for building management teams.

These exercises help to identify potential gaps in response plans, improve communication, and assess overall readiness for various emergency scenarios. This blog will focus on a fire scenario, its potential impacts on business continuity and life safety, and the steps to take for an effective response. 

Scenario: Fire in the Building 

Imagine a fire breaking out in the office building you manage. The fire alarm system activates, and occupants are alerted to potential danger. The fire starts on the 7th floor in a janitorial closet and quickly spreads to surrounding offices. Thick smoke and heat fill the area, hindering visibility and making evacuation difficult. The fire department is dispatched and en-route, but response time is 15 minutes due to traffic and distance. 

Related: Fire Drills – an Interview with Jack Murphy

Life Safety Impact 

The most significant concern during a fire event is life safety. Ensuring the well-being of building occupants is crucial. A fire can cause injury or loss of life, making it vital to have an effective evacuation plan in place. Additionally, understanding the potential dangers associated with fires, such as smoke inhalation, burns, and structural collapse, is essential for preparedness and response efforts.  

Business Continuity Impact 

A fire in a building can severely impact business continuity, causing both immediate and long-term effects. Immediate impacts include the evacuation of the building, suspension of operations, and potential damage to critical infrastructure, equipment, and other critical assets. Long-term effects may include the need to find alternative workspaces, repair or replace damaged assets, and address potential reputation damage with clients, employees, and stakeholders. 

Tabletop Exercise : Fire Response and Recovery 

Step 1: initial response .

Gather your building management team and begin the exercise by discussing the initial response to the fire. Consider the following questions: 

• How will your team communicate the emergency situation to building occupants? 
• What is the evacuation plan for the building, and how will it be executed? 
• How will you account for all occupants during and after the evacuation? 
• What is the role of floor wardens and safety officers in assisting the evacuation process? 
• How will you coordinate with first responders, such as the fire department and emergency medical services? 

Step 2: Life Safety Planning 

Discuss the life safety aspects of the scenario and identify strategies to ensure the well-being of building occupants. Consider the following questions: 

• How will you manage potential injuries or casualties during the event? 
• What training and resources do your team and building occupants have to address fire-related emergencies? 
• How will you ensure that occupants with disabilities or mobility challenges can evacuate safely? 
• How will you monitor and control potential hazards, such as smoke, heat, and structural damage during and after the event? 

Step 3: Business Continuity Planning 

Discuss the potential business continuity impacts and identify strategies to minimize disruption to building operations. Address the following questions: 

• What is your plan for relocating employees and building occupants to alternative workspaces during and after the event? 
• How will you ensure that essential business functions continue during the recovery process? 
• What is your plan for addressing potential damage to critical infrastructure, equipment, and documents? 
• How will you communicate with clients, employees, and stakeholders about the event and the steps taken to address it? 

Step 4: Recovery and Lessons Learned 

Finally, discuss the recovery process and identify lessons learned from the exercise. Address the following questions: 

• How will you evaluate the effectiveness of your response plan and identify areas for improvement? 
• What resources will be needed to repair or replace damaged assets? 
• How will you address potential reputation damage and rebuild stakeholder trust? 
• What additional training or resources might be needed to better prepare for future fire-related emergencies? 
• How will you develop and maintain relationships with external partners, such as first responders, insurance providers, and local government agencies, to ensure a coordinated and efficient recovery process? 

Step 5: Implementing Changes and Improvements 

Based on the lessons learned and identified gaps in your EAP / response plans, discuss the changes and improvements that should be made. Consider the following questions: 

• What modifications should be made to the building’s evacuation plan to improve its effectiveness and efficiency? 
• How can you enhance communication and coordination with first responders and other stakeholders during an emergency? 
• What additional training or resources should be provided to your team, floor wardens, safety officers, and building occupants to better prepare for fire-related emergencies? 
• Are there any modifications that can be made to the building’s design, systems, or equipment to minimize the risk of fire and improve life safety? 
• How can you improve your business continuity plan to minimize disruptions and expedite the recovery process after a fire event? 

Conclusion 

This tabletop exercise is designed to help your building management team proactively prepare for a fire scenario and its potential impacts on business continuity and life safety. By actively discussing response plans, identifying gaps, and implementing improvements, your team can enhance its preparedness and reduce the potential consequences of a fire event. Regularly conducting tabletop exercises and updating your response plans will ensure that your team remains well-equipped to handle emergencies and protect the well-being of your building occupants. 

Rob is a Principal at PreparedEx where he manages a team of crisis preparedness professionals and has over 20 years of experience preparing for and responding to crises. Part of his leadership role includes assisting PreparedEx clients in designing, implementing and evaluating crisis, emergency, security and business continuity management programs. During his career Rob has worked for the US State Department’s Anti-Terrorism Assistance Program, as a crisis management consultant in Pakistan and Afghanistan where he negotiated with the UN and Pashtun tribal warlords and he served with the United Kingdom Special Forces where he operated internationally under hazardous covert and confidential conditions. Rob was also part of a disciplined and prestigious unit The Grenadier Guards where he served Her Majesty Queen Elizabeth II at the Royal Palaces in London. Rob was a highly trained and experienced infantryman serving in Desert Storm and commanded covert operational teams and was a sniper. Rob has keynoted disaster recovery conferences and participated in live debates on FOX News regarding complex security requirements and terrorism. Rob has a Queen’s Commendation for Bravery.

Related posts:

• PreparedEx Podcast Episode 13 – Crisis Simulation Exercise Criteria
• An Interview with Crisis Management Expert Aaron Duncan
• Crisis Preparedness Interview with Joe McEnness
• Confined Space Protection: Safeguarding Today’s Stadiums, Venues and Arenas 2017 & Beyond

Submit a Comment Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of follow-up comments by email.

Notify me of new posts by email.