business continuity plan success stories

• (888) 244-1912
• [email protected]

• Understanding Business Continuity vs BDR: A Guide
• About Invenio IT
• Business Continuity

7 Real-Life Business Continuity Plan Examples You’ll Want to Read

• March 14, 2022

It’s no secret that we believe in the importance of disaster preparedness and business continuity  at every organization. But what does that planning actually look like when it’s put to the test in a real-world scenario?

Today, we look at 7 business continuity examples to show how organizations have worked to minimize downtime (or not) after critical events.

Business Continuity Examples: the best in class and the failures of BCP

1) ransomware disrupts ireland’s healthcare system  .

For years, healthcare organizations have been a top target for ransomware attacks. The critical nature of their operations, combined with notoriously lax IT security throughout the industry, are a magnet for ransomware groups looking for big payouts.

But despite the warnings, healthcare orgs still remain vulnerable. A prime example was the 2021 ransomware attack on Ireland’s healthcare system (HSE) – the fallout from which was still being understood nearly a year later.

According to reports, the attack had a widespread impact on operations:

• Dozens of outpatient services were shut down
• IT outages affected at least 5 hospitals, including Children’s Health Ireland (CHI) at Crumlin Hospital
• Employee payment systems were knocked offline, delaying pay for 146,000 staff
• Covid-19 test results were delayed and a Covid-19 vaccine portal went offline
• Appointments were canceled across numerous facilities and medical departments
• Near-full recovery and restoration of all servers and applications took more than 3 months

All told, the attack was projected to cost more than $100 million in recovery efforts alone. That figure does not include the projected costs to implement a wide range of new security protocols that were recommended in the wake of the attack.

Like several of the business continuity examples highlighted below, the Ireland attack did have some good disaster recovery methods in place. Despite the impact of the event, there were several mitigating factors that prevented the attack from being even worse, such as:

• Once the attack was known, cybersecurity teams shut down more than 85,000 computers to stop the spread.
• Disaster recovery teams inspected more than 2,000 IT systems, one by one, to contain the damage and ensure they were clean.
• Cloud-based systems were not exposed to the ransomware.

However, there was some luck involved.

As HSE raced to contain the damage from the attack and secured a High Court Injunction to restrain the sharing of its hacked data, the attackers suddenly released the decryption key online. Without that decryption, HSE would not have had adequate data backup systems to recover from the attack. As the group concluded in its post-incident review :

“It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape. Therefore it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss. It is also likely to have taken considerably longer to recover systems without the decryption key.”

2) The city of Atlanta is hobbled by ransomware

There has been no shortage of other headline-making ransomware attacks over the last few years. But one that stands out (and whose impact reverberated for at least a year after the incident) was the March 2018 SamSam  ransomware attack on the City of Atlanta .

The attack devastated the city government’s computer systems:

• Numerous city services were disrupted, including police records, courts, utilities, parking services and other programs.
• Computer systems were shut down for 5 days, forcing many departments to complete essential paperwork by hand.
• Even as services were slowly brought back online over the following weeks, the full recovery took months.

Attackers demanded a $52,000 ransom payment. But when all was said and done, the full impact of the attack was projected to cost more than $17 million. Nearly $3 million alone was spent on contracts for emergency IT consultants and crisis management firms.

In many ways, the Atlanta ransomware attack is a lesson in inadequate business continuity planning. The event revealed that the city’s IT was woefully unprepared for the attack. Just two months prior, an audit found 1,500 to 2,000 vulnerabilities in the city’s IT systems, which were compounded by “obsolete software and an IT culture driven by ‘ad hoc or undocumented’ processes,” according to  StateScoop .

Which vulnerabilities allowed the attack to happen? Weak passwords, most likely. That is a common entry point for SamSam attackers, who use brute-force software to guess thousands of password combinations in a matter of seconds. Frankly, it’s an unsophisticated method that could have been prevented with stronger password management protocols.

Despite the business continuity missteps, credit should still be given to the many IT professionals (internal and external) who worked to restore critical city services as quickly as possible. What’s clear is that the city did have some disaster recovery procedures in place that allowed it to restore critical services. If it hadn’t, the event likely would have been much worse.

3) Fire torches office of managed services provider (MSP)

Here’s an example of business continuity done right:

In 2013, lightning struck an office building in Mount Pleasant, South Carolina, causing a fire to break out. The offices were home to Cantey Technology, an IT company that hosts servers for more than 200 clients.

The fire torched Cantey’s network infrastructure, melting cables and burning its computer hardware. The equipment was destroyed beyond repair and the office was unusable. For a company whose core service is hosting servers for other companies, the situation looked bleak. Cantey’s entire infrastructure was destroyed.

But ultimately, Cantey’s clients never knew the difference:

• As part of its business continuity plan, Cantey had already moved its client servers to a remote data center, where continual backups were stored.
• Even though Cantey’s staff were forced to move to a temporary office, its clients never experienced any interruption in service.

It was an outcome that could have turned out very differently. Only five years prior, the company had kept all of its client servers on site. But founder Willis Cantey made the right determination that this setup created too many risks. All it would take is one major on-site disruption to wipe out his entire business, as well as his clients’ businesses, potentially leaving him exposed to legal liabilities as well.

Cantey thus implemented a more comprehensive business continuity plan and moved his clients’ servers off-site. And in doing so, he averted disaster.

4) Computer virus infects UK hospital network

In another post , we highlighted one of the worst business continuity examples we saw in 2016 – before ransomware had become a well-known threat in the business community.

On October 30, 2016, a nasty “computer virus” infected a network of hospitals in the UK, known as the Northern Lincolnshire and Goole NHS Foundation Trust. At the time, little was known about the virus, but its impact on operations was devastating:

• The virus crippled its systems and halted operations at three separate hospitals for five days.
• Patients were literally turned away at the door and sent to other hospitals, even in cases of “major trauma” or childbirth.
• In total, more than 2,800 patient procedures and appointments were canceled because of the attack. Only critical emergency patients, such as those suffering from severe accidents, were admitted.

Remarkably, a report in Computing.co.uk speculated that there had been no business continuity plan document in place. Even if there had been, clearly there were failings. Disaster scenarios can be truly life-or-death at healthcare facilities. Every healthcare organization must have a clear business continuity plan outlined with comprehensive measures for responding to a critical IT systems failure. If there had been in this case, the hospitals likely could have remained open with little to no disruption.

The hospital system was initially tight-lipped about the attack. But in the year following the incident, it became clear that ransomware was to blame – specifically, the Globe2 variant.

Interestingly, however, hospital officials did not say the ransomware infection was due to an infected email being opened (which is what allows most infections to occur). Instead, they said a misconfigured firewall was to blame. (It’s unclear then exactly how the ransomware passed through the firewall—it may have come through inboxes after all.) Unfortunately, officials knew about the firewall misconfiguration before the attack occurred, which is what makes this incident a prime example of a business continuity failure. The organization had plans to fix the problem, but they were too late. The attack occurred “before the necessary work on weakest parts of the system had been completed.”

5) Electric company responds to unstable WAN connection

Here is another example of well-executed business continuity.

After a major electric company in Georgia  experienced failure  with one of its data lines, it took several proactive steps to ensuring its critical systems would not experience interruption in the future. The company implemented a FatPipe WARP at its main site, bonding two connections to achieve redundancy, and it also readied plans for a third data line. Additionally, the company replicated its mission-critical servers off-site, incorporating its own site-failover WARP.

According to Disasterrecovery.org:

“Each office has a WARP, which bonds lines from separate ISPs connected by a fiber loop. They effectively established data-line failover at both offices by setting up a single WARP at each location. They also accomplished a total site failover solution by implementing the site failover between the disaster recovery and main office locations.”

While the initial WAN problem was minimal, this is a good example of a company that is planning ahead to prevent a worst-case scenario. Given the critical nature of the utility company’s services (which deliver energy to 170,000 homes across five counties surrounding Atlanta), it’s imperative that there are numerous failsafes in place.

6) German telecom giant rapidly restores service after fire

Among the better business continuity examples we’ve seen, incident management solutions are increasingly playing an important role.

Take the case of a German telecom company that discovered a dangerous fire was encroaching on one of its crucial facilities. The building was a central switching center, which housed important telecom wiring and equipment that were vital to providing service to millions of customers.

The company uses an incident management system from Simba, which alerted staff to the fire, evaluated the impact of the incident, automatically activated incident management response teams and sent emergency alerts to Simba’s 1,600 Germany-based employees. The fire did indeed reach the building, ultimately knocking out the entire switching center. But with an effective incident management system in place, combined with a redundant network design, the company was able to fully restore service within six hours.

7) Internet marketing firm goes mobile in face of Hurricane Harvey

Research shows that 40-60% of small businesses never reopen their doors after a major disaster. Here’s an example of one small firm that didn’t want to become another statistic.

In August 2017, Hurricane Harvey slammed into Southeast Texas, ravaging homes and businesses across the region. Over 4 days, some areas received more than 40 inches of rain. And by the time the storm cleared, it had caused more than $125 billion in damage.

Countless small businesses were devastated by the hurricane. Gaille Media, a small Internet marketing agency, was  almost  one of them. Despite being located on the second floor of an office building, Gaille’s offices were flooded when Lake Houston overflowed. The flooding was so severe, nobody could enter the building for three months. And when Gaille’s staff were finally able to enter the space after water levels receded, any hopes for recovering the space were quickly crushed. The office was destroyed, and mold was rampant.

The company never returned to the building. However, its operations were hardly affected.

That’s because Gaille kept most of its data stored in the cloud, allowing staff to work remotely through the storm and after. Even with the office shuttered, they never lost access to their critical documents and records. In fact, when it came time to decide where to relocate, the owner ultimately decided to keep the company decentralized, allowing workers to continue working remotely (and providing a glimpse of how other businesses around the world would similarly adapt to disaster during the Covid-19 pandemic three years later).

Had the company kept all its data stored at the office, the business may never have recovered.

Examples of poor business continuity planning

Some of the real-life business continuity examples above paint a picture of what can go wrong when there are lapses in continuity planning. But what exactly do those lapses look like? What are the specific failures that can increase a company’s risk of disaster?

Here are the big ones:

• No business continuity plan: Every business needs a BCP that outlines its unique threats, along with protocols for prevention and recovery.
• No risk assessment: A major component of your BCP is a risk assessment that should define how your business is at risk of various disaster scenarios. We list several examples of these risks below.
• No business impact analysis: The risk assessment is useless without an analysis of how those threats actually affect the business. Organizations must conduct an impact analysis to understand how various events will disrupt operations and at what cost.
• No prevention: Business continuity isn’t just about keeping the business running in a disaster. It’s about risk mitigation as well. Companies must be proactive about implementing technologies and protocols that will  prevent  disruptive events from occurring in the first place.
• No recovery plan:  Every disaster scenario needs a clear path to recovery. Without such protocols and systems, recovery will take far longer, if it happens at all.

Examples of threats to your business continuity

It’s important to remember that business-threatening disasters can take many forms. It’s not always a destructive natural disaster. In fact, it’s far more common to experience disaster from “the inside” – events that hurt your productivity or affect your IT infrastructure and are just as disruptive to your operations.

Example threats include:

• Cyberattacks
• Malware and viruses
• Network & internet disruptions
• Hardware/software failure
• Natural disasters
• Severe weather
• Flooding (including pipe bursts)
• Terrorist attacks
• Office vandalism/destruction
• Workforce stoppages (transportation blockages, strikes, etc.)

The list goes on and on. Any single one of these threats can disrupt your business, which is why it’s so important to take continuity planning seriously.

Business continuity technology

Within IT, data loss is often the primary focus of business continuity and disaster recovery (BC/DR). And for good reason …

Data is the lifeblood of most business operations today, encompassing all the emails, files, software and operating systems that companies depend on every day. A major loss of data, whether caused by ransomware, human error or some other event, can be disastrous for businesses of any size.

Backing up that data is thus a vital component of business continuity planning.

Today’s  best data backup systems  are smarter and more resilient than they were even just a decade ago. Solutions from Datto, for example, are built with numerous features to ensure continuity, including hybrid cloud technology (backups stored both on-site and in the cloud), instant virtualization, ransomware detection and automatic backup verification, just to name a few.

Like other BC initiatives, a data backup solution itself won’t prevent data-loss events from occurring. But it does ensure that businesses can rapidly recover data if/when disaster strikes, so that operations are minimally impacted – and that’s the whole point of business continuity.

Learn more: request a free demo

For more information on data backup solutions from Datto,  request a free demo  – or contact our business continuity experts at Invenio IT by calling (646) 395-1170 or by emailing  [email protected] .

Join 23,000+ readers in the Data Protection Forum

Related articles.

BCDR Faceoff: How Do Datto Competitors Stack Up? What are the Alternatives?

Do you know what makes Datto Encryption So Secure?

The Truth about All Datto SIRIS Models for BCDR

Where’s My Data? 411 on Datto Locations around the Globe

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

Cybersecurity.

© 2023 InvenioIT. All rights reserved.

How a Business Continuity Plan Saved the Day for These Companies

For some companies, downtime or natural disasters spell the end of their operations. However, it doesn’t have to be this way. Below, we take a look at some business continuity successes, and what other companies can learn from their stories.

What is business continuity planning?

Also referred to as contingency planning, business continuity planning is all about a company’s ability to bounce back after an incident causes downtime. In other words, it’s how well a business adapts to changing circumstances beyond its control. 

Business continuity planning is important because recovering from downtime is a costly endeavor. In fact, up to 60 percent of small businesses fail to reopen after downtime, whether as a result of natural disasters, employee error, or cyber crime , because the costs are simply too high to recover from. 

How, then, do successful businesses rise above these challenges and stay operational? Let’s take a look at some examples.

Business continuity planning saved these companies

In no particular order, here are three companies that credit business continuity planning with saving their operations. 

1. Cupcake Kitchen

Houston-based bakery Cupcake Kitchen lost access to its premises for around three weeks after a hurricane caused severe water damage. The company lost multiple appliances and perishable goods to a total loss of around $30,000.00. 

The owner actively kept her customers notified on social media about what was happening and the steps she was taking to get the bakery up and running again. A few months later, revenue returned to 80 percent of pre-hurricane levels. 

The key point here is that, as a local business, the owner found a way to connect to her clients and ensure they understood that the kitchen would open again . She turned an obstacle–picking a new location for her bakery–into an opportunity, which is a hallmark of a great contingency planning strategy. 

2. Georgia Power

Georgia Power, a major electricity supplier, lost a transformer to fire damage back in 2017 . In response, Georgia Power aligned with a tech company to upgrade its transformer testing capabilities. 

The transformers now have sensors that record dissolved levels and instantly alert engineers if the levels exceed a safe amount. What’s more, the transformers generate gas readings at far more frequent intervals than before. 

What does this tell us? Well, Georgia Power instantly reacted to the crisis and took steps to prevent a similar incident from arising in the future. They learned from the failure and moved the company forward as a result. 

3. Gaille Media 

In 2017, Gaille Media, a small online marketing agency, lost its entire office space to hurricane damage. No one could enter the building for three months, and it wasn’t possible to salvage any hardware from inside. 

What happened? Surprisingly, it was business as usual at Gaille Media. The agency continued operating because it kept its business data, and all its backups , in the cloud. Employees worked remotely and provided their usual service to clients. The office didn’t reopen and the employees all now work remotely. 

The key takeaway is that Gaille Media had an effective contingency plan in place before disaster struck. They understood their core business processes and ensured that, whatever happened to their physical office space, they could access the data they needed to run their day-to-day operations. This is a great example of a truly proactive business continuity plan.

The good news is that it’s possible to keep your company afloat and active even when disaster strikes . As you can see from these company success stories, all it takes is some careful business continuity planning. For more information on business continuity planning and how the right strategy can save your company, contact us today.

You might also like

GET OUR NEWSLETTER

• Email Address *
• Name This field is for validation purposes and should be left unchanged.

We use essential cookies to make Venngage work. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

Manage Cookies

Cookies and similar technologies collect certain information about how you’re using our website. Some of them are essential, and without them you wouldn’t be able to use Venngage. But others are optional, and you get to choose whether we use them or not.

Strictly Necessary Cookies

These cookies are always on, as they’re essential for making Venngage work, and making it safe. Without these cookies, services you’ve asked for can’t be provided.

Show cookie providers

• Google Login

Functionality Cookies

These cookies help us provide enhanced functionality and personalisation, and remember your settings. They may be set by us or by third party providers.

Performance Cookies

These cookies help us analyze how many people are using Venngage, where they come from and how they're using it. If you opt out of these cookies, we can’t get feedback to make Venngage better for you and all our users.

• Google Analytics

Targeting Cookies

These cookies are set by our advertising partners to track your activity and show you relevant Venngage ads on other sites as you browse the internet.

• Google Tag Manager
• Infographics
• Daily Infographics
• Popular Templates
• Accessibility
• Graphic Design
• Graphs and Charts
• Data Visualization
• Human Resources
• Beginner Guides

Blog Business 7 Business Continuity Plan Examples

7 Business Continuity Plan Examples

Written by: Danesh Ramuthi Nov 28, 2023

A business continuity plan (BCP) is a strategic framework that prepares businesses to maintain or swiftly resume their critical functions in the face of disruptions, whether they stem from natural disasters, technological failures, human error, or other unforeseen events.

In today’s fast-paced world, businesses face an array of potential disruptions ranging from cyberattacks and ransomware to severe weather events and global pandemics. By having a well-crafted BCP, businesses can mitigate these risks, ensuring the safety and continuity of their critical services and operations. To further safeguard their operations, integrating measures to protect against ransomware into their BCP is a natural and essential step.

Responsibility for business continuity planning typically lies with top management and dedicated planning teams within an organization. It is a cross-functional effort that involves input and coordination across various departments, ensuring that all aspects of the business are considered.

For businesses looking to develop or refine their business continuity strategies, there are numerous resources available. Tools like Venngage’s business plan maker and their business continuity plan templates offer practical assistance, streamlining the process of creating a robust and effective BCP. 

Click to jump ahead: 

7 business continuity plan examples

Business continuity types, how to write a business continuity plan, how often should a business continuity plan be reviewed, business continuity plan vs. disaster recovery plan, final thoughts.

In business, unpredictability is the only certainty. This is where business continuity plans (BCPs) come into play. These plans are not just documents; they are a testament to a company’s preparedness and commitment to sustained operations under adverse conditions. To illustrate the practicality and necessity of these plans, let’s delve into some compelling examples.

Business continuity plan example for small business

Imagine a small business specializing in digital marketing services, with a significant portion of its operations reliant on continuous internet connectivity and digital communication tools. This business, although small, caters to a global clientele, making its online presence and prompt service delivery crucial.

Scope and objective:

This Business Continuity Plan (BCP) is designed to ensure the continuity of digital marketing services and client communications in the event of an unforeseen and prolonged internet outage. Such an outage could be caused by a variety of factors, including cyberattacks, technical failures or service provider issues. The plan aims to minimize disruption to these critical services, ensuring that client projects are delivered on time and communication lines remain open and effective.

Operations at risk:

Operation: Digital Marketing Services Operation Description: A team dedicated to creating and managing digital marketing campaigns for clients across various time zones. Business Impact: High Impact Description: The team manages all client communications, campaign designs, and real-time online marketing strategies. An internet outage would halt all ongoing campaigns and client communications, leading to potential loss of business and client trust.

Recovery strategy:

The BCP should include immediate measures like switching to a backup internet service provider or using mobile data as a temporary solution. The IT team should be prepared to deploy these alternatives swiftly.

Immediate measures within the BCP should encompass alternatives like switching to a backup internet service provider or utilizing mobile data, supplemented by tools such as backup and recovery systems, cloud-based disaster recovery solutions, and residential proxies , while the IT team should be prepared to deploy these swiftly. 

Additionally, the company should have a protocol for informing clients about the situation via alternative communication channels like mobile phones.

Roles and responsibilities:

Representative: Alex Martinez Role: IT Manager Description of Responsibilities:

• Oversee the implementation of the backup internet connectivity plan.
• Coordinate with the digital marketing team to ensure minimal disruption in campaign management.
• Communicate with the service provider for updates and resolution timelines.

Business continuity plan example for software company

In the landscape of software development, a well-structured Business Continuity Plan (BCP) is vital. This example illustrates a BCP for a software company, focusing on a different kind of disruption: a critical data breach.

Scope and objectives:

This BCP is designed to ensure the continuity of software development and client data security in the event of a significant data breach. Such a breach could be due to cyberattacks, internal security lapses, or third-party service vulnerabilities. The plan prioritizes the rapid response to secure data, assess the impact on software development projects and maintain client trust and communication.

Operation: Software Development and Data Security Operation Description: The software development team is responsible for creating and maintaining software products, which involves handling sensitive client data. In the realm of software development, where the creation and maintenance of products involve handling sensitive client data, prioritizing security is crucial. Strengthen your software development team’s capabilities by incorporating the best antivirus with VPN features, offering a robust defense to protect client information and maintain a secure operational environment. The integrity and security of this data are paramount.

Business Impact: Critical Impact Description: A data breach could compromise client data, leading to loss of trust, legal consequences and potential financial penalties. It could also disrupt ongoing development projects and delay product releases.

The IT security team should immediately isolate the breached systems to prevent further data loss. They should then work on identifying the breach’s source and extent. Simultaneously, the client relations team should inform affected clients about the breach and the steps being taken. The company should also engage a third-party cybersecurity or pentest firm for an independent investigation and recovery assistance.

Representative: Sarah Lopez Role: Head of IT Security Contact Details: [email protected] Description of Responsibilities:

• Lead the initial response to the data breach, including system isolation and assessment.
• Coordinate with external cybersecurity experts for breach analysis and mitigation.
• Work with the legal team to understand and comply with data breach notification laws.
• Communicate with the software development team leaders about the impact on ongoing projects.

Related: 7 Best Business Plan Software for 2023

Business continuity plan example for manufacturing

In the manufacturing sector, disruptions can significantly impact production lines, supply chains, and customer commitments. This example of a Business Continuity Plan (BCP) for a manufacturing company addresses a specific scenario: a major supply chain disruption.

This BCP is formulated to ensure the continuity of manufacturing operations in the event of a significant supply chain disruption. Such disruptions could be caused by geopolitical events, natural disasters affecting key suppliers or transportation network failures. The plan focuses on maintaining production capabilities and fulfilling customer orders by managing and mitigating supply chain risks.

Operation: Production Line Operation Description: The production line is dependent on a steady supply of raw materials and components from various suppliers to manufacture products. Business Impact: High Impact Description: A disruption in the supply chain can lead to a halt in production, resulting in delayed order fulfillment, loss of revenue and potential damage to customer relationships.

The company should establish relationships with alternative suppliers to ensure a diversified supply chain. In the event of a disruption, the procurement team should be able to quickly switch to these alternative sources. Additionally, maintaining a strategic reserve of critical materials can buffer short-term disruptions. The logistics team should also develop flexible transportation plans to adapt to changing scenarios.

Representative: Michael Johnson Role: Head of Supply Chain Management Contact Details: [email protected] Description of Responsibilities:

• Monitor global supply chain trends and identify potential risks.
• Develop and maintain relationships with alternative suppliers.
• Coordinate with logistics to ensure flexible transportation solutions.
• Communicate with production managers about supply chain status and potential impacts on production schedules.

Related: 15+ Business Plan Templates for Strategic Planning

BCPs are essential for ensuring that a business can continue operating during crises. Here’s a summary of the different types of business continuity plans that are common:

• Operational : Involves ensuring that critical systems and processes continue functioning without disruption. It’s vital to have a plan to minimize revenue loss in case of disruptions.
• Technological : For businesses heavily reliant on technology, this type of continuity plan focuses on maintaining and securing internal systems, like having offline storage for important documents.
• Economic continuity : This type ensures that the business remains profitable during disruptions. It involves future-proofing the organization against scenarios that could negatively impact the bottom line.
• Workforce continuity : Focuses on maintaining adequate and appropriate staffing levels, especially during crises, ensuring that the workforce is capable of handling incoming work.
• Safety : Beyond staffing, safety continuity involves creating a comfortable and secure work environment where employees feel supported, especially during crises.
• Environmental : It addresses the ability of the team to operate effectively and safely in their physical work environment, considering threats to physical office spaces and planning accordingly.
• Security : Means prioritizing the safety and security of employees and business assets, planning for potential security breaches and safeguarding important business information.
• Reputation : Focuses on maintaining customer satisfaction and a good reputation, monitoring conversations about the brand and having action plans for reputation management.

As I have explained so far, a Business Continuity Plan (BCP) is invaluable. Writing an effective BCP involves a series of strategic steps, each crucial to ensuring that your business can withstand and recover from unexpected events. Here’s a guide on how to craft a robust business continuity plan:

1. Choose your business continuity team

Assemble a dedicated team responsible for the development and implementation of the BCP. The team should include members from various departments with a deep understanding of the business operations.

2. Outline your plan objectives

Clearly articulate what the plan aims to achieve. Objectives may include minimizing financial loss, ensuring the safety of employees, maintaining critical business operations, and protecting the company’s reputation.

3. Meet with key players in your departments

Engage with department heads and key personnel to gain insights into the specific needs and processes of each department. This helps in identifying critical functions and resources.

4. Identify critical functions and types of threats

Determine which functions are vital to the business’s survival and identify potential threats that could impact these areas. 

5. Carry on risk assessments across different areas

Evaluate the likelihood and impact of identified threats on each critical function. This assessment helps in prioritizing the risks and planning accordingly.

6. Conduct a business impact analysis (BIA)

Perform a BIA to understand the potential consequences of disruption to critical business functions. It has to be done in determining the maximum acceptable downtime and the resources needed for business continuity.

7. Start drafting the plan

Compile the information gathered into a structured document. The plan should include emergency contact information, recovery strategies and detailed action steps for different scenarios.

8. Test the plan for any gaps

Conduct simulations or tabletop exercises to test the plan’s effectiveness. This testing can reveal unforeseen gaps or weaknesses in the plan.

9. Review & revise your plan

Use the insights gained from testing to refine and update the plan. Continual revision ensures the plan remains relevant and effective in the face of changing business conditions and emerging threats.

Read Also: How to Write a Business Plan Outline [Examples + Templates]

A Business Continuity Plan (BCP) should ideally be reviewed and updated at least annually. 

The annual review ensures that the plan remains relevant and effective in the face of new challenges and changes within the business, such as shifts in business strategy, introduction of new technology or changes in operational processes. 

Additionally, it’s crucial to reassess the BCP following any significant business changes, such as mergers, acquisitions or entry into new markets, as well as after the occurrence of any major incident that tested the plan’s effectiveness. 

However, in rapidly changing industries or in businesses that face a high degree of uncertainty or frequent changes, more frequent reviews – such as bi-annually or quarterly – may be necessary. 

A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are two crucial components of organizational preparedness, yet they serve different functions. The BCP is aimed at preventing interruptions to business operations and maintaining regular activities. 

It focuses on aspects such as the location of operations during a crisis (like a temporary office or remote work), how staff will communicate and which functions are prioritized. In essence, a BCP details how a business can continue operating during and after a disruption​​​​.

On the other hand, a DRP is more specific to restoring data access and IT infrastructure after a disaster. It describes the steps that employees must follow during and after a disaster to ensure minimal function necessary for the organization to continue. 

Essentially, while a BCP is about maintaining operations, a DRP is about restoring critical functions, particularly IT-related, after a disruption has occurred​

It’s clear that having a robust and adaptable business continuity plan (BCP) is not just a strategic advantage but a fundamental necessity for businesses of all sizes and sectors. 

From small businesses to large corporations, the principles of effective business continuity planning remain consistent: identify potential threats, assess the impact on critical functions, and develop a comprehensive strategy to maintain operations during and after a disruption.

The process of writing a BCP, as detailed in this article, underscores the importance of a thorough and thoughtful approach. It’s about more than just drafting a document; it’s about creating a living framework that evolves with your business and the changing landscape of risks.

To assist in this crucial task, you can use Venngage’s business plan maker & their business continuity plan templates . These tools streamline the process of creating a BCP, ensuring that it is not only comprehensive but also clear, accessible and easy to implement. 

Discover popular designs

Infographic maker

Brochure maker

White paper online

Newsletter creator

Flyer maker

Timeline maker

Letterhead maker

Mind map maker

Ebook maker

What Is A Business Continuity Plan? [+ Template & Examples]

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

• Business Continuity Types
• Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

• Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

• Free Crisis Management Plan Template
• 12 Crisis Communication Templates
• Post-Crisis Performance Grading Template
• Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

Don't forget to share this post!

Related articles.

How to Navigate Customer Service During a Business Closure

10 Crisis Communication Plan Examples (and How to Write Your Own)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

International Recruitment

Find the best candidates for your team

Hire full-time talent in 180+ countries

Easily manage and pay your contractors

Localized Benefits

Local benefits & insurances

Visa & Work Permit

Relocation and visa made easy

• Discover More

With no hidden fees

How we manage your data

Local HR Knowledge

About Horizons

Our borderless team and our global purpose

Success Stories

How businesses accelarate hiring with Horizons

Partner Program

Become a partner and benefit from unique offerings

Global Hubs

Discover our international offices

Join our mission to shaping the New World of Work

Shape your strategy with key insights

Inside Horizons

A behind-the-scenes look at the best EOR

Help Center

Learn about the Horizons platform

Contact our support team

Global Payroll Calculator

Calculate employment cost

Employee Misclassification Calculator

Calculate employee misclassification risk

What is a Business Continuity Plan (BCP)? Purpose, Template & Examples

• Marie Laure Troadec Legal Counsel
• August 29, 2023

Key Takeaways

1.  A business continuity plan is an essential risk management tool that helps organizations proactively prepare for unexpected disruptions and events, ensuring the continuity of critical operations.

2.  By identifying and assessing potential risks and threats to their operations, businesses can develop appropriate response strategies to prevent or minimize disruption during challenging times.

3.  Businesses should avoid certain pitfalls to successfully implement their business continuity plan. These include a lack of employee engagement, an over-reliance on technology, and a failure to test their plans.

4.  By proactively addressing these areas, businesses can increase the chances of successful implementation and execution of their business continuity plans.

Ensuring business continuity is a topic high on the agenda for most businesses and one that has become increasingly paramount in light of recent events: Few things have focused attention on the need to have a contingency plan more than the COVID-19 pandemic. The potential disruption caused by a pandemic, or indeed any other unforeseen event, to a business’s operations can have significant financial, legal, and reputational ramifications that can be mitigated or even prevented if appropriate measures are put in place.

This article delves into the essential elements of a business continuity plan (BCP) and provides valuable guidance on avoiding common pitfalls to help your business implement and execute a robust plan that safeguards your operations.

What is a Business Continuity Plan?

A business continuity plan is a risk management strategy that a business implements to protect its operations in the face of an unexpected event or disruption such as a natural disaster, cyberattack, or technological failure. By anticipating and preparing for potential crises or unplanned eventualities, businesses can take preemptive measures to ensure they remain operational and maintain a sense of normalcy despite interruptions.

The business continuity planning process enables businesses to assess potential threats to their operations and identify vulnerabilities that could impact their ability to function effectively. Through the implementation of a business continuity plan, business leaders can swiftly respond to emergencies, minimizing any potential downtime and mitigating the negative effects on their operations. This proactive approach can help businesses navigate challenging situations with relative ease and resilience, ensuring minimal impact on their productivity and profits.

Main Elements of a Business Continuity Plan

A robust and effective business continuity plan will comprise the following key elements that facilitate business resilience and preparedness during uncertain times.

• Business impact analysis
• During this phase, a business will identify and assess potential risks and threats to their organization’s operations. A business impact analysis (BIA) assesses the potential consequences of disruptions in critical business functions. This allows businesses to prioritize resources, allocate budgets, and develop strategies to minimize downtime and facilitate recovery.  
• Recovery strategies
• This step addresses the risks identified in the BIA by developing appropriate responses to prevent or minimize disruption. Recovery strategies outline the immediate actions required following an incident, those responsible for implementing them and coordinating the allocation of resources.
• Plan development
• The plan development phase involves developing the framework of the business continuity plan by establishing the relevant recovery teams, establishing communication channels, creating relocation plans, and gaining management buy-in.
• Testing and maintenance
• This phase involves training and testing the relevant teams and systems by conducting exercises to measure the effectiveness of the business continuity plan and identifying areas for improvement. Processes are also established for regularly reviewing and updating the business continuity plan to account for changes in technology, previous incidents, and evolving threats and risks.

Common Business Continuity Plan Pitfalls

To ensure the efficacy of their response during unexpected events or disruptions, organizations should be mindful of common mistakes encountered in the business continuity planning process. 

An awareness of the following issues can help businesses avoid certain pitfalls which could hinder their efforts in this area:

1. Lack of employee engagement

The success of any business continuity plan hinges on an organization’s ability to execute it successfully as even the most comprehensive and detailed plan will fall flat if it is ineffective in real-world situations.

The successful execution of a business continuity plan goes beyond senior management. To ensure business continuity in times of trouble it is essential that those on the ground have also been briefed on contingency measures and are ready to step into action accordingly.  Without adequate employee training and awareness, organizations run the risk of compromising critical business functions leading to further disruptions and losses.

By prioritizing employee engagement and involvement in the business continuity plan, organizations can strengthen and streamline their response efforts ensuring a robust and resilient response to potential disruptions, while fostering a culture of confidence and preparedness within their organization.

2. Overreliance on technology

While technological solutions play a crucial role and should be a feature of any robust business continuity plan, an overreliance on digital services and technical infrastructure can pose potential challenges for organizations. 

Sole or heavy reliance on this area increases the risk of a single point of failure. This is especially pertinent at a time when cyberattacks and data breaches are prevalent creating vulnerabilities in a business’ technological systems, and thereby undermining the effectiveness of its business continuity plan. Unforeseen events such as natural disasters which can lead to infrastructure damage and power outages can also severely compromise an organization’s ability to function effectively during a crisis.

To counter these problems, organizations should incorporate a diverse range of technological and non-technological solutions into their business continuity plan, taking into account manual processes and alternatives that are not solely dependent on digital services. Data backup options should also be put in place to help businesses restore swift operations and minimize extended downtime.

3. Failure to test

Without proper testing, the effectiveness of a business continuity plan remains theoretical rather than proven in practice. Regular testing enables businesses to identify and address any gaps or limitations in their plan, avoiding the risk of critical business functions being left vulnerable in an actual crisis situation.

Through drills, real-life simulations, and tabletop exercises, organizations can learn from real-world incidents, gaining practical insight into the feasibility of their business continuity plans and identifying any areas that require improvement. Regular testing plays a crucial role in helping businesses to optimize their response strategies and ensure resilience and readiness in the face of difficult or unforeseen circumstances.

By proactively addressing and avoiding these common pitfalls, businesses can develop comprehensive business continuity plans that help to bolster their resilience, minimize disruptions, and ensure the continuity of their operations during challenging times.

BCP Template

The precise content of your BCP will depend on the nature of your business. However, below is a useful template for a typical business: 

1. Introduction

• Purpose: Outline the purpose of the BCP.
• Scope: Specify which parts of the organization this BCP covers.
• Assumptions: State any assumptions made during the BCP’s creation.

2. Business Continuity Policy

Outline the company’s policy regarding business continuity. This can include the company’s commitment to employee safety, client service, data protection, etc.

3. Roles and Responsibilities

List the key personnel responsible for executing the BCP:

• Business Continuity Manager/Coordinator
• Crisis Communication Team
• Emergency Response Team
• IT Recovery Team
• Employee Assistance Team

4. Risk Assessment

Identify potential risks and threats:

• Natural disasters
• Technological failures
• Security breaches

5. Business Impact Analysis (BIA)

Identify the potential impacts of each threat:

• Financial impacts
• Reputational impacts
• Operational impacts
• Legal/Regulatory impacts

6. Business Continuity Strategies

Outline strategies for:

• Data backup and recovery
• Alternate work locations
• Communication protocols
• Supply chain management

7. Incident Response Plan

Details the immediate actions to be taken following an incident:

• Alert and notification procedures
• Evacuation procedures
• Safety checks

8. Recovery Plans

For each critical department/function, provide a detailed plan on how to resume operations:

• IT systems recovery
• Resumption of critical business functions
• Communication with stakeholders

9. Training and Testing

Outline how the plan will be tested and how often, as well as any training programs for employees:

• Tabletop exercises
• Full-scale drills
• Employee training sessions

10. Maintenance and Review

Describe how the plan will be kept current:

• Regularly scheduled reviews
• Updates following any changes in the business environment or operations
• Feedback loop from testing

11. Communication Protocols

Specify how communication will be maintained:

• Emergency contact lists
• Communication methods (phone, email, etc.)
• External communication (with media, stakeholders, etc.)

12. Appendices

• Resource lists
• Vendor contacts
• Floor plans
• Backup data locations

Business Continuity Plan Examples

If you are looking for some other examples of well-designed BCPs and BCP templates, check out the following: 

• Durham County Council’s BCP
• Chisholm & Winch (UK Construction Company)
• Ready (US Government Disaster Response Resource).

Developing and implementing business continuity plans

Expertise in critical business functions such as compliance, HR management, and global payroll solutions ensures your business can confidently navigate through unexpected challenges or crises. 

Contact us today to learn how we can support your business continuity efforts and provide the stability and peace of mind you need in an ever-changing world. 

Hire and pay talents with Horizons in 180+ countries

Related posts

Horizons x hofy: seamlessly supply, manage, service your global teams’ devices, horizons berlin: an evening with hr leaders, horizons x safetywing: get insurance for nomads and remote teams, employer of record (eor) vs. setting up your own entity.

• Marie Laure Troadec
• Oct 14, 2023

Hire Anywhere. Today.

Join 1,500+ companies already hiring with Horizons

Headquarters 71 Robinson Road #13-153 Singapore 068895 +65 3158 1382

Europe Skalitzer Str. 85/86 10997, Berlin +49 30 3119 9653

Americas 1700 S. Lamar Blvd Suite 338 Austin, Texas 78704 +1 (737) 265-6065

See more locations

Hire Global Teams. Anywhere.

71 Robinson Road #13-153 068895, Singapore

+65 3105 1170

Skalitzer Str. 85/86 10997, Berlin +49 30 3119 9653

1700 S. Lamar Blvd Suite 338 Austin, Texas 78704 +1 (737) 265-6065

Horizons © 2024   –  Privacy     Imprint & Terms    Third-Party Processor    GDPR Policy

Privacy Preference Centre

Advisory boards aren’t only for executives. Join the LogRocket Content Advisory Board today →

• Product Management
• Solve User-Reported Issues
• Find Issues Faster
• Optimize Conversion and Adoption

How to craft an effective business continuity plan

Let me take you back in time to the United Kingdom in the 1970s. Punk music was gaining popularity, and the Sex Pistols entered the punk rock scene with the force of a shooting star, capturing fans’ attention.

But as quickly as they arrived, they quickly left the scene. When they broke up in 1978 after a period of internal conflicts, legal troubles, and their frontman’s imprisonment, fans were left both shocked and surprised.

Just like the Sex Pistols, plenty of companies experience rapid growth and success, only to face unexpected challenges and internal conflicts that result in their downfall.

In this article, we’ll draw inspiration from the Sex Pistols’ turbulent journey to explore the concept of business continuity planning (BCP). We’ll look at what a BCP is, why you need one and delve into the strategies and contingency measures that can help you maintain your rhythm and continuity, even when faced with the inevitable storms that can disrupt your operations.

What is a business continuity plan?

A business continuity plan describes how you’ll continue your business when disaster hits. It is a structured strategy outlining how your organization will maintain essential functions when disaster strikes, to ensure minimal downtime and guarantee that operations continue.

Why do you need a BCP in place?

The BCP is crucial and revolves around ensuring your resilience and ability to continue operating in the face of unexpected disruptions, such as natural disasters, cyberattacks, or other emergencies.

Let’s look at it a bit closer, and understand some of the key reasons to have a BCP better:

Minimize downtime

Protect revenue and reputation, compliance and legal requirements, resource allocation, maintain customer service, employee safety.

A BCP helps you minimize downtime. It does this by providing a structured approach to quickly recover and resume your critical business functions.

Example: You’re a retail company with an extensive online presence. If your website experiences a cyberattack that takes it offline, a well-prepared BCP outlines the steps to take to mitigate the attack, get your website back up in no time, and allow you to continue serving your customers.

No one likes disruptions as they result in revenue loss and can damage your reputation. A BCP helps you protect against financial losses and keep customer trust.

Example: You’re the owner of a restaurant chain with multiple locations and one of your branches has a food safety crisis. A BCP can guide you in managing the crisis, ensuring food safety compliance, and communicating effectively with customers to maintain trust in the brand and other locations.

Some industries, like the financial, and pharma industries, have regulatory requirements that mandate businesses to have BCPs in place. Failure to do so has legal and financial consequences.

Example: You’re the owner of a FinTech company. You are required by regulators to have robust BCPs to ensure customer data security and financial system stability.

When a crisis hits you need the right resources to get you back up and running. A BCP helps allocate resources effectively during a crisis, ensuring that personnel, equipment, and materials are used efficiently to address the most critical needs.

Over 200k developers and product managers use LogRocket to create better digital experiences

Example: You’re a manufacturing company hit by a sudden supply chain disruption because the Suez Canal is blocked again. You use your BCP to allocate available resources to meet customer demands and minimize production delays.

When all hell breaks loose you want to make sure customer experience takes a minimum blow. A BCP outlines measures to maintain customer service and communication, so customers receive timely updates and support.

Example: You run an airline and there is a labor strike. Your BCP tells you how to manage customer inquiries, rebook affected passengers, and maintain a level of service.

Let’s not forget about the well-being of your employees. During a crisis, this is a top priority. A BCP includes procedures for evacuations, remote work arrangements, and employee support.

Example: There is a fire at your workplace. The BCP outlines evacuation routes, assembly points, and contact information for employees to report their safety status.

Business continuity planning: Steps for success

That’s a lot of reasons, right? Now that we addressed the necessity and urgency of having BCP, let’s look at 5 steps to creating a successful one:

• Analyze your company
• Assess the risk
• Create the procedures
• Get the word out
• Iterate and improve

1. Analyze your company

In this phase you conduct an analysis to identify critical activities, determine which activities must continue, which can be temporarily paused, and which can operate at a reduced capacity.

You then assess the financial impact of disruptions. This involves asking yourself the question, “How long can I operate without generating revenue and incurring recovery costs?”

As this step covers your whole company, it’s important to get key stakeholders involved from the beginning.

2. Assess the risk

Now you have a good overview of your critical processes and the impact of disruption. At this point, pivot your attention to the risks they face, how well you can handle when things don’t work as usual, and how long you can manage if things go wrong.

The goal here is to understand what could go wrong and find ways to avoid, reduce, or transfer them. This assessment will help you strengthen your preparedness and resilience.

More great articles from LogRocket:

• How to implement issue management to improve your product
• 8 ways to reduce cycle time and build a better product
• What is a PERT chart and how to make one
• Discover how to use behavioral analytics to create a great product experience
• Explore six tried and true product management frameworks you should know
• Advisory boards aren’t just for executives. Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.

Think about risks specific to your industry and location

It’s important to consider both internal (e.g. an IT system failure or employee shortage) and external threats (e.g. a natural disaster or supply chain disruption) to your critical business activities.

3. Create the procedures

Once you analyze and assess, you need to create procedures.

Develop detailed, step-by-step procedures to minimize risks to your organization’s people, operations, and assets. This can include changes to your operating model, such as using alternative suppliers or implementing remote work options.

4. Get the word out

A plan is just a plan and no one will know how to act if you don’t communicate.

This step is all about communication. Integrate the BCP into your operations, policies, and company culture, and train, test, and communicate with your employees.

And don’t forget that communication is not limited to your company only. Communicate with external stakeholders, customers, suppliers, and so forth.

5. Iterate and improve

Before implementing your BCP ensure its effectiveness.

Don’t worry there are plenty more options to test your BCP. Consider involving external stakeholders or vendors as it makes exercises more realistic. Frequently train those who are accountable for executing the BCP.

After experiencing a real incident or conducting a training exercise, update your plan to improve its ability to protect your business. Keep in mind that both your organization’s development and the circumstances you operate in change, so a regular review isn’t a luxury but a necessity.

How to structure your continuity plan

Now you have a high-level understanding, let’s look at how to structure your business continuity plan.

You can find a copy of the template I use here .

Make sure to include the following sections in your BCP:

Version history

Executive summary, functions and process prioritization, plan activation, governance and responsibilities, recovery plans, crisis communication plan, emergency location and contents, review and testing.

This section shows the revision history. It includes the version numbers of the changes made, by whom, when, and who approved the changes. The revision history allows anyone reading the BCP to understand how it has evolved over time.

The executive summary provides a brief summary of the key objectives, goals, scope, and applicability of the BCP.

This chapter outlines the critical functions and processes in scope of continuation in case of a disastrous event.

This section refers to the risk and business impact assessment outcome. Its aim is to set out what triggers the activation of the plan.

Governance and responsibilities talks about who has to act when the BCP is activated. It includes the members, a description of their responsibilities, contact details of the BCP team, and the chain of command during a crisis.

This section builds upon the business continuity strategies, specifically the one chosen when a disaster occurs. It describes the detailed recovery plans for each critical function, the procedures for restarting operations, resource allocation, and recovery time objectives (RTOs).

Here you cover the internal and external communication strategies. You also address employee awareness and training activities.

Now there is a good chance the disaster will require your crucial activities to temporarily continue at a different location. This section covers all details about the location and what needs to be available at the location.

The BCP is to be tested to reduce the risk of missing things or even worse failing. Here jot down the testing procedures and document results and lessons learned.

This section includes all appendices. Think about the following

• Supporting documents, such as contact lists, maps, and technical specifications
• References to external standards, guidelines, or regulations
• Training programs for BCP team members
• Review of insurance policies
• Financial reserves and funding for recovery efforts
• Procedures for keeping the BCP documentation up to date

Business continuity plan example

Earlier this year, the Koninklijke Nederlands Voetbal Bond (KNVB), which is the Royal Dutch Football Association, was hit by ransomware. The cyberattackers threatened to share personally identifiable information captured and the KNVB paid over one million euros to avoid this from happening.

What could have been done to mitigate the ransomware attack risk?

The Risk of the attack to succeed could have been mitigated with:

• Regular data backups
• Segmentation of networks
• Intrusion detection systems

How to ensure business continuity in case of ransomware?

In response to the ransomware incident, and to allow for continued business as usual as soon as possible, steps could include:

• Isolating affected systems
• Activating backups
• Notifying law enforcement
• Engaging with a cybersecurity incident response team

Key takeaways

A business continuity plan (BCP) is like a safety net for your business when things go haywire. It helps you keep going, avoiding downtime, revenue loss, and reputation hits. On top of that, it’s a legal must in certain industries.

To make a solid BCP, just follow five steps: figure out what’s crucial for your business, spot the risks, plan how to bounce back, make sure everyone knows the plan, and keep fine-tuning it.

Structurally, your BCP should have sections like history, a quick guide, what’s most important, when to activate it, who’s in charge, the nitty-gritty recovery plans, how communication is done, where to go in a crisis, how to test the BCP works, and some extra info.

Featured image source: IconScout

LogRocket generates product insights that lead to meaningful action

Get your teams on the same page — try LogRocket today.

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on Reddit (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on Facebook (Opens in new window)
• #collaboration and communication
• #project management

Stop guessing about your digital experience with LogRocket

Recent posts:.

Drive growth with these 7 customer feedback tools

A customer feedback tool is a software solution or platform designed to collect, analyze, and manage feedback from customers.

Leader Spotlight: Motivating teams to hit customer-centric outcomes, with Kristina Bailey

Kristina Bailey discusses the careful balance of knowing the business outcomes you want to achieve while balancing customer outcomes.

Exploring augmented products: Beyond the core offering

Augmented products leverage technology and additional services to provide enhanced functionality, convenience, and value to users.

A guide to acceptance test-driven development (ATDD)

ATDD is an agile methodology involving collaboration to define acceptance criteria before starting any development.

Leave a Reply Cancel reply

10 Business Continuity Lessons Learned from the Pandemic

On one hand, if you’re reading this, your business must have come through the pandemic successfully – a true badge of honor. On the other hand, in your rush to get employees working from home, you most likely uncovered gaps in your business continuity plan.

Win-win. Your original business continuity plan achieved its goal; albeit with a little rushing, improvising and making-do during the disaster. And, the pandemic helped us figure out what services and processes actually are essential to our businesses so we can be ready for the next disaster.

Top 10 Business Continuity Lessons from the Pandemic

10. You need a disaster recovery plan and a business continuity strategy

Disaster recovery and business continuity are not the same, although many people get confused about this. While it is essential to have a disaster recovery plan in place to restore data and critical systems when an event hits, business continuity is your strategy to return your whole business to full functionality after a crisis.

9. Each department needs to have a plan

Many businesses found their business continuity plan was too simple and didn’t take into account which individual departments would need to conduct business from home. In planning business continuity, Protocol Networks talks with department heads to find out what their specific departments would need for business continuity.

8. Some “critical” processes weren’t necessarily critical

And, you probably discovered essential services that weren’t accounted for in your business continuity plan. A robust plan takes into account process, personnel, hardware and software so you aren’t scrambling around during a crisis, figuring out a way to provide full services.

7. IT infrastructure is different with remote work

OK, we already knew this, but many businesses were not prepared to move their workforces to remote locations. Preparing for remote work as a business continuity strategy means identifying processes and roles that can work remotely, along with ensuring employees have secure access to company IT systems, data and information.

From outfitting home offices with computers, monitors and headsets to setting up secure VPN connections and cloud access, IT is at the forefront of this essential strategy .

6. Cybercriminals are out in force

Although many businesses had at least some security solutions in place, moving workers out of the office increased security risks profusely. Hackers and scammers are reveling in sending pandemic-themed emails and malicious links to workers who are at home, stressed by the pandemic and preoccupied with others in the household who are homeschooling and doing their own jobs in the next room. Suffice it to say, your employees may not remember their cybersecurity awareness training. Issuing devices, covered by your business’ security and usage policies and protected by company security tools, is one consideration for your future business continuity plan.

5. Testing works!

There’s no such thing as being over-prepared when it comes to business continuity. Your plan must be tested regularly so any adjustments can be made in the calm outside of a crisis. Boston College CTO Peter Salvitti said his IT organization has been “fanatical” about testing its business continuity plan, and it paid off when employees and students moved relatively easily to remote work.

4. Redundancy bears repeating

The best way to protect your data from disaster is to implement redundancy plans . Take a minute to estimate the value of your company’s data – client records, payroll details, email chains, innumerable reports. It’s almost impossible to put a price on corporate data – losing it results in 60% of small businesses closing after a data breach.

Backing up the data from your entire organization isn’t simple. We make sure security, automatic updates and encryption, along with dozens of other aspects, are taken into account so you have a contingency against anything – fire, hurricane, pandemic.

3. Digital transformation has accelerated

Grandma now uses Zoom and goes to her doctors’ appointments in the living room. Before the pandemic lockdown, many people were still hesitant about telehealth appointments and even online shopping. Since March, though, Amazon has hired over 100,000 additional workers to accommodate the increase in orders. The sudden mass adoption of digital services will impact daily lives for years to come and will likely result in new business models and organizational structures.

2. The cloud will be the norm

Cloud computing implementation has skyrocketed since March. In just one week, Microsoft saw demand for Teams, its premier collaboration tool, climb almost 40%. The global cloud market is expected to grow from $233 billion in 2019 to $295 billion by 2021. If your organization isn’t using the cloud now, get ready for implementation in the near future. Businesses that were already using the cloud for most or all of their systems made the transition to remote work easily. In fact, many may just stay with remote work.

And, the No. 1 lesson learned …

Assess your business continuity plan now to review what was learned during the pandemic, what worked, what didn’t work and what needs to be done moving forward.

Business continuity is different for every business because of their unique needs. We listen to you before recommending specific solutions. We make sure all your stakeholders are heard and all your essential operations are accounted for in your business continuity plan. We’ll ask questions about problems you’re facing to determine the root cause of the issue. It could be process oriented, personnel related, your hardware or software.

Our team of engineers will review your business continuity/disaster recovery plans – for free – to identify gaps and areas for improvement. Let’s get together soon on this so you’re ready for the next disaster event. Click here to get your free business continuity plan review .

Get In Touch!

The team at Protocol Networks is ready to architect solutions and support your organization. Start the conversation today; contact us.

Protocol Networks

Massachusetts Office 685 South Street Wrentham, MA 02093

• 877.676.0146 ext. 701
• [email protected]
• Managed Services
• Consulting Services

Social Media

Service area.

Business Continuity Simplified

By Andy Marker | December 17, 2018 (updated October 24, 2021)

• Share on Facebook
• Share on LinkedIn

Link copied

Unexpected work interruptions can cripple a business and cause millions of dollars in expenses and lost business. Learn about the importance of business continuity planning and management from experts. 

In this article, you’ll learn the definition of a business continuity plan and the primary goal of business continuity planning . Additionally, you’ll learn the steps involved in business continuity planning and about the business continuity lifecycle .

What Is Business Continuity Management?

In business continuity management (BCM) , a company identifies potential threats to its activities and the threat impact. The company then develops plans to respond to those threats and continue activities through any crisis.

What Is a Business Continuity Plan?

A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.

To learn more about writing a plan, see our how-to guide to writing a business continuity plan .

What Is Business Continuity Planning?

Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.

Business continuity planning ensures that the company deals with disruptions quickly, and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA) .

What Is the Primary Goal of Business Continuity Planning?

The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.   

A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:

• Recognize potential threats to a company.
• Assess potential impacts on the company’s daily activities.
• Provide a way to reduce these potential problems, and establish a structure that allows key company functions to continue throughout and after the event.
• Identify the resources the organization needs to continue operating, such as staffing, equipment, and alternative locations.

Business Continuity Planning Steps

A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan. 

The basic steps for writing a business continuity plan are as follows:

• Create a governance team.
• Complete your business impact analysis (BIA) and risk assessment documents.
• Document your plan. Remember to include detailed guidelines and procedures that cover key processes and facilities.
• Test and update the plan regularly.

The Business Continuity Management Lifecycle

Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both in regular business times and crises, as you take the right steps to keep activities always running.

The BCM lifecycle includes the following points:

• Mitigate Risk: Proactively identify business continuity risks to your company, and plan how your company will respond.
• Prepare: Train staff on your business continuity plan and ensure they understand what they need to do to help the business respond.
• Respond: Ensure that your company and all employees respond appropriately to a crisis. Be prepared to adapt in the moment.
• Resolve: Ensure that the company plans how to communicate effectively with staff and that it does so appropriately during the crisis.
• Recover: Inform employees, customers, and other important people about the status of the crisis and your company’s response.
• Resume: Communicate with employees and others after the crisis ends.

What Are Business Continuity Risks or Events?

Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.

Such events might include the following:

• Severe weather
• Natural disasters (tornadoes, floods, blizzards, earthquakes, fire, etc.)
• A physical security threat
• A recall of a company’s product
• Supply chain problems
• Threats to staffing and employee safety
• Accidents at an organization’s facilities
• Destruction to a company’s facilities or property
• Power disruptions
• Server crashes
• Failures in public and private services (communications, transportation, safety, etc.)
• Environmental disasters, including hazardous materials spills
• Network disruptions
• Human error/human-made hazards
• Stock market crashes
• Cyber attacks and hacker activity

Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.

What Is a Business Continuity Strategy?

A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.

Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.

An Overview of Business Continuity Management and Planning

There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:

• Build Company Resiliency: Doing so means that your company’s tools, buildings, and operations are resistant to — and not greatly affected by — most disruptions.
• Create a Plan for Recovery (with Contingencies that Aid in That Recovery): If a major event does cause problems, you should have a plan for how to recover quickly. That plan will include contingencies. For example, you should plan for how key operations will resume if there is a widespread power outage.

Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:

• Disaster Recovery: Disaster recovery involves recovering technology after a disruptive event. You can learn more about disaster recovery and download free templates in our comprehensive article .
• Emergency Management: Emergency management focuses on avoiding and mitigating catastrophic risks to staff and communities.
• Business Recovery: Considered part of business continuity, business recovery centers on short-term activities after a disruptive incident. The short-term is sometimes defined as less than 60 days.
• Business Resumption: This describes the longterm phase of recovery (60 or more days after an even), wherein the company returns to near-normal conditions.
• Crisis Management: Crisis management focuses on communicating with stakeholders during and after a crisis, and controlling damage during the event. To learn more, read our comprehensive guide to crisis management .
• Incident Management: Incident management is an ITIL (previously known as Information Technology Infrastructure Library) framework for reducing or eliminating downtime after an incident.
• Contingency Planning: This covers outlier risks that are unlikely to occur but which could have disastrous results.

“A well managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity , a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”

Key Elements of Business Continuity Management

All business continuity management programs should include a number of key elements, which serve to ensure that your plan is positioned for success and that you regularly update and improve it.   

These important elements include the following:

• Governance: This is the structure and team your business sets up to create and monitor the program.
• Business Alignment: This section details how your company’s current business continuity management and planning processes compare to expert approaches and industry standards.
• Continuity Strategy and Recovery Strategies: Include a detailed plan that assesses risks to your organization and how you can recover, should those risks become reality.
• Plan Documentation: Provide details on the plan that everyone in your company can access. To get started, see our roundup of free business continuity plan templates .
• Tactical Implementation: This section includes details on the specific ways your company plans to recover from certain types of incidents.
• Training: In this section, detail how you will train your staff to understand the business continuity plan and their role in it.
• Testing: Include real-world simulations of a crisis event, and test how your company and its employees respond and the effectiveness of your business continuity plans.
• Maintenance: Make changes to the plan where necessary to increase its effectiveness.
• Monitoring: This section details how you will continue to compare industry standards and expert advice to how your plan is working.

To learn about formal requirements for business continuity planning and management, see our comprehensive article on the ISO 22301 standard . 

The Costs of Business Continuity Management

The costs to do an appropriate job of business continuity management can be significant. However, some reports say that the cost of unforeseen downtime may be as much as $2.5 billion a year for Fortune 1000 companies.

Kurt Engemann, Ph.D., is Director of the Center for Business Continuity and Risk Management at Iona College in New York, Editor-in-Chief of the International Journal of Business Continuity and Risk Management and author of Business Continuity and Risk Management: Essentials of Organizational Resilience . In the book, he says that costs for business continuity preparation do not only include the groundwork to assess a company’s risks and plans to manage those risks. Rather, they also cover the needed backup facilities and equipment and company assets for emergency response. In addition, costs must cover resources for training employees and testing the plan.

Some experts have estimated that business continuity management and planning within only the crucial information technology aspects of companies can cost two to four percent of the information technology budget. But the costs are necessary, and worth it in the long run, according to business continuity experts.

“There is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis,” Engemann writes in his book. “Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective.”

When an organization’s top executives complain about the costs, Owens says, “Ask them what it would cost their organization for an hour of downtime. Or eight hours. Or 24 hours. Chances are the cost — financial, operational, and to brand and reputation — of having key business functions unavailable for an extended period are significant. They will most likely find business continuity management to be worth the investment.” 

Benefits of Business Continuity Management

Like Engemann, Owens points out that there are significant benefits to the investment organizations make in business continuity management, including the following:

• Mission Critical Processes: If you understand your key processes, you can plan to protect them and prioritize their recovery.
• Legal and Regulatory Compliance: Laws or regulations require companies in some industries to implement a formal business continuity management system.
• Satisfying Demands from Other Organizations: Some groups and companies may require that your company sets up BCM before they do business with you.
• Insurance Payments: To get the maximum payments from an insurance policy after an event, a company must have suitable business continuity management policies in place.
• Reputation Management: Your business’s brand will be greatly helped or hurt, depending on how an unforeseen event affects its operations.
• Competitive Advantage: A strong business continuity plan can offer your company the advantage over peers who are not as well prepared.
• Seamless Recovery: Cloud-based technologies make data backup, remote work, and business recovery affordable and accessible. Groups and businesses of all sizes can benefit from such tools. See our article on cloud computing for business continuity to learn more.
• Time Savings: Planning prevents teams from scrambling at the last minute to cobble together a recovery effort. Strong planning helps you get back online — and back on track — faster.

Michael Herrera, CEO of MHA Consulting , a business continuity and disaster recovery firm, cites two other significant benefits: 

• Keeping Customers and Avoiding Major Financial Losses: Getting operations back to normal quickly after an event means your company loses less money.

“Your customers aren’t as patient as you think they are,” Herrera explains. “They expect you to have a business continuity system and they expect you to be up and running. Their patience does run out.”

• Improving Day-to-Day Operations: Herrera says his firm’s clients often discover how business continuity planning gives them insights into the day-to-day operations of their company. “It really can help you with process improvement and getting a good understanding of what your business does every day.”

Additionally, strong business continuity planning will enable you to do the following:

• Officially declare a disaster and alert senior management.
• Assist in the development of an official public statement regarding a disaster and its effects on a business.
• Monitor your business’s progress and present the recovery status.
• Provide ongoing support and guidance to teams with pre-planned operations.
• Review critical processing, schedules, and backlogs to keep everyone up to date on status.
• Ensure businesses have both the resources and the information to deal with an unforeseen emergency.
• Reduce the risk that an emergency might pose to employees, clients, and vendors, etc.
• Provide a response for both man-made and environmental disasters.
• Improve overall business communication and response plans.
• Summarize both the operational and the financial impacts resulting from the loss of critical business functions.
• Allow businesses to plan for a loss of function that has potentially larger, more severe consequences.

See our article on the importance and benefits of business continuity planning to read more expert examples of how business continuity can bolster your company. 

Key Business Continuity Management and Planning Considerations

Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:

Consultant Services

There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:

• How experienced are they? How long have they been around?
• What’s their reputation as a company? What do their clients say about them?
• Are they focused on a specific industry or area of business continuity, or do they have experience with a range of industries and a broad spectrum of business continuity?
• How do they think about business continuity (as a somewhat separate practice or something that needs to be ingrained within your organization)?
• How aligned is their advice with standards in your industry?

Business Continuity Software

There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:

• Are you looking for software that will automate the development of plan components, or software that offers more in-depth help during the planning phase?
• What is the history of the software and the company behind it? How long has this particular software been on the market and what is the history and the reputation of the company behind it?
• Is the software being continually updated and improved?

Below are some specifics to consider as you test drive the software:

• Does it have an easy-to-use interface?
• Does it cover all aspects and components of business continuity, including business impact analysis and risk assessment ?
• Does it include sufficient storage for your company’s supporting documents?
• Does it provide secure portable access via mobile or other technologies, if a crisis interrupts your information technology systems?
• Does it provide strong data analytics?
• Is it secure and private?

Primary Things Your Organization’s Business Continuity Management System Should Accomplish

While your business continuity management system will have various elements and details, there are some primary things it should do for your organization. They correspond to the key elements listed earlier in this article. 

For example, a BCM system should help do the following: 

• Understand your company’s needs for business continuity and disaster preparedness. A BCM system should be able to assist company leaders in understanding the need for a business continuity management policy.
• Understand which processes should be recovered and in what order.
• Establish business continuity metrics to gauge success.
• Plan for communicating with customers, staff, and other stakeholders.
• Determine what tools, technology, and staffing are required to restore activities and support customers.
• Establish remote-work support or relocation plans for staff and activities.
• Implement ways to continually assess and manage continuity risks.
• Monitor and review how its business continuity management system is working.
• Continually improve the system.
• Respond effectively in a real-world crisis, and allow the business’s critical operations to continue and all operations to resume quickly.

Although nobody wants to think about disasters or the effort needed to prepare to meet and mitigate crises, the alternative is the potential loss of reputation, income, or the entire business. In sum, planning translates to determining your key processes, equipment, and tools, and applying basic recovery strategies. 

The Importance of Senior Organizational Leaders Strongly Supporting Your Business Continuity Management and Planning

Your senior leaders must strongly support your company’s business continuity management plan for it to succeed. Such leadership is key as storms, floods, pandemics, and data breaches increase in force and frequency.

“Make sure senior management is committed to the planning, development, execution, and implementation of a business continuity/disaster recovery program,” says Paul Kirvan , a business continuity consultant and a fellow of the Business Continuity Institute with 25 years of experience in business continuity work. “Otherwise, it simply won’t happen. Such programs work best if they have top-down support and funding, as opposed to being developed from the ground up.”

Business Continuity Plan Test Types

Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials.  

There are four types of testing, and each requires increasing levels of planning, resources, and focus. You should try to run each type of drill regularly.

• Plan Review: Plan reviews are often the first test applied to a new plan. In this test, top management and some key BCP personnel review the relevance and completeness of a plan. Such a review can verify risk and BIA results, and help you check for gaps and inconsistencies among continuity documents.
• Tabletop or Structured Walkthrough: A tabletop test requires more preparation and time. It provides a role-playing exercise for recovery teams.
• Simulation or Walkthrough Drill: In a walkthrough drill, your continuity team physically completes the type of tasks they'd find in a crisis. They may practice evacuating a building during a fire, restoring a backup, or switching to another communication frequency.
• Functional or Live Scenario: Functional tests include a complete physical drill of continuity plans. Live tests may focus on one aspect of the plan or include the complete plan. They may include one part of the company or all team members.

Be sure to document what happened in the test so everyone involved in the exercise — and especially those who created the plan — can understand what did and didn’t go well, and can revise as necessary.

Business Continuity Management Policy Statement

A business continuity policy statement is a written document that outlines an organization’s business continuity management program. The policy statement should be communicated to all employees and should be signed and endorsed by the organization’s senior management.

See real-world examples of a business continuity policy statement .

Cultivating Awareness of Business Continuity Plans

The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.

What Is the Importance of a Business Continuity Plan?

A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.

How to Write a Business Continuity Plan

It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events. 

Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.

You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.

Business Continuity Plan Template

This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.

Download Business Continuity Plan Template

Word | PowerPoint | PDF

You’ll find other most useful free, downloadable business continuity plan (BCP) templates, in Microsoft Word, PowerPoint, and PDF formats in this article . 

What Is a Business Impact Analysis and Why Is It an Important Part of a Business Continuity Plan?

A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.

The business impact analysis will include details on the following:

• Recovery time objectives that outline the organization’s goals relating to how quickly various services and processes will resume after an event
• Financial impact of an incident
• Impact on customers
• Other possible impacts of an incident
• How the organization will prioritize recovery steps
• How the organization will prioritize critical services or products
• Identification of potential revenue loss
• Identification of additional expenses the organization will incur because of the event
• Identification of insurance an organization has or needs to have
• Identification of an organization’s dependencies on other agencies, companies, and providers

See our business impact analysis toolkit to find guidelines and templates to get started.

Risk Mitigation for Business Continuity

Risk assessment is one of the first steps in preparing your business continuity plan. 

Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks. 

To learn more about risk management , read our comprehensive guide.

The Importance of Periodically Testing an Organization’s Business Continuity Plan

Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.

Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”

Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”

You can do some testing through simpler table top exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.

“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”

The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.

What Is a Business Continuity Plan Governance Committee?

Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts is vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.  

The committee is often responsible for the following duties:

• Approving the governance structure of the committee
• Clarifying the roles of committee members and others working on the plan
• Overseeing the creation of working groups to develop and implement the plan
• Providing overall direction and communicate important information to employees
• Approving the continuity plan and essential specifics within it
• Setting priorities within the plan

The committee often includes the following members:

• A senior leader from the business, often the sponsor
• A business continuity manager and assistant manager
• The company employee, or outside consultant, who will serve as overall coordinator of the business continuity plan
• The company’s security officer
• The company’s chief information officer, or information technology leader
• Representatives from the company’s business department, to help with the business impact analysis
• An administrative representative

How to Cultivate Resilience in Your Organization

A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.  

Real World Example: Lessons Learned About Business Continuity from the Terrorist Attacks of Sept. 11, 2001

Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.

The following are among the lessons learned:

• Business continuity plans must be tested frequently, and updated where needed.
• The plans must assume a wide range of threats.
• The plans must take into account how much companies, agencies, and other entities depend on each other.
• Key people from any organization must be available and reachable when an incident happens.
• The ability to communicate, especially through landline phones, cell phones, and the internet, is vital.
• Sites that organizations use for backup of their digital information should be located at a distance from their primary information technology site.
• Employee support and counseling may be important during and after a crisis.
• An organization should store copies of its business continuity plan at a location apart from its primary location.
• Security perimeters around the scene of an incident may be large, which may affect employees’ access to organization facilities for long periods.

Legislation Governing Some Business Continuity Management and Planning

The United Kingdom did approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.

Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation ( NERC ) and Federal Energy Regulatory Commission ( FERC ), also require continuity plans.

Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning

Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:

• ISO 22301 : Developed by the International Organization for Standardization (ISO), a standard-setting body, this group of standards sets out appropriate business continuity management practices. Learn more about how this standard can help businesses of all sizes in our guide to ISO 22301 . 
• NFPA 1600 : Developed by the National Fire Protection Association, the standard is one of the most widely recognized in the U.S. on emergency preparedness and business continuity.
• National Institute of Standards and Technology SP 800-34 : Sets contingency planning standards for federal information systems in the U.S.
• SPC-2009 — Organizational Resilience : Security, Preparedness and Continuity Management Systems provides critical business and infrastructure security standards developed by the American Society for Industrial Security.
• ISO 27000 : Standards for security in information technology systems, which include standards for business continuity in information technology. Learn more about ISO 27000 and find free checklists and templates . 
• DRI International : Professional Practices for Business Continuity Management
• Federal Emergency Management Agency (FEMA): Continuity Guidance Circular: Continuity Guidance for Non-Federal Entities: An 86-page formal document, the circular presents FEMA’s perspective on how businesses can prepare for disasters.
• Insurance Institute for Business & Home Safety: Open for Business Continuity Toolkit: This site offers a video, FAQ, and downloadable continuity planning tools.

What Is the Business Continuity Institute?

The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.

Improve Business Continuity Planning with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

• Skip to right header navigation
• Skip to main content
• Skip to secondary navigation
• Skip to primary sidebar
• Skip to footer

Business Continuity and Crisis Management Consultants

The Ultimate Guide to Business Continuity

Last Updated:  January 23rd, 2023

This article explains everything you need to know about Business Continuity.

You’ll learn what it is, why it’s important to your organization, how to develop a business continuity program, how to establish roles & responsibilities for your program, how to get buy-in from your executives, how to execute your Business Impact Analysis (BIA) and Business Continuity Plans, and how to integrate with your Crisis Management strategy.

We’ll also provide some perspectives on how to get help with your program and where to go to learn more about Business Continuity.

What is Business Continuity?

Business continuity is a rapidly evolving discipline, so there’s understandably still a lot of confusion about what a business continuity program really encompasses. Google “what is a business continuity program” and you’ll see what I mean.

Sometimes the best way to understand something is by understanding what it’s not.

And a business continuity program is not:

• A business continuity plan (standing alone)
• An IT disaster recovery plan
• A software subscription
• An insurance policy from your insurer
• Filling out a template and checklist and putting your staff through a one-hour click-it and forget-about-it web-based training module

While these are all important pieces of a business continuity program (although arguably not insert-fork-in-eyes web training), they are not in themselves a comprehensive and effective business continuity program.

So then, what exactly  is  a business continuity program and what does it take to make sure your’s gets the job done?

Most simply, we think of business continuity planning as the discipline of making your organization more resilient, or able to solve big problems.

A business continuity program is the means by which you embed this discipline into your organization to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events. In the face of disruption, it ensures that you can continue operations and protect your most important assets, especially your people.

ISO, the international standards body, would further define business continuity in ISO 22300 as

The capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

The Value of Business Continuity

Here are some of the ways that we explain the value of a business continuity & crisis management program to help our clients win over their internal stakeholders:

• Investing in business continuity demonstrates that you value your people: Not only will you better protect human life and safety; you’ll also position your team to respond more quickly to recover, protect, and recover your organizational assets during and after a crisis. Your employees are your most important crisis management tool and investing in their well-being and safety will undoubtedly pay dividends during your next crisis.
• Business Continuity protects your organization’s most important assets: When done right, your business continuity & crisis management program should provide a structured process for identifying your organization’s most important assets and implementing a plan to hedge against the potential loss of or damage to those assets.
• Investing in Business Continuity protects your reputation and elevates you over the competition: It can take decades to build a reputation but only minutes to destroy it. When the next heatwave shuts down the power grid, you don’t want to be the hospital that’s forever remembered for its patients dying from heatstroke.
• Your business continuity & crisis management program helps your organization meet its compliance obligations: Business continuity & crisis management best practices often reflect the demands of regulatory and compliance obligations. As a result, investing in your program is also an indirect investment in helping to meet your compliance obligations. In addition, in many instances, ensuring operational continuity is an explicit regulatory imperative. PCI for payment processors and HITRUST , EHNAC , and DirectTrust for patient health information are just a few examples.
• An effective business continuity & crisis management program helps you identify and mitigate risk: A strong business continuity and crisis management program is rooted in identifying and preparing for specific risks, which inevitably helps your enterprise risk management team and other risk-focused teams on their mission of anticipating and avoiding those same risks. These teams also share many of the same stakeholders. So it’s no surprise that companies whose risk management and business continuity teams work together closely in a bone-building synergy create enormous value for their organization.

We’ve written extensively on the value of business continuity & crisis management programs.  Some of our best articles on the topic include What’s the Value of Business Continuity:  Beyond ROI , How to talk with your CEO about Business Continuity , Making the Case for your Business Continuity Program , and 10 Tips for framing your case for Business Continuity to Executives .  

Business Continuity is an important component of an overall Resilience Strategy

Business Continuity is important to an organization, but in our minds, it’s just one component in an overall resilience strategy for an organization. We believe there are fundamental components that every business should have in place if they want to make good on their overall resiliency imperatives.

“The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”

But like a lot of standards-based definitions, this leaves a lot to read between the lines.

At Bryghtpath, we think of resilience as a group of capabilities that supports an organization’s ability to solve big problems, continue operations, protect its assets, and most importantly, protect its people.

On a practical level, this is achieved with basic blocking & tackling—implementing certain key components in a logical way to prevent, plan for, respond to, and recover from disruption.

These core components consist of:

• Business Continuity
• IT Disaster Recovery  (or Technology Continuity)
• Crisis Management
• Enterprise Risk Management
• Information Security
• Physical Security  (or  Global Security , or  Corporate Security ), including  travel safety & security ,  Intelligence , &  workplace violence prevention
• Crisis Communications
• Life Safety and Emergency Procedures  (Evacuation, First Aid, Shelter-in-Place, etc.)

Implementing a full-blown resilience strategy from scratch is a tall challenge. We’ve written extensively about thinking through a resilience strategy for your organization, how to prioritize efforts, and working around roadblocks that may get put into your path in our article What is Resilience?

Business Continuity Policy

The ISO 22301 Standard calls for a business continuity policy for the organization that accomplishes 4 specific goals in clause 5.2.1:

• Is appropriate to the purpose of the organization:  In other words, the policy outlines a business continuity management system (BCMS) that is appropriate for the organization’s size, scope, and strategic objectives.
• Provides a framework for setting business continuity objectives:  The policy establishes a process by which the organization establishes objectives for the business continuity program and monitors progress towards those objectives. This generally means some sort of governance process, such as a business continuity steering committee, which sets and monitors these objectives.
• Includes a commitment to satisfy applicable requirements:  The policy must outline the organization’s intent to satisfy all appropriate internal and external requirements relevant to business continuity.  This might include things like HITRUST, ISO 22301, FFIEC, PCI, or other regulations or compliance frameworks applicable to your specific industry or company.
• Includes a commitment to continual improvement of the Business Continuity Management System (BCMS):   The policy must outline that the organization is committed to continually improving its business continuity program.

ISO 22301 further outlines that the business continuity policy must be communicated within the organization, specifically requiring in clause 5.2.2 that:

• The policy be available as documented information
• The policy be communicated within the organization
• The policy be available to interested parties, as appropriate

Beyond the industry standard requirements in ISO 22301, we typically use a Business Continuity Policy to set the strategic approach for a business continuity & crisis management program, delegate authority to the program for certain activities, define governance and accountability requirements, establish roles and responsibilities, and incorporate other documentation that provides more operational detail.

We believe it is important in a policy to clearly define terms like business continuity, disaster recovery, and crisis management – and assign responsibility for these components of an overall business continuity program to certain business units in the organization. The policy should also define the roles and responsibilities of executive sponsors and the steering committee in an organization.

Roles and Responsibilities within a Business Continuity Program

We believe that establishing clear roles and responsibilities within a Business Continuity Program are critical to its success.

Business Continuity and Crisis Management are often paired together in the same organization or as parts of a broader program, which might be called  Business Continuity ,   Business Continuity & Crisis Management , or just  Resilience  or something similar.  However, you choose to think of them, in almost every case they are part of the same broader program – and that program must have a governance structure with clear roles and responsibilities to be successful.

Here’s a breakdown of the most common roles  that should be established within a  Business Continuity & Crisis Management Program :

• Board of Directors:   Every board member has a fiduciary duty to exercise strategic level visibility and oversight over business continuity and crisis management. Importantly the board sets the foundation for success by promoting a company culture that recognizes the value of well-managing risk.
• Audit or Risk Committee:   Specific board oversight and strategic level visibility are typically delegated to the board’s risk or audit committee, as outlined in the committee charter. Sometimes another committee has this responsibility such as an operations or governance committee.
• Executive Management:  Each member of the executive team retains ultimate oversight and responsibility for crisis management & business continuity planning in their specific area of operations.
• Executive Sponsor:  One or two persons at the executive level (typically the general counsel, COO, CIO, CTO, or a C-Suite appointee) act as executive sponsors. They have direct oversight of the crisis management & business continuity program and usually chair the steering committee.
• Steering Committee Members: The business continuity & crisis management steering committee—usually an interdisciplinary team of six to eight people—meets quarterly or annually to ensure the program is aligned to corporate strategy and objectives and is maturing and making forward progress towards annual goals.
• Business Continuity & Crisis Management Program Manager:  The program manager has direct oversight and responsibility for business continuity & crisis management program operations, reporting, and day-to-day activities. They manage and set the programmatic expectations that guide the execution of the program throughout the year.

Well-defined and understood  roles and responsibilities  are critical to the success of your organization.

We’ve written a more detailed article on  Business Continuity Program Roles & Responsibilities  which provides much more context and insights that you may find valuable as you explore additional roles & responsibilities within your program.

Effective Business Continuity Governance

If you think that having good governance for your business continuity and crisis management program is just an exercise in bureaucratic box-checking, you’re missing the point.

Like most people who come to us with a problem, you might have issues:

• Getting your executives to care about your business continuity and crisis management program
• Getting other teams to participate in business continuity activities
• Getting IT to build the availability and disaster recovery strategies that you need to ensure continuity of operations for business teams

Here are some key benefits of strong & effective business continuity governance:

• Builds visibility and awareness for your business continuity program
• Helps identify and address gaps in your business continuity program
• Provides a mechanism for accountability
• Ensures compliance with ISO 22301

How to implement effective business continuity governance:

• Get your policy in place
• Set clear roles & responsibilities
• Build a strong steering committee

We’ve written an extensive article on business continuity governance that we think you’ll find helpful: Why good Business Continuity Governance is critical to Resilience .

Beyond having good governance in place, we strongly encourage identifying an executive sponsor (or sponsors) for your program that can champion your program internally with senior leadership.

Effective executive champions do a few key things that can help your program advance:

• Continually look for opportunities to build the case for business continuity with their peers
• Unapologetically forward your business continuity agenda
• Help your business continuity team anticipate strategic changes
• Act as a mentor and trusted source of help to you and your business continuity team

Executive champions are the proverbial wingman to the business continuity & crisis management team.

Learn more about the role that an executive champion can play in advancing your business continuity program in our article  How to Champion your Business Continuity Program as an Executive Sponsor .

The Business Continuity Steering Committee

We believe that a strong Business Continuity Steering Committee is an important part of a business continuity program as it provides you with an approach to governance overnight for your program.  It’s also a critically important forum for sharing the strategy, progress, and challenges that your program is facing as you seek to improve your organization’s resilience.

Some typical responsibilities for the Business Continuity Steering Committee might include:

• Provide strategic program guidance to ensure that the objectives of your business continuity program are achieved
• Promote an environment of ownership and accountability within business units
• Set priorities for program execution and risk mitigation
• Ensure that adequate resources are available to meet your program’s objectives
• Review the status of the program through a review of strategic and operational metrics provided by your team to the Steering Committee
• Review gaps in the program, such as the gaps between business requested technology RTOs and actual recovery capabilities – prioritizing actions to resolve, mitigate, or accept program gaps
• Continually improve the effectiveness of the Business Continuity program through the regular review of policies, objectives, audit results, management responses, program updates, preventative and corrective actions, and the review of after-action reports following activations and exercises.

Typically, the Steering Committee will be led by your Executive Sponsor(s) and consist of 6-8 leaders across your organization representing the major business and support organizations. We strongly recommend that a senior IT leader be one of the members due to the critically important technology dependencies in almost every organization.

We recommend that Steering Committees meet at least quarterly, but when starting up a new program you may want to have this group even meet monthly in order to provide guidance and insights while helping remove obstacles that arise during program implementation.

Business Continuity Lifecycle

A business continuity lifecycle helps illustrate to an organization the necessary processes to bring a business continuity program to life. It’s a cyclical process of assessing threats and impacts; developing, exercising, and maintaining plans.

The business continuity annual lifecycle generally consists of the following components, which are executed annually or every other year:

• Identify critical business processes and capture impacts of a disruption through the Business Impact Analysis
• Build procedural tasks and guidance for recovery of critical business processes in a Business Continuity Plan
• Validation of plan tasks and operation
• Build confidence & muscle memory
• Continual plan maintenance

Beyond the high-level illustration of an annual lifecycle there is a more detailed process lifecycle for Business Continuity that illustrates the connectivity between various components in a broader program, including risk assessment, disaster recovery, incident & crisis management, issues management & risk mitigation, and post-incident/crisis after-action reporting.

Why do you need a business continuity lifecycle?

Most businesses make the mistake of thinking that business continuity planning is a linear process, rather than a circular one.

They assess the most likely threats to their critical functions, develop plans to mitigate the impacts of those threats, conduct a few trainings and exercises, and consider the business continuity planning box to be “checked” for good. The result is a flat and lifeless program that quickly stales.

But your business and the threats that face it change and evolve over time. And when your plans for responding to those threats don’t, the resulting miscalibration all but guarantees that your company will become less resilient over time.

As any fitness buff will tell you (although I’m definitely not one of them), you have to continually use and exercise your hard-earned muscles if you want to maintain them. And because your body and environment change over time, you will probably have to adjust your routine to keep the same fitness results.

This example perfectly illustrates the need for a business continuity lifecycle—a cyclical process for assessing likely threats and their potential impacts on your business, developing plans to address those threats, and then exercising, reviewing, and improving those plans over time.

Once you’ve built your organization’s resilience muscles—with a comprehensive business impact analysis and thorough business continuity plans—you have to exercise and adjust those plans to ensure that your resilience muscles are always ready to do the job.

The business continuity lifecycle is how we do this.

We discuss the concepts behind a Business Continuity Framework in Episode #102 of our Managing Uncertainty Podcast .

You can obtain a copy of our Bryghtpath Business Continuity Framework here on our website . It’s the same process we use here at Bryghtpath in our  Business Continuity as a Service  (BCaaS) offering.

We’ve written an extensive article about the business continuity lifecycle that you may find valuable:   What (almost) everyone gets wrong about the business continuity lifecycle .

The Business Impact Analysis (BIA)

How many days can payroll be down before it impacts your business?

What about the servers that power customer networks? Or that internal VPN employees use to work remotely?

An hour? A day? A few weeks?

You may not know how long your business could survive with critical systems, business processes, facilities, or third-party service providers/suppliers.

For that reason, a thorough business impact analysis (BIA) is one of the most important steps you can take within your business continuity program.

Here’s what a business impact analysis is, why it’s important, and what you’ll learn by doing one.

Here’s the formal definition of a  business impact analysis  from the  ISO 22301 Standard :

• The process of analyzing the impact over time of a disruption on the organization. 

To say it more clearly: A business impact analysis is a thorough examination that exposes the likely impact a business disruption will have on the revenue, expenses, operations, and reputation of your company.

Here’s an example of what an impact analysis report looks like, including the impact over time across multiple different factors.

Recovery Time Objectives

Business disruptions aren’t usually isolated.

If a hurricane knocks your data center offline, your customers might be locked out of their systems, payroll might be down, the internal intranet might be inaccessible, and lots more.

Over and over, we’ve seen companies make the same mistake in this situation: They try to recover  every  system and  every  process all at once. And it’s a mistake that can easily cost a company millions of dollars.

That’s why recovery time objectives (RTOs) are so important.

Some systems and processes need to be recovered  now  — usually, these are the ones that generate revenue: customer products and records, sales pages on an eCommerce website, or similar systems.

Every minute these systems are down, they cost you money.

Other systems need to be recovered, but they don’t necessarily have to be recovered  immediately .

Payroll, for example, needs to be recovered quickly — but not necessarily ahead of revenue-generating systems.

A business impact analysis looks at each critical system in your business and assigns it an RTO.

With recovery time objectives in place, we can build a prioritized list of systems and processes to recover during a disruption — a key first step when creating a business continuity plan.

Conducting your Business Impact Analysis (BIA)

• Scope the Need:   Determine which areas we need to look at – we often do this through a high-level criticality survey to determine what are the critical functions or processes within an organization.  Often this helps us narrow the BIA to truly critical processes that need to be recovered within a short period of time.
• Schedule BIA Interviews and Assign Prework:  We identify everyone that we need to interview and send them some simple prework to complete before our conversation.  This often involves basic questions about their responsibilities and their history with previous business disruptions. That way they come to the interview with a clear idea of what we’ll be discussing.
• Conduct BIA Interviews:  The interviews are the most important part of the process — because this is where we uncover the strengths and weaknesses of your systems and processes. We capture details on your business process recovery time objectives (RTOs) and your dependencies (technologies, vendors/third parties, facilities, other business processes), and your recovery time needs for each of those.
• Prepare and Present a BIA Report:   When all the interviews are complete, we aggregate everything we’ve learned, including the impact of a disruption to revenue, expenses, and reputation in every area we’ve examined. Our report also includes our analysis of key systems and business processes, along with recovery time objectives for every area. The report also captures the interdependence of operations within your organization.

BIAs are an important foundation of your Business Continuity Program

Without a BIA, you’ll lack the data to properly prioritize your business continuity plan. In the worse case, you may even be overlooking critical systems and processes you never thought to include in the first place.

Without a BIA, you’re blind to the full impact a disruption could have on your revenue, expenses, and reputation.

With a BIA, you’ll have the data you need to plan a business continuity program that protects the  most  critical systems and processes first — and gives you a roadmap for recovering everything else in order of importance.

Learn more about the Business Impact Analysis (BIA)

We’ve written an extensive overview of the Business Impact Analysis (BIA ) that you may also find helpful with additional context and insights.

Business Continuity Plans

How long does the business continuity planning process take? And who should be involved?

I would love to be the definitive source of truth here, but in reality, there is no perfect answer. Size, location, industry, management structure, and existing reporting, resources, and experience—every company is different, as are their business continuity planning needs. These factors and more influence how we tailor our approach to business continuity planning with each of our diverse clients.

Still, like many you’re probably here because you’re getting ready to embark on the business continuity planning process and you have a lot of questions.

Bryghtpath has over 50 years of collective experience in business continuity planning working with a multitude of global clients in varied industries.

1. Establish the Fundamentals of Business Continuity Planning

When we start working with clients on their business continuity plan or BCP, the general end goal is always the same—create a plan to keep things running in the event of a disruption. But while most companies have the same vision for the outcomes of their business continuity planning process, they may have different ideas of how they are going to get there.

Your company should start the process by agreeing on a few fundamentals at the start.

• What are the plan objectives?
• Who will be responsible for creating and activating the plan?
• What resources are available for Business Continuity Planning?

2.  Assess Risks and Business Impacts

Just as the integrity of a well-built home depends on laying a sound foundation, so too does the effectiveness of a good business continuity plan rely on the right assumptions. A thorough business impact analysis, or BIA, is key to developing the accurate underlying assumptions that will ensure business continuity planning success.

3.  Select and Develop your Response & Recovery Strategies

The menu of response and recovery strategies is typically broken down by resource (i.e. workplace, workforce, 3rd parties, and technology) and also includes an estimation of the time needed to implement and the expected sustainable duration for each strategy.

Each separate recovery strategy should include a detailed procedure that further describes how that specific response and recovery strategy will be accomplished.

4.  Create your Response & Recovery Roadmap

After all available response and recovery options have been cataloged, the next step is to develop the procedures and guidelines that will serve as your business continuity plan roadmap. Your team will use this roadmap to help you initially assess the disruption, activate the appropriate response strategy, and carry out that strategy to completion.

A critical part of preparing your response and recovery roadmap is detailing how and when you will evaluate your plan. While the inherent nature of business disruptions precludes testing your business continuity plan in a practical sense, regularly reviewing the performance of your BCP can provide important insights and improvements.

Likewise, roles change, people leave, and technology and processes evolve. And disruptions that were once imaginable (like a global pandemic) may emerge as all-important. You should evaluate and update your BCP on a regular (at least annual) basis and also in an after-action to any specific response and recovery plan activations.

We’ve written a detailed article  4 Steps to Business Continuity Planning Success , that goes into further detail on business continuity planning that you may find helpful as well.

Business Continuity & IT Disaster Recovery

Business continuity and crisis management experts rarely talk about the gap between  business continuity  and IT disaster recovery planning.

But they should.

The distance between the IT disaster recovery program you have and what you need could be bigger than you think.

Like one of our clients whose IT disaster recovery plans for several critical systems needed to support a recovery time objective of 24 hours but were built for 7 days.

They’ve unknowingly been walking a tightrope over the Grand Canyon and hoping for the best. Because that 6-day gap could become a multi-million dollar problem in the face of a crisis.

My stomach is hovering somewhere above my head just thinking about it.

If you want to avoid canyon-sized gaps like this, and the potential consequences, your business continuity and IT disaster recovery functions need to work together closely.

But in most organizations, they aren’t working together at all.

Consequently, IT is often pressed to come up with its own answers to critical system requirements, such as availability, acceptable downtime or recovery time objectives (RTO), and recovery point objectives (RPO).

We think about Recovery Time Objective (RTO) as the maximum amount of time that a business process or IT system can be disrupted before the impact becomes unacceptable to the broader business.  We think about Recovery Point Objective (RPO) as the point in time to which systems and data must be recovered following a disruption (sometimes referred to as maximum data loss).

Here are three ways to close the gap between Business Continuity & IT Disaster Recovery:

• Make sure IT has a seat at the table:  While IT should ideally own the disaster recovery process, their input is critical to both your organization’s overall technology strategy and in determining system availability and recovery requirements in the event of a disaster. So the best and first way to close the gap between business continuity and IT disaster recovery is to ensure IT is represented in your business continuity and crisis management steering committee.
• Design your BIA process to capture the right data:  Expecting your IT team to architect the right IT disaster recovery solutions without the right data is a lot like putting four wheels on a car but no gas tank and expecting it to drive. Your business impact analysis  (BIA) should be designed to capture the key data that your IT team needs to design an effective IT disaster recovery plan.
• Stick to the standards (ISO 27031, more precisely):   ISO Standard 27031  is specifically focused on the information and communication technology requirements for business continuity and disaster preparedness. The standard is built to ensure your IT DR program satisfies crucial data security requirements and meets the needs of your enterprise operations. It also provides for IT-led disaster recovery exercises, which should be a part of every IT DR program.

We’ve written an extensive article on this topic that expands upon these ideas, outlines common reasons for this gap between business continuity & IT disaster recovery, and goes much farther into potential solutions that you may find helpful:   Closing the Gap between Business Continuity & IT Disaster Recovery .

Supply Chain Resiliency

“Companies routinely exaggerate the attractiveness of foreign markets, and that can lead to expensive mistakes.” -Pankaj Ghemawat, Global Professor of Management and Strategy at New York University’s Stern School of Business.

Ghemawat’s statement sounds like a round-up of recent supply chain woes at the hands of the COVID pandemic crisis.

Yet it comes from his prescient warning to industry sounded nearly two decades earlier in his landmark  article , “Distance Still Matters: The Hard Reality of Global Expansion.”

A critical one (in our humble opinion as  business continuity  &  crisis management  professionals) is that your business is only as resilient as your third parties.  And if you’re leaving them out of your business continuity and crisis management planning process, your business might not be as resilient as you think.

Here are some practical steps you can take to better understand the resilience of your third parties and in doing so, improve your ability to navigate the next crisis.

• Shore up your supply chain risk at the program level
• Identify vendors with a high disruption impact
• Conduct joint resilience exercises with your vendors and providers

Protect your investment in resilience and your business

Failing to include key vendors and providers in your resiliency planning is a lot like locking your front door but leaving the garage wide open.

When disaster strikes, you may quickly find out the hard way that your business is only as resilient as your third parties if you’ve failed to include them in the resiliency planning process.

Effective resiliency planning requires a holistic approach to assessing your dependencies, risks, and business continuity and crisis response.

We’ve written an extensive article on Supply Chain Resilience that provides additional context and deeper insights that you may find helpful:  Your supply chain may not be as resilient as you think .

Business Continuity Program Metrics

“Are there metrics we should be tracking?”

In short and emphatically, YES!

What metrics should you be tracking?

It depends:

• Do you really want to know whether your business continuity program is working; that your organization is resilient and actually prepared to respond to the next disruption?
• Or do you just want to make sure all of the boxes are checked?

This is not a trick question.

We think that everyone should want their business continuity program and your business continuity plans to actually work!

But if you don’t quite grasp the difference between the two, you’re not alone. I frequently encounter confusion around the fact that merely tracking business continuity program compliance—i.e., checking the boxes— isn’t the end game for business continuity success.

But it takes more than “Know the requirements-Do the things-Check the boxes” to gauge whether your business continuity program is effective and moving your organization towards its resiliency goals.

Employing the right combination of metrics—operational compliance, plan quality, and program maturity—are all equally important to understanding your organization’s true resilience.

Implementing a system that measures all three will give your organization the insights it needs to move your business continuity program to full maturity, sustainability, and success in responding to the next disruption.

Is your organization truly resilient, or are you just checking off the boxes?

1.  Operational Compliance Metrics

At the very least you should be tracking progress at the business unit or plan level for:

• Business Impact Analysis (BIA) completion
• Business Continuity Plan completion (if just getting started) or updates (if already in place)

Completion of business continuity exercises

• ​Whether after-action items identified in exercises have been addressed and improvements implemented

In short, your business continuity program manager should have a system to easily check and report on business unit progress towards basic business continuity program requirements.

For smaller organizations, a spreadsheet might be adequate for the job.

Large organizations with more complex operations may need a more robust solution.

2.  Quality Scoring

To avoid a situation where your plans look great on paper but fall flat in actual practice, many companies choose to implement a quality scoring system.

The concept is straightforward. Each business continuity plan is scored, often on a rubric of 1-10, based on criteria that are developed in alignment with both industry standards and company-specific needs.

Things that can impact this score include:

• Plan completeness
• The quality of recovery procedures
• Whether risks that have no available workaround have been acknowledged and accepted
• Business continuity exercise participation
• Continued training and evaluation

Quality scoring enables you to assess your team’s true resilience capabilities in response to a disruption. In short, it is an invaluable tool for understanding whether your business continuity program is truly effective or merely compliant and is one that I recommend every organization employ.

3.  Evaluating Program Maturity

We measure this progress using a proprietary model based on the ISO 22301 standard across 98 core factors or elements by evaluating how close each element aligns with the company’s pre-defined standards (as informed by both industry standards and the specific needs of the business), we can identify gaps in the program and the strategic objectives that are needed to bridge those gaps.

The maturity metric is the pinnacle of business continuity program performance and integral to ensuring the long-term sustainability of your resiliency program.

Getting the Metrics Right in your Business Continuity Program

• Just get started:   Start tracking some metrics.
• Make sure your business continuity program metrics support your organization’s strategic objectives :  Business continuity leaders can often get so caught up in the details that they forget about the importance of linking their business continuity program objectives to that of the company as a whole.  Whatever metrics you develop should help you establish direct connectivity between the two. This is especially important when it comes to making the business case for business continuity resources and tools.
• Implement the solution that’s right for you:   Your business continuity program doesn’t have to be world-class to work well. For example, some companies benefit from a robust SaaS business continuity software platform that can roll business continuity capabilities such as the Business Impact Analysis, business continuity planning, and more, including metrics, into one package. We have a few that we love and can help our clients on board, configure, and learn how to use effectively. Still, not everyone has hundreds of business continuity plans to manage across a business with dozens of units and a global presence. In that case, a less robust and expensive solution might be sufficient.

We’ve written a longer article,  3 Key Metrics for Business Continuity Program Success , that has additional context & detail along with example metric images that you may find helpful as well.

Plan-Do-Check-Act (PDCA)

There are endless explanations for why we humans find it so hard to make progress towards our goals—whether it be losing weight, saving money, or making strides in our business.

When it comes to organizational resiliency, one of the most common problems I see is not having a good system for implementing and improving your business continuity program.

Ad hoc efforts usually lead to ad hoc results. Opportunities for improvement slip through the cracks and your program quietly and unimpressively manages to subsist. Not exactly your dream scenario.

Especially considering the ramifications of being unprepared for the next disruption.

Meaningful improvements—whether to your waist size, your resiliency, or your bottom line—require a proven methodology to evaluate what’s working and what’s not. And to ensure that you’re making consistent efforts towards those improvements over time.

If your business continuity program doesn’t already have a system in place to do this, the Plan-Do-Check-Act model is a good place to start.

What is Plan-Do-Check-Act?

In early iterations, the PDCA model was referred to as the Deming-Shewhart cycle (named for its creators) and today is part of the foundational theory that undergirds  Lean Six Sigma ,  Kaizen , ISO standards, and other systems for quality management and improvement.

So if your organization already has a process for establishing and maintaining your programs, it likely shares many similarities to the Plan-Do-Check-Act model or is loosely based on the PDCA methodology.  Whatever your experience, you’ve likely heard of Plan-Do-Check-Act before, or at least seen it in practice.

But what exactly is Plan-Do-Check-Act and how can it help your organization better achieve its resiliency goals?

The PDCA model is based on a four-step closed-loop cycle that is used to improve a process or project over time. The steps, in short, are as follows:

• Plan:  Establish your objectives, processes, procedures, and resources
• Do:  Implement and operate your program or project as informed by your plan
• Check:  Gather data and evaluate the outcomes from the “do” phase
• Act:  Use insights from the “check” phase to identify corrective and preventive actions and drive continuous improvement over time

The PDCA process is continuous, rather than focused on a discrete endpoint.  The result is an upwards spiral of continuous program and project improvement that has the potential to bring tremendous gains when applied consistently and correctly. Nike and Toyota are but two commonly cited examples of organizations that have used the PDCA model with much success.

We’ve written an extensive article on using Plan-Do-Check-Act (PDCA) in your business continuity program that you may find helpful:   Plan-Do-Check-Act and your Business Continuity Program .

Business Continuity Awareness & Culture

In most organizations, the only times a business leader and their team learn about business continuity & crisis management is when the time comes to update their business impact analysis and associated plans – or when an incident or crisis occurs. It’s not a great way to drive business continuity awareness.

Instead, business continuity & crisis management leaders should be meeting and communicating regularly across the business to explain the program, highlight the program and organizational wins, and constantly explain how the program helps support the organization’s strategic business objectives.

When I first was asked over fifteen years ago to take over my then-employer’s business continuity program, I patiently explained to my would-be boss at the time that I knew very little about business continuity and crisis management. I would be a bad fit for the role.

He laughed, looked at me, and said, “I don’t need a subject matter expert Bryan. What I need is someone who understands how to communicate and can market & promote the program across the company.”

He was right.

This is an even more important topic at the time of this writing, in mid-2022, when there’s never been a time where business continuity & crisis management have been more important to an organization – and there’s never been a more important time to  make yourself important  as a business continuity leader.

How can you set about doing so within your organization?  Let’s dive in.

Telling your program’s story

Every great narrative starts with a bit of an origin story. Where did the program come from?  Why does it exist?  What is its mission?

In any story I set out to tell about business continuity & crisis management, I start with the whys.  Why do we do this?  Why does the program exist?  How does it support the organization’s strategic initiatives?

This information is then consolidated into a document I call the “walkaround deck”.  In my previous roles, I literally printed out a copy and carried it around in my planner so that I could tell the story at any time I needed to with any willing audience that would listen.  It was a constant feature at morning “coffee meetings” where I would meet with yet another peer from across the organization to share our program’s story and initiatives and learn how they might intersect with my colleague’s area of responsibility.

Once this presentation is put together, make plans to always keep it current, and then set about to speak at as many forums, team meetings, huddles, all-staff gatherings, or any other meeting you can wrangle an invitation to.  It should be the background for every meeting you have with officers and senior leaders in the organization – enabling you to share your program story, the results you have achieved, and how you are supporting the organization.

Working with Communications for Business Continuity Awareness

Your organization undoubtedly has some sort of communications function that supports internal communications.  They will need to be your new best friend.

Every company has channels for internal communications – an intranet, posters, digital signs, a newsletter, bulletin boards, internal social media, and more.  Meet with your communications team and learn how to submit content for these different channels.  Devise a simple communications strategy that supports monthly and/or quarterly communications as a starting point.  Aim to create a piece of quality content that helps reinforce your story, as we’ve outlined above, for each month or quarter on your communications strategy.

Don’t pass up any opportunity to tell your program’s story

A lot of business continuity & crisis management professionals are content to stay behind the scenes rather than being out front telling the story of their program.

Truly successful programs require leadership that is constantly working to tell the program’s story, gain new allies, and convert others to the cause of preparedness, business continuity, & crisis management.

Never be afraid to make yourself important.

We’ve written a two detailed articles on this topic that you may find helpful:  Effective Business Continuity Awareness Campaigns  and  Building a Resilience Culture in your Organization .

Business Continuity Industry Standards

Grounding your program in an industry-standards driven approach can help you build the right program for your organization’s unique culture, strategic objectives, and situation while ensuring that you’re adhering to best practices developed over decades by the world’s leading organizations.

There is not an established single standard for Business Continuity in the industry, however, there are several widely accepted industry standards for Business Continuity that can help provide you with a foundational approach to your organization’s business continuity strategy. Using one of these standards will save you from reinventing the wheel by describing the key program elements that you should consider as a part of your Business Continuity program in your organization.

NFPA 1600 Standard on Continuity, Emergency, and Crisis Management

National Fire Protection Agency (NFPA) 1600  is a U.S. emergency planning specification that has also become globally accepted. NFPA was the first of the business continuity standards to appear after 9/11. The United States Department of Homeland Security adopted the standard that the  NFPA site  calls “as a voluntary consensus standard for emergency preparedness.” Likewise, the 9/11 Commission report recognized NFPA 1600 as the national preparedness standard.

Despite such endorsements, NFPA 1600 is still a guideline, not a requirement. It includes nine chapters on business continuity program management, planning, implementation, training, exercises and tests, and program improvement. Annex B provides checklists for ongoing self-evaluation.

Our article  An overview of the NFPA 1600 Standard goes into greater detail on this important industry standard.

ISO 22301 Security and resilience — Business continuity management systems — Requirements

The International Standards Organization or ISO is a global institution that researches and creates industry and other standards. All its specifications are voluntary. ISO can’t enforce these or any other standards. ISO simply provides guidelines for what you should do.

The ISO 22301 Standard interoperates with all of the other ISO Standards, which are often used for Enterprise Risk Management, Information Security, and Disaster Recovery.

At Bryghtpath, we typically utilize ISO 22301 as the basis for our Resiliency Diagnosis process, also known as Business Continuity Program Evaluations .

ASIS Business Continuity Guideline – A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery

Published by ASIS International, an association of security practitioners, the  ASIS Business Continuity Guideline  is, as it says, a step-by-step, detailed outline for approaching business continuity. Although perhaps less well-known and therefore less commonly adapted, the plain language makes it an accessible reference.

Incident Command System (ICS) & the National  Incident Management System (NIMS)

The Incident Command System , or ICS, is used by public agencies to manage emergencies. You’ll see this used by police, fire, emergency management, public health, and related government agencies. Some businesses use ICS or an ICS-aligned approach to work together with public agencies during emergencies. This is a commonly used approach by energy utilities and hospitals/healthcare organizations (through the Hospital Incident Command System or HICS, documented below). You can learn more about ICS at FEMA’s Emergency Management Institute ICS Resource Center page .

The  National Incident Management System (NIMS) was established by FEMA and includes the Incident Command System (ICS). NIMS is used as the standard for emergency management by all public agencies in the United States for both planned and emergency events. You can learn more about NIMS at FEMA’s National Incident Management System resource page .

By themselves, NIMS and ICS do not define how to best organize the Crisis Management Framework & Plan for an organization, but they do provide a number of principles that can be applied to private sector crisis management programs.

Hospital Incident Command System (HICS)

The  hospital incident command system  ( HICS ) is an emergency response and preparedness system for hospitals. It enhances a hospital’s emergency capabilities both as an individual facility and as part of a broader response community.  HICS  also provides guidance for performing daily operations, pre-planned event and non-emergencies.

The Hospital Incident Command System  began to be implemented during the late  1980s  in the United States, and similar systems have also been implemented in other countries. The  California Emergency Medical Services Authority  ( EMSA ) publishes the  HICS  Guidebook for the United States .

Our article,  An Overview of the Hospital Incident Command System (HICS) , provides much greater detail and context about this widely accepted standard for healthcare organizations.

Additional Resources on Industry Standards

• Article:  Business Continuity Standards – How each can help you
• Podcast:  Managing Uncertainty – Episode #124 – Business Continuity Standards – Which is right for you?

Business Continuity Software

Gartner’s  Magic Quadrant  does a really good job of identifying the top software solutions in the field.

But there are two problems with relying solely on Gartner.

• Staleness :  Gartner does not update their reports annually, so information can quickly become stale–their most current one on business continuity management program software solutions is nearly three years old.
• Specificity :  Gartner can tell you what solutions are best in the industry, but not necessarily which solutions are best for your particular company and its specific needs.

Interestingly enough, the business continuity management software solutions that we most often recommend to our clients (like Fusion) are also the ones that happen to rank well with Gartner. It’s a good place to start.

Then, here are some other factors to consider:

• Does it meet your most important needs?
• Does their business continuity program methodology align with yours?
• Can the vendor demonstrate all of its advertised capabilities?

What’s the best business continuity software?

There are a lot of good business continuity software solutions. Here we discuss our favorites and the pros and cons of other popular ones.

• Fusion Risk Management :  Fusion is our hands-down favorite and the one that we usually recommend to clients.
• Castellan :  Castellan’s cloud-based business continuity software is well regarded – and our colleagues who have used it love its performance and capabilities.
• Infinite Blue :  Infinite Blue offers the BC in a Cloud, Cenari, and Sendigo solutions that cover operational resilience (business continuity, disaster recovery, and more)
• Archer :  Archer is a long-term player in the space that is widely used – often we see our clients using Archer’s platform because they’re already using it for other capabilities, such as Governance, Risk, and Compliance.
• ServiceNow :  ServiceNow is a newer player in the Business Continuity software space following their acquisition of Fairchild Resiliency Solution’s software product.  Similar to Archer, many companies use the ServiceNow Business Continuity capabilities because they’re already using ServiceNow for its industry leading IT Service Management capabilities.

We’ve written an extensive article  How to Choose the Best Business Continuity Software that provides an overview of the market, the benefits of using business continuity software, and how to make the business case to your senior leaders to bring software into your program.

Business Continuity Case Studies

Case Studies provide a way to learn from previous continuity situations and from the efforts of other organizations to implement business continuity programs.  We’ve included case studies from articles on our website along with some of the relevant work that we’ve done with clients below that you may find valuable.

• A major U.S. electric, natural gas, and nuclear energy company, faced with the challenge of ever-increasing threats against their generation, distribution, and transmission capabilities, turned to Bryghtpath’s  Resiliency Diagnosis  to evaluate their  business continuity  and  crisis management  program and improve the resilience of their organization.  Read the full case study here.
• A major healthcare technology company partnered with Bryghtpath to build, improve, and  manage its business continuity program  on a day-to-day basis through our Business Continuity as a Service offering.   Read the full case study here.
• A major US-based home decor retailer approached Bryghtpath to build & implement a business continuity & crisis management program from scratch.   Read the full case study here.
• A for-profit university with a global presence, working through a sale to a private equity firm and multiple challenges to its business model, turned to Bryghtpath for interim security leadership to rapidly mature their  global security ,  business continuity , and  crisis management  program while realigning their team against new strategic business objectives.  Read the full case study here.

Getting help with your Business Continuity Program

Designing, implementing, and supporting a Business Continuity program is a tall order. Often the best approach is to seek professional help from an industry leader that can help you build and maintain the program that is best for your organization’s challenges.

Here are some ways to get help with your Business Continuity program.

Trusted Advisors

Every company will deal with business disruptions and crisis situations. Sometimes having a trusted advisor on retainer can help you be better prepared, coach you through immediate actions to take to keep your team safe, and keep your business running despite the impacts from the critical moments.

Some of the reasons to use a trusted advisor are:

• The value of an outside perspective. It’s not easy to know how your business continuity program compares to leading programs in other companies. That’s why an outside perspective can be invaluable.
• Guaranteed availability during a disruption or crisis event.  When a disruption happens, it will help tremendously if you have an established relationship with a business continuity and crisis management expert. For example, at some point in March of 2020, your company had a senior leadership meeting to discuss the rapidly evolving COVID-19 pandemic. Maybe you were in the room for that meeting. Maybe you were part of really difficult decisions — everything from the health of your employees to laying people off to cut costs. If so, what was it like? Did you have a plan in place? Or were you forced to improvise?
• Guidance for media inquiries.   Your phone rings. It’s a reporter from your local newspaper or TV station. “We have a report that your CEO was arrested last night for driving while intoxicated. Do you want to comment?” Would you know what to say?
• Proactive messaging for known risks. Some businesses know in advance that a specific type of disruption is likely. For example, a business that operates cloud-based software  will have downtime. It’s just a matter of when. We call these “known risks.” For our clients with these known risks, we help them get ahead of these issues by working proactively  before  a disruption happens.
• Assistance for your executives & board of directors.  Having an existing relationship with a business continuity and crisis management expert can be a major benefit when dealing with senior executives and boards of directors.
• Access to a network of information. If a major natural disaster happens in your location, where will you go for up-to-date information? If a major political demonstration happens in your town — and it threatens to get out of control — how will you stay up to date with what’s happening? When you work with a business continuity and crisis management expert like Bryghtpath, you gain access to a wide network of information that simply may not be available through local news sources.

How to Choose a Business Continuity Consultant

Writing for  TechTarget.com , Richard Jones, a VP at Burton Group, advises, “[T]he first step (after agreeing that a BCP is in order) is deciding who will lead the process. In-house personnel may be qualified, but if not a consultant is what you need”–or it could be a combination of the two.

It may be possible to do the job without a “hired gun.” In that case Jones advises looking for someone already on board who has led at least two successful business continuity exercises in organizations off similar sizes in approximately the same market to the organization.

Also, this updated  piece  from Continuity Central also has some sage advice on the subject. The organization should ask these three key questions:

• If there is a staff member having the necessary knowledge, is it sufficiently up to date and “broad enough to develop a fully rounded business continuity plan?
• If the staff person is not completely “up to speed,” would additional training fill the gaps in areas of deficient expertise?
• Could an external consultant work with the staff member and minimize the amount of consultancy time needed?

We’ve written a detailed article,  8 Things to Consider When Choosing a Business Continuity Consultant , that you may also find helpful.

Sometimes you have a lot of the program in place, but you’re working harder than ever and just not making a lot of forward progress on your business continuity objectives.  Books and podcasts and other training just isn’t getting it done for you.

We’ve often found in these circumstances that working with a coach for a one-on-one coaching session can help you get unstuck, gain clarity, and take their next best step.

Here are some benefits from Business Continuity Coaching that we’ve seen in our experience:

• An outsider’s perspective . Sometimes, you’re too close to the problem to see it accurately. An outsider’s perspective can be the simple insight you need to find the solutions that are probably already in front of you.
• Encouragement and support . Discussing your business challenges with a trusted expert can help you uncover new solutions to your business continuity & crisis management problems or validate the ones that you already have in mind.
• Validation for your ideas. If you’re struggling to get buy-in within your organization, the gravitas of an outside coach or consultant may be just what you need to get your leaders on board.
• An insider’s network. Having a pre-established relationship with a business continuity and crisis management expert can ensure that you are able to quickly find the information and the help that you need when you need it most.

Could coaching be the right solution for you?  Here are some factors to consider:

• You need help with a problem.  An effective coach can help you see your problem more clearly and create an actionable plan to move forward.
• You’re new to the job or in need of specific capabilities. Regular coaching with a business continuity and crisis management expert can help you confidently address emergent challenges and build your professional playbook until you’re ready to stand on your own.
• You’re ready to level up. Individual or group coaching, or some combination of both, can be invaluable in helping you reach the next level in your business continuity program or career.

If you’re ready for actionable insights and a no-BS game plan to take charge of your professional and programmatic success, coaching might just be your next best step.

For additional coaching insights, read our full article  5 Ways Coaching can help your Business Continuity and Crisis Management Program .

Outsourcing your Business Continuity Program

Another option is to completely outsource your Business Continuity Program to a third-party .  It’s often referred to as Business Continuity Managed Services or Business Continuity as a Service .

There are several reasons why you might choose this as an option:

• Hiring an in-house team can be difficult
• In-House teams have high fixed costs
• It’s more difficult to scale an in-house team quickly when a disruption happens

There are several ways to structure using a third-party to manage your Crisis Management Program, three of the most common approaches are:

• Development of your crisis management program
• Facilitation of crisis management exercises
• Help when you experience a crisis

We’ve written a more in-depth article about Business Continuity as a Service – How to Outsource your Continuity Program that covers approaches to doing so – and how to incorporate Crisis Management managed services as well.

Evaluating your Business Continuity Program

In the event of a significant disruption to your organization, how will your company respond?

But this much is certain:  your business will face unexpected disruptions.

Understanding how your program and capabilities stack up is the first step to being able to mature your program – even if you don’t have a formal business continuity & crisis management program today.

Evaluating your business continuity program helps you know exactly where you stand and how to rapidly improve your current state of resiliency.

As we outlined above in our section about Business Continuity Metrics, we believe in measuring program maturity against defined industry standards – ISO 22301 in our case most typically.

A thorough standards-based evaluation of your business continuity program leads to a better understanding of how your organizational resilience stacks up – and helps you understand the path you’ll need to follow to further mature your program.

We’ve written a more detailed article about evaluating business continuity programs that you may find helpful. You can also learn about Bryghtpath’s proprietary Resiliency Diagnosis process that we use to evaluate business continuity & crisis management programs.

Business Continuity Certifications

You might be wondering about business continuity certifications.

Do you need one to be competitive for business continuity jobs?

Which business continuity certification should you get?

What does it take to get and maintain a business continuity certification?

Do you need a business continuity certification?

While it’s certainly possible to grow your way into a business continuity position from within your organization, it’s best to start working towards a certification as soon as you can.

If you’re looking to start a career in business continuity, most jobs will require you to be professionally certified or will expect you to be certified within a certain period of time. This is especially true if you already have the years of experience required for standard industry certifications; being eligible but not having a certification will stand out as a red flag.

If you’ve been lucky enough to climb your way up the ladder to a business continuity position from within, adding a formal certification to your war chest will be invaluable to getting the internal support and resources you need to carry out your program objectives. And while different training and certifications vary, you will no doubt benefit from the new tools, resources, and network that come through training and affiliation with your choice of certifying body.

In short, I’ve never heard anyone who regretted getting some sort of business continuity certification. Most wish they had done it sooner.

Leading Business Continuity Certifications

In the business continuity industry, the two main certification bodies are the  Disaster Recovery Institute International  (DRII) and the  Business Continuity Institute  (BCI).

In our experience, DRII is the most commonly accepted designation in North America. Its headquarters is in the U.S. and has been around since 1988.  BCI, established in 1994, is based in the UK and is more widely recognized for locations in Europe, Asia, Africa, and the Middle East, but their presence has been growing across North America over the past decade.

In our article  C hoosing the Right Business Continuity Certification , we break down the various business continuity certifications and provide some guidance on choosing the right one for you.

Where to learn more about Business Continuity

There are a number of great options available for learning more about Business Continuity – and many of them are completely free.

Here are some of our favorites.

Free Training

There are a number of free training resources available online that might provide you with answers to some of your questions about Business Continuity. Here are some available free options:

• FEMA’s Emergency Management Institute :  Free courses covering many aspects of crisis management, continuity of operations, emergency management, and related topics.
• Bryghtpath’s Free Introductory Courses :  Our free 101 introductory courses are intended to provide an overview of a particular subject matter in a way that helps both the novice and highly experienced business leader or individual contributor be able to make an immediate impact in their area of responsibility.
• Bryghtpath’s YouTube Channel:   Hours of free video, webinars, and other presentations covering crisis management, business continuity, and crisis communications.
• Bryghtpath’s Webinars & Videos : Our webinars and videos are intended to help you learn more about  business continuity ,  crisis management ,  disaster recovery , exercises , and  crisis communications .

Paid Training

• Bryghtpath’s 5-Day Business Continuity Accelerator :   Our 5-Day Business Continuity Accelerator is an interactive online workshop designed to take you through a hard look at your existing business continuity program – and lay out a plan to rapidly mature your program in just days.We run this course quarterly – learn more, get on the waitlist, or enroll in the next session here on our website .

Business Continuity, Crisis Management, & Resiliency Facebook Group

Connect with hundreds of other Business Continuity, Crisis Management, & Resiliency Professionals in our free Facebook Group.

Our free Facebook Group is a forum for discussion around organizational resilience, business continuity, continuity of operations, emergency management, and crisis management.  The intent of the group is to serve as an active exchange of information, questions, and news related to our profession.

You’ll find daily articles, regular discussion topics, and a safe and welcoming environment for your questions related to your career and moving your program forward.

We hope to see you there!

Join the Free Facebook Group  >>

Books aren’t the best answer for everyone for learning about business continuity, but they are relatively inexpensive and provide a lot of deep insight into a specific topic.

We’ve published our Professional Reading List , which contains our best recommendations for personal study and contemplation that will assist you as you continue to grow in our profession.

There are a number of great (and FREE!) Business Continuity Podcasts.  These podcasts can help you continue to grow your knowledge and skills in these important areas as you seek to mature your organization’s program.

Here are a few of our favorites:

• Managing Uncertainty :  Our own weekly podcast covering business continuity, crisis management, and crisis communications.  Learn more at our Managing Uncertainty Podcast archive .
• Harvard NPLI Leader ReadyCast :  Featuring real-world lessons, best practices, and action-oriented insights for the “You’re It” moments when you are called to lead. Each episode features insights from frontline leaders and the faculty of the Harvard National Preparedness Leadership Institute (NPLI) program.
• Resilient :  Resilient is a podcast series from Deloitte that features authentic, engaging, and thought-provoking conversations with CEOs, senior executives, government officials, board members, and people outside the business world. Hear their personal stories about how they led through a crisis, navigated through disruption, and managed through significant risk events. Discover what they learned about embracing risk, improving performance, and leading confidently in a volatile world.

We’ve outlined a longer list of our favorite business continuity & crisis management podcasts in our article  Top Business Continuity & Crisis Management Podcasts .

Executive Education Programs

The challenges involved in business continuity and crisis management are complex and ever-changing, making ongoing education a crucial part of any executive’s long-term strategies. Understanding the various points of vulnerability for your business, gaining best practices in business continuity management, defining risks and prepping emergency management procedures aren’t skills that are often taught in traditional universities but must often be learned on the job or as part of your networking with peers. Business Continuity & Crisis Management Executive Programs can assist with this opportunity.

Finding a  business continuity executive education  opportunity not only provides you with an opportunity for learning more about the topic but is a valuable networking opportunity as you learn with other professionals who are looking for the most proactive ways to prepare their business for the future.

Some of the top Executive Education Programs include:

• Harvard’s National Preparedness Leadership Institute
• MIT’s Crisis Management & Business Continuity Courage
• Bryant University’s Business Continuity Certificate Program
• PECB’s Business Continuity Management Program

We’ve recapped these programs along with several other options in our article  Top Business Continuity & Crisis Management Executive Programs .

Free Resources

We’ve put together a ton of free resources to help you in your quest to navigate uncertainty and disruption.

Learn more at our Free Resources page on our website.

About the Author

Bryan is a Member of the Business Continuity Institute (MBCI) and a Master Business Continuity Professional (MBCP).

Learn more about Bryan and his background in business continuity & crisis management in his biography .

We can help.

Let the experts at Bryghtpath put their decades of Business Continuity experience to work for your organization

We have the experience, tools, and partnerships to help your organization successfully manage the rough waters ahead – and ensure your organization is prepared.

Learn more about our Business Continuity capabilities, read about the results we’ve generated for our clients , or book a meeting today .

I’D LIKE TO TALK TO BRYGHTPATH

PO Box 131416 Saint Paul, MN 55113 USA

[email protected]

Our Capabilities

• Active Shooter Programs
• Business Continuity as a Service (BCaaS)
• IT Disaster Recovery Consulting
• Resiliency Diagnosis®️
• Global Security Operations Center (GSOC)
• Emergency Planning & Exercises
• Intelligence & Global Security Consulting
• Workplace Violence & Threat Management

Our Free Courses

Active Shooter 101

Business Continuity 101

Crisis Communications 101

Crisis Management 101

Workplace Violence 101

Our Premium Courses

5-Day Business Continuity Accelerator

Communicating in the Critical Moment

Crisis Management Academy®️

Managing Threats Workshop

Preparing for Careers in Resilience

Our Products

After-Action Templates

Business Continuity Plan Templates

Communications & Awareness Collateral Packages

Crisis Plan Templates

Crisis Playbook®

Disaster Recovery Templates

Exercise in a Box®

Exercise in a Day®

Maturity Models

Ready-Made Crisis Plans

Resilience Job Descriptions

Pre-made Processes & Templates

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

https://www.nist.gov/mep/business-continuity-planning

Manufacturing Extension Partnership (MEP)

Business continuity planning.

Business continuity planning enables you to create an easy-to-use, actionable business continuity planning solution to prepare for the impact of a broad range of threats including natural disasters, disease outbreaks, accidents and terrorism. In addition business continuity planning can help when you face technology-related hazards like the failure of systems, equipment or software. MEP Centers can assist you in developing a plan unique to your needs.

If your company needs to create or tweak a business continuity plan, I highly suggest reaching out to Purdue MEP!

—Doug Ellington, Director of Finance, Estes Design and Manufacturing Read the Success Story

Illuminating Possibilities to Achieve ISO Certification

Business Continuity Plans: Lessons Learned From Puerto Rico

For more information or assistance with business continuity planning, please contact your local MEP Center .

If you would like someone to contact you about business continuity planning , please complete the form below.

For General Information

• MEP Headquarters [email protected] (301) 975-5020 100 Bureau Drive, M/S 4800 Gaithersburg, MD 20899-4800

• Skip to primary navigation
• Skip to content

• North America
• South America
• Finance and Banking
• Professional Business Services
• Technology Quickship
• Workspace Recovery
• Alternate Email and Communications
• Imaging Services
• Testing Services
• Work From Home
• Warehousing & Logistics

Business Continuity Success Stories

Pronto Recovery is a global business continuity solutions and technology hardware provider. We offer business continuity solutions when disaster strikes. Unlike most industry providers with only a few centralized depots, we’ve strategically placed our depots with equipment around the globe enabling us to deliver hardware to your alternate site or specified location within 24 hours or less.

Quickship in North America: Los Angeles, USA

Quickship in south america: sao paulo, brazil, quickship in europe: berlin, germany, workplace recovery during hurricane harvey, business continuity solutions during hurricane sandy.

Whether you need quickship computing hardware for recovery, temporary rental equipment, or alternate workspace locations for business continuity, we provide you with flexible and cost effective recovery options that works best for your company’s needs, so you can keep your business up and running in order to minimize downtime and potential loss of revenue.

Subscribe to Pronto Recovery Monthly Newsletter

Follow pronto recovery on social media.

Cookie consent

By clicking “Accept” , you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Improved Business Continuity Planning (BCP) and execution for leading Investment firm

The challenge: find a better way to manage Business Continuity Planning

A global alternative investment management firm, which manages more than $40 billion in assets, needed a better way to manage its Business Continuity Planning (BCP) and execution. The firm conducts four global BCP tests a year, each one involving over 50 resources dispersed around the world.

Cutover was chosen as the solution because it creates an “operational theater” that enables status monitoring and full visualization, elevates virtual team collaboration, and forms the much sought-after system of record throughout the implementation event.

Greater flexibility and insurance against failure with improved Business Continuity Planning

When the firm initially began using Cutover, the teams imported the planning spreadsheets they used at the time. However, they quickly became proficient at building plans directly within Cutover and no longer use spreadsheets in this capacity. 

Cutover provided greater flexibility and insurance against unexpected changes ruining events. For the very first BCP test in Cutover, the Implementation Manager was rushed into hospital due to a medical emergency . If this had happened before Cutover, the team would have had to cancel the event, but they decided to continue with the help of the SaaS-based platform, due to the accessibility and visibility provided. The event was executed successfully and the Implementation Manager was able to monitor progress from his hospital bed on his cell phone. Previously, without this key person, progress could not have been made, and the test would have been halted.

Reduced risk with better BCP

Cutover provided the following benefits to the firm:

• Business continuity event plan invocation
• Reduced risk relating to the invocation and control of a business continuity event plan
• Enhanced communication and improved collaboration and culture around the execution of BCP events. 

Find out more about how Cutover can improve your technology resilience 

Future expansion into new use cases

After a year of using Cutover for its BCP test planning and execution, the firm is now starting to use Cutover for other diverse use cases including a major office move.

Download this case study

Download the case study

British financial institution saves £12m per annum on change, cutover integrations case studies, a global bank's self-guided journey to the cloud, major stock exchange migrating over 400 apps to the cloud, american multinational investment bank successfully deploys servicenow for the first time, global payments team in multinational bank improves ongoing tech change with cutover.

Experience the power of Collaborative Automation for yourself.

Get the latest cutover updates and insights in a monthly newsletter.

Business Continuity Plan Examples | Kuali Ready

Real-life business continuity plan examples.

Is your college ready to face a natural disaster, terrorist attack, or other unforeseen emergency? No higher education institution really expects something like a fire, flood, loss of power, criminal attack, or pandemic to interrupt daily operations, but it is something every college and university should be prepared for.

Having a business continuity plan can ensure smooth communication and continued learning in the face of any unexpected emergency. It will give you greater peace of mind, minimize disruptions, and protect the financial standing and brand of your institution—no matter what happens.

Check out our guide for real-life business continuity examples you can learn from as you create your own plan.

1. NYU Faces Challenges on 9/11

Despite the incredible tragedy of 9/11, New York University had a thorough business continuity plan that allowed them to face the challenges of the nation’s biggest terrorist attack. The university declared an emergency right after the second World Trade Center tower was hit. And within 45 minutes, they had a full emergency command center up and running.

This command center allowed them to easily communicate with government agencies, handle crises like the evacuation of four residence halls, alert students of emergency services, and support the emotional well-being of the NYC community at large.

Though the emergency response was relatively smooth, NYU learned from the events of 9/11 and has further honed its business continuity plan to secure the physical and electronic infrastructure of the university in the face of future disaster.

2. Hurricane Harvey Threatens an Internet Marketing Firm

Back in August of 2017, a Texas internet marketing firm proved that having a detailed business continuity plan could make or break a business in the face of disaster. When Hurricane Harvey hit their area, the company’s office was damaged beyond repair.

Fortunately, the company relied on secure data storage in the cloud to allow staff members to work remotely as soon as the storm hit. They were able to maintain operations and never lost any of their most important documents. The plan worked so well that the company decided to continue to allow employees to work remotely, even once the company established a new office space.

3. A Tunnel Fire Spreads at the University of Notre Dame

Thousands of Notre Dame students and faculty were affected by a fire that began in a utility tunnel in August of 2009 . The fire spread to destroy communications between 36 campus buildings during the first week of the fall semester.

Luckily, the university had a solid business continuity plan in place, along with a formal incident response and emergency operations center. Because they had already tested several plans using emergency simulations, they were able to immediately alert the appropriate responders using their established chain of command. They sent an EOC activation notice, created an incident assessment within a few hours of the fire, and quickly coordinated recovery of the communications infrastructure.

4. Ransomware Attacks in the City of Atlanta

In March of 2018, the city of Atlanta faced ransomware attacks on their government computer systems, compromising police records, court documents, and public services like parking, utilities, and more. It took several months for the city to fully recover from the attack, and it cost the city more than $17 million overall.

Though IT professionals worked quickly to recover city services and protect data, there are many areas where their business continuity plan could have been improved: e.g. stronger passwords, better management of passwords, and a well-thought out process for restoring essential services.

Create Your Business Continuity Plan with Kuali-Ready

These four business continuity plan examples are sure to help you when it’s time to create your own plan. But if you’re looking for more help creating your own customized plans, check out Kuali Ready .

Because our software is specifically designed for higher education institutions, we can help ensure you’re meeting accreditation requirements and are ready for any disaster. We’ll walk you through every step of the process and give you effective strategies for building your continuity plans. Learn more today.

REQUEST A DEMO

Let's setup a time to see Kuali in action!

• Share full article

For more audio journalism and storytelling, download New York Times Audio , a new iOS app available for news subscribers.

• May 10, 2024   •   27:42 Stormy Daniels Takes the Stand
• May 9, 2024   •   34:42 One Strongman, One Billion Voters, and the Future of India
• May 8, 2024   •   28:28 A Plan to Remake the Middle East
• May 7, 2024   •   27:43 How Changing Ocean Temperatures Could Upend Life on Earth
• May 6, 2024   •   29:23 R.F.K. Jr.’s Battle to Get on the Ballot
• May 3, 2024   •   25:33 The Protesters and the President
• May 2, 2024   •   29:13 Biden Loosens Up on Weed
• May 1, 2024   •   35:16 The New Abortion Fight Before the Supreme Court
• April 30, 2024   •   27:40 The Secret Push That Could Ban TikTok
• April 29, 2024   •   47:53 Trump 2.0: What a Second Trump Presidency Would Bring
• April 26, 2024   •   21:50 Harvey Weinstein Conviction Thrown Out
• April 25, 2024   •   40:33 The Crackdown on Student Protesters

Stormy Daniels Takes the Stand

The porn star testified for eight hours at donald trump’s hush-money trial. this is how it went..

Hosted by Michael Barbaro

Featuring Jonah E. Bromwich

Produced by Olivia Natt and Michael Simon Johnson

Edited by Lexie Diao

With Paige Cowett

Original music by Will Reid and Marion Lozano

Engineered by Alyssa Moxley

Listen and follow The Daily Apple Podcasts | Spotify | Amazon Music | YouTube

This episode contains descriptions of an alleged sexual liaison.

What happened when Stormy Daniels took the stand for eight hours in the first criminal trial of former President Donald J. Trump?

Jonah Bromwich, one of the lead reporters covering the trial for The Times, was in the room.

On today’s episode

Jonah E. Bromwich , who covers criminal justice in New York for The New York Times.

Background reading

In a second day of cross-examination, Stormy Daniels resisted the implication she had tried to shake down Donald J. Trump by selling her story of a sexual liaison.

Here are six takeaways from Ms. Daniels’s earlier testimony.

There are a lot of ways to listen to The Daily. Here’s how.

We aim to make transcripts available the next workday after an episode’s publication. You can find them at the top of the page.

The Daily is made by Rachel Quester, Lynsea Garrison, Clare Toeniskoetter, Paige Cowett, Michael Simon Johnson, Brad Fisher, Chris Wood, Jessica Cheung, Stella Tan, Alexandra Leigh Young, Lisa Chow, Eric Krupke, Marc Georges, Luke Vander Ploeg, M.J. Davis Lin, Dan Powell, Sydney Harper, Mike Benoist, Liz O. Baylen, Asthaa Chaturvedi, Rachelle Bonja, Diana Nguyen, Marion Lozano, Corey Schreppel, Rob Szypko, Elisheba Ittoop, Mooj Zadie, Patricia Willens, Rowan Niemisto, Jody Becker, Rikki Novetsky, John Ketchum, Nina Feldman, Will Reid, Carlos Prieto, Ben Calhoun, Susan Lee, Lexie Diao, Mary Wilson, Alex Stern, Dan Farrell, Sophia Lanman, Shannon Lin, Diane Wong, Devon Taylor, Alyssa Moxley, Summer Thomad, Olivia Natt, Daniel Ramirez and Brendan Klinkenberg.

Our theme music is by Jim Brunberg and Ben Landsverk of Wonderly. Special thanks to Sam Dolnick, Paula Szuchman, Lisa Tobin, Larissa Anderson, Julia Simon, Sofia Milan, Mahima Chablani, Elizabeth Davis-Moorer, Jeffrey Miranda, Renan Borelli, Maddy Masiello, Isabella Anderson and Nina Lassam.

Jonah E. Bromwich covers criminal justice in New York, with a focus on the Manhattan district attorney’s office and state criminal courts in Manhattan. More about Jonah E. Bromwich

Advertisement