
Bryghtpath

Business Continuity and Crisis Management Consultants

Business Continuity Program Roles & Responsibilities

July 6, 2021 by Bryan Strawser

Have questions about your business continuity program? You’re not alone.

When we talk to businesses about their business continuity program and business continuity plans, we get asked everything from “What is one?” to questions on a more granular level. At the most basic level, many businesses also don’t understand that a business continuity plan, or BCP, is fundamentally different from a disaster recovery plan; the former is focused on keeping your business running through a disruption and the latter on resuming and recovering technology applications and infrastructure after a major technology disruption occurs. The more granular questions include:

  • What are the important roles in a business continuity program and plan?
  • What do those roles and responsibilities mean?
  • How do these roles interrelate?
  • How do we ensure we place the right people in each role?

As risk management and business continuity planning experts, Bryghtpath helps companies cut through all this confusion and get clear about the path to business continuity planning success.

About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

Best Practices: Business Continuity & Disaster Recovery

Business continuity planning (BCP) and disaster recovery (DR) are all about preparing for and responding to major adverse events.

These events are very rare, so you don’t get much opportunity to test and validate the BCP and DR capability through live practice the way you do in most other areas.

So if they’re rare, why bother?

Why shift focus away from things that do happen regularly?

Your customers and other stakeholders understand and accept that sometimes things go wrong. But expectations of your ability to respond are high. It’s front and center when something does go wrong. In these types of events, the stakes are higher. If you fail to respond effectively to major events, it can cause a contract termination or a long-lasting negative impact on your reputation. On the more positive side, effective response in disaster scenarios is the best way to build long-term trust and positive customer sentiment.

What types of events are we talking about?

The definition of what types and severity of events trigger your BCP and DR Plans should be based on your own assessment of your company and environment.

The starting point is to consider the surrounding processes like service desk, incident management and sometimes change management. These processes each define how to manage related 'events'. At some threshold, depending on how they’re designed, they will fall short of defining sufficient methods to deal with those (critical) events. For example, if your CTO leaves disgruntled and takes most of the development team with him, you're unlikely to manage that with the service desk. Or if you end up in the news for a privacy breach, it's not the same run-of-the-mill incident response.

As a rule of thumb for when to enact the BCP/DR rather than a routine service desk or incident response, you might consider:

  • When is an event serious enough to notify Executive Management or even the Board?
  • Is it a once in a 3-year event? Or for more mature and stable businesses perhaps a once in a 10-year event? That is, sufficiently rare that it would be a drop-everything-and-respond situation.
  • Will this event require additional management on top of, or instead of, the standard processes?
  • Could this event put the business on hold, have a major adverse impact on customers, or catastrophic consequences if managed poorly?

If the answer to any of those is yes, that type or severity of event is likely to require enacting your BCP/DR plans. It’s a good idea to define these types of events within the BCP, DRP, and/or incident management policies and procedures so that everyone is clear on the difference and when each type of response is appropriate.

The types of events to consider, usually in combination with a level of severity, are:

  • System outages
  • Production data corruption
  • Data security breaches
  • System security breaches
  • Public relations matters
  • Attempted or successful external attacks
  • Loss of key office locations
  • Loss of key personnel
  • Any failures that halt critical business functions that your customers rely on
  • Third-party failure or breach

How do these events fit into each of the 'plans'?

There is a lot of overlap between the plans for incident response, business continuity, and disaster recovery. They may all be combined into one document and defined process, or kept separate. Generally, the difference is this: incident management covers all types of adverse, system-related events regardless of severity and type. Disaster recovery is focused on major IT disruptions, covering the technical, system side so that systems, data, and production services can be recovered in a fast, secure and effective manner. Business continuity covers the broader handling of major adverse events, including the non-technical side and the surrounding non-technical processes of responding to adverse events.

The Business Continuity Plan is commonly believed to be all about the physical offices. But it should also consider the likes of security breaches, loss of key personnel, downtime in any key functional areas (people, processes or systems related), and third-party-related issues. It should consider anything that may prevent the continuity of important business functions, your services, or even the survival of your business.

What's documented in each of these plans?

Incident Management & Response

The Incident Management Policy and/or the Incident Response Plan/Policy should cover end-to-end handling of unplanned and adverse events. This includes how they are identified, assessed, and classified, the response to them, how they may be 'closed' (the criteria or requirements), and any post-incident review activities for 'lessons learned' to prevent a recurrence. There should also be a clear linkage to the Change Management Policy or process for how incidents feed into product fixes and the relative priority of those compared to other product change plans. Incident Management is explored further in Best Practices: Incident Management.

Disaster Recovery Plan (DRP)

The Disaster Recovery Plan is directly linked to both the incident management process and the Business Continuity Plan. Its focus is how to recover the critical system functions in the event of a major event that disrupts them.

In contrast to the BCP, which has a broader operational focus, the DRP is focused on the technical side of recovering data and systems back to normal operation. In modern times, with infrastructure as a service and integrated DRP functions, the DRP is often a very simple process and document. It may simply set out the steps to recover data and the systems from backup, as well as a periodic (quarterly, annual) review process to verify the recovery practices are successful. It may also be supported by multiple availability zones for automatic failover in a disaster scenario where a data center is lost. The DRP, like any policy document, should set out roles and responsibilities, as well as any key external or internal contacts related to effectively enacting the plans.

Business Continuity Plan (BCP)

The BCP is often the most comprehensive of these three areas. It needs to broadly identify and address any types of events that may disrupt the continuity of your people, processes, systems, or services. For those events, it needs to clearly identify the key dependencies, specific objectives and priorities, and the practical components of how to respond effectively. Then, like all policies, procedures and plans, it should set out roles and responsibilities and the overall governance of how the BCP is reviewed, updated, and verified periodically.

Business Impact Analysis (BIA)

The BCP may start with a Business Impact Analysis: what are the critical functions, and what happens if they are impacted? This is a good starting point for understanding what types of events may disrupt the continuity of your business, based on which events impact these critical functions.

Recovery Time Objectives (RTOs)

Following on directly from the BIA, how quickly do these critical functions need to be recovered before the disruption has a significant adverse impact? That may be, for example, when your customers are materially impacted and unable to continue their own operations, or when the impact is serious enough to cause reputational damage, or financial damage if there are covenants in your contract.

Scenarios & Responses

The scenarios usually come from a brainstorming exercise to come up with a list of possible events that may cause a continuity issue or require enactment of the BCP in some form. They should consider the business impact to identify the event types but also form high-level response plans that fit with the recovery objectives. For the purpose of the BCP, you may find grouping scenarios is worthwhile, where the responses are likely to be similar for similar types of events. The response plans should be high-level enough that they can be quickly and easily referenced and followed, but also sufficiently clear, or linked to further detail, to enable them to be effectively carried out. It's often appropriate to point to "who" as opposed to "what" will be done, as most major events require discretion at the time. But you want to ensure it's the right person with authority, expertise, and the right resources to be managing it.

Incident Response Team

The Incident Response Team is a predefined team of responsible participants for coordinating and executing the BCP. This team should have a prior briefing on the essentials of their role and feel prepared to be able to enact the BCP. In the BCP itself, there should be contact details for this team for other members of the business to know whom to contact in the event that the BCP may need to be triggered, or is in practice.

Response Playbooks

The response playbooks or steps should include the high-level pre-planned steps that may be necessary if the types of BCP events occur. This may be a flow chart, a sequence of considerations, or a step-by-step guide. It's impossible to completely plan out all steps that may be performed in the event of an unforeseen event, which is the nature of when the BCP is enacted. The purpose is to prompt considerations that may otherwise be missed, forgotten, or poorly executed in the heat of the moment. Having this reference point helps reduce the likelihood of that poor execution.

There are various other things that can be included in the Business Continuity and Disaster Recovery Plans. These should each be tested at least annually to check that they are appropriate and effective. Often that's done via a desk-based run-through or simple simulations, as it's not always feasible to do live tests or more real-world simulations. The purpose of doing some form of testing is to validate the assumptions made in the BCP and DR Plans and identify areas of improvement to better prepare. It may be as simple as identifying that the plan has a communications plan but the list of contacts to communicate with has not been prepared yet.

AssuranceLab's Best Practices Series

AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 2 and ISO 27001.

Building a Business Continuity Plan (BCP)

Deskera Content Team

Whether you are a business owner or work for a large enterprise, business continuity planning will help you respond faster when disruption strikes and minimize the negative impact on your business. Most businesses that are surviving Covid-19 have had a good Business Continuity Plan in place, though many have improvised and learned along the way.

Not having a BCP puts you at risk of being unable to continue selling or, in some cases, unable to ship products during unplanned disruptions or pandemics. Your business's ability to recover from these unplanned disruptions will be much slower and less effective if a BCP is not in place, eventually impacting both your revenue and your brand reputation.

What is a Business Continuity Plan?

A business continuity plan (BCP) is a process that documents and outlines how a business will continue operating during an unplanned service disruption. Business continuity planning or BCP is the process involved in creating a system of prevention and recovery from possible threats to your business. It contains contingencies for business processes, human resources, assets and business partners, and every other aspect of the company that might be affected. The BCP ensures that the personnel and the assets are protected and can function quickly in the event of a disaster.

BCPs typically contain a checklist that includes equipment and supplies, data backups, and backup site locations. Plans can also identify plan administrators and have contact information for emergency responders, key personnel, and backup site providers. In addition, the BCP may provide detailed strategies on how business operations can be managed for both long-term and short-term outages.

The critical component of a business continuity plan (BCP) is its disaster recovery plan containing the strategies for handling IT disruptions to networks, personal computers, servers, and mobile devices. The BCP should cover how to re-establish office productivity and enterprise software to meet the essential business needs. Manual workarounds should be outlined in the BCP to continue until computer systems can be restored.

There are a few primary aspects to a business continuity plan for the key applications and processes as mentioned below:

  • High availability: Provides the capability and processes to have access to applications regardless of local failures. These failures might be in the physical facilities, business processes, or IT software or hardware.
  • Continuous operations: Safeguards the ability to keep things running during a major disruption, as well as during planned outages such as planned maintenance or scheduled backups.
  • Disaster recovery: Establishes a way to recover the data center at a different site if disaster destroys the primary site or otherwise renders it inoperable.

Why Is Business Continuity Planning (BCP) Important and Needed?

Most businesses are exposed to a host of disasters that vary in degree from minor to catastrophic, and BCPs are crucial. A BCP is usually meant to help a company continue operating in the event of disruptions or threats. Such disruptions could result in a loss of profit and higher costs, leading to a drop in profitability. Businesses cannot rely on insurance alone because it does not cover all the costs and the customers who move to the competition.

Developing a comprehensive BCP is difficult because systems are distributed and integrated across a hybrid IT environment, creating potential vulnerabilities. Linking critical systems together can help you manage higher expectations. However, it complicates business continuity planning – along with resiliency, disaster recovery, security and regulatory compliance.

If one of the links in the chain breaks or is under attack, the impact can ripple throughout the entire business. A business can face revenue loss and eroded customer trust if it fails to maintain business resiliency, even while rapidly adapting and responding to opportunities and risks.

Business Continuity is an on-going cyclical process of risk assessment, management, and review to ensure that the business can continue if risks materialize. The effective implementation of business continuity has 6 stages:

  • Policy and Program Management
  • Embedding business continuity
  • Implementation

What is the difference between Business Continuity Plan (BCP) and Business Continuity Management (BCM)?

A BCP should be developed and implemented well in advance for a business to ensure its effectiveness. Business Continuity Management (BCM) is a structure for maintenance and management of the BCP. Most companies may already have countermeasures to avoid accidents and disasters. The application team's BCP should focus on what the people on that team need to do in order to continue supporting the application and bringing it back online.

What are the Types of Continuity Plans?

1. Business Continuity Plan (BC Plan) - A Business Continuity Plan or BC Plan comprises clearly defined and documented procedures and information for use when a disaster occurs.

2. Occupant Emergency Planning (OEP) - Occupant Emergency Planning or OEP is a process that provides the response procedures for the occupants of a facility in a situation posing a potential threat to personnel's health and safety environment or property.

3. Incident Response Plan (IR Plan) - Incident Response Plan is the documentation of the pre-determined set of instructions or procedures to detect, respond to, and limit consequences of a cyber attack against an organization's IT systems.

4. Continuity of Operations Plan (COOP) - A Continuity of Operations Plan or COOP is a determined set of procedures or instructions that describe how an organization's essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.

5. Disaster Recovery Plan (DR Plan) - A disaster recovery plan (DR Plan) is a clearly defined and documented plan describing how an organization deals with potential IT disasters.

6. Continuity of Support Plan (CS Plan) - Continuity of Support Plan or CS Plan is the documentation of a determined set of procedures or instructions that describe how to sustain major applications and general support systems in the event of significant disruption.

7. Business Resumption Plan (BRP) - Business Resumption Plan or BR plan is the documentation of the determined set of instructions or procedures that describe how business processes will be recovered, resumed, and restored after a significant disruption has occurred.

What are the Business Continuity Strategies?

The output of the business continuity strategy would generally include a system for mitigation, crisis response, and recovery.

(a) Mitigation Strategy

The mitigation strategy comes from the risk assessment performed in the initial "Risk Analysis and Analysis phase". Therefore, risks that remain high in spite of the presence of the mitigating controls should be reviewed.

The review should check:

  • Are the controls that are implemented ineffective? Are there other causes that drive the likelihood or impact the variables despite the controls?
  • Are there multiple causes of a risk? Have we addressed all risks or only some of them? The high-risk threats can't be ignored and should be mitigated to the best of our abilities.

Some of these threats must be identified, and more attempts must be made to lower their risk. In addition, they must be implemented to prevent any potential disruption.

A mechanism should be in place to detect and sound the alarm should a threat materialize. These detection mechanisms could take the form of monitoring tools that record and capture abnormal changes in the environment or process.

While it is better to prevent disasters from happening, it is impossible to say with a hundred percent certainty that one will never occur. Therefore, in the unfortunate event that a disaster causes the business operations to be disrupted, a good strategy is required to ensure effective and timely recovery and resumption.

(b) Recovery Strategy

The recovery strategy should focus on re-establishing or regaining what has been lost in the disaster stage:

  • From people, systems, facilities, records, equipment, etc.
  • What has the disaster deprived the organization of?
  • What resources need to be recovered to allow the organization to carry out its critical business functions?
  • How quickly must these resources be made available?
  • How can these resources be acquired within the acceptable time frame?
  • What resources could be built or developed by the organization in anticipation of a disaster?
  • The model gives the highest level of recovery assurance as the critical resource is guaranteed.
  • Facilities, like a hot site, could be built so that vital functions can be immediately up and running during a disaster.

An organization that chooses not to own spare resources could lease the resource. Some organizations may choose to procure resources only when a disaster occurs. In developing the recovery strategy, you can consider getting back the resources needed to continue critical business operations. Keep in mind that the recovery should be within the prescribed RTOs for these vital operations.

If a resource cannot be recovered in this time, interim measures, often called Temporary Operating Procedures (TOP), are carried out.

(c) Crisis Response Strategy

Usually an organization does not have an incident management or response plan. Crisis response strategy should also include a response component: the prioritized activities that the organization would undertake in a disaster. These activities include emergency responses, like situational assessment, evacuation, and modes of communication.

How do you Write a Good Business Continuity Plan?

A successful business continuity plan has the following elements:

1. Define the team structure

Create a core team with personnel from throughout the organization, including information technology, executive leaders, facilities and real estate, communications, physical security, human resources, finance, and other service departments. Develop a defined decision-making hierarchy so that people do not wonder who has the responsibility or authority to make a given decision. Create support teams devoted to related functions such as communications, business readiness, and emergency response.

2. Establish a plan

Identify potential disruptions to your business process which can affect any of your organization's locations, such as epidemics, power outages, fires, etc. Try to base your plan on worst-case scenarios to keep the number of scenarios manageable. Always prioritize the essential operations and who will perform them. Determine how employees will work from home in the event of prolonged outages like the Covid-19 pandemic. Remember to update your plan annually to reflect changes in the criticality and dependency of applications, risk management, business priorities, business locations, operations and other considerations.

3. Test your business continuity plan

Always conduct full emergency simulations annually. This includes crisis communications, safety drills, and workplace recovery processes. Remember to measure your test results and strive for continuous improvements, whether they are application availability goals or personnel safety assurances.

4. Create a crisis communications strategy

Establish emergency notification procedures. This should incorporate both push and pull systems to communicate quickly. Identify all the stakeholders for crisis emergency communications, including employees, clients, vendors, contractors, media and executive management. Have a scripted communication that can be easily updated and ready to transmit immediately for such situations.

5. Educate people on safety procedures

Always educate and train your workforce so that they are aware of the processes they should follow in the event of an emergency. Always consult with your local and federal agencies on emergency response training and other guidance for your program. Remember to conduct employee drills to help personnel become familiar with procedures, such as finding emergency exits.

What is the Difference between a BCP and a Disaster Recovery Plan?

Let us have a closer look at business continuity vs. disaster recovery plan:

  • The BCP focuses on keeping the business operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster. In other words, the BCP is concerned with keeping the shop open even under unusual or unfavorable circumstances, while the latter focuses on returning it to normal as soon as possible.
  • The disaster recovery strategies mostly involve creating additional employee safety measures, such as purchasing emergency supplies or conducting fire drills. Combining the two plans allows a business to focus on maintaining operations and ensuring that employees are safe.
  • The goal of a practical business continuity plan is to limit operational downtime. Meanwhile, effective disaster recovery plans limit abnormal or inefficient system functions.
  • A BCP ensures communication methods such as phones and network servers continue operating amid a crisis. A disaster recovery strategy helps ensure an organization's ability to return to full functionality after a disaster occurs.
  • Business continuity focuses on keeping the business open in some capacity, while disaster recovery focuses on getting operations back to their original normal.
  • Some companies may incorporate disaster recovery strategies as part of their overall business continuity plans. Disaster recovery is a step in the broader process of safeguarding a company against all of its contingencies.

How can Deskera help with Business Continuity Planning?

Deskera helps with business continuity by making critical business processes systems independent. Deskera is an all-in-one online, cloud-based business software that helps businesses remove their dependency on centralized systems.

Move accounting, finance, sales, purchase, inventory management, leads management, sales operations, after sales support, payroll, leaves and expense management completely online with Deskera All In One Business Software.

With Deskera, you can run your business anywhere, any time. You can work in the office or remotely, from your laptop in a browser or on the award-winning Deskera mobile app, to keep things running at all times.

Deskera gives you the overall view of how your business is running at the moment from anywhere. Deskera can help you view your inventory and view financial reports whenever you need them.

Deskera helps you automate your business with its fast CRM system, manage your employees with attendance and payroll, and manage your financial reports, inventory, shipping, and banking integrations to keep track of your payments and revenue coming in.

Key Takeaways

  • Business continuity planning (BCP) is the set of fundamental steps a business undergoes to create a recovery and prevention system for potential threats such as natural disasters or cyber-attacks
  • Business impact analysis, organization, recovery, and training are all the steps corporations need to follow when creating a Business Continuity Plan
  • BCPs are designed to protect assets and personnel to make sure they can function quickly whenever disaster strikes
  • BCP should determine how those risks will affect operations
  • BCP should implement safeguards and procedures to mitigate the risks
  • BCPs should constantly be tested to ensure there are no weak links that can be identified and corrected
  • BCP should review and test the process to make sure that it works and is up to date

What Is a Business Continuity Plan (BCP), and How Does It Work?

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone, because it doesn't cover all the costs or the customers who move to the competition. A BCP is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis: Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery: In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization: A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan, which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and processes
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

Although BCPs and disaster recovery plans are similar in nature, the latter focus on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel, who create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic, and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. Such events could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone, because it doesn't cover all the costs or the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.


Business continuity planning (BCP)

What is business continuity?

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following elements:

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and substitute plan to deal with absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so as to be able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

  • Methods of communication (e.g., phone, email, text messages)
  • Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
  • Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

  • Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
  • Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
  • Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing  maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and disaster recovery (described below), load balancing is a preventative measure. Health monitoring tracks server availability, ensuring accurate load distribution at all times—including during disruptive events.

Disaster recovery plan (DCP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DCP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and RPO.

  • Recovery time objective (RTO) – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
  • Recovery point objective (RPO) – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.

Choosing the right failover solutions

Failover is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

  • Hardware solutions – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
  • DNS services – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes TTL-related delays that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
  • On-edge services – On-edge failover is a managed solution operating from off-prem (e.g., from the CDN layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.
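
The RTO and RPO targets and the TTL caveat described above can be checked against a component inventory. The following Python sketch is an added example, not code from the original article or from any vendor; the component names, timings and the timing model (detection time + switch time + DNS TTL for DNS-based failover) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Component:
    name: str
    rto: timedelta              # acceptable downtime for this component
    rpo: timedelta              # oldest acceptable age of restored data
    failover: str               # "hardware", "dns" or "edge"
    check_interval: timedelta   # health-check period
    failures_to_trip: int       # consecutive failed checks before failover
    switch_time: timedelta      # time to bring the backup system online
    last_backup: datetime       # newest restorable copy
    dns_ttl: timedelta = timedelta(0)


def worst_case_downtime(c: Component) -> timedelta:
    """Detection time + switch time, plus one DNS TTL for DNS failover.

    Assumed model: resolvers may keep serving the old record until its TTL
    expires, so DNS-based failover can add up to one full TTL of downtime.
    Hardware and on-edge failover are modelled without a DNS change.
    """
    detection = c.check_interval * c.failures_to_trip
    ttl_wait = c.dns_ttl if c.failover == "dns" else timedelta(0)
    return detection + c.switch_time + ttl_wait


def evaluate(components, incident: datetime):
    """Compare each component's worst-case downtime and backup age to its targets."""
    findings = []
    for c in components:
        downtime = worst_case_downtime(c)
        data_age = incident - c.last_backup   # data newer than this is lost
        findings.append({
            "name": c.name,
            "downtime": downtime,
            "rto_met": downtime <= c.rto,
            "data_age": data_age,
            "rpo_met": data_age <= c.rpo,
        })
    return findings


# Constructed sample data: every value below is invented for this example.
INCIDENT = datetime(2024, 1, 1, 12, 0)
INVENTORY = [
    Component("web-dns", rto=timedelta(minutes=10), rpo=timedelta(minutes=59),
              failover="dns", check_interval=timedelta(seconds=30),
              failures_to_trip=3, switch_time=timedelta(seconds=60),
              last_backup=datetime(2024, 1, 1, 11, 10),
              dns_ttl=timedelta(minutes=15)),
    Component("web-edge", rto=timedelta(minutes=10), rpo=timedelta(minutes=59),
              failover="edge", check_interval=timedelta(seconds=30),
              failures_to_trip=3, switch_time=timedelta(seconds=60),
              last_backup=datetime(2024, 1, 1, 10, 55)),
    Component("phones", rto=timedelta(hours=1), rpo=timedelta(hours=24),
              failover="hardware", check_interval=timedelta(seconds=60),
              failures_to_trip=5, switch_time=timedelta(minutes=20),
              last_backup=datetime(2023, 12, 31, 18, 0)),
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY, INCIDENT):
        print(f"{f['name']:9} downtime={f['downtime']} "
              f"RTO {'ok' if f['rto_met'] else 'MISSED'}; "
              f"data age={f['data_age']} "
              f"RPO {'ok' if f['rpo_met'] else 'MISSED'}")
```

In this constructed inventory the 15-minute TTL alone pushes the DNS-based component past its ten-minute RTO, while the on-edge component meets its RTO but misses its RPO because its newest backup is 65 minutes old.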


Disaster Recovery and Business Continuity Plan

Updated Annually

The purpose of this business continuity plan is to prepare the company in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All company sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs. The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. It is a plan that encompasses all company system sites and operations facilities.

The scope of this plan is limited to Production Information Systems and Company Offices. This is a business continuity plan, not a daily problem resolution procedures document.

Plan Objectives

  • Serves as a guide for the Company recovery teams.
  • References and points to the location of critical data.
  • Provides procedures and resources needed to assist in recovery.
  • Identifies vendors and customers that must be notified in the event of a disaster.
  • Assists in avoiding confusion experienced during a crisis.
  • Identifies alternate sources for supplies, resources, and locations.
  • Documents storage, safeguarding, and retrieval procedures for vital records.

Assumptions

  • Key people (team leaders or alternates) will be available following a disaster.
  • A national disaster such as a nuclear war is beyond the scope of this plan.
  • This document and all vital records survive the disaster and are accessible.
  • Each team will have its own documented recovery procedures.

Disaster Definitions

Any loss of utility service (power, water), connectivity (system sites), or catastrophic event (weather, natural disaster, vandalism) that causes an interruption in the service provided by Company operations. The plan identifies vulnerabilities and recommends measures to prevent extended service outages.

Recovery Teams

  • Emergency management team (EMT)
  • Disaster recovery team (DRT)
  • IT technical services (IT)

Team Member Responsibilities

  • Each team member will designate an alternate
  • All members should keep an updated calling list and contact info of their team.
  • All members should keep a copy of this plan for reference at home and at work.
  • All team members should familiarize themselves with the contents of this plan.

Instructions for using this plan

7A. Invoking the plan

This plan becomes effective when a disaster occurs and remains in effect until operations are resumed at the original location or a replacement location and control is returned to the appropriate management.

7B. Disaster declaration

The senior management team, with input from the EMT, DRT, and IT, is responsible for declaring a disaster and activating the various recovery teams as outlined in this plan. The EMT and DRT will respond based on the directives specified by senior management.

7C. Notification

Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the disaster, the EMT and DRT must be activated immediately if any problem at any system or facility would cause the production systems to go down or there is a certain indication that they are about to go down.

External Communications

Senior management will designate public relations personnel to be the principal contacts with the media (radio, television, and print), regulatory agencies, government agencies, and other external organizations following a formal disaster declaration. No other personnel are to discuss the situation with the media without consulting public relations in each instance.

Emergency management standards

The following procedures are to be followed by system operations personnel and other designated Company personnel in the event of an emergency.

A. Data backup policy

Full and incremental backups should be taken to preserve corporate information assets and should be performed Backups should be stored in a secure, geographically separate location from the original.

B. Emergency Locations

In the event of any situation where access to a building is denied, personnel should report to alternate locations. Primary and secondary locations are listed below.

Primary location

Boston Office
397 Moody St. #202
Waltham, MA 02453, USA

C. In the event of a natural disaster

In the event of a major catastrophe affecting the Company facility or Data Center, immediately notify senior management.

– Step 1. Notify EMT and DRT of pending events, if time permits.

– Step 2. If the impending natural disaster can be tracked, begin preparation of site within 48 hours as follows:

  • Deploy portable power supplies
  • Deploy support personnel
  • Deploy replacement modems and phones
  • Acquire basic necessities such as:
      • Cash for one week
      • Food and water for one week
      • Supplies, including batteries, flashlights, medical supplies, etc.

Step 3: 24 hours prior to event:

  • Create an image of the system and files
  • Backup critical system elements
  • Verify backup power supplies
  • Create backups of e-mail, file servers, etc
  • Notify senior management

D. In the event of a fire

If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as soon as possible if the situation warrants it.

  • Attempt to extinguish minor fires using hand-held fire extinguishers.
  • Call 9-1-1 in the event of a major fire and immediately evacuate the area.
  • A supervisor should remain nearby until the fire department arrives.
  • In the event of a major catastrophe, notify senior management.

– Step 1: Dial 9-1-1 to contact the fire department.
– Step 2: Immediately notify all facility personnel of the situation and evacuate.
– Step 3: Alert the EMT and DRT.
– Step 4: Notify Building Security.
– Step 5: Contact appropriate vendor personnel to aid in the decision regarding the protection of equipment.
– Step 6: All personnel evacuating the facilities will meet at their assigned outside location.

E. In the event of a network services provider outage

In the event of a network service provider outage to any location, the guidelines and procedures in this section are to be followed.

Procedure

– Step 1: Notify senior management of the outage.
– Step 2: Determine the cause of the outage and the timeframe for its recovery.
– Step 3: If the outage will be greater than one hour, route all calls via alternate services like mobile phones and all data via Mobile Hotspots.

F. In the event of a flood or water damage

In the event of a flood or broken water pipe within any facilities, the guidelines and procedures in this section are to be followed.

Procedure

– Step 1: Assess the situation and determine if outside assistance is needed; if this is the case, dial 9-1-1 immediately.
– Step 2: Immediately notify all other personnel in the facility of the situation.
– Step 3: If water is not endangering equipment, contact repair personnel immediately.
– Step 4: If water is of a major quantity, immediately implement power-down procedures. While power-down procedures are in progress, evacuate the area.

Plan Review and Maintenance

This plan must be reviewed semi-annually and should be exercised on an annual basis. Additionally, it is important to review the listing of personnel and phone numbers contained within the plan regularly. The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via the Company extranet.

Alert / Verification / Declaration Phase

A. Notification of incident

If in-hours: Upon observation or notification of a potentially serious situation during working hours at a system/facility, ensure that personnel on site have enacted standard emergency and evacuation procedures if appropriate and notify the EMT and DRT.

If outside hours: Upon observation or notification of a potentially serious situation after working hours at a system/facility, contact IT personnel and, if appropriate, notify the EMT and DRT.

B. Provide status to EMT and DRT

Contact EMT and/or DRT and provide the following information:

– Location of disaster
– Type of disaster (e.g., fire, hurricane, flood)
– Summarize the damage or impact (e.g., minimal, heavy)
– Summarize the system or facility that is down
– Summarize steps to discover/reproduce
– Document the time it was discovered

C. Decide course of action

Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event: mobilize IT, repair/rebuild existing site(s) with location staff, or relocate to a new facility.

D. Inform team members of the decision

  • If a disaster is not declared, the location response team will continue to address and manage the situation through its resolution and provide periodic status updates to the EMT/DRT.
  • If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment.
  • The EMT or DRT will declare a disaster if the situation is not likely to be resolved within predefined time frames. The person who is authorized to declare a disaster must also have at least one backup person who is also authorized to declare a disaster in the event the primary person is unavailable.

E. Contact general vendors

Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery actions including contacting appropriate vendors.

F. Conduct detailed damage assessment

Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion regarding the condition of the equipment is determined ASAP.

Building access permitting:

  • Conduct an on-site inspection of affected areas to assess damage to essential hard copy records (files, manuals, contracts, documentation, etc.) and electronic data.
  • Obtain information regarding damage to the facility (s) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the DRT.

Develop a restoration priority list, identifying facilities, vital records, and equipment needed for resumption activities that could be operationally restored and retrieved quickly.

G. Contact DRT: Decide to continue to the Business Recovery Phase

The EMT and DRT gather information regarding the event, contact senior management, and provide them with detailed information on the status. Based on the information obtained, senior management decides whether to continue to the business recovery phase of this plan at an alternate site or to continue to address the situation at the affected site(s).

Business Recovery Phase

This section documents the steps necessary to activate business recovery plans to support full restoration of systems or facility functionality at an alternate/recovery site that would be used for an extended period of time.

A. Gather system and facility operation requirements

B. Notify IT staff/Coordinate relocation to the new facility

C. Secure funding for relocation

Make arrangements in advance with local banks, credit card companies, hotels, office suppliers, food suppliers, etc.

D. Notify EMT and corporate business units of recovery startup

Notify the appropriate company personnel. Inform them of any changes to processes or procedures, contact information, hours of operation, etc.

E. Operations recovered

Assuming all relevant operations have been recovered to an alternate site, and employees are in place to support operations, the company can declare that it is functioning in a normal manner at the recovery location.


Beyond the BCM Manager: Additional roles to consider during the disruptive incident

Advisera Rhand Leal

A crisis or disaster is something that no organization, regardless of its size, wants to go through. Because of this, many of them adopt business continuity practices, such as Business Continuity Management Systems (BCMS) based on ISO 22301, to minimize the chances of such events occurring and, if they occur, to minimize their impacts and resume activities as quickly as possible.

A key element in minimization of impacts and resumption of activities is the Business Continuity Plan (BCP), which lays out the people to be involved, activities to be performed, and resources to be allocated during a disruptive incident, and depending upon the organization’s size and complexity, could include anywhere from a few people to dozens of professionals. For more information, see Business continuity plan: How to structure it according to ISO 22301.

This article addresses an important point when elaborating BCPs: during disruptive incidents, many activities may have to be performed in parallel, and not considering this may overwhelm team members or all of the team. To help handle this, I will be presenting critical roles that should be considered in a BCP when designating responsibilities, so the team can have a better chance to meet BCP objectives.

BCP lifecycle and responsibilities

Taking as reference ISO 22301, clauses 8.4 and 8.5, a BCP lifecycle can be described by these general steps:

Elaboration: definition of scenarios under which a disruptive event can occur, and what to do to handle such potentially catastrophic incidents.

Testing: performing of exercises and simulations to ensure plans, personnel, and resources will work properly during a disruptive event.

Execution: when a disruptive event hits the organization, impacts must be minimized and business processes must be resumed and recovered as defined in BCP objectives.

Updating: critical reviews must be performed after plan testing or activation, so the plan can be corrected or improved.

During elaboration, testing, and updating, BCPs are generally under the responsibility of a person in the role of Business Continuity Management (BCM) Manager, or someone who inherits this function. For more information about the BCM Manager, read The challenging role of the ISO 22301 BCM Manager.

During a disruptive event, a BCP is under the responsibility of roles previously defined, which can be roughly divided into business decision makers, BCP manager, BCP leader, and BCP team members.

Other business continuity frameworks, such as the “Good Practices Guidelines” (GPG) from Business Continuity Institute (BCI), and the “Special Publication 800-34” (Contingency Planning Guide for Federal Information Systems) from NIST (National Institute of Standards and Technology), have similar structures that can make use of these recommendations.

How does an event disrupt a business and impact the BCP?

We can say that an incident disrupts business when the disruption lasts longer than what would be acceptable by an organization, and this can occur when:

  • external infrastructure failure prevents the organization from delivering products and/or providing services (e.g., an interrupted road, or a massive DDoS attack against the Internet)
  • the organization’s infrastructure is unable to deliver products and/or provide services (e.g., fire at a facility, or a data loss after a ransomware attack)
  • the organization’s workforce is unable to perform its activities (e.g., after an accident, or epidemic)

As if each of these situations alone were not already a major problem, when they occur together, e.g., as a consequence of a major natural disaster, they make things even worse, because the BCP team must:

  • coordinate efforts with external parties to handle the external infrastructure failure
  • perform the activities defined to handle the internal failure
  • assist wounded personnel and support their families

As you can see, these activities may be very different from each other and cannot be prioritized to the detriment of each other.

Critical roles to be considered in a BCP

Since every organization may be hit by an event that can result in the situation described previously, how should it consider that situation when developing its BCP?

The basic idea is to avoid making any single person responsible for activities covering more than one line of action (external efforts, internal continuity activities, and personnel assistance). And you may accomplish that by organizing activities considering these roles:

HR leader: team member responsible for all activities related to people affected by the event (workforce, visitors, contractors, and other people). The team designated to him should take care of personnel evacuation, first aid to the wounded, and contact with emergency services and personnel families.

Business leader: team member responsible for all activities related to coordination with external infrastructure, taking care, for example, of alternative routes and suppliers. As well as being responsible for ensuring products and services are resumed, he also should be the contact with those responsible for internal infrastructure recovery.

Infrastructure leader: team member responsible for activities related to internal infrastructure recovery. This role can be subdivided, if necessary, according to the type of infrastructure (e.g., physical infrastructure, IT, etc.).

Communications leader: team member who is the point of contact with media and public services, to avoid communication misunderstandings.

Note that since these are roles, there is no need to have one person to exclusively perform each role. Your organization must only take care to not designate two or more of these roles to the same person.

What if splitting the roles is not possible?

When an organization, because of its size or resources, is not able to split roles in its BCP team, it should check what impact this situation will have on its Recovery Time Objective (RTO), and make proper adjustments, either by allocating more people or redefining recovery priorities and/or objectives.


Advisera Carlos Pereira da Cruz


The incident response plan you never knew you had

Five strategies to give your incident response plan a head start by using key components of the existing business continuity plan (BCP).


Computer incidents today are a far cry from those of the past. Computer incidents involving data breaches today can take down businesses and leadership, in much the same way as, or to a greater degree than, an earthquake or fire can destroy a company through a physical business outage. Data breaches such as that at Target have shown that having the ability to recognize an incident quickly and escalate up to appropriate leadership is a critical business competency.

Instead of reinventing the wheel, why not leverage the existing business continuity plan (BCP) to build the computer incident response plan (CIRP)? The business continuity plan in all likelihood is in place and may have some measure of review and exercise already. By leveraging important elements of the existing BCP and resources, the security team can jump-start the CIRP and obtain a faster and more responsive organization.


Here are five strategies to give you a head start in putting together your incident response plan by using built-in and existing components of the BCP.

1. Use the existing business recovery structure and organization

The existing BCP usually has a well laid out management and reporting structure that is to be activated during an outage. Rather than create a separate reporting and management structure for the CIRP, try to use the existing BCP structure where possible. In smaller to midsize organizations where leadership wears many hats, it is quite possible that you will find 75 percent or greater overlap between the management response team for the CIRP and that of the BCP.

The leadership team that is usually pulled in for a business continuity incident will most likely consist of the same senior management that would be required to weigh in on a computer-related incident. I would combine the leadership team from both plans into a single leadership team that is common to both the business continuity and computer incident response plans. For example, in the event of a computer incident, the internal audit team will need to be in the loop, but in a business continuity incident that may not be the case. On the other hand, in a business continuity incident, the physical security team will definitely need to be in the loop, but not necessarily the audit team. However, a common leadership team can include leaders from both the audit and physical security teams, who can be brought in as needed for the incident response.

2. Combine roles and responsibilities

The business recovery coordinator is the central figure around whom the response to a business outage revolves. The incident response manager plays a similar role in the CIRP. In addition, the business continuity manager will oftentimes be reporting into the information security team. Instead of having a separate coordinator for business continuity and another coordinator/manager for computer incident response, consider using the same role and the same business continuity person for both.

3. Reuse processes

The methods for triggering the response and the communication to the leadership team will also have much in common with each other. For example, the role and process of the incident response manager, to triage and determine initial incident severity and escalate, can be similar in both the BCP and the CIRP.

4. Common contact information

The BCP usually has well-defined call trees and organization hierarchies with contact information already identified. In many cases this information is kept up to date. Leverage this information and reference this BCP contact information in the CIRP, rather than trying to maintain a separate and parallel system.

5. Combining exercises

The BCP program usually has an annual exercise wherein either a tabletop simulation or an actual exercise is attempted. The usual scenarios are fire, power outages, earthquakes, etc. Consider combining the annual BCP exercise with a CIRP exercise. This exercise can use a data breach related incident or a crypto-locker takedown as the exercise scenario. Using a computer-related incident shows upper management the importance of a computer-related outage or breach and builds awareness that the scale of a computer-related incident can rival and surpass that of the traditional physical security outages.

The extent of the overlap between the business continuity plan and the computer incident response plan can vary widely. For some organizations, it may make good business sense to combine the two entirely and have a single incident response plan. For others, depending on regulatory environments, it might be better to still keep the two plans separate but combine elements where possible.


At the end of the day, the business continuity plan and the computer incident response plan both require that a manager be defined, a process for leadership decision making and communication be established and appropriate teams and resources be brought in for remediation and recovery. The onus in both cases is on speed of decision making and fast response. Having a single team that is trained and aware of their roles is far more efficient than multiple teams and documents which require additional overhead.


George Viegas is an information security professional providing management-level leadership, guidance and value in the planning and delivery of global information security strategies, initiatives, solutions and services.

His information security background spans various verticals including banking, financial services, media and entertainment in U.S. and global business environments.

The opinions expressed in this blog are those of George Viegas and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Risk Publishing

Incident Response Plan vs Business Continuity Plan

May 8, 2023


An Incident Response Plan (IRP) and a Business Continuity Plan (BCP) are two key components of a comprehensive risk management strategy. They have different goals but can complement each other to help ensure your business is prepared for any disruption. Understanding the differences between these two plans can help you create a contingency plan that meets all of your business’s needs.

An incident response plan (IRP) and a business continuity plan (BCP) are two important documents that organizations should have in place to protect their data and operations. While they are both essential for any organization, they serve different purposes.

An incident response plan is designed to help an organization respond quickly and effectively to security incidents such as data breaches, malware attacks, or other cyber threats. It is separate from the disaster recovery plan.

It outlines the steps that should be taken in each phase of incident response, including detection, containment, eradication, recovery, and post-incident analysis.

An effective IRP should also include roles and responsibilities for each team member involved in the process.

On the other hand, a business continuity plan is designed to help an organization prepare for unexpected events that could disrupt its operations. This includes natural disasters such as floods or earthquakes and human-caused disruptions like power outages or cyberattacks.

A BCP outlines the processes and procedures necessary for keeping critical operations running during these events. It also includes strategies for restoring normal operations once the event has passed.

Both an incident response plan and a business continuity plan are essential components of any organization’s cybersecurity strategy and key performance indicators for business continuity management.

They provide guidance on how to respond to incidents quickly and efficiently while minimizing disruption to operations so that businesses can remain secure and resilient in the face of any threat.


What is an Incident Response Plan?

An incident response plan (IRP) is a set of documented procedures that outlines the steps to be taken in the event of a security incident. It should include details on detecting, responding to, and limiting the consequences of malicious cyber activity.

The plan should also identify roles and responsibilities for security team members and provide guidance on how to communicate with stakeholders. It should cover response procedures for service attacks and cyber incidents.

The incident response plan typically consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves creating an inventory of assets and identifying potential threats.

Identification is when the security team identifies a malicious event or breach. Containment focuses on limiting the scope and impact of an attack by isolating affected systems or networks.

Eradication involves removing any malicious code or actors from the system. Recovery focuses on restoring normal operations while maintaining data integrity. Finally, lessons learned look at what went wrong during the incident and how it can be prevented in future incidents.

An IRP is designed to address specific incidents or emergencies. It outlines how the organization will respond if it faces an incident or emergency, such as a natural disaster, security breach, or power outage.

The plan should include details on how to alert employees, customers, and other stakeholders; assign roles and responsibilities; assess the damage; take corrective action; and restore operations as quickly as possible.

It should also include information on where to find critical data, such as customer records or financial documents, in case they are destroyed or lost during the incident.

What is a Business Continuity Plan?

A BCP focuses more broadly on how to maintain operations in spite of disruptions. This could include anything from natural disasters to computer system malfunctions. Unlike an IRP, which focuses mainly on responding to an emergency after it has occurred, a BCP looks at ways to prevent potential disruptions from occurring in the first place by developing strategies for dealing with them if they do occur.

A well-crafted BCP will also provide guidance on testing processes and procedures before an incident occurs so that businesses can be sure their plans are effective when needed most.

What’s the difference between BCPs, DRPs, & Incident Response Plans

Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), and Incident Response Plans (IRPs) are all important components of an organization’s contingency planning and business continuity functions. BCPs are designed to help organizations prepare for and recover from any disruption, whether natural disasters, cyber-attacks, or other unforeseen events.

DRPs focus on the recovery of IT systems and data after a disaster or cyber incident has occurred. IRPs are specific procedures that should be followed when responding to a cyber-attack or other security incident.


Why is an Incident Response Plan Critical to Maintain Business Continuity?

The internet isn’t yet vulnerable to attacks, so it won’t happen. When you suffer unauthorized access to a computer network or other device, the effects may become overwhelming. Disaster Recovery Plans can help reduce risks and prepare for the future.

Recovery plans may reduce the time and cost associated with a security or data breach itself, allowing stakeholders to restructure forensic digital evidence to reduce recovery time, customer churn, and negative publicity. According to the Ponemon Institute, data breaches cost about $3.6m annually.

Who is Responsible for Developing an Incident Response Plan?

The CSIRT will assess, classify, and address security incidents if deemed relevant to the business. Incident response teams must be composed as follows: security experts should help and support the affected human resources, and the team must execute technical and operational measures.

Incident response managers are responsible for the supervision of the investigation, surveillance, and recovery of a specific incident. If a severe breach happens, the company will communicate it to other employees, regulatory agencies, customer groups, and the public.

The individual or team responsible for developing the IRP should have knowledge of the organization’s IT infrastructure and security policies. They should also have experience with incident response processes and procedures. In addition to developing the plan, they should also be responsible for training staff on how to use it in case of a security incident.

Developing Incident response plans and business continuity plans

Identify the plan’s objectives and goals.

Your goal is to maintain business continuity and ensure that you are able to perform key activities in your essential business operations. These include key business operations throughout the organization: operations personnel, public relations, and communications.

However, each business has its own goal, which is crucial to its operation. It may differ mainly according to the type and size of the company. Once your goal is identified, map your strategic plans accordingly. Make sure the objectives are fully understood.

Identify the important business functions

When you’re considering whether your company will operate as an emergency response team or if your business needs other emergency management services, they need assistance. In addition to meeting customer needs, a company must maintain constant supplies of materials, keep track of inventories and meet ship-to-ship targets.

Identify the threat

The only way to reduce security threats accurately is by evaluating their severity. Start with infected hardware or patient zeros. The idea here is to find out who triggered the incident.

Only identifying the incident can give a reliable indication of deteriorating conditions. Instead of replicating the infected device, it is important that you find all the distinct indicators that indicate compromise that can then be used to search your entire property to find additional evidence of compromise.


Create an Incident Response Team

The response to incidents must involve a number of cross-functional leadership roles, as well as anyone else you believe is helpful within the group. Designate a leader capable of making the right decisions and making consistent progress.

All staff members should have specialist knowledge in all technical and non-technical domains; one example of this is forensic investigation. This may require outside specialists in incident handling.

Establish a communication plan

In the event of a catastrophe, a proper crisis communications plan is required. You need a communication strategy to communicate effectively with stakeholders within your own organization’s emergency management. In emergencies, communication may be limited by a sample message written for vendors, partners or staff. Incident response teams can improve their coordination of activity based on a carefully planned communication plan.

Conduct a Risk Assessment and Business Impact Analysis (BIA)

The BIA can identify significant threats to the organisation.

Keep the plan updated

Business continuity planning is essentially a long-term process. It should be evaluated continuously for its effectiveness. In emergency scenarios, teams may test their readiness through simulation tests. Based on data, adjust plans and review them.

Backup the important data

Take a copy of anything you can’t lose. Consider anything from client info through employee documents to company e-mail. The backup must also be easy to access in a disaster, enabling the firm to return to operation quickly.

Many organisations store large amounts of information online but often rely upon paper documents. Contract documents, tax returns, and payroll documents are among the many examples. To prevent the loss of documents, use hard copies whenever possible.

What is the importance of an incident management plan?

Having ignored recent developments would have been a mistake, if not a major mistake. It’s essential to manage your business. Disruptions can be dangerous for companies, even for smaller ones.

90% of small business owners are in financial trouble in a year. Those companies risk losing their customers, revenue, and good reputation.

Continue Business Operations

This helps maintain your business operation when a crisis strikes, reducing financial losses too. It gives everyone involved a sense of security and reassures them that your business will continue to grow. Communication across organizations is essential for keeping all employees informed.

It may cause problems in many organizations, with a large number of employees working remotely or with offices worldwide. Organisations should look at introducing solutions to facilitate instant, easy communication.

Gain competitive advantage

Make it easy to convince customers to come to your firm with an effective emergency response plan. How we respond to a crisis reflects much on our business reputation. Write an inspiring tale. Rapid thinking is a good way to be prepared to face the toughest competition.

Protect Your Supply Chain

Remember, natural disasters also affect suppliers. Assuring the distribution of risk across the supply chain ensures your plan provides for supply chain stability.

Reduce Financial Risk

Rapid action during a crisis can reduce the downtime in your business if needed. Longer downtime means greater costs and increased risks. Minimise the risk of damage by replacing functional items as quickly as possible.

When designing your organization’s risk management strategy, it’s important to consider both an Incident Response Plan and a Business Continuity Plan. While they have different goals (the former addresses specific incidents while the latter looks at broader strategies for maintaining operations), they can complement each other when properly implemented.


Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.


What is a Business Continuity Plan?

A Business Continuity Plan (BCP) is a detailed document that outlines how an organization will continue to operate through an unplanned disruption in service. The BCP is not just a regulatory requirement within many industries, but should be considered as a guide to reduce the time it takes for operations to return to normal. It plays a critical role in an organization’s Operational Resilience.

Inability to react swiftly to sudden disruption such as a cyberattack could result in a loss of revenue, impacted data integrity, reputational damage, litigation, and potential punitive action from regulatory bodies.

What is included in a Business Continuity Plan?

The list of items that should be contained within a BCP include, but are not limited to, the following:

• Identification and analysis of critical business functions across your organization. These functions should be prioritized based on their importance to the business.

• The risks to these business functions, detailed and considered depending on their severity. Total risk tolerance and appetite as a business should also be considered, so that decision makers can better categorize the risks that fall outside of a pre-agreed risk tolerance range.

• Strategies and mitigation actions that help protect critical business functions.

• Evidence of strategic testing across critical functions using key metrics.

• Evidence of testing stressed exit and non-stressed exit plans for all important third-party outsourcing arrangements to ensure impact stays within pre-agreed risk tolerances.

• Report and dashboard details, to allow the BCP to be updated over time based on data.

Teradata take on Business Continuity Planning

Businesses must shift their thinking to future-proof their organization. Threats to the business can come from a variety of sources, and may not even be the result of a direct attack. Hybrid and multi-cloud infrastructure can help increase resilience by introducing agility, flexibility and choice to critical infrastructure decisions.



COMMENTS

  1. Chapter 13: Mitigating Risk with a Business Continuity Plan

    Terms in this set (61) business continuity plan. is a plan designed to help an org continue to operate after a disruption with the goal being the continuation of operations. scope. the _____________ of the BCP includes a global view of the organization, it includes the IT systems, facilities, and personnel.

  2. Business Continuity Program Roles & Responsibilities

    Team members execute day-to-day BCP planning activities under the direction of the business continuity program manager. Business Continuity Plan Owners Business unit leaders (i.e. payroll, corporate travel, physical security, information security, HR) are responsible for creating their respective unit's business continuity plan under the ...

  3. Roles and Responsibilities in BCP

    Phase 1 - Scope and Initiation: A business process is the main subject of a BCP's scope. Making sure that the scoping procedure incorporates all necessary resources is the central tenet of BCP scoping. Phase 2 - Roles and Responsibilities: Establishing the roles and duties of the persons involved is the first step in the planning process.

  4. Best Practices: Business Continuity & Disaster Recovery

    The Disaster Recovery Plan is directly linked to both the incident management process and the Business Continuity Plan. Its focus is how to recover the critical system functions in the event of a major event that disrupts them. In contrast to the BCP that has a broader operational focus, the DRP is focused on the technical side of recovering ...

  5. PDF BUSINESS CONTINUITY PLAN OVERVIEW

    The Emergency Response Team (ERT) is responsible for district-wide command and control during an emergency situation. The ERT is led by the District Incident Commander, and is comprised of experts in Vault, Transit, Cash Management Services, and other front line responders overseeing recovery efforts from Mobile Command Centers located within ...

  6. How to Organize Your Continuity Team for BCP

    1. Identify your continuity team. Be the first to add your personal experience. 2. Define roles and responsibilities. Be the first to add your personal experience. 3. Assign tasks and resources ...

  7. Business Continuity Guideline

    Responsibility for systems and resource availability and key business processes should be clearly identified in advance.11.1.1.c Planning Team A Business Continuity Planning Team with responsibility for BCP development that includes senior leaders from all major organizational functions and support groups should be appointed to ensure wide ...

  8. Building a Business Continuity Plan (BCP)

    Business continuity planning (BCP) is the fundamental steps a business undergoes to create a recovery and prevention system from potential threats such as natural disasters or cyber-attacks. Business impact analysis, organization, recovery, and training are all the steps corporations need to follow when creating a Business Continuity Plan.

  9. What Is a Business Continuity Plan (BCP), and How Does It Work?

    Business Continuity Planning - BCP: The business continuity planning (BCP) is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that ...

  10. How to Create a Business Continuity Plan for Disaster Risk ...

    A response plan should include the following elements: an emergency response team, which is responsible for coordinating and implementing the BCP; an emergency contact list, which contains the ...

  11. Business Continuity & Disaster Recovery Planning (BCP & DRP ...

    In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures. The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization ...

  12. PDF Glossary of Business Continuity Terms

    improves business continuity. ISO 22301:2012 Business Continuity Management Team A group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster. DRJ

  13. Disaster Recovery and Business Continuity Plan

    The purpose of this business continuity plan is to prepare the company in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All company sites are expected to implement preventive measures whenever ...

  14. Business Continuity: Roles to consider during a crisis

    During a disruptive event, a BCP is under the responsibility of roles previously defined, which can be roughly divided into business decision makers, BCP manager, BCP leader, and BCP team members. Other business continuity frameworks, such as the "Good Practices Guidelines" (GPG) from Business Continuity Institute (BCI), and the "Special ...

  15. PDF Guidebook on SME Business Continuity Planning

    company. An effective Business Continuity Plan (BCP) is your solution to protect your business during a crisis. The booklet will guide you through the following easy 10 steps to build your company's BCP. The 10 steps are based on ISO22301 Business Continuity Management Standard System. Step 1 Determine BCP Purpose, Scope and Team p.02

  16. PDF Team Business Continuity Plan

    1.0 Function Analysis of your Team. It is important to identify and record the functions that your service provides and the support processes needed for these functions. This should be documented in the Function Analysis section of your Business Continuity Plan. Key functions may be determined by legislation, trust policy or team plans.

  17. PDF Roles and Responsibilities for Business Continuity Planners and Teams

    Establish a liaison with the Incident Commander if appropriate. Coordinate the return of processing to the usual functional area, or to a new site, if necessary. After the recovery effort, meet with the Department Continuity Team members. Analyze the recovery procedures, and make any necessary additions or modifications to this plan. Prepared ...

  18. Business Continuity Event Planning: Documentation Overview

    The BCEM planning team should document these processes, tools, and techniques in an IRP and a BCP. The combined goals of the IRP and the BCP are depicted in Figure 1. IRP activities begin ...

  19. Possible Questions Chap 13 & 14 Flashcards

    Study with Quizlet and memorize flashcards containing terms like What is Business Continuity Plan?, BCP has several key objectives that directly support the BCP. list 4, Steps of BCP plan? list 5 and more. ... EMT- Emergency Management Teams ... DAT- Assesses the damage and declares the severity. TRT- Responsible for recovering the critical IT ...

  20. The incident response plan you never knew you had

    By leveraging important elements of the existing business continuity plan (BCP) and resources, the security team can jump start the computer incident response plan (CIRP) and obtain a faster and ...

  21. Incident Response Plan Vs Business Continuity Plan

    A BCP outlines the processes and procedures necessary for keeping critical operations running during these events. It also includes strategies for restoring normal operations once the event has passed. Both an incident response plan and a business continuity plan are essential components of any organization's cybersecurity strategy and key performance indicators for business continuity ...

  22. What is a Business Continuity Plan (BCP)?

    A Business Continuity Plan (BCP) is a detailed document that outlines how an organization will continue to operate through an unplanned disruption in service. The BCP is not just a regulatory requirement within many industries, but should be considered as a guide to reduce the time it takes for operations to return to normal. It plays a ...

  23. IAA Chapter13 Flashcards

    Study with Quizlet and memorize flashcards containing terms like 1. A(n) _____ is a plan that helps an organization continue to operate during and after a disruption or disaster. A. BCP or business continuity plan B. To reduce or eliminate threats C. Mission essential and non-mission essential BCFs, 3. You want to ensure that a BCP includes specific locations, systems, employees, and vendors.