U.S. flag

An official website of the United States government

Here’s how you know

world globe

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

business continuity planning guide

Business Continuity Planning

world globe

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

  • Business Continuity Plan Situation Manual
  • Business Continuity Plan Test Exercise Planner Instructions
  • Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

feature_mini img

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

What Is A Business Continuity Plan? [+ Template & Examples]

Swetha Amaresan

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

executives discussing business continuity plan

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

Free Download: Crisis Management Plan & Communication Templates

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

  • Business Continuity Types
  • Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

  • Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

business continuity planning guide

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

  • Free Crisis Management Plan Template
  • 12 Crisis Communication Templates
  • Post-Crisis Performance Grading Template
  • Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

Business Continuity Plan

Don't forget to share this post!

Related articles.

How to Navigate Customer Service During a Business Closure

How to Navigate Customer Service During a Business Closure

10 Crisis Communication Plan Examples (and How to Write Your Own)

10 Crisis Communication Plan Examples (and How to Write Your Own)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

20 Crisis Management Quotes Every PR Team Should Live By

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

What Is Contingency Planning? [+ Examples]

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

Business Continuity Simplified

By Andy Marker | December 17, 2018 (updated October 24, 2021)

  • Share on Facebook
  • Share on LinkedIn

Link copied

Unexpected work interruptions can cripple a business and cause millions of dollars in expenses and lost business. Learn about the importance of business continuity planning and management from experts. 

In this article, you’ll learn the definition of a business continuity plan and the primary goal of business continuity planning . Additionally, you’ll learn the steps involved in business continuity planning and about the business continuity lifecycle .

What Is Business Continuity Management?

In business continuity management (BCM) , a company identifies potential threats to its activities and the threat impact. The company then develops plans to respond to those threats and continue activities through any crisis.

What Is a Business Continuity Plan?

A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.

To learn more about writing a plan, see our how-to guide to writing a business continuity plan .

What Is Business Continuity Planning?

Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.

Business continuity planning ensures that the company deals with disruptions quickly, and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA) .

What Is the Primary Goal of Business Continuity Planning?

The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.   

A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:

  • Recognize potential threats to a company.
  • Assess potential impacts on the company’s daily activities.
  • Provide a way to reduce these potential problems, and establish a structure that allows key company functions to continue throughout and after the event.
  • Identify the resources the organization needs to continue operating, such as staffing, equipment, and alternative locations.

Business Continuity Planning Steps

A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan. 

The basic steps for writing a business continuity plan are as follows:

  • Create a governance team.
  • Complete your business impact analysis (BIA) and risk assessment documents.
  • Document your plan. Remember to include detailed guidelines and procedures that cover key processes and facilities.
  • Test and update the plan regularly.

The Business Continuity Management Lifecycle

Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both in regular business times and crises, as you take the right steps to keep activities always running.

The BCM lifecycle includes the following points:

  • Mitigate Risk: Proactively identify business continuity risks to your company, and plan how your company will respond.
  • Prepare: Train staff on your business continuity plan and ensure they understand what they need to do to help the business respond.
  • Respond: Ensure that your company and all employees respond appropriately to a crisis. Be prepared to adapt in the moment.
  • Resolve: Ensure that the company plans how to communicate effectively with staff and that it does so appropriately during the crisis.
  • Recover: Inform employees, customers, and other important people about the status of the crisis and your company’s response.
  • Resume: Communicate with employees and others after the crisis ends.

What Are Business Continuity Risks or Events?

Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.

Such events might include the following:

  • Severe weather
  • Natural disasters (tornadoes, floods, blizzards, earthquakes, fire, etc.)
  • A physical security threat
  • A recall of a company’s product
  • Supply chain problems
  • Threats to staffing and employee safety
  • Accidents at an organization’s facilities
  • Destruction to a company’s facilities or property
  • Power disruptions
  • Server crashes
  • Failures in public and private services (communications, transportation, safety, etc.)
  • Environmental disasters, including hazardous materials spills
  • Network disruptions
  • Human error/human-made hazards
  • Stock market crashes
  • Cyber attacks and hacker activity

Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.

What Is a Business Continuity Strategy?

A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.

Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.

An Overview of Business Continuity Management and Planning

There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:

  • Build Company Resiliency: Doing so means that your company’s tools, buildings, and operations are resistant to — and not greatly affected by — most disruptions.
  • Create a Plan for Recovery (with Contingencies that Aid in That Recovery): If a major event does cause problems, you should have a plan for how to recover quickly. That plan will include contingencies. For example, you should plan for how key operations will resume if there is a widespread power outage.

Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:

  • Disaster Recovery: Disaster recovery involves recovering technology after a disruptive event. You can learn more about disaster recovery and download free templates in our comprehensive article .
  • Emergency Management: Emergency management focuses on avoiding and mitigating catastrophic risks to staff and communities.
  • Business Recovery: Considered part of business continuity, business recovery centers on short-term activities after a disruptive incident. The short-term is sometimes defined as less than 60 days.
  • Business Resumption: This describes the longterm phase of recovery (60 or more days after an even), wherein the company returns to near-normal conditions.
  • Crisis Management: Crisis management focuses on communicating with stakeholders during and after a crisis, and controlling damage during the event. To learn more, read our comprehensive guide to crisis management .
  • Incident Management: Incident management is an ITIL (previously known as Information Technology Infrastructure Library) framework for reducing or eliminating downtime after an incident.
  • Contingency Planning: This covers outlier risks that are unlikely to occur but which could have disastrous results.

business continuity planning guide

“A well managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity , a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”

Key Elements of Business Continuity Management

All business continuity management programs should include a number of key elements, which serve to ensure that your plan is positioned for success and that you regularly update and improve it.   

These important elements include the following:

  • Governance: This is the structure and team your business sets up to create and monitor the program.
  • Business Alignment: This section details how your company’s current business continuity management and planning processes compare to expert approaches and industry standards.
  • Continuity Strategy and Recovery Strategies: Include a detailed plan that assesses risks to your organization and how you can recover, should those risks become reality.
  • Plan Documentation: Provide details on the plan that everyone in your company can access. To get started, see our roundup of free business continuity plan templates .
  • Tactical Implementation: This section includes details on the specific ways your company plans to recover from certain types of incidents.
  • Training: In this section, detail how you will train your staff to understand the business continuity plan and their role in it.
  • Testing: Include real-world simulations of a crisis event, and test how your company and its employees respond and the effectiveness of your business continuity plans.
  • Maintenance: Make changes to the plan where necessary to increase its effectiveness.
  • Monitoring: This section details how you will continue to compare industry standards and expert advice to how your plan is working.

To learn about formal requirements for business continuity planning and management, see our comprehensive article on the ISO 22301 standard . 

The Costs of Business Continuity Management

The costs to do an appropriate job of business continuity management can be significant. However, some reports say that the cost of unforeseen downtime may be as much as $2.5 billion a year for Fortune 1000 companies.

Kurt Engemann, Ph.D., is Director of the Center for Business Continuity and Risk Management at Iona College in New York, Editor-in-Chief of the International Journal of Business Continuity and Risk Management and author of Business Continuity and Risk Management: Essentials of Organizational Resilience . In the book, he says that costs for business continuity preparation do not only include the groundwork to assess a company’s risks and plans to manage those risks. Rather, they also cover the needed backup facilities and equipment and company assets for emergency response. In addition, costs must cover resources for training employees and testing the plan.

Some experts have estimated that business continuity management and planning within only the crucial information technology aspects of companies can cost two to four percent of the information technology budget. But the costs are necessary, and worth it in the long run, according to business continuity experts.

“There is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis,” Engemann writes in his book. “Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective.”

When an organization’s top executives complain about the costs, Owens says, “Ask them what it would cost their organization for an hour of downtime. Or eight hours. Or 24 hours. Chances are the cost — financial, operational, and to brand and reputation — of having key business functions unavailable for an extended period are significant. They will most likely find business continuity management to be worth the investment.” 

Benefits of Business Continuity Management

Like Engemann, Owens points out that there are significant benefits to the investment organizations make in business continuity management, including the following:

  • Mission Critical Processes: If you understand your key processes, you can plan to protect them and prioritize their recovery.
  • Legal and Regulatory Compliance: Laws or regulations require companies in some industries to implement a formal business continuity management system.
  • Satisfying Demands from Other Organizations: Some groups and companies may require that your company sets up BCM before they do business with you.
  • Insurance Payments: To get the maximum payments from an insurance policy after an event, a company must have suitable business continuity management policies in place.
  • Reputation Management: Your business’s brand will be greatly helped or hurt, depending on how an unforeseen event affects its operations.
  • Competitive Advantage: A strong business continuity plan can offer your company the advantage over peers who are not as well prepared.
  • Seamless Recovery: Cloud-based technologies make data backup, remote work, and business recovery affordable and accessible. Groups and businesses of all sizes can benefit from such tools. See our article on cloud computing for business continuity to learn more.
  • Time Savings: Planning prevents teams from scrambling at the last minute to cobble together a recovery effort. Strong planning helps you get back online — and back on track — faster.

Michael Herrera, CEO of MHA Consulting , a business continuity and disaster recovery firm, cites two other significant benefits: 

  • Keeping Customers and Avoiding Major Financial Losses: Getting operations back to normal quickly after an event means your company loses less money.

business continuity planning guide

“Your customers aren’t as patient as you think they are,” Herrera explains. “They expect you to have a business continuity system and they expect you to be up and running. Their patience does run out.”

  • Improving Day-to-Day Operations: Herrera says his firm’s clients often discover how business continuity planning gives them insights into the day-to-day operations of their company. “It really can help you with process improvement and getting a good understanding of what your business does every day.”

Additionally, strong business continuity planning will enable you to do the following:

  • Officially declare a disaster and alert senior management.
  • Assist in the development of an official public statement regarding a disaster and its effects on a business.
  • Monitor your business’s progress and present the recovery status.
  • Provide ongoing support and guidance to teams with pre-planned operations.
  • Review critical processing, schedules, and backlogs to keep everyone up to date on status.
  • Ensure businesses have both the resources and the information to deal with an unforeseen emergency.
  • Reduce the risk that an emergency might pose to employees, clients, and vendors, etc.
  • Provide a response for both man-made and environmental disasters.
  • Improve overall business communication and response plans.
  • Summarize both the operational and the financial impacts resulting from the loss of critical business functions.
  • Allow businesses to plan for a loss of function that has potentially larger, more severe consequences.

See our article on the importance and benefits of business continuity planning to read more expert examples of how business continuity can bolster your company. 

Key Business Continuity Management and Planning Considerations

Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:

Consultant Services

There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:

  • How experienced are they? How long have they been around?
  • What’s their reputation as a company? What do their clients say about them?
  • Are they focused on a specific industry or area of business continuity, or do they have experience with a range of industries and a broad spectrum of business continuity?
  • How do they think about business continuity (as a somewhat separate practice or something that needs to be ingrained within your organization)?
  • How aligned is their advice with standards in your industry?

Business Continuity Software

There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:

  • Are you looking for software that will automate the development of plan components, or software that offers more in-depth help during the planning phase?
  • What is the history of the software and the company behind it? How long has this particular software been on the market and what is the history and the reputation of the company behind it?
  • Is the software being continually updated and improved?

Below are some specifics to consider as you test drive the software:

  • Does it have an easy-to-use interface?
  • Does it cover all aspects and components of business continuity, including business impact analysis and risk assessment ?
  • Does it include sufficient storage for your company’s supporting documents?
  • Does it provide secure portable access via mobile or other technologies, if a crisis interrupts your information technology systems?
  • Does it provide strong data analytics?
  • Is it secure and private?

Primary Things Your Organization’s Business Continuity Management System Should Accomplish

While your business continuity management system will have various elements and details, there are some primary things it should do for your organization. They correspond to the key elements listed earlier in this article. 

For example, a BCM system should help do the following: 

  • Understand your company’s needs for business continuity and disaster preparedness. A BCM system should be able to assist company leaders in understanding the need for a business continuity management policy.
  • Understand which processes should be recovered and in what order.
  • Establish business continuity metrics to gauge success.
  • Plan for communicating with customers, staff, and other stakeholders.
  • Determine what tools, technology, and staffing are required to restore activities and support customers.
  • Establish remote-work support or relocation plans for staff and activities.
  • Implement ways to continually assess and manage continuity risks.
  • Monitor and review how its business continuity management system is working.
  • Continually improve the system.
  • Respond effectively in a real-world crisis, and allow the business’s critical operations to continue and all operations to resume quickly.

Although nobody wants to think about disasters or the effort needed to prepare to meet and mitigate crises, the alternative is the potential loss of reputation, income, or the entire business. In sum, planning translates to determining your key processes, equipment, and tools, and applying basic recovery strategies. 

The Importance of Senior Organizational Leaders Strongly Supporting Your Business Continuity Management and Planning

Your senior leaders must strongly support your company’s business continuity management plan for it to succeed. Such leadership is key as storms, floods, pandemics, and data breaches increase in force and frequency.

business continuity planning guide

“Make sure senior management is committed to the planning, development, execution, and implementation of a business continuity/disaster recovery program,” says Paul Kirvan , a business continuity consultant and a fellow of the Business Continuity Institute with 25 years of experience in business continuity work. “Otherwise, it simply won’t happen. Such programs work best if they have top-down support and funding, as opposed to being developed from the ground up.”

Business Continuity Plan Test Types

Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials.  

There are four types of testing, and each requires increasing levels of planning, resources, and focus. You should try to run each type of drill regularly.

  • Plan Review: Plan reviews are often the first test applied to a new plan. In this test, top management and some key BCP personnel review the relevance and completeness of a plan. Such a review can verify risk and BIA results, and help you check for gaps and inconsistencies among continuity documents.
  • Tabletop or Structured Walkthrough: A tabletop test requires more preparation and time. It provides a role-playing exercise for recovery teams.
  • Simulation or Walkthrough Drill: In a walkthrough drill, your continuity team physically completes the type of tasks they'd find in a crisis. They may practice evacuating a building during a fire, restoring a backup, or switching to another communication frequency.
  • Functional or Live Scenario: Functional tests include a complete physical drill of continuity plans. Live tests may focus on one aspect of the plan or include the complete plan. They may include one part of the company or all team members.

Be sure to document what happened in the test so everyone involved in the exercise — and especially those who created the plan — can understand what did and didn’t go well, and can revise as necessary.

Business Continuity Management Policy Statement

A business continuity policy statement is a written document that outlines an organization’s business continuity management program. The policy statement should be communicated to all employees and should be signed and endorsed by the organization’s senior management.

See real-world examples of a business continuity policy statement .

Cultivating Awareness of Business Continuity Plans

The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.

What Is the Importance of a Business Continuity Plan?

A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.

How to Write a Business Continuity Plan

It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events. 

Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.

You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.

Business Continuity Plan Template

business continuity planning guide

This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.

Download Business Continuity Plan Template

Word | PowerPoint | PDF

You’ll find other most useful free, downloadable business continuity plan (BCP) templates, in Microsoft Word, PowerPoint, and PDF formats in this article . 

What Is a Business Impact Analysis and Why Is It an Important Part of a Business Continuity Plan?

A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.

The business impact analysis will include details on the following:

  • Recovery time objectives that outline the organization’s goals relating to how quickly various services and processes will resume after an event
  • Financial impact of an incident
  • Impact on customers
  • Other possible impacts of an incident
  • How the organization will prioritize recovery steps
  • How the organization will prioritize critical services or products
  • Identification of potential revenue loss
  • Identification of additional expenses the organization will incur because of the event
  • Identification of insurance an organization has or needs to have
  • Identification of an organization’s dependencies on other agencies, companies, and providers

See our business impact analysis toolkit to find guidelines and templates to get started.

Risk Mitigation for Business Continuity

Risk assessment is one of the first steps in preparing your business continuity plan. 

Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks. 

To learn more about risk management , read our comprehensive guide.

The Importance of Periodically Testing an Organization’s Business Continuity Plan

Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.

Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”

Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”

You can do some testing through simpler table top exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.

“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”

The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.

What Is a Business Continuity Plan Governance Committee?

Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts is vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.  

The committee is often responsible for the following duties:

  • Approving the governance structure of the committee
  • Clarifying the roles of committee members and others working on the plan
  • Overseeing the creation of working groups to develop and implement the plan
  • Providing overall direction and communicate important information to employees
  • Approving the continuity plan and essential specifics within it
  • Setting priorities within the plan

The committee often includes the following members:

  • A senior leader from the business, often the sponsor
  • A business continuity manager and assistant manager
  • The company employee, or outside consultant, who will serve as overall coordinator of the business continuity plan
  • The company’s security officer
  • The company’s chief information officer, or information technology leader
  • Representatives from the company’s business department, to help with the business impact analysis
  • An administrative representative

How to Cultivate Resilience in Your Organization

A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.  

Real World Example: Lessons Learned About Business Continuity from the Terrorist Attacks of Sept. 11, 2001

Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.

The following are among the lessons learned:

  • Business continuity plans must be tested frequently, and updated where needed.
  • The plans must assume a wide range of threats.
  • The plans must take into account how much companies, agencies, and other entities depend on each other.
  • Key people from any organization must be available and reachable when an incident happens.
  • The ability to communicate, especially through landline phones, cell phones, and the internet, is vital.
  • Sites that organizations use for backup of their digital information should be located at a distance from their primary information technology site.
  • Employee support and counseling may be important during and after a crisis.
  • An organization should store copies of its business continuity plan at a location apart from its primary location.
  • Security perimeters around the scene of an incident may be large, which may affect employees’ access to organization facilities for long periods.

Legislation Governing Some Business Continuity Management and Planning

The United Kingdom did approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.

Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation ( NERC ) and Federal Energy Regulatory Commission ( FERC ), also require continuity plans.

Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning

Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:

  • ISO 22301 : Developed by the International Organization for Standardization (ISO), a standard-setting body, this group of standards sets out appropriate business continuity management practices. Learn more about how this standard can help businesses of all sizes in our guide to ISO 22301 . 
  • NFPA 1600 : Developed by the National Fire Protection Association, the standard is one of the most widely recognized in the U.S. on emergency preparedness and business continuity.
  • National Institute of Standards and Technology SP 800-34 : Sets contingency planning standards for federal information systems in the U.S.
  • SPC-2009 — Organizational Resilience : Security, Preparedness and Continuity Management Systems provides critical business and infrastructure security standards developed by the American Society for Industrial Security.
  • ISO 27000 : Standards for security in information technology systems, which include standards for business continuity in information technology. Learn more about ISO 27000 and find free checklists and templates . 
  • DRI International : Professional Practices for Business Continuity Management
  • Federal Emergency Management Agency (FEMA): Continuity Guidance Circular: Continuity Guidance for Non-Federal Entities: An 86-page formal document, the circular presents FEMA’s perspective on how businesses can prepare for disasters.
  • Insurance Institute for Business & Home Safety: Open for Business Continuity Toolkit: This site offers a video, FAQ, and downloadable continuity planning tools.

What Is the Business Continuity Institute?

The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.

Improve Business Continuity Planning with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Advisory boards aren’t only for executives. Join the LogRocket Content Advisory Board today →

LogRocket blog logo

  • Product Management
  • Solve User-Reported Issues
  • Find Issues Faster
  • Optimize Conversion and Adoption

How to craft an effective business continuity plan

business continuity planning guide

Let me take you back in time to the United Kingdom in the 1970s. Punk music was gaining popularity, and the Sex Pistols entered the punk rock scene with the force of a shooting star, capturing fans’ attention.

How To Craft An Effective Business Continuity Plan

But as quickly as they arrived, they quickly left the scene. When they broke up in 1978 after a period of internal conflicts, legal troubles, and their frontman’s imprisonment, fans were left both shocked and surprised.

Just like the Sex Pistols, plenty of companies experience rapid growth and success, only to face unexpected challenges and internal conflicts that result in their downfall.

In this article, we’ll draw inspiration from the Sex Pistols’ turbulent journey to explore the concept of business continuity planning (BCP). We’ll look at what a BCP is, why you need one and delve into the strategies and contingency measures that can help you maintain your rhythm and continuity, even when faced with the inevitable storms that can disrupt your operations.

What is a business continuity plan?

A business continuity plan describes how you’ll continue your business when disaster hits. It is a structured strategy outlining how your organization will maintain essential functions when disaster strikes, to ensure minimal downtime and guarantee that operations continue.

Why do you need a BCP in place?

The BCP is crucial and revolves around ensuring your resilience and ability to continue operating in the face of unexpected disruptions, such as natural disasters, cyberattacks, or other emergencies.

Let’s look at it a bit closer, and understand some of the key reasons to have a BCP better:

Minimize downtime

Protect revenue and reputation, compliance and legal requirements, resource allocation, maintain customer service, employee safety.

A BCP helps you minimize downtime. It does this by providing a structured approach to quickly recover and resume your critical business functions.

Example: You’re a retail company with an extensive online presence. If your website experiences a cyberattack that takes it offline, a well-prepared BCP outlines the steps to take to mitigate the attack, get your website back up in no time, and allow you to continue serving your customers.

No one likes disruptions as they result in revenue loss and can damage your reputation. A BCP helps you protect against financial losses and keep customer trust.

Example: You’re the owner of a restaurant chain with multiple locations and one of your branches has a food safety crisis. A BCP can guide you in managing the crisis, ensuring food safety compliance, and communicating effectively with customers to maintain trust in the brand and other locations.

Some industries, like the financial, and pharma industries, have regulatory requirements that mandate businesses to have BCPs in place. Failure to do so has legal and financial consequences.

Example: You’re the owner of a FinTech company. You are required by regulators to have robust BCPs to ensure customer data security and financial system stability.

When a crisis hits you need the right resources to get you back up and running. A BCP helps allocate resources effectively during a crisis, ensuring that personnel, equipment, and materials are used efficiently to address the most critical needs.

business continuity planning guide

Over 200k developers and product managers use LogRocket to create better digital experiences

business continuity planning guide

Example: You’re a manufacturing company hit by a sudden supply chain disruption because the Suez Canal is blocked again. You use your BCP to allocate available resources to meet customer demands and minimize production delays.

When all hell breaks loose you want to make sure customer experience takes a minimum blow. A BCP outlines measures to maintain customer service and communication, so customers receive timely updates and support.

Example: You run an airline and there is a labor strike. Your BCP tells you how to manage customer inquiries, rebook affected passengers, and maintain a level of service.

Let’s not forget about the well-being of your employees. During a crisis, this is a top priority. A BCP includes procedures for evacuations, remote work arrangements, and employee support.

Example: There is a fire at your workplace. The BCP outlines evacuation routes, assembly points, and contact information for employees to report their safety status.

Business continuity planning: Steps for success

That’s a lot of reasons, right? Now that we addressed the necessity and urgency of having BCP, let’s look at 5 steps to creating a successful one:

  • Analyze your company
  • Assess the risk
  • Create the procedures
  • Get the word out
  • Iterate and improve

1. Analyze your company

In this phase you conduct an analysis to identify critical activities, determine which activities must continue, which can be temporarily paused, and which can operate at a reduced capacity.

You then assess the financial impact of disruptions. This involves asking yourself the question, “How long can I operate without generating revenue and incurring recovery costs?”

As this step covers your whole company, it’s important to get key stakeholders involved from the beginning.

2. Assess the risk

Now you have a good overview of your critical processes and the impact of disruption. At this point, pivot your attention to the risks they face, how well you can handle when things don’t work as usual, and how long you can manage if things go wrong.

The goal here is to understand what could go wrong and find ways to avoid, reduce, or transfer them. This assessment will help you strengthen your preparedness and resilience.

More great articles from LogRocket:

  • How to implement issue management to improve your product
  • 8 ways to reduce cycle time and build a better product
  • What is a PERT chart and how to make one
  • Discover how to use behavioral analytics to create a great product experience
  • Explore six tried and true product management frameworks you should know
  • Advisory boards aren’t just for executives. Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.

Think about risks specific to your industry and location

It’s important to consider both internal (e.g. an IT system failure or employee shortage) and external threats (e.g. a natural disaster or supply chain disruption) to your critical business activities.

3. Create the procedures

Once you analyze and assess, you need to create procedures.

Develop detailed, step-by-step procedures to minimize risks to your organization’s people, operations, and assets. This can include changes to your operating model, such as using alternative suppliers or implementing remote work options.

4. Get the word out

A plan is just a plan and no one will know how to act if you don’t communicate.

This step is all about communication. Integrate the BCP into your operations, policies, and company culture, and train, test, and communicate with your employees.

And don’t forget that communication is not limited to your company only. Communicate with external stakeholders, customers, suppliers, and so forth.

5. Iterate and improve

Before implementing your BCP ensure its effectiveness.

Don’t worry there are plenty more options to test your BCP. Consider involving external stakeholders or vendors as it makes exercises more realistic. Frequently train those who are accountable for executing the BCP.

After experiencing a real incident or conducting a training exercise, update your plan to improve its ability to protect your business. Keep in mind that both your organization’s development and the circumstances you operate in change, so a regular review isn’t a luxury but a necessity.

How to structure your continuity plan

Now you have a high-level understanding, let’s look at how to structure your business continuity plan.

You can find a copy of the template I use here .

Make sure to include the following sections in your BCP:

Version history

Executive summary, functions and process prioritization, plan activation, governance and responsibilities, recovery plans, crisis communication plan, emergency location and contents, review and testing.

This section shows the revision history. It includes the version numbers of the changes made, by whom, when, and who approved the changes. The revision history allows anyone reading the BCP to understand how it has evolved over time.

The executive summary provides a brief summary of the key objectives, goals, scope, and applicability of the BCP.

This chapter outlines the critical functions and processes in scope of continuation in case of a disastrous event.

This section refers to the risk and business impact assessment outcome. Its aim is to set out what triggers the activation of the plan.

Governance and responsibilities talks about who has to act when the BCP is activated. It includes the members, a description of their responsibilities, contact details of the BCP team, and the chain of command during a crisis.

This section builds upon the business continuity strategies, specifically the one chosen when a disaster occurs. It describes the detailed recovery plans for each critical function, the procedures for restarting operations, resource allocation, and recovery time objectives (RTOs).

Here you cover the internal and external communication strategies. You also address employee awareness and training activities.

Now there is a good chance the disaster will require your crucial activities to temporarily continue at a different location. This section covers all details about the location and what needs to be available at the location.

The BCP is to be tested to reduce the risk of missing things or even worse failing. Here jot down the testing procedures and document results and lessons learned.

This section includes all appendices. Think about the following

  • Supporting documents, such as contact lists, maps, and technical specifications
  • References to external standards, guidelines, or regulations
  • Training programs for BCP team members
  • Review of insurance policies
  • Financial reserves and funding for recovery efforts
  • Procedures for keeping the BCP documentation up to date

Business continuity plan example

Earlier this year, the Koninklijke Nederlands Voetbal Bond (KNVB), which is the Royal Dutch Football Association, was hit by ransomware. The cyberattackers threatened to share personally identifiable information captured and the KNVB paid over one million euros to avoid this from happening.

What could have been done to mitigate the ransomware attack risk?

The Risk of the attack to succeed could have been mitigated with:

  • Regular data backups
  • Segmentation of networks
  • Intrusion detection systems

How to ensure business continuity in case of ransomware?

In response to the ransomware incident, and to allow for continued business as usual as soon as possible, steps could include:

  • Isolating affected systems
  • Activating backups
  • Notifying law enforcement
  • Engaging with a cybersecurity incident response team

Key takeaways

A business continuity plan (BCP) is like a safety net for your business when things go haywire. It helps you keep going, avoiding downtime, revenue loss, and reputation hits. On top of that, it’s a legal must in certain industries.

To make a solid BCP, just follow five steps: figure out what’s crucial for your business, spot the risks, plan how to bounce back, make sure everyone knows the plan, and keep fine-tuning it.

Structurally, your BCP should have sections like history, a quick guide, what’s most important, when to activate it, who’s in charge, the nitty-gritty recovery plans, how communication is done, where to go in a crisis, how to test the BCP works, and some extra info.

Featured image source: IconScout

LogRocket generates product insights that lead to meaningful action

Get your teams on the same page — try LogRocket today.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • #collaboration and communication
  • #project management

business continuity planning guide

Stop guessing about your digital experience with LogRocket

Recent posts:.

Drive Growth With These 7 Customer Feedback Tools

Drive growth with these 7 customer feedback tools

A customer feedback tool is a software solution or platform designed to collect, analyze, and manage feedback from customers.

business continuity planning guide

Leader Spotlight: Motivating teams to hit customer-centric outcomes, with Kristina Bailey

Kristina Bailey discusses the careful balance of knowing the business outcomes you want to achieve while balancing customer outcomes.

business continuity planning guide

Exploring augmented products: Beyond the core offering

Augmented products leverage technology and additional services to provide enhanced functionality, convenience, and value to users.

business continuity planning guide

A guide to acceptance test-driven development (ATDD)

ATDD is an agile methodology involving collaboration to define acceptance criteria before starting any development.

business continuity planning guide

Leave a Reply Cancel reply

  • Skip to right header navigation
  • Skip to main content
  • Skip to secondary navigation
  • Skip to primary sidebar
  • Skip to footer

Bryghtpath

Business Continuity and Crisis Management Consultants

The Ultimate Guide to Business Continuity

business continuity planning guide

Last Updated:  January 23rd, 2023

This article explains everything you need to know about Business Continuity.

You’ll learn what it is, why it’s important to your organization, how to develop a business continuity program, how to establish roles & responsibilities for your program, how to get buy-in from your executives, how to execute your Business Impact Analysis (BIA) and Business Continuity Plans, and how to integrate with your Crisis Management strategy.

We’ll also provide some perspectives on how to get help with your program and where to go to learn more about Business Continuity.

What is Business Continuity?

Business continuity is a rapidly evolving discipline, so there’s understandably still a lot of confusion about what a business continuity program really encompasses. Google “what is a business continuity program” and you’ll see what I mean.

Sometimes the best way to understand something is by understanding what it’s not.

And a business continuity program is not:

  • A business continuity plan (standing alone)
  • An IT disaster recovery plan
  • A software subscription
  • An insurance policy from your insurer
  • Filling out a template and checklist and putting your staff through a one-hour click-it and forget-about-it web-based training module

While these are all important pieces of a business continuity program (although arguably not insert-fork-in-eyes web training), they are not in themselves a comprehensive and effective business continuity program.

So then, what exactly  is  a business continuity program and what does it take to make sure your’s gets the job done?

Most simply, we think of business continuity planning as the discipline of making your organization more resilient, or able to solve big problems.

A business continuity program is the means by which you embed this discipline into your organization to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events. In the face of disruption, it ensures that you can continue operations and protect your most important assets, especially your people.

ISO, the international standards body, would further define business continuity in ISO 22300 as

The capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

The Value of Business Continuity

business continuity planning guide

Here are some of the ways that we explain the value of a business continuity & crisis management program to help our clients win over their internal stakeholders:

  • Investing in business continuity demonstrates that you value your people: Not only will you better protect human life and safety; you’ll also position your team to respond more quickly to recover, protect, and recover your organizational assets during and after a crisis. Your employees are your most important crisis management tool and investing in their well-being and safety will undoubtedly pay dividends during your next crisis.
  • Business Continuity protects your organization’s most important assets: When done right, your business continuity & crisis management program should provide a structured process for identifying your organization’s most important assets and implementing a plan to hedge against the potential loss of or damage to those assets.
  • Investing in Business Continuity protects your reputation and elevates you over the competition: It can take decades to build a reputation but only minutes to destroy it. When the next heatwave shuts down the power grid, you don’t want to be the hospital that’s forever remembered for its patients dying from heatstroke.
  • Your business continuity & crisis management program helps your organization meet its compliance obligations: Business continuity & crisis management best practices often reflect the demands of regulatory and compliance obligations. As a result, investing in your program is also an indirect investment in helping to meet your compliance obligations. In addition, in many instances, ensuring operational continuity is an explicit regulatory imperative. PCI for payment processors and HITRUST , EHNAC , and DirectTrust for patient health information are just a few examples.
  • An effective business continuity & crisis management program helps you identify and mitigate risk: A strong business continuity and crisis management program is rooted in identifying and preparing for specific risks, which inevitably helps your enterprise risk management team and other risk-focused teams on their mission of anticipating and avoiding those same risks. These teams also share many of the same stakeholders. So it’s no surprise that companies whose risk management and business continuity teams work together closely in a bone-building synergy create enormous value for their organization.

We’ve written extensively on the value of business continuity & crisis management programs.  Some of our best articles on the topic include What’s the Value of Business Continuity:  Beyond ROI , How to talk with your CEO about Business Continuity , Making the Case for your Business Continuity Program , and 10 Tips for framing your case for Business Continuity to Executives .  

Business Continuity is an important component of an overall Resilience Strategy

Business Continuity is important to an organization, but in our minds, it’s just one component in an overall resilience strategy for an organization. We believe there are fundamental components that every business should have in place if they want to make good on their overall resiliency imperatives.

business continuity planning guide

“The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”

But like a lot of standards-based definitions, this leaves a lot to read between the lines.

At Bryghtpath, we think of resilience as a group of capabilities that supports an organization’s ability to solve big problems, continue operations, protect its assets, and most importantly, protect its people.

On a practical level, this is achieved with basic blocking & tackling—implementing certain key components in a logical way to prevent, plan for, respond to, and recover from disruption.

These core components consist of:

  • Business Continuity
  • IT Disaster Recovery  (or Technology Continuity)
  • Crisis Management
  • Enterprise Risk Management
  • Information Security
  • Physical Security  (or  Global Security , or  Corporate Security ), including  travel safety & security ,  Intelligence , &  workplace violence prevention
  • Crisis Communications
  • Life Safety and Emergency Procedures  (Evacuation, First Aid, Shelter-in-Place, etc.)

Implementing a full-blown resilience strategy from scratch is a tall challenge. We’ve written extensively about thinking through a resilience strategy for your organization, how to prioritize efforts, and working around roadblocks that may get put into your path in our article What is Resilience?

Business Continuity Policy

The ISO 22301 Standard calls for a business continuity policy for the organization that accomplishes 4 specific goals in clause 5.2.1:

  • Is appropriate to the purpose of the organization:  In other words, the policy outlines a business continuity management system (BCMS) that is appropriate for the organization’s size, scope, and strategic objectives.
  • Provides a framework for setting business continuity objectives:  The policy establishes a process by which the organization establishes objectives for the business continuity program and monitors progress towards those objectives. This generally means some sort of governance process, such as a business continuity steering committee, which sets and monitors these objectives.
  • Includes a commitment to satisfy applicable requirements:  The policy must outline the organization’s intent to satisfy all appropriate internal and external requirements relevant to business continuity.  This might include things like HITRUST, ISO 22301, FFIEC, PCI, or other regulations or compliance frameworks applicable to your specific industry or company.
  • Includes a commitment to continual improvement of the Business Continuity Management System (BCMS):   The policy must outline that the organization is committed to continually improving its business continuity program.

ISO 22301 further outlines that the business continuity policy must be communicated within the organization, specifically requiring in clause 5.2.2 that:

  • The policy be available as documented information
  • The policy be communicated within the organization
  • The policy be available to interested parties, as appropriate

Beyond the industry standard requirements in ISO 22301, we typically use a Business Continuity Policy to set the strategic approach for a business continuity & crisis management program, delegate authority to the program for certain activities, define governance and accountability requirements, establish roles and responsibilities, and incorporate other documentation that provides more operational detail.

We believe it is important in a policy to clearly define terms like business continuity, disaster recovery, and crisis management – and assign responsibility for these components of an overall business continuity program to certain business units in the organization. The policy should also define the roles and responsibilities of executive sponsors and the steering committee in an organization.

Roles and Responsibilities within a Business Continuity Program

We believe that establishing clear roles and responsibilities within a Business Continuity Program are critical to its success.

Business Continuity and Crisis Management are often paired together in the same organization or as parts of a broader program, which might be called  Business Continuity ,   Business Continuity & Crisis Management , or just  Resilience  or something similar.  However, you choose to think of them, in almost every case they are part of the same broader program – and that program must have a governance structure with clear roles and responsibilities to be successful.

Here’s a breakdown of the most common roles  that should be established within a  Business Continuity & Crisis Management Program :

  • Board of Directors:   Every board member has a fiduciary duty to exercise strategic level visibility and oversight over business continuity and crisis management. Importantly the board sets the foundation for success by promoting a company culture that recognizes the value of well-managing risk.
  • Audit or Risk Committee:   Specific board oversight and strategic level visibility are typically delegated to the board’s risk or audit committee, as outlined in the committee charter. Sometimes another committee has this responsibility such as an operations or governance committee.
  • Executive Management:  Each member of the executive team retains ultimate oversight and responsibility for crisis management & business continuity planning in their specific area of operations.
  • Executive Sponsor:  One or two persons at the executive level (typically the general counsel, COO, CIO, CTO, or a C-Suite appointee) act as executive sponsors. They have direct oversight of the crisis management & business continuity program and usually chair the steering committee.
  • Steering Committee Members: The business continuity & crisis management steering committee—usually an interdisciplinary team of six to eight people—meets quarterly or annually to ensure the program is aligned to corporate strategy and objectives and is maturing and making forward progress towards annual goals.
  • Business Continuity & Crisis Management Program Manager:  The program manager has direct oversight and responsibility for business continuity & crisis management program operations, reporting, and day-to-day activities. They manage and set the programmatic expectations that guide the execution of the program throughout the year.

Well-defined and understood  roles and responsibilities  are critical to the success of your organization.

We’ve written a more detailed article on  Business Continuity Program Roles & Responsibilities  which provides much more context and insights that you may find valuable as you explore additional roles & responsibilities within your program.

Effective Business Continuity Governance

If you think that having good governance for your business continuity and crisis management program is just an exercise in bureaucratic box-checking, you’re missing the point.

Like most people who come to us with a problem, you might have issues:

  • Getting your executives to care about your business continuity and crisis management program
  • Getting other teams to participate in business continuity activities
  • Getting IT to build the availability and disaster recovery strategies that you need to ensure continuity of operations for business teams

business continuity planning guide

Here are some key benefits of strong & effective business continuity governance:

  • Builds visibility and awareness for your business continuity program
  • Helps identify and address gaps in your business continuity program
  • Provides a mechanism for accountability
  • Ensures compliance with ISO 22301

How to implement effective business continuity governance:

  • Get your policy in place
  • Set clear roles & responsibilities
  • Build a strong steering committee

We’ve written an extensive article on business continuity governance that we think you’ll find helpful: Why good Business Continuity Governance is critical to Resilience .

Beyond having good governance in place, we strongly encourage identifying an executive sponsor (or sponsors) for your program that can champion your program internally with senior leadership.

Effective executive champions do a few key things that can help your program advance:

  • Continually look for opportunities to build the case for business continuity with their peers
  • Unapologetically forward your business continuity agenda
  • Help your business continuity team anticipate strategic changes
  • Act as a mentor and trusted source of help to you and your business continuity team

Executive champions are the proverbial wingman to the business continuity & crisis management team.

Learn more about the role that an executive champion can play in advancing your business continuity program in our article  How to Champion your Business Continuity Program as an Executive Sponsor .

The Business Continuity Steering Committee

We believe that a strong Business Continuity Steering Committee is an important part of a business continuity program as it provides you with an approach to governance overnight for your program.  It’s also a critically important forum for sharing the strategy, progress, and challenges that your program is facing as you seek to improve your organization’s resilience.

Some typical responsibilities for the Business Continuity Steering Committee might include:

  • Provide strategic program guidance to ensure that the objectives of your business continuity program are achieved
  • Promote an environment of ownership and accountability within business units
  • Set priorities for program execution and risk mitigation
  • Ensure that adequate resources are available to meet your program’s objectives
  • Review the status of the program through a review of strategic and operational metrics provided by your team to the Steering Committee
  • Review gaps in the program, such as the gaps between business requested technology RTOs and actual recovery capabilities – prioritizing actions to resolve, mitigate, or accept program gaps
  • Continually improve the effectiveness of the Business Continuity program through the regular review of policies, objectives, audit results, management responses, program updates, preventative and corrective actions, and the review of after-action reports following activations and exercises.

Typically, the Steering Committee will be led by your Executive Sponsor(s) and consist of 6-8 leaders across your organization representing the major business and support organizations. We strongly recommend that a senior IT leader be one of the members due to the critically important technology dependencies in almost every organization.

We recommend that Steering Committees meet at least quarterly, but when starting up a new program you may want to have this group even meet monthly in order to provide guidance and insights while helping remove obstacles that arise during program implementation.

Business Continuity Lifecycle

business continuity planning guide

A business continuity lifecycle helps illustrate to an organization the necessary processes to bring a business continuity program to life. It’s a cyclical process of assessing threats and impacts; developing, exercising, and maintaining plans.

The business continuity annual lifecycle generally consists of the following components, which are executed annually or every other year:

  • Identify critical business processes and capture impacts of a disruption through the Business Impact Analysis
  • Build procedural tasks and guidance for recovery of critical business processes in a Business Continuity Plan
  • Validation of plan tasks and operation
  • Build confidence & muscle memory
  • Continual plan maintenance

Beyond the high-level illustration of an annual lifecycle there is a more detailed process lifecycle for Business Continuity that illustrates the connectivity between various components in a broader program, including risk assessment, disaster recovery, incident & crisis management, issues management & risk mitigation, and post-incident/crisis after-action reporting.

Why do you need a business continuity lifecycle?

Most businesses make the mistake of thinking that business continuity planning is a linear process, rather than a circular one.

They assess the most likely threats to their critical functions, develop plans to mitigate the impacts of those threats, conduct a few trainings and exercises, and consider the business continuity planning box to be “checked” for good. The result is a flat and lifeless program that quickly stales.

But your business and the threats that face it change and evolve over time. And when your plans for responding to those threats don’t, the resulting miscalibration all but guarantees that your company will become less resilient over time.

As any fitness buff will tell you (although I’m definitely not one of them), you have to continually use and exercise your hard-earned muscles if you want to maintain them. And because your body and environment change over time, you will probably have to adjust your routine to keep the same fitness results.

This example perfectly illustrates the need for a business continuity lifecycle—a cyclical process for assessing likely threats and their potential impacts on your business, developing plans to address those threats, and then exercising, reviewing, and improving those plans over time.

Once you’ve built your organization’s resilience muscles—with a comprehensive business impact analysis and thorough business continuity plans—you have to exercise and adjust those plans to ensure that your resilience muscles are always ready to do the job.

The business continuity lifecycle is how we do this.

We discuss the concepts behind a Business Continuity Framework in Episode #102 of our Managing Uncertainty Podcast .

You can obtain a copy of our Bryghtpath Business Continuity Framework here on our website . It’s the same process we use here at Bryghtpath in our  Business Continuity as a Service  (BCaaS) offering.

We’ve written an extensive article about the business continuity lifecycle that you may find valuable:   What (almost) everyone gets wrong about the business continuity lifecycle .

The Business Impact Analysis (BIA)

How many days can payroll be down before it impacts your business?

What about the servers that power customer networks? Or that internal VPN employees use to work remotely?

An hour? A day? A few weeks?

You may not know how long your business could survive with critical systems, business processes, facilities, or third-party service providers/suppliers.

For that reason, a thorough business impact analysis (BIA) is one of the most important steps you can take within your business continuity program.

Here’s what a business impact analysis is, why it’s important, and what you’ll learn by doing one.

Here’s the formal definition of a  business impact analysis  from the  ISO 22301 Standard :

  • The process of analyzing the impact over time of a disruption on the organization. 

To say it more clearly: A business impact analysis is a thorough examination that exposes the likely impact a business disruption will have on the revenue, expenses, operations, and reputation of your company.

Here’s an example of what an impact analysis report looks like, including the impact over time across multiple different factors.

business continuity planning guide

Recovery Time Objectives

Business disruptions aren’t usually isolated.

If a hurricane knocks your data center offline, your customers might be locked out of their systems, payroll might be down, the internal intranet might be inaccessible, and lots more.

Over and over, we’ve seen companies make the same mistake in this situation: They try to recover  every  system and  every  process all at once. And it’s a mistake that can easily cost a company millions of dollars.

That’s why recovery time objectives (RTOs) are so important.

Some systems and processes need to be recovered  now  — usually, these are the ones that generate revenue: customer products and records, sales pages on an eCommerce website, or similar systems.

Every minute these systems are down, they cost you money.

Other systems need to be recovered, but they don’t necessarily have to be recovered  immediately .

Payroll, for example, needs to be recovered quickly — but not necessarily ahead of revenue-generating systems.

A business impact analysis looks at each critical system in your business and assigns it an RTO.

With recovery time objectives in place, we can build a prioritized list of systems and processes to recover during a disruption — a key first step when creating a business continuity plan.

Conducting your Business Impact Analysis (BIA)

business continuity planning guide

  • Scope the Need:   Determine which areas we need to look at – we often do this through a high-level criticality survey to determine what are the critical functions or processes within an organization.  Often this helps us narrow the BIA to truly critical processes that need to be recovered within a short period of time.
  • Schedule BIA Interviews and Assign Prework:  We identify everyone that we need to interview and send them some simple prework to complete before our conversation.  This often involves basic questions about their responsibilities and their history with previous business disruptions. That way they come to the interview with a clear idea of what we’ll be discussing.
  • Conduct BIA Interviews:  The interviews are the most important part of the process — because this is where we uncover the strengths and weaknesses of your systems and processes. We capture details on your business process recovery time objectives (RTOs) and your dependencies (technologies, vendors/third parties, facilities, other business processes), and your recovery time needs for each of those.
  • Prepare and Present a BIA Report:   When all the interviews are complete, we aggregate everything we’ve learned, including the impact of a disruption to revenue, expenses, and reputation in every area we’ve examined. Our report also includes our analysis of key systems and business processes, along with recovery time objectives for every area. The report also captures the interdependence of operations within your organization.

BIAs are an important foundation of your Business Continuity Program

Without a BIA, you’ll lack the data to properly prioritize your business continuity plan. In the worse case, you may even be overlooking critical systems and processes you never thought to include in the first place.

Without a BIA, you’re blind to the full impact a disruption could have on your revenue, expenses, and reputation.

With a BIA, you’ll have the data you need to plan a business continuity program that protects the  most  critical systems and processes first — and gives you a roadmap for recovering everything else in order of importance.

Learn more about the Business Impact Analysis (BIA)

We’ve written an extensive overview of the Business Impact Analysis (BIA ) that you may also find helpful with additional context and insights.

Business Continuity Plans

How long does the business continuity planning process take? And who should be involved?

I would love to be the definitive source of truth here, but in reality, there is no perfect answer. Size, location, industry, management structure, and existing reporting, resources, and experience—every company is different, as are their business continuity planning needs. These factors and more influence how we tailor our approach to business continuity planning with each of our diverse clients.

Still, like many you’re probably here because you’re getting ready to embark on the business continuity planning process and you have a lot of questions.

Bryghtpath has over 50 years of collective experience in business continuity planning working with a multitude of global clients in varied industries.

business continuity planning guide

1. Establish the Fundamentals of Business Continuity Planning

When we start working with clients on their business continuity plan or BCP, the general end goal is always the same—create a plan to keep things running in the event of a disruption. But while most companies have the same vision for the outcomes of their business continuity planning process, they may have different ideas of how they are going to get there.

Your company should start the process by agreeing on a few fundamentals at the start.

  • What are the plan objectives?
  • Who will be responsible for creating and activating the plan?
  • What resources are available for Business Continuity Planning?

2.  Assess Risks and Business Impacts

Just as the integrity of a well-built home depends on laying a sound foundation, so too does the effectiveness of a good business continuity plan rely on the right assumptions. A thorough business impact analysis, or BIA, is key to developing the accurate underlying assumptions that will ensure business continuity planning success.

3.  Select and Develop your Response & Recovery Strategies

business continuity planning guide

The menu of response and recovery strategies is typically broken down by resource (i.e. workplace, workforce, 3rd parties, and technology) and also includes an estimation of the time needed to implement and the expected sustainable duration for each strategy.

Each separate recovery strategy should include a detailed procedure that further describes how that specific response and recovery strategy will be accomplished.

4.  Create your Response & Recovery Roadmap

After all available response and recovery options have been cataloged, the next step is to develop the procedures and guidelines that will serve as your business continuity plan roadmap. Your team will use this roadmap to help you initially assess the disruption, activate the appropriate response strategy, and carry out that strategy to completion.

A critical part of preparing your response and recovery roadmap is detailing how and when you will evaluate your plan. While the inherent nature of business disruptions precludes testing your business continuity plan in a practical sense, regularly reviewing the performance of your BCP can provide important insights and improvements.

Likewise, roles change, people leave, and technology and processes evolve. And disruptions that were once imaginable (like a global pandemic) may emerge as all-important. You should evaluate and update your BCP on a regular (at least annual) basis and also in an after-action to any specific response and recovery plan activations.

We’ve written a detailed article  4 Steps to Business Continuity Planning Success , that goes into further detail on business continuity planning that you may find helpful as well.

Business Continuity & IT Disaster Recovery

Business continuity and crisis management experts rarely talk about the gap between  business continuity  and IT disaster recovery planning.

But they should.

The distance between the IT disaster recovery program you have and what you need could be bigger than you think.

Like one of our clients whose IT disaster recovery plans for several critical systems needed to support a recovery time objective of 24 hours but were built for 7 days.

They’ve unknowingly been walking a tightrope over the Grand Canyon and hoping for the best. Because that 6-day gap could become a multi-million dollar problem in the face of a crisis.

My stomach is hovering somewhere above my head just thinking about it.

If you want to avoid canyon-sized gaps like this, and the potential consequences, your business continuity and IT disaster recovery functions need to work together closely.

But in most organizations, they aren’t working together at all.

business continuity planning guide

Consequently, IT is often pressed to come up with its own answers to critical system requirements, such as availability, acceptable downtime or recovery time objectives (RTO), and recovery point objectives (RPO).

We think about Recovery Time Objective (RTO) as the maximum amount of time that a business process or IT system can be disrupted before the impact becomes unacceptable to the broader business.  We think about Recovery Point Objective (RPO) as the point in time to which systems and data must be recovered following a disruption (sometimes referred to as maximum data loss).

Here are three ways to close the gap between Business Continuity & IT Disaster Recovery:

  • Make sure IT has a seat at the table:  While IT should ideally own the disaster recovery process, their input is critical to both your organization’s overall technology strategy and in determining system availability and recovery requirements in the event of a disaster. So the best and first way to close the gap between business continuity and IT disaster recovery is to ensure IT is represented in your business continuity and crisis management steering committee.
  • Design your BIA process to capture the right data:  Expecting your IT team to architect the right IT disaster recovery solutions without the right data is a lot like putting four wheels on a car but no gas tank and expecting it to drive. Your business impact analysis  (BIA) should be designed to capture the key data that your IT team needs to design an effective IT disaster recovery plan.
  • Stick to the standards (ISO 27031, more precisely):   ISO Standard 27031  is specifically focused on the information and communication technology requirements for business continuity and disaster preparedness. The standard is built to ensure your IT DR program satisfies crucial data security requirements and meets the needs of your enterprise operations. It also provides for IT-led disaster recovery exercises, which should be a part of every IT DR program.

We’ve written an extensive article on this topic that expands upon these ideas, outlines common reasons for this gap between business continuity & IT disaster recovery, and goes much farther into potential solutions that you may find helpful:   Closing the Gap between Business Continuity & IT Disaster Recovery .

Supply Chain Resiliency

“Companies routinely exaggerate the attractiveness of foreign markets, and that can lead to expensive mistakes.” -Pankaj Ghemawat, Global Professor of Management and Strategy at New York University’s Stern School of Business.

Ghemawat’s statement sounds like a round-up of recent supply chain woes at the hands of the COVID pandemic crisis.

Yet it comes from his prescient warning to industry sounded nearly two decades earlier in his landmark  article , “Distance Still Matters: The Hard Reality of Global Expansion.”

business continuity planning guide

A critical one (in our humble opinion as  business continuity  &  crisis management  professionals) is that your business is only as resilient as your third parties.  And if you’re leaving them out of your business continuity and crisis management planning process, your business might not be as resilient as you think.

Here are some practical steps you can take to better understand the resilience of your third parties and in doing so, improve your ability to navigate the next crisis.

  • Shore up your supply chain risk at the program level
  • Identify vendors with a high disruption impact
  • Conduct joint resilience exercises with your vendors and providers

Protect your investment in resilience and your business

Failing to include key vendors and providers in your resiliency planning is a lot like locking your front door but leaving the garage wide open.

When disaster strikes, you may quickly find out the hard way that your business is only as resilient as your third parties if you’ve failed to include them in the resiliency planning process.

Effective resiliency planning requires a holistic approach to assessing your dependencies, risks, and business continuity and crisis response.

We’ve written an extensive article on Supply Chain Resilience that provides additional context and deeper insights that you may find helpful:  Your supply chain may not be as resilient as you think .

Business Continuity Program Metrics

“Are there metrics we should be tracking?”

In short and emphatically, YES!

What metrics should you be tracking?

It depends:

  • Do you really want to know whether your business continuity program is working; that your organization is resilient and actually prepared to respond to the next disruption?
  • Or do you just want to make sure all of the boxes are checked?

This is not a trick question.

We think that everyone should want their business continuity program and your business continuity plans to actually work!

But if you don’t quite grasp the difference between the two, you’re not alone. I frequently encounter confusion around the fact that merely tracking business continuity program compliance—i.e., checking the boxes— isn’t the end game for business continuity success.

But it takes more than “Know the requirements-Do the things-Check the boxes” to gauge whether your business continuity program is effective and moving your organization towards its resiliency goals.

Employing the right combination of metrics—operational compliance, plan quality, and program maturity—are all equally important to understanding your organization’s true resilience.

Implementing a system that measures all three will give your organization the insights it needs to move your business continuity program to full maturity, sustainability, and success in responding to the next disruption.

Is your organization truly resilient, or are you just checking off the boxes?

1.  Operational Compliance Metrics

business continuity planning guide

At the very least you should be tracking progress at the business unit or plan level for:

  • Business Impact Analysis (BIA) completion
  • Business Continuity Plan completion (if just getting started) or updates (if already in place)

Completion of business continuity exercises

  • ​Whether after-action items identified in exercises have been addressed and improvements implemented

In short, your business continuity program manager should have a system to easily check and report on business unit progress towards basic business continuity program requirements.

For smaller organizations, a spreadsheet might be adequate for the job.

Large organizations with more complex operations may need a more robust solution.

2.  Quality Scoring

business continuity planning guide

To avoid a situation where your plans look great on paper but fall flat in actual practice, many companies choose to implement a quality scoring system.

The concept is straightforward. Each business continuity plan is scored, often on a rubric of 1-10, based on criteria that are developed in alignment with both industry standards and company-specific needs.

Things that can impact this score include:

  • Plan completeness
  • The quality of recovery procedures
  • Whether risks that have no available workaround have been acknowledged and accepted
  • Business continuity exercise participation
  • Continued training and evaluation

Quality scoring enables you to assess your team’s true resilience capabilities in response to a disruption. In short, it is an invaluable tool for understanding whether your business continuity program is truly effective or merely compliant and is one that I recommend every organization employ.

3.  Evaluating Program Maturity

business continuity planning guide

We measure this progress using a proprietary model based on the ISO 22301 standard across 98 core factors or elements by evaluating how close each element aligns with the company’s pre-defined standards (as informed by both industry standards and the specific needs of the business), we can identify gaps in the program and the strategic objectives that are needed to bridge those gaps.

The maturity metric is the pinnacle of business continuity program performance and integral to ensuring the long-term sustainability of your resiliency program.

Getting the Metrics Right in your Business Continuity Program

  • Just get started:   Start tracking some metrics.
  • Make sure your business continuity program metrics support your organization’s strategic objectives :  Business continuity leaders can often get so caught up in the details that they forget about the importance of linking their business continuity program objectives to that of the company as a whole.  Whatever metrics you develop should help you establish direct connectivity between the two. This is especially important when it comes to making the business case for business continuity resources and tools.
  • Implement the solution that’s right for you:   Your business continuity program doesn’t have to be world-class to work well. For example, some companies benefit from a robust SaaS business continuity software platform that can roll business continuity capabilities such as the Business Impact Analysis, business continuity planning, and more, including metrics, into one package. We have a few that we love and can help our clients on board, configure, and learn how to use effectively. Still, not everyone has hundreds of business continuity plans to manage across a business with dozens of units and a global presence. In that case, a less robust and expensive solution might be sufficient.

We’ve written a longer article,  3 Key Metrics for Business Continuity Program Success , that has additional context & detail along with example metric images that you may find helpful as well.

Plan-Do-Check-Act (PDCA)

There are endless explanations for why we humans find it so hard to make progress towards our goals—whether it be losing weight, saving money, or making strides in our business.

When it comes to organizational resiliency, one of the most common problems I see is not having a good system for implementing and improving your business continuity program.

Ad hoc efforts usually lead to ad hoc results. Opportunities for improvement slip through the cracks and your program quietly and unimpressively manages to subsist. Not exactly your dream scenario.

Especially considering the ramifications of being unprepared for the next disruption.

Meaningful improvements—whether to your waist size, your resiliency, or your bottom line—require a proven methodology to evaluate what’s working and what’s not. And to ensure that you’re making consistent efforts towards those improvements over time.

If your business continuity program doesn’t already have a system in place to do this, the Plan-Do-Check-Act model is a good place to start.

What is Plan-Do-Check-Act?

business continuity planning guide

In early iterations, the PDCA model was referred to as the Deming-Shewhart cycle (named for its creators) and today is part of the foundational theory that undergirds  Lean Six Sigma ,  Kaizen , ISO standards, and other systems for quality management and improvement.

So if your organization already has a process for establishing and maintaining your programs, it likely shares many similarities to the Plan-Do-Check-Act model or is loosely based on the PDCA methodology.  Whatever your experience, you’ve likely heard of Plan-Do-Check-Act before, or at least seen it in practice.

But what exactly is Plan-Do-Check-Act and how can it help your organization better achieve its resiliency goals?

The PDCA model is based on a four-step closed-loop cycle that is used to improve a process or project over time. The steps, in short, are as follows:

  • Plan:  Establish your objectives, processes, procedures, and resources
  • Do:  Implement and operate your program or project as informed by your plan
  • Check:  Gather data and evaluate the outcomes from the “do” phase
  • Act:  Use insights from the “check” phase to identify corrective and preventive actions and drive continuous improvement over time

The PDCA process is continuous, rather than focused on a discrete endpoint.  The result is an upwards spiral of continuous program and project improvement that has the potential to bring tremendous gains when applied consistently and correctly. Nike and Toyota are but two commonly cited examples of organizations that have used the PDCA model with much success.

We’ve written an extensive article on using Plan-Do-Check-Act (PDCA) in your business continuity program that you may find helpful:   Plan-Do-Check-Act and your Business Continuity Program .

Business Continuity Awareness & Culture

In most organizations, the only times a business leader and their team learn about business continuity & crisis management is when the time comes to update their business impact analysis and associated plans – or when an incident or crisis occurs. It’s not a great way to drive business continuity awareness.

business continuity planning guide

Instead, business continuity & crisis management leaders should be meeting and communicating regularly across the business to explain the program, highlight the program and organizational wins, and constantly explain how the program helps support the organization’s strategic business objectives.

When I first was asked over fifteen years ago to take over my then-employer’s business continuity program, I patiently explained to my would-be boss at the time that I knew very little about business continuity and crisis management. I would be a bad fit for the role.

He laughed, looked at me, and said, “I don’t need a subject matter expert Bryan. What I need is someone who understands how to communicate and can market & promote the program across the company.”

He was right.

This is an even more important topic at the time of this writing, in mid-2022, when there’s never been a time where business continuity & crisis management have been more important to an organization – and there’s never been a more important time to  make yourself important  as a business continuity leader.

How can you set about doing so within your organization?  Let’s dive in.

Telling your program’s story

Every great narrative starts with a bit of an origin story. Where did the program come from?  Why does it exist?  What is its mission?

In any story I set out to tell about business continuity & crisis management, I start with the whys.  Why do we do this?  Why does the program exist?  How does it support the organization’s strategic initiatives?

This information is then consolidated into a document I call the “walkaround deck”.  In my previous roles, I literally printed out a copy and carried it around in my planner so that I could tell the story at any time I needed to with any willing audience that would listen.  It was a constant feature at morning “coffee meetings” where I would meet with yet another peer from across the organization to share our program’s story and initiatives and learn how they might intersect with my colleague’s area of responsibility.

Once this presentation is put together, make plans to always keep it current, and then set about to speak at as many forums, team meetings, huddles, all-staff gatherings, or any other meeting you can wrangle an invitation to.  It should be the background for every meeting you have with officers and senior leaders in the organization – enabling you to share your program story, the results you have achieved, and how you are supporting the organization.

Working with Communications for Business Continuity Awareness

Your organization undoubtedly has some sort of communications function that supports internal communications.  They will need to be your new best friend.

Every company has channels for internal communications – an intranet, posters, digital signs, a newsletter, bulletin boards, internal social media, and more.  Meet with your communications team and learn how to submit content for these different channels.  Devise a simple communications strategy that supports monthly and/or quarterly communications as a starting point.  Aim to create a piece of quality content that helps reinforce your story, as we’ve outlined above, for each month or quarter on your communications strategy.

Don’t pass up any opportunity to tell your program’s story

A lot of business continuity & crisis management professionals are content to stay behind the scenes rather than being out front telling the story of their program.

Truly successful programs require leadership that is constantly working to tell the program’s story, gain new allies, and convert others to the cause of preparedness, business continuity, & crisis management.

Never be afraid to make yourself important.

We’ve written a two detailed articles on this topic that you may find helpful:  Effective Business Continuity Awareness Campaigns  and  Building a Resilience Culture in your Organization .

Business Continuity Industry Standards

Grounding your program in an industry-standards driven approach can help you build the right program for your organization’s unique culture, strategic objectives, and situation while ensuring that you’re adhering to best practices developed over decades by the world’s leading organizations.

There is not an established single standard for Business Continuity in the industry, however, there are several widely accepted industry standards for Business Continuity that can help provide you with a foundational approach to your organization’s business continuity strategy. Using one of these standards will save you from reinventing the wheel by describing the key program elements that you should consider as a part of your Business Continuity program in your organization.

NFPA 1600 Standard on Continuity, Emergency, and Crisis Management

National Fire Protection Agency (NFPA) 1600  is a U.S. emergency planning specification that has also become globally accepted. NFPA was the first of the business continuity standards to appear after 9/11. The United States Department of Homeland Security adopted the standard that the  NFPA site  calls “as a voluntary consensus standard for emergency preparedness.” Likewise, the 9/11 Commission report recognized NFPA 1600 as the national preparedness standard.

Despite such endorsements, NFPA 1600 is still a guideline, not a requirement. It includes nine chapters on business continuity program management, planning, implementation, training, exercises and tests, and program improvement. Annex B provides checklists for ongoing self-evaluation.

Our article  An overview of the NFPA 1600 Standard goes into greater detail on this important industry standard.

ISO 22301 Security and resilience — Business continuity management systems — Requirements

The International Standards Organization or ISO is a global institution that researches and creates industry and other standards. All its specifications are voluntary. ISO can’t enforce these or any other standards. ISO simply provides guidelines for what you should do.

The ISO 22301 Standard interoperates with all of the other ISO Standards, which are often used for Enterprise Risk Management, Information Security, and Disaster Recovery.

At Bryghtpath, we typically utilize ISO 22301 as the basis for our Resiliency Diagnosis process, also known as Business Continuity Program Evaluations .

ASIS Business Continuity Guideline – A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery

Published by ASIS International, an association of security practitioners, the  ASIS Business Continuity Guideline  is, as it says, a step-by-step, detailed outline for approaching business continuity. Although perhaps less well-known and therefore less commonly adapted, the plain language makes it an accessible reference.

Incident Command System (ICS) & the National  Incident Management System (NIMS)

The Incident Command System , or ICS, is used by public agencies to manage emergencies. You’ll see this used by police, fire, emergency management, public health, and related government agencies. Some businesses use ICS or an ICS-aligned approach to work together with public agencies during emergencies. This is a commonly used approach by energy utilities and hospitals/healthcare organizations (through the Hospital Incident Command System or HICS, documented below). You can learn more about ICS at FEMA’s Emergency Management Institute ICS Resource Center page .

The  National Incident Management System (NIMS) was established by FEMA and includes the Incident Command System (ICS). NIMS is used as the standard for emergency management by all public agencies in the United States for both planned and emergency events. You can learn more about NIMS at FEMA’s National Incident Management System resource page .

By themselves, NIMS and ICS do not define how to best organize the Crisis Management Framework & Plan for an organization, but they do provide a number of principles that can be applied to private sector crisis management programs.

Hospital Incident Command System (HICS)

The  hospital incident command system  ( HICS ) is an emergency response and preparedness system for hospitals. It enhances a hospital’s emergency capabilities both as an individual facility and as part of a broader response community.  HICS  also provides guidance for performing daily operations, pre-planned event and non-emergencies.

The Hospital Incident Command System  began to be implemented during the late  1980s  in the United States, and similar systems have also been implemented in other countries. The  California Emergency Medical Services Authority  ( EMSA ) publishes the  HICS  Guidebook for the United States .

Our article,  An Overview of the Hospital Incident Command System (HICS) , provides much greater detail and context about this widely accepted standard for healthcare organizations.

Additional Resources on Industry Standards

  • Article:  Business Continuity Standards – How each can help you
  • Podcast:  Managing Uncertainty – Episode #124 – Business Continuity Standards – Which is right for you?

Business Continuity Software

Gartner’s  Magic Quadrant  does a really good job of identifying the top software solutions in the field.

But there are two problems with relying solely on Gartner.

  • Staleness :  Gartner does not update their reports annually, so information can quickly become stale–their most current one on business continuity management program software solutions is nearly three years old.
  • Specificity :  Gartner can tell you what solutions are best in the industry, but not necessarily which solutions are best for your particular company and its specific needs.

Interestingly enough, the business continuity management software solutions that we most often recommend to our clients (like Fusion) are also the ones that happen to rank well with Gartner. It’s a good place to start.

Then, here are some other factors to consider:

  • Does it meet your most important needs?
  • Does their business continuity program methodology align with yours?
  • Can the vendor demonstrate all of its advertised capabilities?

What’s the best business continuity software?

There are a lot of good business continuity software solutions. Here we discuss our favorites and the pros and cons of other popular ones.

  • Fusion Risk Management :  Fusion is our hands-down favorite and the one that we usually recommend to clients.
  • Castellan :  Castellan’s cloud-based business continuity software is well regarded – and our colleagues who have used it love its performance and capabilities.
  • Infinite Blue :  Infinite Blue offers the BC in a Cloud, Cenari, and Sendigo solutions that cover operational resilience (business continuity, disaster recovery, and more)
  • Archer :  Archer is a long-term player in the space that is widely used – often we see our clients using Archer’s platform because they’re already using it for other capabilities, such as Governance, Risk, and Compliance.
  • ServiceNow :  ServiceNow is a newer player in the Business Continuity software space following their acquisition of Fairchild Resiliency Solution’s software product.  Similar to Archer, many companies use the ServiceNow Business Continuity capabilities because they’re already using ServiceNow for its industry leading IT Service Management capabilities.

We’ve written an extensive article  How to Choose the Best Business Continuity Software that provides an overview of the market, the benefits of using business continuity software, and how to make the business case to your senior leaders to bring software into your program.

Business Continuity Case Studies

Case Studies provide a way to learn from previous continuity situations and from the efforts of other organizations to implement business continuity programs.  We’ve included case studies from articles on our website along with some of the relevant work that we’ve done with clients below that you may find valuable.

  • A major U.S. electric, natural gas, and nuclear energy company, faced with the challenge of ever-increasing threats against their generation, distribution, and transmission capabilities, turned to Bryghtpath’s  Resiliency Diagnosis  to evaluate their  business continuity  and  crisis management  program and improve the resilience of their organization.  Read the full case study here.
  • A major healthcare technology company partnered with Bryghtpath to build, improve, and  manage its business continuity program  on a day-to-day basis through our Business Continuity as a Service offering.   Read the full case study here.
  • A major US-based home decor retailer approached Bryghtpath to build & implement a business continuity & crisis management program from scratch.   Read the full case study here.
  • A for-profit university with a global presence, working through a sale to a private equity firm and multiple challenges to its business model, turned to Bryghtpath for interim security leadership to rapidly mature their  global security ,  business continuity , and  crisis management  program while realigning their team against new strategic business objectives.  Read the full case study here.

Getting help with your Business Continuity Program

Designing, implementing, and supporting a Business Continuity program is a tall order. Often the best approach is to seek professional help from an industry leader that can help you build and maintain the program that is best for your organization’s challenges.

Here are some ways to get help with your Business Continuity program.

Trusted Advisors

Every company will deal with business disruptions and crisis situations. Sometimes having a trusted advisor on retainer can help you be better prepared, coach you through immediate actions to take to keep your team safe, and keep your business running despite the impacts from the critical moments.

Some of the reasons to use a trusted advisor are:

  • The value of an outside perspective. It’s not easy to know how your business continuity program compares to leading programs in other companies. That’s why an outside perspective can be invaluable.
  • Guaranteed availability during a disruption or crisis event.  When a disruption happens, it will help tremendously if you have an established relationship with a business continuity and crisis management expert. For example, at some point in March of 2020, your company had a senior leadership meeting to discuss the rapidly evolving COVID-19 pandemic. Maybe you were in the room for that meeting. Maybe you were part of really difficult decisions — everything from the health of your employees to laying people off to cut costs. If so, what was it like? Did you have a plan in place? Or were you forced to improvise?
  • Guidance for media inquiries.   Your phone rings. It’s a reporter from your local newspaper or TV station. “We have a report that your CEO was arrested last night for driving while intoxicated. Do you want to comment?” Would you know what to say?
  • Proactive messaging for known risks. Some businesses know in advance that a specific type of disruption is likely. For example, a business that operates cloud-based software  will have downtime. It’s just a matter of when. We call these “known risks.” For our clients with these known risks, we help them get ahead of these issues by working proactively  before  a disruption happens.
  • Assistance for your executives & board of directors.  Having an existing relationship with a business continuity and crisis management expert can be a major benefit when dealing with senior executives and boards of directors.
  • Access to a network of information. If a major natural disaster happens in your location, where will you go for up-to-date information? If a major political demonstration happens in your town — and it threatens to get out of control — how will you stay up to date with what’s happening? When you work with a business continuity and crisis management expert like Bryghtpath, you gain access to a wide network of information that simply may not be available through local news sources.

How to Choose a Business Continuity Consultant

Writing for  TechTarget.com , Richard Jones, a VP at Burton Group, advises, “[T]he first step (after agreeing that a BCP is in order) is deciding who will lead the process. In-house personnel may be qualified, but if not a consultant is what you need”–or it could be a combination of the two.

It may be possible to do the job without a “hired gun.” In that case Jones advises looking for someone already on board who has led at least two successful business continuity exercises in organizations off similar sizes in approximately the same market to the organization.

Also, this updated  piece  from Continuity Central also has some sage advice on the subject. The organization should ask these three key questions:

  • If there is a staff member having the necessary knowledge, is it sufficiently up to date and “broad enough to develop a fully rounded business continuity plan?
  • If the staff person is not completely “up to speed,” would additional training fill the gaps in areas of deficient expertise?
  • Could an external consultant work with the staff member and minimize the amount of consultancy time needed?

We’ve written a detailed article,  8 Things to Consider When Choosing a Business Continuity Consultant , that you may also find helpful.

Sometimes you have a lot of the program in place, but you’re working harder than ever and just not making a lot of forward progress on your business continuity objectives.  Books and podcasts and other training just isn’t getting it done for you.

We’ve often found in these circumstances that working with a coach for a one-on-one coaching session can help you get unstuck, gain clarity, and take their next best step.

Here are some benefits from Business Continuity Coaching that we’ve seen in our experience:

  • An outsider’s perspective . Sometimes, you’re too close to the problem to see it accurately. An outsider’s perspective can be the simple insight you need to find the solutions that are probably already in front of you.
  • Encouragement and support . Discussing your business challenges with a trusted expert can help you uncover new solutions to your business continuity & crisis management problems or validate the ones that you already have in mind.
  • Validation for your ideas. If you’re struggling to get buy-in within your organization, the gravitas of an outside coach or consultant may be just what you need to get your leaders on board.
  • An insider’s network. Having a pre-established relationship with a business continuity and crisis management expert can ensure that you are able to quickly find the information and the help that you need when you need it most.

Could coaching be the right solution for you?  Here are some factors to consider:

  • You need help with a problem.  An effective coach can help you see your problem more clearly and create an actionable plan to move forward.
  • You’re new to the job or in need of specific capabilities. Regular coaching with a business continuity and crisis management expert can help you confidently address emergent challenges and build your professional playbook until you’re ready to stand on your own.
  • You’re ready to level up. Individual or group coaching, or some combination of both, can be invaluable in helping you reach the next level in your business continuity program or career.

If you’re ready for actionable insights and a no-BS game plan to take charge of your professional and programmatic success, coaching might just be your next best step.

For additional coaching insights, read our full article  5 Ways Coaching can help your Business Continuity and Crisis Management Program .

Outsourcing your Business Continuity Program

Another option is to completely outsource your Business Continuity Program to a third-party .  It’s often referred to as Business Continuity Managed Services or Business Continuity as a Service .

There are several reasons why you might choose this as an option:

  • Hiring an in-house team can be difficult
  • In-House teams have high fixed costs
  • It’s more difficult to scale an in-house team quickly when a disruption happens

There are several ways to structure using a third-party to manage your Crisis Management Program, three of the most common approaches are:

  • Development of your crisis management program
  • Facilitation of crisis management exercises
  • Help when you experience a crisis

We’ve written a more in-depth article about Business Continuity as a Service – How to Outsource your Continuity Program that covers approaches to doing so – and how to incorporate Crisis Management managed services as well.

Evaluating your Business Continuity Program

In the event of a significant disruption to your organization, how will your company respond?

business continuity planning guide

But this much is certain:  your business will face unexpected disruptions.

Understanding how your program and capabilities stack up is the first step to being able to mature your program – even if you don’t have a formal business continuity & crisis management program today.

Evaluating your business continuity program helps you know exactly where you stand and how to rapidly improve your current state of resiliency.

As we outlined above in our section about Business Continuity Metrics, we believe in measuring program maturity against defined industry standards – ISO 22301 in our case most typically.

A thorough standards-based evaluation of your business continuity program leads to a better understanding of how your organizational resilience stacks up – and helps you understand the path you’ll need to follow to further mature your program.

We’ve written a more detailed article about evaluating business continuity programs that you may find helpful. You can also learn about Bryghtpath’s proprietary Resiliency Diagnosis process that we use to evaluate business continuity & crisis management programs.

Business Continuity Certifications

You might be wondering about business continuity certifications.

Do you need one to be competitive for business continuity jobs?

Which business continuity certification should you get?

What does it take to get and maintain a business continuity certification?

Do you need a business continuity certification?

While it’s certainly possible to grow your way into a business continuity position from within your organization, it’s best to start working towards a certification as soon as you can.

If you’re looking to start a career in business continuity, most jobs will require you to be professionally certified or will expect you to be certified within a certain period of time. This is especially true if you already have the years of experience required for standard industry certifications; being eligible but not having a certification will stand out as a red flag.

If you’ve been lucky enough to climb your way up the ladder to a business continuity position from within, adding a formal certification to your war chest will be invaluable to getting the internal support and resources you need to carry out your program objectives. And while different training and certifications vary, you will no doubt benefit from the new tools, resources, and network that come through training and affiliation with your choice of certifying body.

In short, I’ve never heard anyone who regretted getting some sort of business continuity certification. Most wish they had done it sooner.

Leading Business Continuity Certifications

In the business continuity industry, the two main certification bodies are the  Disaster Recovery Institute International  (DRII) and the  Business Continuity Institute  (BCI).

In our experience, DRII is the most commonly accepted designation in North America. Its headquarters is in the U.S. and has been around since 1988.  BCI, established in 1994, is based in the UK and is more widely recognized for locations in Europe, Asia, Africa, and the Middle East, but their presence has been growing across North America over the past decade.

In our article  C hoosing the Right Business Continuity Certification , we break down the various business continuity certifications and provide some guidance on choosing the right one for you.

Where to learn more about Business Continuity

There are a number of great options available for learning more about Business Continuity – and many of them are completely free.

Here are some of our favorites.

Free Training

There are a number of free training resources available online that might provide you with answers to some of your questions about Business Continuity. Here are some available free options:

  • FEMA’s Emergency Management Institute :  Free courses covering many aspects of crisis management, continuity of operations, emergency management, and related topics.
  • Bryghtpath’s Free Introductory Courses :  Our free 101 introductory courses are intended to provide an overview of a particular subject matter in a way that helps both the novice and highly experienced business leader or individual contributor be able to make an immediate impact in their area of responsibility.
  • Bryghtpath’s YouTube Channel:   Hours of free video, webinars, and other presentations covering crisis management, business continuity, and crisis communications.
  • Bryghtpath’s Webinars & Videos : Our webinars and videos are intended to help you learn more about  business continuity ,  crisis management ,  disaster recovery , exercises , and  crisis communications .

Paid Training

  • Bryghtpath’s 5-Day Business Continuity Accelerator :   Our 5-Day Business Continuity Accelerator is an interactive online workshop designed to take you through a hard look at your existing business continuity program – and lay out a plan to rapidly mature your program in just days.We run this course quarterly – learn more, get on the waitlist, or enroll in the next session here on our website .

Business Continuity, Crisis Management, & Resiliency Facebook Group

Connect with hundreds of other Business Continuity, Crisis Management, & Resiliency Professionals in our free Facebook Group.

Our free Facebook Group is a forum for discussion around organizational resilience, business continuity, continuity of operations, emergency management, and crisis management.  The intent of the group is to serve as an active exchange of information, questions, and news related to our profession.

You’ll find daily articles, regular discussion topics, and a safe and welcoming environment for your questions related to your career and moving your program forward.

We hope to see you there!

Join the Free Facebook Group  >>

Books aren’t the best answer for everyone for learning about business continuity, but they are relatively inexpensive and provide a lot of deep insight into a specific topic.

We’ve published our Professional Reading List , which contains our best recommendations for personal study and contemplation that will assist you as you continue to grow in our profession.

There are a number of great (and FREE!) Business Continuity Podcasts.  These podcasts can help you continue to grow your knowledge and skills in these important areas as you seek to mature your organization’s program.

Here are a few of our favorites:

  • Managing Uncertainty :  Our own weekly podcast covering business continuity, crisis management, and crisis communications.  Learn more at our Managing Uncertainty Podcast archive .
  • Harvard NPLI Leader ReadyCast :  Featuring real-world lessons, best practices, and action-oriented insights for the “You’re It” moments when you are called to lead. Each episode features insights from frontline leaders and the faculty of the Harvard National Preparedness Leadership Institute (NPLI) program.
  • Resilient :  Resilient is a podcast series from Deloitte that features authentic, engaging, and thought-provoking conversations with CEOs, senior executives, government officials, board members, and people outside the business world. Hear their personal stories about how they led through a crisis, navigated through disruption, and managed through significant risk events. Discover what they learned about embracing risk, improving performance, and leading confidently in a volatile world.

We’ve outlined a longer list of our favorite business continuity & crisis management podcasts in our article  Top Business Continuity & Crisis Management Podcasts .

Executive Education Programs

The challenges involved in business continuity and crisis management are complex and ever-changing, making ongoing education a crucial part of any executive’s long-term strategies. Understanding the various points of vulnerability for your business, gaining best practices in business continuity management, defining risks and prepping emergency management procedures aren’t skills that are often taught in traditional universities but must often be learned on the job or as part of your networking with peers. Business Continuity & Crisis Management Executive Programs can assist with this opportunity.

Finding a  business continuity executive education  opportunity not only provides you with an opportunity for learning more about the topic but is a valuable networking opportunity as you learn with other professionals who are looking for the most proactive ways to prepare their business for the future.

Some of the top Executive Education Programs include:

  • Harvard’s National Preparedness Leadership Institute
  • MIT’s Crisis Management & Business Continuity Courage
  • Bryant University’s Business Continuity Certificate Program
  • PECB’s Business Continuity Management Program

We’ve recapped these programs along with several other options in our article  Top Business Continuity & Crisis Management Executive Programs .

Free Resources

We’ve put together a ton of free resources to help you in your quest to navigate uncertainty and disruption.

Learn more at our Free Resources page on our website.

About the Author

business continuity planning guide

Bryan is a Member of the Business Continuity Institute (MBCI) and a Master Business Continuity Professional (MBCP).

Learn more about Bryan and his background in business continuity & crisis management in his biography .

We can help.

Let the experts at Bryghtpath put their decades of Business Continuity experience to work for your organization

We have the experience, tools, and partnerships to help your organization successfully manage the rough waters ahead – and ensure your organization is prepared.

Learn more about our Business Continuity capabilities, read about the results we’ve generated for our clients , or book a meeting today .

I’D LIKE TO TALK TO BRYGHTPATH

PO Box 131416 Saint Paul, MN 55113 USA

[email protected]

Our Capabilities

  • Active Shooter Programs
  • Business Continuity as a Service (BCaaS)
  • IT Disaster Recovery Consulting
  • Resiliency Diagnosis®️
  • Global Security Operations Center (GSOC)
  • Emergency Planning & Exercises
  • Intelligence & Global Security Consulting
  • Workplace Violence & Threat Management

Our Free Courses

Active Shooter 101

Business Continuity 101

Crisis Communications 101

Crisis Management 101

Workplace Violence 101

Our Premium Courses

5-Day Business Continuity Accelerator

Communicating in the Critical Moment

Crisis Management Academy®️

Managing Threats Workshop

Preparing for Careers in Resilience

Business Continuity

  • Data Protection
  • Cyber Vault
  • Real-Time Encryption Detection
  • What Is an Air Gap
  • 3-2-1 rule in Data Backup
  • Cyber Resilience
  • Total Cost of Ownership (TCO)
  • Business Continuity Guide
  • Disaster Recovery Guide
  • Ransomware Recovery Guide

The Only Guide You Will Need

From the definition of business continuity and its related plans, to the description of the planning involved in establishing the business continuity plan, right down to its management, we cover everything in this ultimate Business Continuity guide.

20 min Read

What Is Business Continuity?

High-profile events and disasters such as terrorist attacks, natural disasters, and data breaches have increased global awareness of the need for robust business continuity practices and strategies.

business continuity planning guide

Business continuity encompasses the people, processes, technologies, and frameworks needed for an organization to ensure the continuous delivery of critical business functions when a disaster occurs. The business continuity definition also includes the prevention and mitigation of such disruptions from happening in the first place.

Company leaders have a crucial role to play in ensuring the resilience and continuity of business operations during crisis events.

Business continuity does not have an end date or state. It is a continuous process that keeps on evolving to adapt to never-ending business transformations and changes in the business environment. 

Business Resilience vs. Business Continuity: What's the Difference?

Although both terms are sometimes used interchangeably within business circles, there are several subtle differences.

Business resilience describes the ability to return to a state of functionality that may either be the same as prior to a disruptive event, or a new state that enables operations in a new reality. It includes disaster response, incidence response, and business continuity management. A truly resilient organization is impervious to the effect and fallout of various kinds of disasters or disruptions.

On the other hand, business continuity assists companies to return to functional status by addressing the consequences of outages and disruptions to business operations. The goal of business continuity is to return the business to a state of operation/functionality prior to a disruptive event, in the shortest amount of time and with the least amount of disruption. It does this by reducing and preventing data loss and the risk of reputational harm by mitigating the consequences of disastrous events. 

Essentially, business continuity is concerned with helping a company resume operations immediately when a disaster occurs while business resilience is the company's ability to resist and adapt to disruptive events or trends.

The Plans in Business Continuity

Multiple plans result from the business continuity planning process. They are all considered part of the business continuity plan (BCP).

Business Continuity Plan (BCP): business continuity initiatives, strategy, policies, standards, and planning activities produce this plan. It is all encompassing and includes the other plans below, or at least references to them.

Disaster Recovery Plan (DRP) : this plan will focus on business continuity from an IT / technology infrastructure standpoint.

Crisis Management Plan (CMP) : this identifies the chain-of-command and provides criteria to determine if a crisis has occurred —and therefore the activation of the BCP and related emergency response— the reporting and response management of the crisis, along with a communication plan.

Emergency Response Plan (ERP) : also called Incident Response Plan, this details the actions that need to take place to mitigate the immediate effects or consequences of an event responsible for business disruption. The priority of this plan is the safety of people directly or indirectly involved in the business. Then comes the protection of the business infrastructure (IT, building, equipment). Once the response phase is completed, it is possible to move to the Restore, Recover and Resume phases.

business continuity planning guide

Business Continuity Plan (BCP) vs. Disaster Recovery Plan (DRP): What Are the Key Differences?

What Does Business Continuity Mean in a Business Emergency?

It means that the organization has made adequate preparations and has the ability to execute a business continuity plan that addresses customers, people, processes and technology. 

Ensuring Services or Products Are Delivered (Customers)

At its core, business continuity proactively ensures that organizations can still execute mission-critical operations and deliver products or services to customers during a disruption.

Proper business continuity mandates different responses to different levels of threats and disruptions. This is done for one major reason - to ensure that the products and services that are most vital to customers aren't disrupted.

Supporting Employees (People)

The scope of business continuity covers the safety and security of human resources - from executive and middle management down to frontline workers - along with organizational assets and systems.

Since disasters and business emergencies can be confusing, business continuity planning takes cognizance of how, when, and what kind of information is delivered to employees…once disaster strikes.  

To help support company staff during operational disruptions and emergencies, business continuity ensures that employees have key information on how the organization plans to respond. Everyone needs to know what to expect from the BCM team as it implements strategies to navigate the company back to a state of normalcy.

Knowing Which Steps and Actions to Take (Process)

Company management and key personnel need to know what steps to take when faced with incidents that result in a business emergency.

A business continuity plan typically includes the contact information of relevant personnel, a guide on how to use the BCP document as well as clear guidelines on what to do to maintain critical operations. The plan should be honest about service level agreements (SLA) , recovery point and recovery time objectives ( RPO and RTO ) and identify what employees should or should not do to assist processes, facilities, and team members stay operational and productive.  

The Crisis Management and Emergency Response plans would actually provide detailed step-by-step procedures to follow to address particular situations addressed in the BCP.

Having the Right Disaster Recovery Solution in Place (Technology)

It's imperative for organizations going through the business continuity planning process to leverage the right technologies.

In recent years, there has been a significant increase in the number of disaster recovery (DR) solutions, due to the prevalence of cloud computing applications and the aftermath of the COVID-19 pandemic.  

Depending on their DR needs, enterprises can build or rent off-site disaster recovery facilities or leverage a variety of cloud-based options such as disaster recovery as a service (DRaaS) . These offerings come with a range of tools and services that offer incident response capabilities such as DR, backup, and restore to prevent data loss and ensure the high availability of IT systems and databases. It is all about having the right solution to execute the DR plan .

Managing Business Continuity: The BC Management Team

While business continuity processes and strategies are designed to help organizations stay on track during unexpected disruptions, the success of these strategies depends largely on how well they are executed.

Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. They provide the insight, focus, and leadership that keeps a business on its feet when disaster strikes.  As such, deciding who is responsible for business continuity planning, and collating the resources and technologies needed to help them operate effectively are indispensable parts of business continuity initiatives.

Putting together a strong BCM team is challenging. A world-class business continuity team is cross-functional and includes personnel drawn from pockets of expertise across the entire organization, from executives to team members drawn from legal, facilities, finance/accounting, IT, HR, etc. The roles and responsibilities of individual BCM team members are outlined in the business continuity policy.

Regardless of company size, industry vertical, or business objectives, the BCM team should comprise the following:

Every BCM team must be headed by a company leader with the skill and experience to oversee business continuity efforts and make high-level decisions on the focus of the BCM team. The sponsor is usually drawn from the ranks of senior management.

For large enterprises, the Risk Management Officer may lead the BCM team assisted by someone from the IT department. In smaller organizations, the CTO or CFO may be picked to head the BCM team.

The Business Continuity Steering Committee or Office  

This is an interdisciplinary team at the C-suite level usually made of people overseeing key functions in the organization (COO, CIO, CSO, CISO, CPO, Legal Counsel, etc.). Their role is to ensure the BC program stays in lock-step with the corporate strategy, that proper resources are allocated and that goals are established and met within set timeframes.

In most instances, the BC Sponsor is also the chair of the Steering Committee when it exists.

The Business Continuity Plan Owners   

In larger organizations, the Business Unit or group leaders are accountable for the creation and maintenance of their own BCP, under the established policies, standards and processes set at the BC program level.

Business Continuity Planners and Managers  

The BC planners are the people in charge of developing the actual business continuity plan for their business unit or group. In larger enterprise, they will report to a BCP owner. In smaller organizations, they may just be reporting to the BC Program manager, and help to develop the BCP for various functions of the business.

The BC manager role is to ensure the BCP readiness by coordinating and organizing simulation exercises, training of the resources that would be involved in any BC activation plan. He also ensure a feedback loop into the process by bringing up any challenges that may arise during exercises testing the BCP.

BC planner and manager functions can be fulfilled by the same person. Again the size and global footprint of an organization will impact how these roles are set up.

Crisis Management Team (CMT) and Emergency Response Team (ERT)   

These are the people who are responsible for executing the BCP when it gets activated and they : 

1) Ensure all the activities get triggered and implemented,  

2) Make sure the proper resources get allocated,  

3) Make decisions to adjust the course of operations as needed,  

4) Execute the workflows and steps of the BCP ,  

5) Provide updates/reporting on the situation and its evolution on the ground .  

In some organizations this might be two teams, working closely together outside of a crisis, and obviously during one. In that scenario, the CMT would mainly cover areas 1) to 3) while the ERT would take care of 3) and 4). The overlap over decision-making (3) considers that adjustments can be made on the ground but also at higher level.

Crisis Communication Management Team (CCMT)   

Some organizations may also have a dedicated Crisis Communication Team that manages communication with the media and all key stakeholders of the organization (employees, customers, partners, etc.) during a crisis.  

The Map to Recovery: The Business Continuity Plan (BCP)

Business continuity planning culminates in the production of a business continuity plan that usually becomes a living document, constantly evolving.

The BCP is the tangible asset an organization produces to translate its strategy and approach to deal with disruptions and ensure its business can continue to operate. Because it is the result of a cyclical process —business continuity planning— it will evolve over time. Regular testing of the BCP usually brings its own set changes and adjustments too, making the BCP an actual living document.

Developed by the business continuity managers and planners, it will become the recovery map the crisis and emergency teams will rely on when disaster strikes.  

What Is a Business Continuity Plan?

The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. 

According to ISO 22301 ¹ , a business continuity plan is defined as “documented procedures that guide organizations to complete the four R’s: R espond, R ecover, R esume, and R estore to a pre-defined level of operations following disruption.” 

The business continuity plan aims at meeting the four R’s against defined types of risks that can affect the organization's operations —such as floods, fires, disease outbreaks, weather-related events, cyber-attacks, and other external threats— for specified sites or geographical areas. 

Key Elements of a Business Continuity Plan

There is unfortunately no one-size-fits-all template that can be applied but at least the elements listed should be considered as minimum requirements. 

The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. The BCP should at a minimum contain the following elements:

  • Contact information of the key individuals in charge of the BCP 
  • A revision log with reference to documentation that describes change management procedures - This is key for audit purposes and to ensure that only the latest versions of a BCP are available. It also enables to connect changes and BCP testing, by highlighting what elements of a test drove changes in the BCP. 
  • Information about and/or references to BC governance, policies and standards  
  • The purpose and scope of the BCP - As seen later there will most likely be multiple BCPs developed for a single organization, to address specific types of disruptions over specific entities or locations. So, it is key to know what is the intended application of a particular BCP.
  • Instructions about how to use the plan end-to-end , from activation to de-activation phases 
  • Service Level Agreements (SLAs) over key business processes, defining the amount of time within which these processes must be restored.
  • References to Disaster Recovery, Crisis Management and Emergency Response plans and procedures along with the identification of key roles and individuals. 
  • References to Runbooks detailing all applicable procedures step-by-step, with checklists and flow diagrams.
  • A glossary of terms used in the plan  
  • A schedule showing dates for reviewing, testing and updating the plan, along with a record of past test dates and references to the results of these tests.

Each organization will have other items deemed important that will make it to their BCP. There is unfortunately no one-size-fits-all template that can be applied to meet every business needs.

The Lifecycle of an Active BCP

Great, you have a solid BCP. And now what? What happens when a crisis hits?

BCP Activation

A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is how a business is best protected as it enables speed over its BCP activation when required. Obviously, this will vary with the type of disruption as not all disruptions are equal.

The response to a pandemic such as COVID-19 would  provide more time to plan and decide what parts of a BC plan to activate. In this case, it is most likely that the activation decision would be taken at the highest level of the chain. 

In contrast, the event of a shooting in a building office would most likely trigger the activation of that local BCP by the members of the teams located there. The activation would put in motion various elements of the BCP, including the reporting and potential further activations up the chain of command. The situation may end up being managed at a different level later for various reasons. 

The BCP should ensure that many members of the BC team, at various level of the organization, are empowered to act as leaders and activate a BCP, in order to enable a swift response when needed. Proper availability and coverage of these individuals is essential (designated backups in case of absence, redundancy in locations, shifts, etc.).   

Systems and procedures should also be in place to record events as they take place, or soon after (time stamps for events or decisions, people or agencies involved, etc). 

BCP De-activation

It is the responsibility of the Crisis Management Team to decide when the BCP needs or can be de-activated. The highest “ranked” individual in the activated crisis management cell is the one to make the call.

The BCP should incorporate the criteria to be met to start the deactivation process, and during the step-down process itself (validate at each step that the situation meets set criteria and conditions). At this stage, it is usually easier to properly document all these steps, and record time stamps, decision-makers names, and any other pieces of information that may be valuable for a later review of the response to a disruption. 

Other Consideration: BCP Accessibility

While it is impossible to list all the considerations that could apply to an organization’s BCP, there is one that is essential: the accessibility to the BCP, and any runbooks describing the applicable procedures step-by-step.

Training is of course important to make a lot of the activities and tasks feel like second nature for the individuals involved in executing the BCP, however it is still highly probable that during a crisis there will be a need to check some elements of the BCP.

However old-fashion this might feel, having print versions of the BCP available in designated locations is important, since some disruptions may bring down the IT infrastructure of an organization, or even the local grid, hence limiting or preventing any access to digital documents. Obviously, that adds another layer of management to ensure these documents are kept up-to-date. Other options can include having digital copies of a BCP hosted on other secured 3rd party systems or platforms. 

The Journey to a BCP: Business Continuity Planning

Business continuity planning is a top priority for any organization looking to minimize downtime and maintain the high availability of systems, products, and services, regardless of disastrous occurrences.

Business continuity planning describes the process of establishing risk management procedures and protocols (that should be followed in the event of a disaster) to prevent interruptions to mission-critical services and help re-establish full operational functionality as quickly as possible. It culminates in the production of a business continuity plan (BCP).  

The Key Parts to Business Continuity Planning

To ensure that the most likely scenarios are covered, the planning process involves identifying critical functions and the possible risks and disasters that would cause the failure/downtime of said functions.

The nature and severity of these threats will guide the rest of the planning process. The key parts of the business continuity planning process are:  

  • Identification of critical functions or business processes - Reveals what processes are critical to maintaining and running in the event of an unplanned disruption in order to prioritize and focus recovery there 
  • Business Impact Analysis (BIA) - A systematic process used first to evaluate the disruptive effects of disasters, accidents, or emergencies on critical business processes.
  • Risk Assessment - Identifies all potential hazards to a company such as technology failures, cyberattacks, or natural disasters. It is also used to determine risk mitigation strategies and implementations.
  • Establishment of Service Level Agreements (SLAs) - Based on the information collected from the previous stages, realistic and appropriate SLAs must be defined for specific services/teams supporting particular business functions or processes. This will drive technology solutions and processes used to deliver on these SLAs.
  • Communications - Crisis communication management involves many parts and must be well planned in order to ensure clear and consistent information to many stakeholders during a crisis, which include: media, employees, customers, partners, agencies, etc.
  • Testing and Maintenance - Testing the resulting BCP is essential to identify gaps and make improvements. Planning BCP testing should help determine test frequency, but also how to partially or fully test the BCP, i.e. what method to use. 

The various analysis and planning processes highlighted above will lead to the creation of other plans —and their related procedures— that are part of the business continuity plan, such as: 

  • Disaster Recovery Plan 
  • Crisis Management Plan, which will include the communication aspect. 
  • Emergency Response Plan   

While driven and led by the BCM team, a lot of cross-organizational and cross-functional work and teams are involved to feed into and receive information from the various activities taking place to establish the BCP. This is not an easy task that requires a lot of coordination and alignment, hence the necessity to have a dedicated team managing that planning process.  

Establish Key Business Continuity Metrics: MTD and MTDL

Through the business impact analysis (BIA), an organization will estimate the downtime it can tolerate for a given process or function, and the maximum data loss it can handle. These limits are reflected in the SLAs.

Within the context of business continuity, an SLA represents a promise about how long a business process or function will remain unavailable in the event of a disruption. It assumes the commitment of every party involved.

Maximum tolerable downtime (MTD) and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function.

Risk Assessment, BIA, SLA, RTO and RPO: What's the Link? MTD and MTDL

What is a Service Level Agreement (SLA) in Business Continuity

MTD and MTDL: Differences and Considerations

MTD, also referred to as maximum allowable downtime (MAD), is the longest downtime an organization can tolerate before facing serious repercussions. It is measured in units of time.

MTD is made of several components, including recovery time objective (RTO), meaning setting things up to stay below its defined value is more complex and involves several teams.

MTDL determines the most amount of data or transactions the business can afford to lose over a specific business process or function. This limit is measured in units of time. MTDL will directly inform the DR team about the recovery point objective (RPO) that needs to be achieved to meet the SLA of a specific business process.

Where To Begin Your Business Continuity Planning

Let’s take a look at the core steps company leaders must undertake when embarking on business continuity planning.

Start With A Thorough Prep-work and a Strong Disaster Recovery Plan

The key parts of the business continuity planning —risk assessment, BIA, identification of critical functions— contribute to determine the business requirements for the DR plan, mainly through the establishment of SLAs. There is no shortcut: that is the tedious prep-work that has to be done in order to deliver a strong disaster recovery plan. 

A strong disaster recovery plan is a core part of your business continuity strategy and is integral to its success. The DRP focuses on the technology infrastructure required as well as the specific steps organizations must take to resume operations and access their data easily following a disaster. The DRP should include the following 

  • plan goals and objectives 
  • authentication tools 
  • incident response and recovery steps 
  • the DR policy statement 
  • key action steps and guidelines for when to use the plan 
  • responsibilities of individual DR team members  
  • contact information of personnel needed to enact critical recovery tasks. 

Train a Strong BCM Team

Designating who will manage and implement your BCP, and all its related plans, is of paramount importance to the success of business continuity initiatives. As mentioned previously, the BCM team is broad, considering it goes from the sponsor, steering committee, program manager, plan owners and planners to the crisis and emergency response teams spanning across all the areas of the business. Therefore training and simulation exercises are critical to help prepare your BCM team for when an actual disruption occurs. 

Since it's difficult to know ahead of time how well your BCM team would perform during an actual crisis, continuous training will go a long way in ensuring they're ready to oversee and execute the BCP when disaster strikes. Training also includes getting BCM team members up to speed on the latest BCM best practices. The team can also leverage cloud-based or on-premise business continuity management software to help pinpoint areas of risk, create and update plans and conduct BIAs. 

Have Something Small In Place, Test It And Grow From There

Traditionally, business continuity planning was largely the province of big businesses and most plans seem to be designed with large enterprises in mind. However, anyone can undertake BCP without breaking the bank or straining already limited company resources. Savvy business leaders can begin their BCP journey with a small but easily scalable plan. 

The plan could target one specific area at a time (such as IT assets and sensitive business data) and expand to include other business areas and processes. Such a plan should be rigorously tested to minimize loopholes and vulnerabilities. Over time, company leadership can expand the initial BCP to ensure 360-degree business continuity across the entire organization. 

Business Continuity: How to Do It the Right Way

A solution that fits your BCDR strategy, and delivers on data protection and recovery.

BC planning takes inputs from the Risk Assessment, BIA, identification of critical functions and defined SLAs to establish the appropriate processes, procedures and technology solutions to be implemented and enabling the DR plan to achieve the defined SLAs. 

To protect your data from disasters and instantly recover applications without data loss, companies need a reliable data protection mechanism and cost-effective BCDR solution in place. A lot of enterprise-grade applications and databases have the built-in capability to handle data replication synchronously and asynchronously. 

However, this is not a viable option for business continuity purposes. Companies need a single data protection solution that supports their business continuity strategy and objectives, and that provides ransomware resilience, DR, restore and testing capabilities. This solution should be designed to work independently of any resource or host platform on a company's IT estate and scalable enough to protect single applications as well as large clusters or multisite environments. 

business continuity planning guide

What is Zerto Solution?

Short video (1 min 21 sec ) explaining what Zerto does and how it helps to deliver business continuity.

Zerto Solution: Overview

To exit, click outside the image

Zerto Solution Overview

Introducing Zerto for Business Continuity

Zerto , built on a foundation of continuous data protection, enables continuous availability which is essential to achieve business continuity. Zerto's solution provides everything you need for ransomware resilience , disaster recovery , and data mobility while delivering the very best recovery time objective (RTO) and recovery point objective (RPO) possible.

With easy implementation and deployment, the Zerto solution can scale with your organization to ensure continuous data protection for all of your business-critical and lower tier applications. 

Get in Touch!

Speak to one of our specialists today to find out how Zerto can help your business to achieve business continuity.

MORE RESOURCES ON BUSINESS CONTINUITY SEE ALL

Business continuity & disaster recovery in healthcare.

Understand the unique challenges facing the healthcare industry and how, by adopting business continuity & disaster recovery, they can become more resilient.

Business Continuity and Disaster Recovery in the Cloud Era

Learn the different types of Cloud BCDR solutions along with their pros and cons, and then see how Zerto addresses these challenges and improves upon many of the traditional solutions that leave gaps in cloud-based BCDR .

Essential Guide: Disaster Recovery

After reviewing Business Continuity, let's look at what is involved in getting Disaster Recovery right in this online guide.

1. ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements

Do not sell or share my personal information

Your privacy preferences for Zerto's websites has been saved. We will serve only essential cookies moving forward on this browser

StartupNation

  • Branding and Marketing
  • Business and Life Planning
  • wjr business beat
  • Management and Operations
  • social media
  • Technology and Web
  • Inspiration for Entrepreneurs

business continuity planning guide

  • Administrative Matters
  • Legal, Insurance & Compliance
  • Plan Your Business
  • Protect Your Business
  • Succession & Exit Strategies

The Ultimate Guide to Continuity Planning for Your Small Business

' src=

Businesses face a variety of potential emergencies and threats that can disrupt their operations.

From natural disasters to cybersecurity attacks, it’s pivotal to safeguard your business in case something happens. 

Enter: Business continuity planning. 

Let’s take a closer look at what business continuity planning is and why it matters.

We’ll explore different threats that may occur and disrupt operations — along with some practical strategies you can implement to promote business resilience. 

You’ll also discover a helpful template you can use to create your own business continuity plan.

Let’s get started.

What is business continuity planning?

Business continuity planning means creating a strategy to help your business continue (or quickly resume) normal operations after a disruptive event. 

It involves identifying potential threats and developing measures to mitigate them , such as:

  • Implementing backup systems
  • Creating contingency plans
  • Establishing protocols for emergency response

It’s about keeping your business up and running, even in challenging circumstances.

Verizon Digital Ready: Providing Entrepreneurs the Skills and Knowledge They Need

Let’s take a closer look at the business continuity planning process and why you need a recovery plan. 

What could disrupt my business, and what should I include in my plan?

Businesses face a variety of emergencies and disasters that can disrupt their operations and impact their ability to continue functioning. 

Especially brick-and-mortar businesses and ecommerce brands .

One example is natural disasters , such as hurricanes, earthquakes, or floods, which can cause:

  • Widespread damage to infrastructure
  • Power outages
  • Supply chain disruptions. 

To safeguard against such events, businesses need comprehensive business continuity plans that identify critical business functions and outline recovery strategies. 

Effective business continuity plans involve senior management and a dedicated business continuity team to implement and maintain the plans. This could be an entire task force or a small group of proactive problem-solvers. 

Another type of emergency that businesses need to safeguard against is a major disaster, whether a fire, cyber attack, or prolonged system failure. 

To address these scenarios, you need a robust disaster recovery plan in place. 

This should outline steps to recover data and restore systems to maintain essential business processes. 

Preparing your business continuity plan: A Template 

Below, you’ll find a simple template you can use when preparing your business continuity plan.  

Use the following template to plan your proactive tactics and your reactive responses. Both are pivotal to helping your business remain as resilient as possible.

We’ll also outline some specific strategies you can use in a bit.

Business continuity planning template 

(Enter Business Name)’s Business Continuity Plan

Below, you’ll find our preventative and reactive responses to potential threats and emergencies.

Organization’s Name: ____________________________

Business owner: ____________________________

Senior management: ____________________________

Dedicated business continuity team members: _____________________________

Our critical business functions include:

Our proactive strategies include:

(Enter strategies to help prevent something from disrupting your business — such as data backup services.)

Our recovery strategies include…

  • Strategy to recover data: ________________________________________________________

________________________________________________________

  • Strategy to restore systems:
  • Strategy to maintain essential business processes:

Last Updated: (Enter Date)

Now that you have a template to reference, let’s review some strategies you can use to safeguard your business. 

The following business continuity strategies can help you prevent emergencies — or handle them without major disruption to your business operations.

1. Use Cloud Security Posture Management (CSPM) to remain resilient against cyber attacks

The important role technology plays in ensuring business continuity can’t be overstated. 

A crucial aspect of this is safeguarding your business’s digital assets and operations. 

10 Cybersecurity Tips Every Entrepreneur Should Know

This is where Cloud Security Posture Management (CSPM) becomes pivotal. CSPM isn’t a buzzword — it’s a foundational element in protecting your business from cyber threats and uninterrupted operations.

Imagine your business’s cloud infrastructure as a complex network of digital highways. 

Just as traffic rules and signs maintain order and safety on the road, CSPM sets the guidelines and monitors your cloud environment to prevent disruptions and security breaches. 

business continuity planning guide

By regularly scanning your cloud environments for misconfigurations and non-compliance issues, CSPM tools act as vigilant guards . This ensures your business’ cloud infrastructure is operational, secure, and compliant with industry standards.

2. Use a scheduling app to manage employee schedules in case of an emergency 

When it comes to business continuity planning, scheduling apps for employees play a crucial role in ensuring team and operational stability during emergencies. 

These apps provide the flexibility and convenience to easily plan upcoming shifts or rearrange the entire schedule. 

business continuity planning guide

In the event of an emergency, such as unexpected absences or sudden changes in staffing requirements , you can quickly adjust and fill any gaps in your team’s schedule. 

These apps also offer features like shift swapping , which allows employees to request or exchange shifts as a backup plan. 

With the ability to easily reschedule and redistribute work hours, you can maintain productivity and continuity even in challenging situations.

Sign Up for The Start: A Newsletter Built for Entrepreneurs

3. use aws backup to protect internal data .

AWS backup offers a powerful solution for safeguarding and protecting internal data.

business continuity planning guide

With AWS Backup, businesses can rely on robust data security measures to uphold business continuity and facilitate uninterrupted operations.

By implementing AWS backup services, your critical data will be protected and easily recoverable — even in the face of crises. 

4. Use Enterprise Resource Planning (ERP) systems to create a strong foundation for continued success 

Don’t let the name fool you. Enterprise Resource Planning (ERP) systems are a special type of technology that can greatly benefit small businesses . 

They’re comprehensive software solutions businesses use to integrate and manage various core operations , such as:

  • Customer relationship management
  • Human resources
  • Procurement
  • Supply chain

With an ERP system, you’ll have a central database that allows different departments within your organization to share and access information in real-time. 

This streamlines processes, improves efficiency, and promotes collaboration by providing a unified data management and decision-making platform. The result? A whole myriad of benefits. 

business continuity planning guide

When it comes to ERP systems, reliability is key. A trusted option for this is SAP ERP. 

However, implementing and customizing SAP ERP for small businesses can be complex with its advanced features. That’s where the expertise of reliable SAP consulting solutions comes into play. 

Getting guidance from experts not only makes the implementation process smoother but also ensures the ERP system fits perfectly within your business’s unique needs. This is especially crucial for small businesses since they rely on more limited resources than enterprise-level companies. 

5. Protect your reputation with the right business entity

The legal structure you choose for your business can protect your reputation in case of a devastating emergency.

For instance, if an intense cyber attack leads to data leaks and large financial losses, there’s a chance you won’t be held personally responsible for your business’ debts or losses.

business continuity planning guide

In other words… the way you registered your business to begin with may help you stay in business later. 

Registering a business in Texas as an LLC, for example, offers the potential for limited liability protection. In this case, any member of the LLC has the chance not to be held personally liable. With this in mind, your team could pivot as needed without harming brand credibility. 

Texas also has more flexibility for LLC businesses, such as no requirement for meeting minutes. This makes it easier to fulfill legal requirements as a business, so you have the best chance of receiving personal liability protection.

But don’t take our word for it.  

Always seek legal advice from a registered agent or business consultant. 

They’ll go over your liabilities with you and your goals to help you uncover the best legal framework. Ask them to help you choose a structure that can protect your business (or at least your personal assets) from potential threats. 

If you’ve already chosen a structure, meet with your agent to talk about the possibility of choosing another option if needed. 

They’ll need to know:

  • What kind of business do you have
  • What outside threats would you like to prevent 
  • Your personal and business assets
  • Your business’ more specific top risks (i.e., location-based or industry-based risks)
  • What state you’re in or would like to get registered in
  • How many employees do you have
  • How much your business is earning  
  • Key factors about how your business operates 

Business continuity planning is essential for any organization striving for success and resilience. 

With a plan in place, you’ll be able to proactively identify potential risks, establish clear protocols, and allocate resources efficiently. 

Use the template we provided for a structured framework to create your personalized plan. 

Go over the prevention and reactive strategies we covered with your dedicated business continuity team and tailor them to your needs. 

That’s it for now. 

Here’s to your continued success!

Image by 8photo on Freepik

Most Read: What Is the Average Income of a Subway Restaurant Franchise Owner?

  • business continuity
  • business security
  • cybersecurity
  • protect your business
  • Sales and CRM

' src=

Related Posts

business continuity planning guide

Top 10 Benefits of Choosing .NET for Application Development

business continuity planning guide

Verizon Digital Ready: $10K Grants are Back! Plus, the Skills Entrepreneurs Need

hybrid cloud

Disaster Recovery Planning in IT Infrastructure Services

skills

9 Essential Skills You Need to Start and Run a Successful Business

Go to homepage business.govt.nz business.govt.nz

Business.govt.nz, in association with, continuity and contingency planning.

Continuity and contingency planning is about being prepared for all types of disruptions, for example, an earthquake, broken equipment or losing a supplier — and quickly getting back on your feet.

Use this step-by-step guide to get your plan sorted. It’s vital to your business’s survival.

Business Continuity Planning = Plan B

A business continuity plan (BCP) pinpoints the most important parts of your business, identifies potential risks to these critical pieces and prepares you to recover as quick and easy as possible. Contingency planning is a crucial part of continuity planning — it means having a backup if your original plan no longer works. It’s your plan B.

Your BCP shouldn’t be limited to what to do after a natural disaster. It should cover any risks or threats that could disrupt your most important business activities.

Watch: Plan for the unexpected

Video transcript: Plan for the unexpected

[Audio/Visual: Upbeat music starts playing with blue introduction screen with white business.govt.nz logo. The words “Plan for the unexpected” appear on screen for a few seconds. The screen cuts to a profile shot of the male presenter against a blue background. He is wearing an ivory blazer over a white dress shirt.]

It’s never a bad idea to prepare for the unexpected,

[Visual: the letters “BCP” appear on the top right of the screen in white, bold letters. Bellow this, the acronym is spelt out: “Business Continuity Planning”. This stays on screen for a few seconds.]

and business continuity planning is a plan B for your business. It pinpoints the most important parts of your business, identifies potential risks to these critical pieces and prepares you to recover as quickly and easily as possible.

[Visual: the screen cuts to an upper body shot of the presenter.]

Business owners aren’t legally required to do business continuity planning, but there are many reasons to put time and energy into it.

[Visual: the screen cuts to a profile shot of the presenter.]

it’s important to note that a continuity plan is different from emergency planning.

[Visual: the screen cuts to a shot of the defence force wearing high-vis vests. The back of one of the vests says “Response Manager”. After a few seconds, the shot changes to a broken, twisted train track covered in fallen trees. After a few seconds, the shot changes to the New Zealand Navy loading bags and supplies onto a boat.]

While emergency plans cover in-the-moment procedures in a crisis, like a natural disaster, business continuity planning, or BCP, covers how you’ll get core parts of your business up and running again.

[Visual: the screen cuts to an upper body shot of the presenter against a blue background. A title appears in the top right “BCP step-by-step guide”. This disappears after a few seconds]

So, here’s a step-by-step guide to business continuity planning.

We’re going to ask you a range of questions and we recommend that you note down your answers, and then form this into the first draft of your BCP.

[Visual: the screen cuts to a profile shot of the presenter on the left-hand side of the screen. A title appears on the top right of the screen in white, bold text “Step 1 – Identify key products or services”. Below the title, bullet points appear as the presenter lists them:

  • Risks to profitable activity]

Step 1. Identify key products or services

What are the biggest risks to your most profitable activity? How can you reduce these risks?

[Visual: the bullet point changes to:

  • Essential to key activities]

What is essential to produce or carry out these key activities, like. raw materials, or a fully functioning website?

  • Least profitable activity]

What is your least profitable activity? Are you prepared to pause or stop this until you get back on your feet?

[Visual: the bullet point disappears and the title changes to “Step 2 – Identify key internal people. Below this, bullet points appear as the presenter lists them:

  • Staff or business partners]

Step 2. Identify key internal people

If you have staff, could your business continue without some or all of them on deck?

  • One person for key tasks]

Does your business rely heavily on one person for key tasks? What happens if this person is unavailable?

  • Temporary staff]
  • How might you get temporary staff at short notice?

[Visual: the title changes to “Step 3 – Identify key connections”. Bullet points appear below the title as the presenter lists them:

  • Suppliers, providers, clients]

Step 3. Identify key connections

These might be suppliers, service providers, clients or regular customers.

  • Robust supply chain]
  • How robust is your supply chain?
  • Backup suppliers / manufacturers]

If your business relies on external suppliers or manufacturers, do you have a backup if something goes wrong?

  • Alternative transport solutions]

If your business uses transport to deliver products or services, what are your alternatives if something goes wrong?

  • Good relationships]

Who might help you get back on your feet?

  • Access premises or IT systems]
  • Who can help if you can’t get into your premises or IT systems?

[Visual: the title changes to “Step 4 – Identify essential equipment and supplies”. Below this, bullet points appear as the presenter lists them:

  • Rent alternative equipment or premises]

Step 4. Identify essential equipment and supplies

  • If you rely on your own equipment to make products, could you borrow or rent alternative equipment or premises if yours are out of action?
  • Suitable staff devices]

Could your staff use their home computers for work if business computers are unavailable

[Visual: the title changes to “Step 5 – Consider relocation options”. Below this, bullet points appear as the presenter lists them:

  • An alternative site or home]

Step 5. Consider relocation options

  • If you need to vacate your usual premises unexpectedly, how can you keep your business ticking along?

Could staff work from an alternative site, or from home, if your premises can’t be used?

  • Communicate with customers]
  • If you need to move, how can you best communicate with your customers about your new location — and from your new location?

[Visual: the title changes to “Consider insurance options”. Below this, bullet points appear as the presenter lists them:

  • Business interruption insurance]

Step 6. Consider insurance options

What could go wrong with your business or at work? Is it covered by insurance? Business interruption insurance can help to cover losses after an emergency.

[Visual: the title changes to “Identify who would run the business in your absence”. Below this, bullet points appear as the presenter lists them:

  • Who takes over important tasks?

Step 7. Identify who would run the business in your absence

If something takes you or another important team member away from the business, who can take over those important tasks?

  • Each member’s role]

If there’s a major disruption, what is each member’s role in getting the business back on its feet?

[Visual: the title changes to “Step 8 – keep contact details handy”. Below this, bullet points appear as the presenter lists them:

  • Emergency services
  • Clients and suppliers
  • Insurance details
  • Security company
  • Neighbouring businesses]

Step 8. Keep contact details handy

  • Do you have emergency contact details handy? This list may include staff, emergency services, clients and suppliers. You may also include your insurance details, security company and neighbouring businesses.

[Visual: the title changes to “Step 9 – back up important data”. Below this, bullet points appear as the presenter lists them:

  • Customer details
  • Spreadsheets]

Step 9. Back up important data

What data — customer details, emails, files and spreadsheets — are critical to your business?

[Visual: the bullet points change to:

  • Personnel files
  • Bank details
  • Tax documents]

What sensitive data — personnel files, bank details, tax documents — do you need to keep safe?

Do you regularly back up data on a hard drive, server or in the cloud? If you don’t do this already, it’s a good time to start!

[Visual: the title changes to “Step 10 – Put it into practice]

And finally, step 10. Put it into practice

Much like emergency plans, a business continuity plan shouldn’t just sit on the shelf. It needs to be tried and tested at least once a year. This doesn’t need to be expensive or time-consuming.

[Visual: a link, “getready.govt.nz/prepared” appears on the bottom right of the screen.]

For a downloadable guide and template that walks you through important steps of BCP, see the Wellington Emergency Management Office website Get Prepared.

[Audio / Visual: The music slowly fades out while a blue outro screen appears with the business.govt.nz logo in the centre of the screen. This logo disappears and the Ministry of Business, Innovation, and Employment logo appears on the left-hand side and the Te Kāwanatanga o Aotearoa, New Zealand Government logo appears on the right-hand side.] [Video ends]

Watch: Building a resilient business

Video transcript: Building a resilient business

[Audio/Visual: Upbeat music starts playing with blue introduction screen with white business.govt.nz logo. The words “Resilience tips to build a strong business and future” appear on screen for a few seconds. The screen cuts to a profile shot of the male presenter against a blue background. He is wearing an ivory blazer over a white dress shirt.]

Resilience is a company’s capacity to absorb stress, recover critical functionality, and thrive in altered circumstances.

[Visual: the screen cuts to a shot of a busy café with customers sat down at tables and waitstaff taking orders and delivering food.]

As the business environment grows more dynamic and unpredictable, resilience is only becoming more important.

[Visual: the screen cuts to a shot of two woman sitting with a laptop at a dining table and taking notes.]

Building a resilient business is about planning and developing routine practices to become more resilient.

[Visual: the screen cuts to a profile shot of the presenter. The words “Building a resilient business” appears on the top right in bold white text. This disappears after a few seconds.]

Here are some simple, practical, steps that will get you well on the way to surviving in a crisis and, potentially, also thriving in the aftermath. 

[Visual: the screen cuts to an upper body shot of the presenter on the left side of the screen. The words “Step 1: Be alert to changing conditions” appears on the top right of the screen.]

Step 1. Be alert to changing conditions. 

Business crises are not necessarily natural disasters; 

[Visual: the screen cuts to a shot of two disused petrol pumps, followed by a shot of a woman plugging in her electric car.]

a slow creep of changing customer tastes can be just as critical to your business as an earthquake.

[Visual: the screen cuts to an upper body shot of the presenter on the left side of the screen.]

Be involved in industry and local business associations and networking groups; 

[Visual: the screen cuts to a shot of three people sitting and talking at a café. This last for a few seconds and then cuts back to the upper body shot of the presenter.]

Get to know your neighbours, customers, suppliers, competitors, and local community.

The more people you know and interact with, the more information they will funnel your way that is relevant to your business. This information may enable you to adapt your business before a crisis develops. 

[Visual: the words “Step 2: Identify core business needs” appear on the right side of the screen.]

Step 2. Identify core business needs.

The easiest way to do this is to put some of your scenarios to your team.

[Visual: the screen cuts to a shot of three tradies with toolbelts talking at a building site. After a few seconds, the shot cuts to two workers at a bakery. Both workers are wearing aprons, hairnets and facemasks and cutting and rolling dough.]

These can range from the simple; if you are a bakery, then discuss “what do we do if we come in one morning and the oven does not work?”, 

to the more complicated “what do we do if there is a fire in our building and everything inside is damaged?” 

[Visual: the screen cuts to a shot of two women looking at notepads and talking in a warehouse. There are tall commercial storage racks in the background, and staff pushing trolleys and operating a forklift.]

Make sure you consider people, premises, processes and technology.

The point is not to come up with right or wrong answers but to explore what your options may be, as well as revealing the key vulnerabilities of your business. 

When coming up with scenarios, consider the following questions:

[Visual: a titles “Step 2: Identify core business needs” shows up on the top right of the screen. The title stays on screen. Below this, a bullet point appears:

  • What are the things your business needs to operate?]

What are the things your business needs to operate? And how might they be vulnerable?

[Visual: the bullet point changes below the title to say “How vulnerable to damage are your premises?”]

How vulnerable to damage are your premises?

[Visual: the bullet point changes below the title to say, “How vulnerable are your key suppliers?”]

How vulnerable are your key suppliers?

[Visual: the bullet point changes to say, “What are your risks in getting things you need to operate?”. After a few seconds, the bullet point and title both disappear.]

What are your risks in getting things you need to operate?

These sessions may result in follow up plans or agreements, or they may simply provide you with a pre thought out course of action that can be easily carried out in the heat of a crisis.

[Visual: the screen cuts to three people sitting at a table with a laptop in an office setting. They are talking and smiling.]

Make the activity fun and keep repeating it. 

[Visual: the screen cuts to an upper body shot of the presenter on the left side of the screen. Text appears on the right side of the screen “Step 3: Getting back together”.]

Step 3. Getting back together.

Being able to contact each other is a key first step to beginning recovery from a major disaster. 

[Visual: a bullet point appears under the “Step 3: Getting back together” title: - Communications systems resilient.]

Are your communications systems resilient and ready?

[Visual: the bullet point changes to “IT system down”, and a second bullet point appears below this “Office access”.]

Do you know how to contact your staff, your suppliers, and your key customers if your IT system is down and you cannot get into your office?

[Visual: the second bullet point disappears, the first one changes to “Alternative contact information”.]

Do you have alternative contact information for when landline or mobile networks are down?

[Visual: the bullet point changes to “Information location access” and disappears after a few seconds.]

Does anyone else in your organisation know where to find this information if you are not there?

[Visual: Three new bullet points show up: 

  • Compile a list of contact details
  • Electronic and paper format
  • Update periodically.

The bullet points and original title disappear after a few seconds on screen.]

Compile a list of contact details and make multiple copies in both electronic and paper format, then set a reminder to check that it’s up to date periodically. 

[Visual: a title “Step 4: Backup your data” appears on screen in bold white text. This stays on screen with changing bullet points as points are made.]

Step 4. Backup your data

Be clear about what data is critical to the operation of your business. 

[Visual: a bullet point appears below the title:

  • Critical operational data
  • Mobile phone data
  • Off site copies.

These disappear after a few seconds.]

Most firms ensure their accounting data is backed up – but what about your customer contact lists, process manuals, and important contracts? 

Is the information stored on your mobile phone also stored elsewhere? Is there a backup copy off site?

Generally, the quicker you can get your key systems up and running, the less interruption to your cash flow.

[Visual: a title “Step 5: Cultivate open-mindedness and adaptability” appears on screen in bold white text.]

Step 5. Cultivate open-mindedness and adaptability.

[Visual: the screen cuts to a shot of an old-fashioned rotary dial phone. After a few seconds the shot changes to a man in high-vis in working on a tablet. There are pallets, workbenches and a forklift in the background.]

If you have a rigid way of doing things and seeing the world, then you will have difficulty in adapting to the new circumstances presented by a crisis. 

[Visual: the screen cuts to a profile shot of the presenter against a blue background.]

If innovation or creative thinking is not your thing, perhaps someone else in the business can be this champion? 

[Visual: the screen cuts to a shot of a woman sitting in front of a computer. There is another lady stood next to her pointing at the computer screen.]

If you’re the go-to person for any problems or issues, start trying to develop your team’s ability to come up with solutions by asking them what they suggest. 

[Visual: the screen cuts to a profile shot of the presenter against a blue background. A bullet point appears saying “Test vital business operation”.]

In summary, test the things that are vital for your business operation. 

[Visual: the bullet point changes to read “Identifying your core business”.]

Refer to the lessons learned in identifying your core business needs, and ensure any plans you create are tested, or at the very least ask: “But what if…?”. 

[Visual: the bullet point changes to read “Conduct a trial data restore”.]

If you have physical backup systems like power, phones, and IT, then switch to them once a month and conduct a trial restore of your computer data. 

[Visual: the bullet point changes to read “Run new scenarios annually”.]

And continue to run new scenario exercises at least annually.

[Audio / Visual: The music slowly fades out while a blue outro screen appears with the business.govt.nz logo in the centre of the screen. This logo disappears and the Ministry of Business, Innovation, and Employment logo appears on the left-hand side and the Te Kāwanatanga o Aotearoa, New Zealand Government logo appears on the right-hand side.]

[Video ends]

A continuity plan is different from emergency planning.

Emergency plans cover in-the-moment procedures in a crisis, for example, a natural disaster. BCP covers how you’ll get core parts of your business up and running again.

Emergency planning

Why you need to plan

Business owners aren’t legally required to do business continuity planning (BCP) but there are many reasons to put time and energy into it. Many small businesses struggle to reopen after a disaster. Planning greatly improves the likelihood that your business will survive — so it should be on your must-do list.

Other reasons to do BCP:

  • It’s a plus for potential buyers and investors — it shows you’ve thought about other scenarios than simply business-as-usual. It gives your staff confidence, especially if you get them involved in planning.
  • It helps you spot good opportunities for your business now, for example, outsourcing payroll.
  • It could help you negotiate lower insurance premiums — the more resilient you are, the more likely insurers will consider you a lower risk.

Don’t let your plans gather dust on the shelf.

Step-by-step guide to business continuity planning.

This guide will get you thinking about how to protect the most important aspects of your business.

As you go through each step, consider:

  • your particular risks if something goes wrong
  • how you might get back to business-as-usual as quickly and smoothly as possible
  • what the options are if you can’t get back to business as usual.

It’s important to think of different options rather than absolutes.

Questions to ask:

  • What are the biggest risks to your most profitable activity? How can you reduce these risks? 
  • What is essential to produce or carry out these key activities, for example, raw materials, a fully functioning website?
  • Can you get by without your full suite of products or services? 
  • What is your least profitable activity? Be prepared to pause or stop this until you get back on your feet.

These might be staff or business partners — or your board, if you have one.

  • If you have staff, could your business continue without some or all of them on deck? 
  • Does your business rely heavily on one person for key tasks? What happens if this person is unavailable? What are the main duties of all staff? 
  • How can you support staff and their families if they are affected?

Casual workers at short notice

Dahlia runs a café and both her servers are off with the flu. But she has a plan in a place for this situation — Student Job Search. She already has a job ad written up and on file, plus job search login details and instructions on how to post an ad.

She gets the ad up first thing in the morning. Temporary servers are in their aprons by the lunch rush.

Just like the rest of her employees, these casual workers need an employment agreement.

Dahlia uses business.govt.nz's online Employment Agreement Builder to quickly put together simple and legally safe agreements. She keeps these on file for next time she needs to call on these workers, or hire new casual employees.

Type of employment agreement: Casual employee (external link)  — Employment Agreement Builder

  • If your business relies on external suppliers or manufacturers, do you have a backup if something goes wrong? 
  • If your business uses transport to deliver products or services, what are your alternatives if something goes wrong? Can you rent vehicles? What if the port, airport, road or rail system is disrupted? Could customers come to you in the short term?
  • Who might help you get back on your feet? Do you have good relationships with your bank, landlord or advisors?
  • Could your staff use their home computers for work if business computers are unavailable? Find out who has suitable devices — the business can help pay for internet use.
  • Could staff work from an alternative site, or from home, if your premises can’t be used? You may want to ask your main suppliers, customers — even competitors — if they could spare room in their premises in an emergency.

Leasing or buying premises

Making the best of it

After the Christchurch earthquake, two panel-beating businesses could no longer work from their premises. They both had access to a temporary workspace, but it wasn’t big enough for all their workers.

Partnering up was an obvious solution — the owners had already been thinking about sharing a space due to rent rises.

They decided to offer a 24-hour service, with staff working in shifts around the clock in the temporary workspace.

This short-term solution — which drew on their contingency planning in case of rent rises — meant they could keep revenue coming in after the emergency.

  • What could go wrong with my business or at work?
  • Have I got it covered? 
  • Is business interruption insurance, which covers against losses after an emergency, a good option?

Cover your assets (external link) — Resilient Organisations

Step 7. Identify who can run the business in your absence

  • If something takes you or another important team member away from the business, who can take over important tasks? 
  • If there’s a major disruption, what is each staff member’s role in getting the business back on its feet?
  • When were contact details last updated — is it time to check for any changes?
  • What data — customer details, emails, files and spreadsheets — are critical to your business? 
  • What sensitive data — personnel files, bank details, tax documents — do you need to keep safe? 
  • Do you regularly back up data on a hard drive, server or in the cloud? It’s time to start if you don’t do this already.

Storing and backing up data

Step 10. Put it into practice

Much like emergency plans, a business continuity plan shouldn’t sit on the shelf. It needs to be tried and tested with relevant staff at least once a year. This doesn’t need to be expensive or time-consuming.

Run 20-minute stress test exercises where you give staff a scenario to plan for. Rather than fixating on the cause of the disruption, e.g. a natural disaster or power cut, focus on how to manage the consequences:

  • What will they do if an important machine isn’t working? 
  • What options do they have if the premises are closed for a week or longer?

No two crises are the same. But together, you may find similar solutions to different situations. Your plan will change as your business evolves, so make sure you debrief after each test and update the plan if necessary.

Staff need to know what to do even if you’re not available. Make sure your plan is easily accessible.

For a downloadable guide and template that walks you through important steps of BCP, see Wellington Emergency Management Office’s website Get Prepared.

Prepare your business (external link) — Get Ready

Resilient Organisations has resources to help small businesses thrive in any environment.

Guides for businesses (external link) — Resilient Organisations

Earthquake preparedness checklist [PDF, 356 KB]  — Resilient Organisations

Do talk to your bank manager about how to manage cash flow through a disaster.

How helpful did you find this information.

"Rate this" is required

You must enable JavaScript to submit this form

Related content

H&s risks at work.

If risks can’t be reasonably eliminated, the law says you must take “reasonably practicable steps” to minimise them.

10-step business plan

Quick-focus planning to make sure you work on the right things for your growing business — every day.

Business confidence

Our best tips, tools and visual guides to boost and test your knowledge and skills.

Mental health and wellbeing support

Tools, tips and resources to help you, your team and your business stay happy and healthy.

  • Community Login

March 26, 2020

Whether it’s a fire, flood, earthquake or pandemic, disasters can strike at a moment’s notice and many organizations are unprepared to respond and still function. In times of crisis, a well-thought out business continuity plan is critical to prevent interruptions to the business.

To enable your organization to respond quickly during a disaster, you need to put a current, reliable plan in the hands of all personnel who are responsible for carrying out any part of the BCP.  The lack of a plan doesn’t just mean your organization will take longer than necessary to recover from an event or incident — you could go out of business for good. Your employees need to understand what needs to be done to get the business back on track as quickly as possible.

Your BCP should be thorough and include readiness procedures to protect against possible threats and information on roles and responsibilities. Leaders need to be identified, understand their responsibilities and be equipped with relevant information to act during a crisis situation.

Google Legal  is one organization who has spent the time to develop a robust Business Continuity Plan. Here are the steps they used to prepare their plan.

Business Continuity Plan Development at Google

By Mary O’Carroll, Director of Legal Operations, Google and President of CLOC

With help from  Deloitte , Google’s Legal Department embarked on a project to create a business continuity plan for the department. To help others we would like to share the process that we used during the development of our Business Continuity Plan and the learnings we experienced. This how-to guide outlines the steps that were used to create our BCP.

Project Goal

Implement an event-neutral, impact-oriented, broad business continuity program to reduce the impacts and to support the expeditious recovery of critical legal processes in the event of a disaster.

Project Objectives: Prioritize Legal Business Processes

  • Determine Qualitative and Quantitative Impacts
  • Identify Dependencies
  • Determine Recovery Requirements and Timeframes

Project Approach:

  • Understand the Process (Create process maps)
  • Conduct Business Impact Analysis (Understand the potential impacts from disruption and the resources required to perform your processes)
  • Plan for Recovery (Develop recovery plans)

business continuity planning guide

UNDERSTAND THE PROCESS

Meet with leads across each practice group or area in your department.  Create high level process maps for each key process or workstream that takes place on that team.  

Things to consider in each process:

  • Which location(s) is your process executed from?
  • Are there other business processes / areas that you depend on to perform your process?
  • What systems/tools/applications are needed?
  • Are there specific skills / resources that are essential to perform your
  • Are there critical documents / vital records that you need access to in order to perform your process?
  • Does the process rely on a 3rd party?

CONDUCT A BUSINESS IMPACT ANALYSIS (BIA)

A BIA is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. Create your list of prioritized processes based on your BIA, focusing on critical workstreams by utilizing a questionnaire to ensure consistency across impact areas.

Outputs/Deliverables: Develop a prioritized list of processes based on impacts

Take each process or workstream in the department and rank them based on the five following impact areas across multiple time frames.  Create an objective five point scale for each of these impact areas that define the magnitude of the impact.  

  • Financial impact : Impact on the finances of the organization (potential decrease in revenue, impact on cash flow) resulting from a business disruption.
  • Legal and regulatory penalties :  Exposure of the organization to legal liabilities, penalties, and regulatory sanctions due to non-compliance with applicable regulations or adherence to legal and contractual obligation following a business interruption.
  • Client experience :  Number of or percentage of clients or customers affected, how quickly the situation will impact clients, and risk of losing clients temporarily or permanently.
  • Employee experience :  Risk to employee morale/culture which could result in high employee turnover resulting from a business disruption.
  • External brand image:  Impact to public confidence in the organization and negative publicity resulting from a business disruption.

Example:  Rate each workflow across this matrix on a scale from 1-5

business continuity planning guide

NEXT STEPS: PLAN FOR RECOVERY

As a result of the BIA effort, we prioritized recovery efforts for the Legal Department and identified resources required for each process to be operational. The recommended next steps were to:

  • Develop recovery procedures for prioritized business areas and processes
  • Design, conduct, and evaluate tests to socialize, validate and improve procedures

Determine the recovery requirements for each critical workstream based on the following five areas:

  • Building requirements : Which of the tasks can be supported by working remotely?  Are there alternate strategies to continue operations in case the primary facility is not available?
  • Process dependency requirements : What processes within the Legal Department or other departments do you need in order to restore to normal operations? Is there a workaround available to support your team until the identified dependencies are available?
  • Technology requirements:  Identify all the applications that your team requires for the identified business processes. Can the identified processes be performed without the application for a limited time – indicate the workaround where applicable?
  • Human resource requirements:  What are various roles/titles within your team that are critical for defined business processes? How many personnel are available at each assigned role? How many personnel are required to support each business process at various time-periods after a disruption? How many of the personnel within each assigned role have the remote working capability? Are resources available at an alternate location?
  • Third party requirements:  Is there a key third party vendor who supports the identified processes?

Effective recovery procedures address short-, medium-, and long-term outages and account for the following considerations:

  • Building Specific Strategies
  • Technology Specific Strategies
  • Human Resources Strategies
  • 3rd Party Strategies
  • Dependencies
  • Focus on Impacts

business continuity planning guide

KEY TAKEAWAYS AND LEARNINGS

Having a concrete business continuity plan plays an essential role in today’s environment at Google Legal. We learned that the most valuable part of the entire exercise was sitting down with team leaders and having a conversation about what is critical and how we might think about recovering those workflows. Given how much organizations move and change over time, it is a lofty expectation to develop BCPs for each workflow and to ensure they are kept up to date.  Setting aside a regular time to revisit that conversation each year and talk through the “what ifs” ensures that we’re aligned on how we would proceed.  

A clear, concise and well communicated BCP is not just a nice to have, it’s a critical necessity in today’s world.

We use cookies to improve your experience on our website. By clicking “Accept Cookies”, you consent to store on your device all the technologies described in our Privacy Policy. To find out more about the cookies we use and how to change your settings if you do not want cookies to be placed on your device, please read our Privacy Policy .

Accept Cookies

  • +1 (800) 826-0777
  • VIRTUAL TOUR
  • Mass Notification
  • Threat Intelligence
  • Employee Safety Monitoring
  • Travel Risk Management
  • Emergency Preparedness
  • Remote Workforce
  • Location and Asset Protection
  • Business Continuity
  • Why AlertMedia
  • Who We Serve
  • Customer Spotlights
  • Resource Library
  • Downloads & Guides

Minimizing Downtime With a Comprehensive Disaster Recovery Plan Checklist

Minimizing Downtime With a Comprehensive Disaster Recovery Plan Checklist

Preparing for recovery starts long before a disaster occurs. Use this checklist to help plan ahead to minimize disruptions and downtime from any business disaster.

Blog-CTA-Sidebar-Graphic-BusinessContinuity-Checklist

  • Checklist Infographic

13-Step Disaster Recovery Plan Checklist

When a disaster strikes—whether it’s a crippling ransomware event or a destructive natural disaster—a smooth recovery process is critical to getting back on your feet. But that recovery doesn’t simply unfold as soon as the storm recedes. Rapid operational recovery starts with planning long before the disaster even occurs.

Before Hurricane Michael hit Panama City in 2018, Coca-Cola Bottling Company UNITED, Inc., thought they were thoroughly prepared for the storm and recovery. “We have a really extensive hurricane preparedness plan across all of our coastal locations,” explains Gianetta Jones, Vice President & Chief People Officer. But the Category 5 storm caused severe damage to cell phone infrastructure that the Coca-Cola team was not ready for. Gianetta told us on The Employee Safety Podcast , “We had to pivot and purchased several very expensive satellite phones for our operators that were local to be able to communicate with us at the corporate office.”

Flexibility is necessary in disaster recovery, as disasters hardly follow a predictable plan. But the right preparation can make it possible to adapt and maximize your time and resources through recovery. A comprehensive disaster recovery plan is not just a “good-to-have” safety net; it serves as a roadmap for resuming operations efficiently and effectively, minimizing the impact on your business and clients. And a great way to get started on your disaster recovery planning process (or to review and reassess your standing plan) is with a disaster recovery plan checklist.

Whether you’re facing natural calamities, cyberattacks, or technological failures, this checklist will guide you through establishing robust protocols to protect your assets, data, and your operational continuity.

Download Our Business Continuity Checklist

business continuity planning guide

1. Assess the risks and impacts

Conduct a thorough risk assessment to identify potential disasters and emergencies and look for vulnerabilities. Then, perform a detailed business impact analysis to understand the potential impact of disasters on your business operations. These assessments will help you determine what disasters you must prepare for and what recovery might be necessary.

2. Coordinate with departments and identify stakeholders

Engage all internal departments to gather input and ensure comprehensive coverage. In particular, you’ll want to work with teams involved in emergency preparedness, IT, business continuity, security, and any other function that may be impacted by the event. Additionally, determine any stakeholders, internal and external, crucial to the recovery processes.

3. Review past emergencies

Analyze any previous incidents your organization has been through to learn from past emergencies and refine your current planning efforts. You can also look at organizations similar in size and industry to understand how they have experienced disasters.

4. Assemble the leadership team

The disaster recovery team members will be dedicated to managing the disaster recovery process, though not necessarily executing the entire disaster recovery plan themselves. They will serve as important leaders and decision-makers throughout the process.

5. Document systems and processes

Thoroughly record all critical business systems and processes. This might include software applications, physical items in your facility, digital systems, on-site and off-site resources, or processes vital to your operations. If it is something that a disaster might impact, it should be considered in this step.

Once you have your list, do the following for each item:

For example, when building an IT disaster recovery plan, you’ll want to document all your IT systems, identify the most critical pieces of IT infrastructure, and arrange for data backups, secondary data centers, and other data protection for any critical data that may be impacted.

6. Analyze your recovery needs

Perform a detailed recovery analysis for each type of disaster that could impact the business. Include the following steps in this analysis:

7. Set up your recovery plan templates

If you are using a disaster recovery plan template, you’ll want to make copies of the template pages to fill out. You want a tailored recovery plan for each type of disaster, so multiple versions of the template are a must.

8. Assign personnel

Identify and document all personnel who will be involved in each recovery and response plan. Write down their roles and responsibilities within the recovery efforts and contact information.

9. Establish the activation criteria

Set clear criteria for when to activate the disaster recovery plan. Clarify the turning point between disaster response procedures and disaster recovery, so you don’t hesitate in the event of a disaster.

10. Write the recovery plan

The previous disaster recovery checklist stages prepare you to document your plan. Detail the specific steps and strategies to recover from each disaster you may face.

11. List resources and related documents

Document all the resources required for the recovery plan and their locations. Include links or references to any related plans and supportive documentation. This might include your business continuity plan , risk assessments from earlier in the process, or documentation for a specific recovery strategy.

12. Develop a communication plan

Communication is critical to recovery, so ensure your plan includes a clear process for reaching your employees, stakeholders, and external resources. Design a comprehensive emergency communication plan detailing:

13. Evaluate your response

Don’t make the mistake of building out your disaster recovery plan and assuming it can stay the same year after year. Not only are the disaster scenarios you face likely to change, but your organization will also grow and change; what worked for recovery at one point won’t necessarily work weeks, months, or years later. Regularly test, evaluate, and update the disaster recovery plan to ensure it still meets your business needs over time.

Planning for Resilience Through Operational Failback

With the right plan in place, recovery doesn’t have to feel like a disaster in and of itself. Develop a comprehensive disaster recovery plan with this checklist to keep your whole team on the same page and align their efforts.

Unlike an IT system failback, to recover your business operations, you often need to build them back up one by one. Following all 13 steps, you can ensure you don’t miss a critical system in your DR plan, and you minimize the effort it takes to quickly and confidently return to normal operations.

More Articles You May Be Interested In

Guide to ISO 22301 for Business Continuity Management

Business Continuity Checklist

Please complete the form below to receive this resource.

Check Your Inbox!

The document you requested has been sent to your provided email address.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Cookie Notice

ER9

  • Understanding Business Continuity vs BDR: A Guide
  • About Invenio IT
  • Business Continuity

7 Real-Life Business Continuity Plan Examples You’ll Want to Read

Picture of Tracy Rock

  • March 14, 2022

Group-meeting

It’s no secret that we believe in the importance of disaster preparedness and business continuity  at every organization. But what does that planning actually look like when it’s put to the test in a real-world scenario?

Today, we look at 7 business continuity examples to show how organizations have worked to minimize downtime (or not) after critical events.

Business Continuity Examples: the best in class and the failures of BCP

1) ransomware disrupts ireland’s healthcare system  .

For years, healthcare organizations have been a top target for ransomware attacks. The critical nature of their operations, combined with notoriously lax IT security throughout the industry, are a magnet for ransomware groups looking for big payouts.

But despite the warnings, healthcare orgs still remain vulnerable. A prime example was the 2021 ransomware attack on Ireland’s healthcare system (HSE) – the fallout from which was still being understood nearly a year later.

According to reports, the attack had a widespread impact on operations:

  • Dozens of outpatient services were shut down
  • IT outages affected at least 5 hospitals, including Children’s Health Ireland (CHI) at Crumlin Hospital
  • Employee payment systems were knocked offline, delaying pay for 146,000 staff
  • Covid-19 test results were delayed and a Covid-19 vaccine portal went offline
  • Appointments were canceled across numerous facilities and medical departments
  • Near-full recovery and restoration of all servers and applications took more than 3 months

All told, the attack was projected to cost more than $100 million in recovery efforts alone. That figure does not include the projected costs to implement a wide range of new security protocols that were recommended in the wake of the attack.

Like several of the business continuity examples highlighted below, the Ireland attack did have some good disaster recovery methods in place. Despite the impact of the event, there were several mitigating factors that prevented the attack from being even worse, such as:

  • Once the attack was known, cybersecurity teams shut down more than 85,000 computers to stop the spread.
  • Disaster recovery teams inspected more than 2,000 IT systems, one by one, to contain the damage and ensure they were clean.
  • Cloud-based systems were not exposed to the ransomware.

However, there was some luck involved.

As HSE raced to contain the damage from the attack and secured a High Court Injunction to restrain the sharing of its hacked data, the attackers suddenly released the decryption key online. Without that decryption, HSE would not have had adequate data backup systems to recover from the attack. As the group concluded in its post-incident review :

“It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape. Therefore it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss. It is also likely to have taken considerably longer to recover systems without the decryption key.”

2) The city of Atlanta is hobbled by ransomware

There has been no shortage of other headline-making ransomware attacks over the last few years. But one that stands out (and whose impact reverberated for at least a year after the incident) was the March 2018 SamSam  ransomware attack on the City of Atlanta .

The attack devastated the city government’s computer systems:

  • Numerous city services were disrupted, including police records, courts, utilities, parking services and other programs.
  • Computer systems were shut down for 5 days, forcing many departments to complete essential paperwork by hand.
  • Even as services were slowly brought back online over the following weeks, the full recovery took months.

Attackers demanded a $52,000 ransom payment. But when all was said and done, the full impact of the attack was projected to cost more than $17 million. Nearly $3 million alone was spent on contracts for emergency IT consultants and crisis management firms.

In many ways, the Atlanta ransomware attack is a lesson in inadequate business continuity planning. The event revealed that the city’s IT was woefully unprepared for the attack. Just two months prior, an audit found 1,500 to 2,000 vulnerabilities in the city’s IT systems, which were compounded by “obsolete software and an IT culture driven by ‘ad hoc or undocumented’ processes,” according to  StateScoop .

Which vulnerabilities allowed the attack to happen? Weak passwords, most likely. That is a common entry point for SamSam attackers, who use brute-force software to guess thousands of password combinations in a matter of seconds. Frankly, it’s an unsophisticated method that could have been prevented with stronger password management protocols.

Despite the business continuity missteps, credit should still be given to the many IT professionals (internal and external) who worked to restore critical city services as quickly as possible. What’s clear is that the city did have some disaster recovery procedures in place that allowed it to restore critical services. If it hadn’t, the event likely would have been much worse.

3) Fire torches office of managed services provider (MSP)

Here’s an example of business continuity done right:

In 2013, lightning struck an office building in Mount Pleasant, South Carolina, causing a fire to break out. The offices were home to Cantey Technology, an IT company that hosts servers for more than 200 clients.

The fire torched Cantey’s network infrastructure, melting cables and burning its computer hardware. The equipment was destroyed beyond repair and the office was unusable. For a company whose core service is hosting servers for other companies, the situation looked bleak. Cantey’s entire infrastructure was destroyed.

But ultimately, Cantey’s clients never knew the difference:

  • As part of its business continuity plan, Cantey had already moved its client servers to a remote data center, where continual backups were stored.
  • Even though Cantey’s staff were forced to move to a temporary office, its clients never experienced any interruption in service.

It was an outcome that could have turned out very differently. Only five years prior, the company had kept all of its client servers on site. But founder Willis Cantey made the right determination that this setup created too many risks. All it would take is one major on-site disruption to wipe out his entire business, as well as his clients’ businesses, potentially leaving him exposed to legal liabilities as well.

Cantey thus implemented a more comprehensive business continuity plan and moved his clients’ servers off-site. And in doing so, he averted disaster.

4) Computer virus infects UK hospital network

In another post , we highlighted one of the worst business continuity examples we saw in 2016 – before ransomware had become a well-known threat in the business community.

On October 30, 2016, a nasty “computer virus” infected a network of hospitals in the UK, known as the Northern Lincolnshire and Goole NHS Foundation Trust. At the time, little was known about the virus, but its impact on operations was devastating:

  • The virus crippled its systems and halted operations at three separate hospitals for five days.
  • Patients were literally turned away at the door and sent to other hospitals, even in cases of “major trauma” or childbirth.
  • In total, more than 2,800 patient procedures and appointments were canceled because of the attack. Only critical emergency patients, such as those suffering from severe accidents, were admitted.

Remarkably, a report in Computing.co.uk speculated that there had been no business continuity plan document in place. Even if there had been, clearly there were failings. Disaster scenarios can be truly life-or-death at healthcare facilities. Every healthcare organization must have a clear business continuity plan outlined with comprehensive measures for responding to a critical IT systems failure. If there had been in this case, the hospitals likely could have remained open with little to no disruption.

The hospital system was initially tight-lipped about the attack. But in the year following the incident, it became clear that ransomware was to blame – specifically, the Globe2 variant.

Interestingly, however, hospital officials did not say the ransomware infection was due to an infected email being opened (which is what allows most infections to occur). Instead, they said a misconfigured firewall was to blame. (It’s unclear then exactly how the ransomware passed through the firewall—it may have come through inboxes after all.) Unfortunately, officials knew about the firewall misconfiguration before the attack occurred, which is what makes this incident a prime example of a business continuity failure. The organization had plans to fix the problem, but they were too late. The attack occurred “before the necessary work on weakest parts of the system had been completed.”

5) Electric company responds to unstable WAN connection

Here is another example of well-executed business continuity.

After a major electric company in Georgia  experienced failure  with one of its data lines, it took several proactive steps to ensuring its critical systems would not experience interruption in the future. The company implemented a FatPipe WARP at its main site, bonding two connections to achieve redundancy, and it also readied plans for a third data line. Additionally, the company replicated its mission-critical servers off-site, incorporating its own site-failover WARP.

According to Disasterrecovery.org:

“Each office has a WARP, which bonds lines from separate ISPs connected by a fiber loop. They effectively established data-line failover at both offices by setting up a single WARP at each location. They also accomplished a total site failover solution by implementing the site failover between the disaster recovery and main office locations.”

While the initial WAN problem was minimal, this is a good example of a company that is planning ahead to prevent a worst-case scenario. Given the critical nature of the utility company’s services (which deliver energy to 170,000 homes across five counties surrounding Atlanta), it’s imperative that there are numerous failsafes in place.

6) German telecom giant rapidly restores service after fire

Among the better business continuity examples we’ve seen, incident management solutions are increasingly playing an important role.

Take the case of a German telecom company that discovered a dangerous fire was encroaching on one of its crucial facilities. The building was a central switching center, which housed important telecom wiring and equipment that were vital to providing service to millions of customers.

The company uses an incident management system from Simba, which alerted staff to the fire, evaluated the impact of the incident, automatically activated incident management response teams and sent emergency alerts to Simba’s 1,600 Germany-based employees. The fire did indeed reach the building, ultimately knocking out the entire switching center. But with an effective incident management system in place, combined with a redundant network design, the company was able to fully restore service within six hours.

7) Internet marketing firm goes mobile in face of Hurricane Harvey

Research shows that 40-60% of small businesses never reopen their doors after a major disaster. Here’s an example of one small firm that didn’t want to become another statistic.

In August 2017, Hurricane Harvey slammed into Southeast Texas, ravaging homes and businesses across the region. Over 4 days, some areas received more than 40 inches of rain. And by the time the storm cleared, it had caused more than $125 billion in damage.

Countless small businesses were devastated by the hurricane. Gaille Media, a small Internet marketing agency, was  almost  one of them. Despite being located on the second floor of an office building, Gaille’s offices were flooded when Lake Houston overflowed. The flooding was so severe, nobody could enter the building for three months. And when Gaille’s staff were finally able to enter the space after water levels receded, any hopes for recovering the space were quickly crushed. The office was destroyed, and mold was rampant.

The company never returned to the building. However, its operations were hardly affected.

That’s because Gaille kept most of its data stored in the cloud, allowing staff to work remotely through the storm and after. Even with the office shuttered, they never lost access to their critical documents and records. In fact, when it came time to decide where to relocate, the owner ultimately decided to keep the company decentralized, allowing workers to continue working remotely (and providing a glimpse of how other businesses around the world would similarly adapt to disaster during the Covid-19 pandemic three years later).

Had the company kept all its data stored at the office, the business may never have recovered.

Examples of poor business continuity planning

Some of the real-life business continuity examples above paint a picture of what can go wrong when there are lapses in continuity planning. But what exactly do those lapses look like? What are the specific failures that can increase a company’s risk of disaster?

Here are the big ones:

  • No business continuity plan: Every business needs a BCP that outlines its unique threats, along with protocols for prevention and recovery.
  • No risk assessment: A major component of your BCP is a risk assessment that should define how your business is at risk of various disaster scenarios. We list several examples of these risks below.
  • No business impact analysis: The risk assessment is useless without an analysis of how those threats actually affect the business. Organizations must conduct an impact analysis to understand how various events will disrupt operations and at what cost.
  • No prevention: Business continuity isn’t just about keeping the business running in a disaster. It’s about risk mitigation as well. Companies must be proactive about implementing technologies and protocols that will  prevent  disruptive events from occurring in the first place.
  • No recovery plan:  Every disaster scenario needs a clear path to recovery. Without such protocols and systems, recovery will take far longer, if it happens at all.

Examples of threats to your business continuity

It’s important to remember that business-threatening disasters can take many forms. It’s not always a destructive natural disaster. In fact, it’s far more common to experience disaster from “the inside” – events that hurt your productivity or affect your IT infrastructure and are just as disruptive to your operations.

Example threats include:

  • Cyberattacks
  • Malware and viruses
  • Network & internet disruptions
  • Hardware/software failure
  • Natural disasters
  • Severe weather
  • Flooding (including pipe bursts)
  • Terrorist attacks
  • Office vandalism/destruction
  • Workforce stoppages (transportation blockages, strikes, etc.)

The list goes on and on. Any single one of these threats can disrupt your business, which is why it’s so important to take continuity planning seriously.

Business continuity technology

Within IT, data loss is often the primary focus of business continuity and disaster recovery (BC/DR). And for good reason …

Data is the lifeblood of most business operations today, encompassing all the emails, files, software and operating systems that companies depend on every day. A major loss of data, whether caused by ransomware, human error or some other event, can be disastrous for businesses of any size.

Backing up that data is thus a vital component of business continuity planning.

Today’s  best data backup systems  are smarter and more resilient than they were even just a decade ago. Solutions from Datto, for example, are built with numerous features to ensure continuity, including hybrid cloud technology (backups stored both on-site and in the cloud), instant virtualization, ransomware detection and automatic backup verification, just to name a few.

Like other BC initiatives, a data backup solution itself won’t prevent data-loss events from occurring. But it does ensure that businesses can rapidly recover data if/when disaster strikes, so that operations are minimally impacted – and that’s the whole point of business continuity.

Learn more: request a free demo

For more information on data backup solutions from Datto,  request a free demo  – or contact our business continuity experts at Invenio IT by calling (646) 395-1170 or by emailing  [email protected] .

Get The Ultimate Business Continuity Resource for IT Leaders

Join 23,000+ readers in the Data Protection Forum

Related articles.

datto-competitors

BCDR Faceoff: How Do Datto Competitors Stack Up? What are the Alternatives?

bundle-of-books-laptop

Do you know what makes Datto Encryption So Secure?

Get-Datto-SIRIS

The Truth about All Datto SIRIS Models for BCDR

locations-pins

Where’s My Data? 411 on Datto Locations around the Globe

Protection

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

Cybersecurity.

© 2023 InvenioIT. All rights reserved.

linkedin

business continuity planning guide

  • Computers & Technology
  • Networking & Cloud Computing

Amazon prime logo

Enjoy fast, free delivery, exclusive deals, and award-winning movies & TV shows with Prime Try Prime and start saving today with fast, free delivery

Amazon Prime includes:

Fast, FREE Delivery is available to Prime members. To join, select "Try Amazon Prime and start saving today with Fast, FREE Delivery" below the Add to Cart button.

  • Cardmembers earn 5% Back at Amazon.com with a Prime Credit Card.
  • Unlimited Free Two-Day Delivery
  • Streaming of thousands of movies and TV shows with limited ads on Prime Video.
  • A Kindle book to borrow for free each month - with no due dates
  • Listen to over 2 million songs and hundreds of playlists
  • Unlimited photo storage with anywhere access

Important:  Your credit card will NOT be charged when you start your free trial or if you cancel during the trial period. If you're happy with Amazon Prime, do nothing. At the end of the free trial, your membership will automatically upgrade to a monthly membership.

Buy new: .savingPriceOverride { color:#CC0C39!important; font-weight: 300!important; } .reinventMobileHeaderPrice { font-weight: 400; } #apex_offerDisplay_mobile_feature_div .reinventPriceSavingsPercentageMargin, #apex_offerDisplay_mobile_feature_div .reinventPricePriceToPayMargin { margin-right: 4px; } -33% $49.99 $ 49 . 99 FREE delivery Friday, May 17 Ships from: Amazon.com Sold by: Amazon.com

Return this item for free.

Free returns are available for the shipping address you chose. You can return the item for any reason in new and unused condition: no shipping charges

  • Go to your orders and start the return
  • Select the return method

Save with Used - Very Good .savingPriceOverride { color:#CC0C39!important; font-weight: 300!important; } .reinventMobileHeaderPrice { font-weight: 400; } #apex_offerDisplay_mobile_feature_div .reinventPriceSavingsPercentageMargin, #apex_offerDisplay_mobile_feature_div .reinventPricePriceToPayMargin { margin-right: 4px; } $31.11 $ 31 . 11 FREE delivery Friday, May 17 on orders shipped by Amazon over $35 Ships from: Amazon Sold by: NatoorBooks1

Kindle app logo image

Download the free Kindle app and start reading Kindle books instantly on your smartphone, tablet, or computer - no Kindle device required .

Read instantly on your browser with Kindle for Web.

Using your mobile phone camera - scan the code below and download the Kindle app.

QR code to download the Kindle App

Image Unavailable

Business Continuity Planning: A Step-By-Step Guide with Planning Forms, 3rd Edition

  • To view this video download Flash Player

business continuity planning guide

Business Continuity Planning: A Step-By-Step Guide with Planning Forms, 3rd Edition Paperback – October 30, 2007

Purchase options and add-ons.

"Kenneth Fulmer, CBCP, has produced an important and useful guide for the business continuity planning novice… and upholds many of the principles you will find promoted and supported by the Business Continuity Institute and encouraged as part of Business Continuity Management good practices… In more than thirty years as a business continuity practitioner, I have seen many small and medium-size businesses pay the penalty for lack of preparedness. Often, overwhelmed by the jargon employed by many practitioners and the mistaken concepts that business continuity is too costly, that it is only for the "big boys," and that they do not have the resources or knowledge base, they choose to take the risk instead. For many, it is an unfortunate choice because much can be done with reasonable commitment to avoid business disruptions or mitigate the impact for those that are unavoidable… In this excellent primer, Mr. Fulmer sets out a simple, concise, and, most of all, logical roadmap both for developing the justification for a business continuity/disaster recovery program as well as for developing and maintaining the resultant plan.

Larry Kalmis, FBCI, Project Executive, Virtual Corporation and Chairman, Business Continuity Institute

  • Print length 200 pages
  • Language English
  • Publication date October 30, 2007
  • Dimensions 8.5 x 0.46 x 11 inches
  • ISBN-10 1931332215
  • ISBN-13 978-1931332217
  • See all details

The Amazon Book Review

Frequently bought together

Business Continuity Planning: A Step-By-Step Guide with Planning Forms, 3rd Edition

Customers who viewed this item also viewed

Business Continuity For Dummies

Editorial Reviews

From the publisher.

My advice to the reader is to do the best you can, as soon as you can, to address the business continuity requirements of your organization - your business' survival may depend on it!

From the Inside Flap

Melvin Musson, Fellow, Business Continuity Institute (FBCI) Business Continuity Planning Manager, Internal Audit Edward Jones, St. Louis, Missouri

From the Back Cover

a[ CD-ROM contains checklists, tables, and worksheets and is a useful and practical toolkit to supplement the text and help establish needed documentation.

About the Author

Product details.

  • Publisher ‏ : ‎ Rothstein Associates, Incorporated; 3rd Enlarged ed. edition (October 30, 2007)
  • Language ‏ : ‎ English
  • Paperback ‏ : ‎ 200 pages
  • ISBN-10 ‏ : ‎ 1931332215
  • ISBN-13 ‏ : ‎ 978-1931332217
  • Item Weight ‏ : ‎ 15.9 ounces
  • Dimensions ‏ : ‎ 8.5 x 0.46 x 11 inches
  • #356 in Risk Management (Books)
  • #4,115 in Systems & Planning
  • #14,396 in Business Management (Books)

Customer reviews

Customer Reviews, including Product Star Ratings help customers to learn more about the product and decide whether it is the right product for them.

To calculate the overall star rating and percentage breakdown by star, we don’t use a simple average. Instead, our system considers things like how recent a review is and if the reviewer bought the item on Amazon. It also analyzed reviews to verify trustworthiness.

  • Sort reviews by Top reviews Most recent Top reviews

Top reviews from the United States

There was a problem filtering reviews right now. please try again later..

business continuity planning guide

Top reviews from other countries

business continuity planning guide

  • Amazon Newsletter
  • About Amazon
  • Accessibility
  • Sustainability
  • Press Center
  • Investor Relations
  • Amazon Devices
  • Amazon Science
  • Sell on Amazon
  • Sell apps on Amazon
  • Supply to Amazon
  • Protect & Build Your Brand
  • Become an Affiliate
  • Become a Delivery Driver
  • Start a Package Delivery Business
  • Advertise Your Products
  • Self-Publish with Us
  • Become an Amazon Hub Partner
  • › See More Ways to Make Money
  • Amazon Visa
  • Amazon Store Card
  • Amazon Secured Card
  • Amazon Business Card
  • Shop with Points
  • Credit Card Marketplace
  • Reload Your Balance
  • Amazon Currency Converter
  • Your Account
  • Your Orders
  • Shipping Rates & Policies
  • Amazon Prime
  • Returns & Replacements
  • Manage Your Content and Devices
  • Recalls and Product Safety Alerts
  • Conditions of Use
  • Privacy Notice
  • Consumer Health Data Privacy Disclosure
  • Your Ads Privacy Choices
  • Skip to main content
  • Skip to "About this site"

Language selection

  • Search and menus

A guide to business continuity planning. : D82-37/2013E-PDF

"This publication provides a summary and general guidelines for business continuity planning (BCP). While governments, not-for-profit institutions, and non-governmental organizations also deliver critical services, private organizations must continuously deliver products and services to satisfy shareholders and to survive. Although they differ in goals and functions, BCP can be applied by all organizations."

Permanent link to this Catalogue record: publications.gc.ca/pub?id=9.909160&sl=0

  • MARC XML format
  • MARC HTML format

Request alternate formats

IMAGES

  1. Business Continuity Planning: A Step-by-Step Guide with Downloadable

    business continuity planning guide

  2. Ultimate 10 Step Business Continuity Plan Checklist

    business continuity planning guide

  3. How to create an effective business continuity plan?

    business continuity planning guide

  4. What Is A Business Continuity Plan?

    business continuity planning guide

  5. PPT: Business Continuity Planning

    business continuity planning guide

  6. Business Continuity Planning in 4 Steps [Infographic]

    business continuity planning guide

VIDEO

  1. Business Continuity Planning

  2. Business Continuity Planning

  3. BUSINESS CONTINUITY AND DATA RECOVERY PART 1

  4. BUSINESS CONTINUITY AND DATA RECOVERY PART 3

  5. Business continuity planning

  6. Business Continuity Planning BCP

COMMENTS

  1. Business Continuity Planning

    Business Continuity Training Part 3: Planning Process Step 2. The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should "define" their business continuity plan objectives. View on YouTube.

  2. ISO 22301 Business Continuity Management Made Easy

    The Business Manager's Quick-Start Guide to ISO 22301; ISO 22301 Requirements. Key Definitions Related to ISO 22301; ... The ISO 22301 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification, or the review process that confirms your business continuity system meets all ...

  3. What Is A Business Continuity Plan? [+ Template & Examples]

    A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders.

  4. All about Business Continuity Planning

    A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan. The basic steps for writing a business continuity plan are as follows: Create a governance team.

  5. Business Continuity Plan: Example & How to Write

    A business continuity plan is a practical guide developed by companies to enable continuous operations in the event of major business disruptions like natural disasters and global lockdowns. Business continuity planning usually involves analyzing the impact of disrupted business processes and determining recovery strategies with management ...

  6. How to craft an effective business continuity plan

    Create the procedures. Get the word out. Iterate and improve. 1. Analyze your company. In this phase you conduct an analysis to identify critical activities, determine which activities must continue, which can be temporarily paused, and which can operate at a reduced capacity.

  7. PDF Yale University Business Continuity Planning Quick Start Guide

    Business Continuity Planning - Quick Start Guide (Rev; Sept. 2019) Page 5 Helpful Definitions: Business Continuity (BC) is the framework for ensuring continued operations with little or no interruption regardless of the circumstances or events.

  8. The Ultimate Guide to Business Continuity

    Bryghtpath's 5-Day Business Continuity Accelerator: Our 5-Day Business Continuity Accelerator is an interactive online workshop designed to take you through a hard look at your existing business continuity program - and lay out a plan to rapidly mature your program in just days.We run this course quarterly - learn more, get on the ...

  9. PDF The Definitive Guide to Business Continuity Planning

    Welcome to the Definitive Guide to Business Continuity Planning—the indispensable resource for developing your business continuity plan. This handbook can be used to guide you in developing a BC plan from start to finish, or as a tool to test and improve your existing plan, or for anything in between.

  10. Business Continuity Planning: A Step-by-Step Guide With Planning Forms

    This easy workbook format shows managers new to Business Continuity Planning how to quickly develop a basic plan and keep it updated. If you've been tasked with developing a basic business continuity plan and aren't sure where to start, this workbook with sample forms, checklists, templates, and plans will walk you step-by-step through the process.

  11. Business Continuity: The Only Guide You Will Need

    Business Continuity Plan (BCP): business continuity initiatives, strategy, policies, standards, and planning activities produce this plan. It is all encompassing and includes the other plans below, or at least references to them. Disaster Recovery Plan (DRP): this plan will focus on business continuity from an IT / technology infrastructure standpoint.

  12. The Ultimate Guide to Continuity Planning for Your Small Business

    Business continuity planning means creating a strategy to help your business continue (or quickly resume) normal operations after a disruptive event. It involves identifying potential threats and developing measures to mitigate them, such as: Implementing backup systems. Creating contingency plans.

  13. PDF FEMA National Continuity Programs

    This Guide to Continuity Program Management expands on continuity program management guidance found in the Continuity Guidance. Circular (CGC) and Federal Continuity Directives (FCD) 1 and 21. It provides guidance and templates to assist continuity program managers Figure 1: CGC and planners to develop a Multi-Year Strategic Plan (MYSP ...

  14. 5 Step Guide to Business Continuity Planning (BCP) in 2021

    Step 4: Maintenance. A business continuity plan should not be treated as a one-time exercise. It needs to be maintained, so the organization's structural and people changes are updated regularly. The key personnel might move on from the firm, and this would need to be updated in the Business Impact Analysis and BCP.

  15. PDF Business Continuity Plan Guide

    Business Continuity Plan Guide When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes ...

  16. PDF Architect's Guide to Business Continuity

    Architect's Guide to Business Continuity Guidance for reducing firm disruption Business Continuity Planning is preparation—of people, premises, technology, information, supply chains, stakeholders, and reputation—for adverse events so the firm can continue to provide services, generate revenue, and reduce the negative

  17. PDF How prepared are you?

    Business Continuity Management (BCM) is about identifying those parts of your organisation that you can't afford to lose - such as information, stock, premises, staff - and planning how to maintain these, if an incident occurs. Any incident, large or small, whether it is natural, accidental or deliberate, can cause major disruption to your

  18. 7 top business continuity certifications to consider in 2024

    3. ISO 22301 Certified Business Continuity Manager (CBCM) Certification details: The ISO 22301 Certified Business Continuity Manager (CBCM) is a designation offered by Certified Information Security (CIS) organization. The CBCM is based on the ISO 22301:2019 standard, which defines a framework for planning and operating a business continuity management system.

  19. Continuity and contingency planning

    Continuity and contingency planning is about being prepared for all types of disruptions, for example, an earthquake, broken equipment or losing a supplier — and quickly getting back on your feet. Use this step-by-step guide to get your plan sorted. It's vital to your business's survival. Business Continuity Planning = Plan B.

  20. A Guide to Business Continuity Planning for Small Businesses ...

    Whether faced with an unexpected economic downturn or a physical disaster, adaptability is the key to swiftly pivot and continue moving forward. B - Backbone: BCP is the essential foundation of ...

  21. Business Continuity Planning (BCP) How-To Guide

    This how-to guide outlines the steps that were used to create our BCP. Project Goal. Implement an event-neutral, impact-oriented, broad business continuity program to reduce the impacts and to support the expeditious recovery of critical legal processes in the event of a disaster. ... Having a concrete business continuity plan plays an ...

  22. Disaster Recovery Plan Checklist & Free Template

    13-Step Disaster Recovery Plan Checklist. 1. Assess the risks and impacts. Conduct a thorough risk assessment to identify potential disasters and emergencies and look for vulnerabilities. Then, perform a detailed business impact analysis to understand the potential impact of disasters on your business operations.

  23. 7 Real-Life Business Continuity Plan Examples to Learn From

    6) German telecom giant rapidly restores service after fire. Among the better business continuity examples we've seen, incident management solutions are increasingly playing an important role. Take the case of a German telecom company that discovered a dangerous fire was encroaching on one of its crucial facilities.

  24. disaster recovery plan (DRP)

    A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume operations after an unplanned incident. A DRP is an essential part of a business continuity plan ( BCP ). It's applied to the aspects of an organization that depend on a functioning IT infrastructure.

  25. Business Continuity Planning: A Step-By-Step Guide with Planning Forms

    The Planning Forms on CD-ROM are numerous and detailed. These forms can be of great assistance to the reader who is trying to develop a plan. Business Continuity Planning is designed for use by entry-level professionals as well as by interested non-professionals. The book is very easily to read and is logically organized.

  26. A guide to business continuity planning. : D82-37/2013E-PDF

    A guide to business continuity planning. Publication type : Monograph : Language [English] Other language editions : Format : Electronic : Electronic document : View D82-37-2013-eng.pdf (PDF, 107 KB). Note(s) Issued also in French under title: Guide de planification de la continuité des activités. "Date modified: 2013-11-14." Publishing ...