business continuity plan test

Business continuity plan maintenance: How to review, test and update your BCP

A professional updating their business continuity plan on a tablet.

We've written before about how all organizations need to have a robust business continuity plan . A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.

Putting in place a plan is the first stage in this process, but far from the only on Business continuity plan review checklist. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.

Is Business Continuity Plan Maintenance Important?

Those who were best-prepared have shown themselves to be most resilient when it comes to facing the challenges of Covid-19 . The pandemic has provided an all-too-live example of the need for a plan B. If ever there was a time to be confident in your business continuity strategy, it's now. However, it's a mistake to think that creating a BCP is a one-time exercise; that once you've put your plan in place, you can sit back and breathe a sigh of relief. There's no room for complacency in business continuity ' the threats you face are ever-changing, and the potential remedial actions need to evolve in tandem. Your business continuity plan might follow best practice guidelines. You might be certified to ISO23301 standards and have put in place the ideal team to manage your disaster planning and BCP strategy. But none of this compensates for a BCP that has grown stale, failing to move with the times when it comes to identifying the latest threats and using the newest approaches to tackle them. That's why reviewing, testing and updating your BCP is as vital as the process of creating a plan in the first place.

Questions You Should Ask When Scheduling BCP Reviews and Drills

Your BCP plan needs to be a living document . Creating a BCP isn't a one-off; once you have put your plan in place, you should ask yourself the following questions:

How often should a business continuity plan be reviewed?
How often should a business continuity plan be tested?
How often should a business continuity plan be updated?

Here we look at each of these questions and identify the best strategies for testing, updating and reviewing your plan.

The Importance of the Business Continuity Plan Review

Why is it important for the business continuity plan reports to be submitted and reviewed regularly? There are several reasons:

The nature and severity of the threats you face may change
Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning or new operating geographies . You may have taken your company public , which brings with it a range of new regulatory obligations
Your personnel may have changed, so the people responsible for continuity planning may re no longer be current

Your business continuity plan should be reviewed when any of these situations apply. How often you should review your plan is another question organizations often ask; cio.com recommends that you '''Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.''' Feedback from employees is essential in the review. Intentionally seek input from those involved in creating the plan and those involved in its execution. What can they tell you about changes to staff, operations or other factors that impact the plan? This is particularly important if you have numerous locations or remote operations where changes might not be immediately apparent to people sitting in a headquarters building. Ensuring your plan is based on comprehensive, accurate information about all your entities and subsidiaries ' a '''single source of truth' for your entire organization ' is vital. Putting in place a checklist is often a good strategy for any business review, and your BCP is no exception. Consider creating a business continuity plan review checklist to ensure you capture all the elements you need to consider. And of course, if you've been unfortunate enough to face a business continuity issue that forced the enactment of your plan, you can use the real-life experience you gained to finesse it. What worked well; what should be changed?

Business Continuity Plan Testing Considerations and Best Practices

Testing is an equally essential stage in ongoing BCP management. What should testing your business continuity plan look like? And during what stage of the business continuity lifecycle do we need to test the business continuity plan? Of course, the real test is an incident itself. But doing business continuity drills will give you the reassurance that your plan is robust enough to face a real incident ' and enables you to determine this in a less pressured way than waiting for a real crisis.

Business Continuity Plan Testing Types

When it comes to types of business continuity plan testing, there are three main routes: a table-top exercise, a structured walk-through or full disaster simulation testing.

First: Table-top or role-playing exercises allow everyone involved in the plan to go through it and identify any missing steps, inconsistencies or errors. Second: A walk-through is a more in-depth test of your approach, with everyone involved examining their own responsibilities to spot any weak points. Third: A full simulation of a possible disaster goes a step further, creating a scenario that mirrors an actual disaster to determine whether your plan enables you to maintain operations. It should include your internal team, alongside any vendors or relevant external partners like security or maintenance companies. However you test your plan, it should be rigorous - CIO suggests that '''you try to break it' to ensure that it's fit for purpose. And whatever route ' or combination of approaches ' you choose, you should carry out business continuity plan testing at least once a year.

How To Keep Your Business Continuity Plan Current

Of course, however comprehensive your reviews and testing, they're of no benefit if you don't act on the findings. Updating your BCP is the final stage in the business continuity plan maintenance lifecycle, taking on board the results of your walk-through or simulation and finessing your plan to adopt any improvements noted during your reviews and tests. How often should a business continuity plan be updated? Every time you identify any shortcomings ' whether this is due to your testing/reviewing regime or whenever any errors or omissions come to light. What elements should you consider in an update? While all aspects of your plan are worth checking to ensure they remain current, some areas deserve singling out for special attention:

Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
Your business entities and subsidiaries data : This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
Your technologies and systems: Including entity data management software , CRM systems and other IT systems central to supporting your operations.

Maintain Confidence in Your BCP

It's clear, then, that putting in place a BCP is only the first step. Reviewing, testing and updating your plan are all equally important stages. In other words, business continuity plan maintenance is crucial. Underpinning all of this is the need for reliable data on your organizational structure, people, systems and dependencies. Diligent's software suite can help you create the single source of truth you need to manage all your business entities effectively. Find out more by getting in touch with us for a no-obligation demo.

Solutions Solutions

Board Management
Enterprise Risk Management
Audit Management
Market Intelligence

Resources Resources

Research & Reports

Company Company

Your data matters.

How to test a Business Continuity Plan

In times of crisis or disruption, a well-designed and thoroughly tested business continuity plan is essential for organizations to maintain operations and minimize the impact on their business. Testing a business continuity plan helps identify any gaps or weaknesses, allowing for necessary adjustments and improvements to be made. In this guide, we will discuss the importance of testing a business continuity plan and provide a step-by-step approach to conducting tests. Additionally, we will highlight how Fixinc, a leading consultancy in the field, can support organizations in establishing and testing their business continuity plans.

Why Test a Business Continuity Plan?

Testing a business continuity plan is crucial to ensure its effectiveness. Just having a plan in place does not guarantee that it will work as expected during an actual emergency. By testing the plan, organizations can:

Identify Weaknesses: Testing helps identify any weaknesses or gaps in the plan, allowing organizations to make necessary improvements. This ensures that all aspects of the plan, including communication, infrastructure, and processes, are well-suited to handle potential disruptions.
Validate Assumptions: Business continuity plans are often built on assumptions about how the organization and its systems will respond to a crisis. Testing provides an opportunity to validate these assumptions and adjust the plan accordingly.
Train Personnel: Testing the plan enables organizations to train their employees on their roles and responsibilities during an emergency. This helps ensure that everyone knows what to do and can respond effectively.
Build Confidence: Regular testing instills confidence in employees, stakeholders, and customers, as they know that the organization is well-prepared to handle potential disruptions. This can help maintain trust and minimize any negative impact on the business.

How to Test a Business Continuity Plan

Define Test Objectives: Begin by clearly defining the objectives of the test. What do you want to achieve? Are you testing specific processes, technologies, or systems? Establishing clear objectives will help guide the testing process.
Select Test Methods: There are various methods to test a business continuity plan, such as tabletop exercises, simulations, or full-scale drills. Choose a method that aligns with your objectives and resources.
Develop Test Scenarios: Create realistic scenarios that simulate potential emergencies or disruptions. Consider various types of incidents, such as natural disasters, cyber-attacks, or supply chain disruptions. These scenarios should challenge the plan and test its effectiveness.
Engage Stakeholders: Ensure that all relevant stakeholders, including key personnel, department heads, and external partners, are involved in the testing process. Effective coordination and communication are essential for successful testing.

How Fixinc Can Support Your Organization

Fixinc, a trusted consultancy specializing in business continuity planning, offers comprehensive support to organizations looking to establish or improve their business continuity plans. Their team of experienced consultants can assist with:

Plan Development: Fixinc can help develop a tailored business continuity plan that aligns with your organization's specific needs and industry best practices. By leveraging their expertise, you can ensure that your plan is comprehensive and effective.
Testing and Assessment: Fixinc can guide your organization through the testing process, facilitating tabletop exercises, simulations, or full-scale drills. Their consultants provide valuable insights and feedback, helping you identify areas for improvement.
Plan Updates: As threats evolve and organizational needs change, business continuity plans require regular updates. Fixinc can support you in reviewing and updating your plan to ensure it remains relevant and robust.
Training and Awareness: Fixinc offers training sessions and workshops to educate employees and stakeholders on business continuity best practices. Their experts can help your organization build a culture of preparedness and ensure everyone understands their roles during a crisis.

Testing a business continuity plan is critical to ensure its effectiveness and the organization's ability to withstand potential disruptions. By following a structured approach and engaging the expertise of consultants like Fixinc, organizations can confidently face unforeseen challenges, minimize downtime, and safeguard their long-term success. Remember, a well-constructed plan combined with regular testing is the key to an effective business continuity strategy.

Disclaimer: The information provided in this article is for general informational purposes only and does not constitute professional advice. Organizations should consult with their own business continuity experts and legal counsel for specific guidance tailored to their unique circumstances.

Leading senior advisors guiding you to success.

Fixinc advisory board your on-call resilience solution for incident response. we are only human. the high intensity response to an event can challenge the best of us; understandably mistakes happen. with the fixinc advisory board, we aim to reduce those mistakes, provide the highest level of support and advice, and help you and your people make confident decisions. our mission is to modernise corporate resilience and provide the next level of tactical, operational, and strategic response. alignment we understand 80% of your industry problems., best practice is just the start., ai is coming, 'normal' is shifting, we don't do 'one-off'., understanding the fixinc ecoystem..

Our mission is to become the world's most valuable and trusted resilience ecosystem. We are doing this by creating a community of the very best consultants via our Advisory Board, and we are building the world's first and largest resilience Directory providing us access to an up to date list of the very highest performing professionals.

Testing, testing: how to test your business continuity plan

Disruptions are by their nature unexpected. but your organisation’s response to hitting pause on normal business operations doesn’t have to be equally as unexpected..

A comprehensive business continuity plan maps out every stage of your business’ response to relevant risks that could affect business-as-usual. This could be a powercut, a cyber-attack or a supply failure. Whatever the disruption, the right continuity plan can ensure that your business minimises downtime and recovers as quickly as possible, reducing the risk of lost revenue or reputation.

However, even the most detailed plan can become ineffective if it is not regularly tested. Businesses rarely stand still, and this means your plan may have to adapt to new circumstances. Lack of knowledge, communication and practice can also compromise your business’ response, which could extend your recovery.

So, how should you test your business continuity plan, and how often should it be put in practice?

How often should a business continuity plan be tested?

There is no hard and fast rule that governs how often your business should test its plan.

It really depends on the complexity of your business and the number, scale and likelihood of the risks it faces. These should be identified as part of a Business Impact Assessment (BIA), which will inform your business’ response.

If your business has high risks for revenue loss, a damaged reputation or the possibility of lengthy downtime, then testing should be carried out more regularly and more areas of the plan should be tested.

The regularity of the testing is also dependent on the type of test being performed.

How can a business continuity plan be tested?

There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios or simulations.

Checklist or walkthrough exercises

A checklist or walkthrough exercise is one of the easiest forms of test. It consists of a desktop exercise in which senior managers determine if the plan remains current by checking off or ‘walking through’ each step.

When going through the plan they should also ask key questions, such as does the business have the right supplies to cope? Are copies of the plan known by key personnel? Do key personnel know what their roles are?

To make this test as valuable as possible, an emphasis must be placed on any weak areas. The mission is not to find fault or assign blame, but to promote improvement, which will make your plan more effective if the worst should happen.

Desktop scenarios

A desktop scenario test is a little more specific than the checklist. Using a scenario relevant to the business, this test can help you to establish all the processes of your business’ response to a specific disruption. For example, you can check the processes of your plan in the event of sudden data loss.

Simulations

Simulations are full re-enactments of business continuity procedures and could involve most, if not all, of your workforce. They also tend to take place on site in the relevant business areas.

In this test, each employee involved will need to physically demonstrate the steps needed in order to react to the disruption and recover from it. This could involve driving to a back-up location, making phone calls, completing communication templates or visiting server rooms. These kinds of tests are good for establishing staff safety, asset management, leadership response, relocation protocols and any loss recovery procedures.

Due to the large scale of a full simulation, these kinds of tests may be limited to annual occurrences. They may also need to be moved to quieter business days or even non-operational days so that disruption to normal work is minimised.

Organising a test

Before beginning a test, you will need to set out a clear objective as well as define exactly what is being tested. For example, you may want to check your continuity plans in the event of a power outage.

For a desktop exercise, you need to ensure that key personnel or top management are available to participate. A venue also needs to be arranged, but this doesn’t necessarily have to be in a key location unless you are planning a simulation.

Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan.

Assign some people within the team to record the test’s performance and any shortcomings that are identified. After the test, feedback should also be sought. These findings then need to be formally recorded and used to update the business continuity plan. Once finalised, the revised plan should be shared among the workforce.

Remember that testing a business continuity plan is not about passing or failing – it is about improving processes to give your business the best possible chance of dealing with disruption. Regular testing asserts the effectiveness of your processes, trains your staff in what to do for faster, more confident responses and highlights areas that need strengthening.

Solution for disruption

Business continuity plans give your business a blueprint for disruption survival, but only if they are fit for purpose.

An internationally recognised mark of best practice, ISO 22301 will enable you to implement, maintain and improve a business continuity management system, which will support your business before, during and after disruption.

To find out more, visit our dedicated webpage for ISO 22301 .

You can also get in touch on 0333 259 0445 or by emailing [email protected] .

Sign up to get the latest in your inbox

Email address

About the author

Claire Price

Content Marketing Executive

Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.

Picutre taken of the authore of the article, Claire Price

Looking for some guidance? Join us for one of our upcoming seminars!

QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only

Please Wait...

Business Continuity Simplified

By Andy Marker | December 17, 2018 (updated October 24, 2021)

Share on Facebook
Share on LinkedIn

Link copied

Unexpected work interruptions can cripple a business and cause millions of dollars in expenses and lost business. Learn about the importance of business continuity planning and management from experts.

In this article, you’ll learn the definition of a business continuity plan and the primary goal of business continuity planning . Additionally, you’ll learn the steps involved in business continuity planning and about the business continuity lifecycle .

What Is Business Continuity Management?

In business continuity management (BCM) , a company identifies potential threats to its activities and the threat impact. The company then develops plans to respond to those threats and continue activities through any crisis.

What Is a Business Continuity Plan?

A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.

To learn more about writing a plan, see our how-to guide to writing a business continuity plan .

What Is Business Continuity Planning?

Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.

Business continuity planning ensures that the company deals with disruptions quickly, and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA) .

What Is the Primary Goal of Business Continuity Planning?

The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.

A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:

Recognize potential threats to a company.
Assess potential impacts on the company’s daily activities.
Provide a way to reduce these potential problems, and establish a structure that allows key company functions to continue throughout and after the event.
Identify the resources the organization needs to continue operating, such as staffing, equipment, and alternative locations.

Business Continuity Planning Steps

A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan.

The basic steps for writing a business continuity plan are as follows:

Create a governance team.
Complete your business impact analysis (BIA) and risk assessment documents.
Document your plan. Remember to include detailed guidelines and procedures that cover key processes and facilities.
Test and update the plan regularly.

The Business Continuity Management Lifecycle

Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both in regular business times and crises, as you take the right steps to keep activities always running.

The BCM lifecycle includes the following points:

Mitigate Risk: Proactively identify business continuity risks to your company, and plan how your company will respond.
Prepare: Train staff on your business continuity plan and ensure they understand what they need to do to help the business respond.
Respond: Ensure that your company and all employees respond appropriately to a crisis. Be prepared to adapt in the moment.
Resolve: Ensure that the company plans how to communicate effectively with staff and that it does so appropriately during the crisis.
Recover: Inform employees, customers, and other important people about the status of the crisis and your company’s response.
Resume: Communicate with employees and others after the crisis ends.

What Are Business Continuity Risks or Events?

Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.

Such events might include the following:

Severe weather
Natural disasters (tornadoes, floods, blizzards, earthquakes, fire, etc.)
A physical security threat
A recall of a company’s product
Supply chain problems
Threats to staffing and employee safety
Accidents at an organization’s facilities
Destruction to a company’s facilities or property
Power disruptions
Server crashes
Failures in public and private services (communications, transportation, safety, etc.)
Environmental disasters, including hazardous materials spills
Network disruptions
Human error/human-made hazards
Stock market crashes
Cyber attacks and hacker activity

Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.

What Is a Business Continuity Strategy?

A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.

Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.

An Overview of Business Continuity Management and Planning

There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:

Build Company Resiliency: Doing so means that your company’s tools, buildings, and operations are resistant to — and not greatly affected by — most disruptions.
Create a Plan for Recovery (with Contingencies that Aid in That Recovery): If a major event does cause problems, you should have a plan for how to recover quickly. That plan will include contingencies. For example, you should plan for how key operations will resume if there is a widespread power outage.

Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:

Disaster Recovery: Disaster recovery involves recovering technology after a disruptive event. You can learn more about disaster recovery and download free templates in our comprehensive article .
Emergency Management: Emergency management focuses on avoiding and mitigating catastrophic risks to staff and communities.
Business Recovery: Considered part of business continuity, business recovery centers on short-term activities after a disruptive incident. The short-term is sometimes defined as less than 60 days.
Business Resumption: This describes the longterm phase of recovery (60 or more days after an even), wherein the company returns to near-normal conditions.
Crisis Management: Crisis management focuses on communicating with stakeholders during and after a crisis, and controlling damage during the event. To learn more, read our comprehensive guide to crisis management .
Incident Management: Incident management is an ITIL (previously known as Information Technology Infrastructure Library) framework for reducing or eliminating downtime after an incident.
Contingency Planning: This covers outlier risks that are unlikely to occur but which could have disastrous results.

“A well managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity , a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”

Key Elements of Business Continuity Management

All business continuity management programs should include a number of key elements, which serve to ensure that your plan is positioned for success and that you regularly update and improve it.

These important elements include the following:

Governance: This is the structure and team your business sets up to create and monitor the program.
Business Alignment: This section details how your company’s current business continuity management and planning processes compare to expert approaches and industry standards.
Continuity Strategy and Recovery Strategies: Include a detailed plan that assesses risks to your organization and how you can recover, should those risks become reality.
Plan Documentation: Provide details on the plan that everyone in your company can access. To get started, see our roundup of free business continuity plan templates .
Tactical Implementation: This section includes details on the specific ways your company plans to recover from certain types of incidents.
Training: In this section, detail how you will train your staff to understand the business continuity plan and their role in it.
Testing: Include real-world simulations of a crisis event, and test how your company and its employees respond and the effectiveness of your business continuity plans.
Maintenance: Make changes to the plan where necessary to increase its effectiveness.
Monitoring: This section details how you will continue to compare industry standards and expert advice to how your plan is working.

To learn about formal requirements for business continuity planning and management, see our comprehensive article on the ISO 22301 standard .

The Costs of Business Continuity Management

The costs to do an appropriate job of business continuity management can be significant. However, some reports say that the cost of unforeseen downtime may be as much as $2.5 billion a year for Fortune 1000 companies.

Kurt Engemann, Ph.D., is Director of the Center for Business Continuity and Risk Management at Iona College in New York, Editor-in-Chief of the International Journal of Business Continuity and Risk Management and author of Business Continuity and Risk Management: Essentials of Organizational Resilience . In the book, he says that costs for business continuity preparation do not only include the groundwork to assess a company’s risks and plans to manage those risks. Rather, they also cover the needed backup facilities and equipment and company assets for emergency response. In addition, costs must cover resources for training employees and testing the plan.

Some experts have estimated that business continuity management and planning within only the crucial information technology aspects of companies can cost two to four percent of the information technology budget. But the costs are necessary, and worth it in the long run, according to business continuity experts.

“There is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis,” Engemann writes in his book. “Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective.”

When an organization’s top executives complain about the costs, Owens says, “Ask them what it would cost their organization for an hour of downtime. Or eight hours. Or 24 hours. Chances are the cost — financial, operational, and to brand and reputation — of having key business functions unavailable for an extended period are significant. They will most likely find business continuity management to be worth the investment.”

Benefits of Business Continuity Management

Like Engemann, Owens points out that there are significant benefits to the investment organizations make in business continuity management, including the following:

Mission Critical Processes: If you understand your key processes, you can plan to protect them and prioritize their recovery.
Legal and Regulatory Compliance: Laws or regulations require companies in some industries to implement a formal business continuity management system.
Satisfying Demands from Other Organizations: Some groups and companies may require that your company sets up BCM before they do business with you.
Insurance Payments: To get the maximum payments from an insurance policy after an event, a company must have suitable business continuity management policies in place.
Reputation Management: Your business’s brand will be greatly helped or hurt, depending on how an unforeseen event affects its operations.
Competitive Advantage: A strong business continuity plan can offer your company the advantage over peers who are not as well prepared.
Seamless Recovery: Cloud-based technologies make data backup, remote work, and business recovery affordable and accessible. Groups and businesses of all sizes can benefit from such tools. See our article on cloud computing for business continuity to learn more.
Time Savings: Planning prevents teams from scrambling at the last minute to cobble together a recovery effort. Strong planning helps you get back online — and back on track — faster.

Michael Herrera, CEO of MHA Consulting , a business continuity and disaster recovery firm, cites two other significant benefits:

Keeping Customers and Avoiding Major Financial Losses: Getting operations back to normal quickly after an event means your company loses less money.

“Your customers aren’t as patient as you think they are,” Herrera explains. “They expect you to have a business continuity system and they expect you to be up and running. Their patience does run out.”

Improving Day-to-Day Operations: Herrera says his firm’s clients often discover how business continuity planning gives them insights into the day-to-day operations of their company. “It really can help you with process improvement and getting a good understanding of what your business does every day.”

Additionally, strong business continuity planning will enable you to do the following:

Officially declare a disaster and alert senior management.
Assist in the development of an official public statement regarding a disaster and its effects on a business.
Monitor your business’s progress and present the recovery status.
Provide ongoing support and guidance to teams with pre-planned operations.
Review critical processing, schedules, and backlogs to keep everyone up to date on status.
Ensure businesses have both the resources and the information to deal with an unforeseen emergency.
Reduce the risk that an emergency might pose to employees, clients, and vendors, etc.
Provide a response for both man-made and environmental disasters.
Improve overall business communication and response plans.
Summarize both the operational and the financial impacts resulting from the loss of critical business functions.
Allow businesses to plan for a loss of function that has potentially larger, more severe consequences.

See our article on the importance and benefits of business continuity planning to read more expert examples of how business continuity can bolster your company.

Key Business Continuity Management and Planning Considerations

Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:

Consultant Services

There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:

How experienced are they? How long have they been around?
What’s their reputation as a company? What do their clients say about them?
Are they focused on a specific industry or area of business continuity, or do they have experience with a range of industries and a broad spectrum of business continuity?
How do they think about business continuity (as a somewhat separate practice or something that needs to be ingrained within your organization)?
How aligned is their advice with standards in your industry?

Business Continuity Software

There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:

Are you looking for software that will automate the development of plan components, or software that offers more in-depth help during the planning phase?
What is the history of the software and the company behind it? How long has this particular software been on the market and what is the history and the reputation of the company behind it?
Is the software being continually updated and improved?

Below are some specifics to consider as you test drive the software:

Does it have an easy-to-use interface?
Does it cover all aspects and components of business continuity, including business impact analysis and risk assessment ?
Does it include sufficient storage for your company’s supporting documents?
Does it provide secure portable access via mobile or other technologies, if a crisis interrupts your information technology systems?
Does it provide strong data analytics?
Is it secure and private?

Primary Things Your Organization’s Business Continuity Management System Should Accomplish

While your business continuity management system will have various elements and details, there are some primary things it should do for your organization. They correspond to the key elements listed earlier in this article.

For example, a BCM system should help do the following:

Understand your company’s needs for business continuity and disaster preparedness. A BCM system should be able to assist company leaders in understanding the need for a business continuity management policy.
Understand which processes should be recovered and in what order.
Establish business continuity metrics to gauge success.
Plan for communicating with customers, staff, and other stakeholders.
Determine what tools, technology, and staffing are required to restore activities and support customers.
Establish remote-work support or relocation plans for staff and activities.
Implement ways to continually assess and manage continuity risks.
Monitor and review how its business continuity management system is working.
Continually improve the system.
Respond effectively in a real-world crisis, and allow the business’s critical operations to continue and all operations to resume quickly.

Although nobody wants to think about disasters or the effort needed to prepare to meet and mitigate crises, the alternative is the potential loss of reputation, income, or the entire business. In sum, planning translates to determining your key processes, equipment, and tools, and applying basic recovery strategies.

The Importance of Senior Organizational Leaders Strongly Supporting Your Business Continuity Management and Planning

Your senior leaders must strongly support your company’s business continuity management plan for it to succeed. Such leadership is key as storms, floods, pandemics, and data breaches increase in force and frequency.

“Make sure senior management is committed to the planning, development, execution, and implementation of a business continuity/disaster recovery program,” says Paul Kirvan , a business continuity consultant and a fellow of the Business Continuity Institute with 25 years of experience in business continuity work. “Otherwise, it simply won’t happen. Such programs work best if they have top-down support and funding, as opposed to being developed from the ground up.”

Business Continuity Plan Test Types

Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials.

There are four types of testing, and each requires increasing levels of planning, resources, and focus. You should try to run each type of drill regularly.

Plan Review: Plan reviews are often the first test applied to a new plan. In this test, top management and some key BCP personnel review the relevance and completeness of a plan. Such a review can verify risk and BIA results, and help you check for gaps and inconsistencies among continuity documents.
Tabletop or Structured Walkthrough: A tabletop test requires more preparation and time. It provides a role-playing exercise for recovery teams.
Simulation or Walkthrough Drill: In a walkthrough drill, your continuity team physically completes the type of tasks they'd find in a crisis. They may practice evacuating a building during a fire, restoring a backup, or switching to another communication frequency.
Functional or Live Scenario: Functional tests include a complete physical drill of continuity plans. Live tests may focus on one aspect of the plan or include the complete plan. They may include one part of the company or all team members.

Be sure to document what happened in the test so everyone involved in the exercise — and especially those who created the plan — can understand what did and didn’t go well, and can revise as necessary.

Business Continuity Management Policy Statement

A business continuity policy statement is a written document that outlines an organization’s business continuity management program. The policy statement should be communicated to all employees and should be signed and endorsed by the organization’s senior management.

See real-world examples of a business continuity policy statement .

Cultivating Awareness of Business Continuity Plans

The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.

What Is the Importance of a Business Continuity Plan?

A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.

How to Write a Business Continuity Plan

It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events.

Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.

You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.

Business Continuity Plan Template

This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.

Download Business Continuity Plan Template

Word | PowerPoint | PDF

You’ll find other most useful free, downloadable business continuity plan (BCP) templates, in Microsoft Word, PowerPoint, and PDF formats in this article .

What Is a Business Impact Analysis and Why Is It an Important Part of a Business Continuity Plan?

A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.

The business impact analysis will include details on the following:

Recovery time objectives that outline the organization’s goals relating to how quickly various services and processes will resume after an event
Financial impact of an incident
Impact on customers
Other possible impacts of an incident
How the organization will prioritize recovery steps
How the organization will prioritize critical services or products
Identification of potential revenue loss
Identification of additional expenses the organization will incur because of the event
Identification of insurance an organization has or needs to have
Identification of an organization’s dependencies on other agencies, companies, and providers

See our business impact analysis toolkit to find guidelines and templates to get started.

Risk Mitigation for Business Continuity

Risk assessment is one of the first steps in preparing your business continuity plan.

Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks.

To learn more about risk management , read our comprehensive guide.

The Importance of Periodically Testing an Organization’s Business Continuity Plan

Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.

Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”

Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”

You can do some testing through simpler table top exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.

“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”

The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.

What Is a Business Continuity Plan Governance Committee?

Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts is vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.

The committee is often responsible for the following duties:

Approving the governance structure of the committee
Clarifying the roles of committee members and others working on the plan
Overseeing the creation of working groups to develop and implement the plan
Providing overall direction and communicate important information to employees
Approving the continuity plan and essential specifics within it
Setting priorities within the plan

The committee often includes the following members:

A senior leader from the business, often the sponsor
A business continuity manager and assistant manager
The company employee, or outside consultant, who will serve as overall coordinator of the business continuity plan
The company’s security officer
The company’s chief information officer, or information technology leader
Representatives from the company’s business department, to help with the business impact analysis
An administrative representative

How to Cultivate Resilience in Your Organization

A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.

Real World Example: Lessons Learned About Business Continuity from the Terrorist Attacks of Sept. 11, 2001

Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.

The following are among the lessons learned:

Business continuity plans must be tested frequently, and updated where needed.
The plans must assume a wide range of threats.
The plans must take into account how much companies, agencies, and other entities depend on each other.
Key people from any organization must be available and reachable when an incident happens.
The ability to communicate, especially through landline phones, cell phones, and the internet, is vital.
Sites that organizations use for backup of their digital information should be located at a distance from their primary information technology site.
Employee support and counseling may be important during and after a crisis.
An organization should store copies of its business continuity plan at a location apart from its primary location.
Security perimeters around the scene of an incident may be large, which may affect employees’ access to organization facilities for long periods.

Legislation Governing Some Business Continuity Management and Planning

The United Kingdom did approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.

Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation ( NERC ) and Federal Energy Regulatory Commission ( FERC ), also require continuity plans.

Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning

Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:

ISO 22301 : Developed by the International Organization for Standardization (ISO), a standard-setting body, this group of standards sets out appropriate business continuity management practices. Learn more about how this standard can help businesses of all sizes in our guide to ISO 22301 .
NFPA 1600 : Developed by the National Fire Protection Association, the standard is one of the most widely recognized in the U.S. on emergency preparedness and business continuity.
National Institute of Standards and Technology SP 800-34 : Sets contingency planning standards for federal information systems in the U.S.
SPC-2009 — Organizational Resilience : Security, Preparedness and Continuity Management Systems provides critical business and infrastructure security standards developed by the American Society for Industrial Security.
ISO 27000 : Standards for security in information technology systems, which include standards for business continuity in information technology. Learn more about ISO 27000 and find free checklists and templates .
DRI International : Professional Practices for Business Continuity Management
Federal Emergency Management Agency (FEMA): Continuity Guidance Circular: Continuity Guidance for Non-Federal Entities: An 86-page formal document, the circular presents FEMA’s perspective on how businesses can prepare for disasters.
Insurance Institute for Business & Home Safety: Open for Business Continuity Toolkit: This site offers a video, FAQ, and downloadable continuity planning tools.

What Is the Business Continuity Institute?

The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.

Improve Business Continuity Planning with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Artificial Intelligence
Generative AI
Business Operations
Cloud Computing
Data Center
Data Management
Emerging Technology
Enterprise Applications
IT Leadership
Digital Transformation
IT Strategy
IT Management
Diversity and Inclusion
IT Operations
Project Management
Software Development
Vendors and Providers
Enterprise Buyer’s Guides
United States
Middle East
Italia (Italy)
Netherlands
United Kingdom
New Zealand
Data Analytics & AI
Newsletters
Foundry Careers
Terms of Service
Privacy Policy
Cookie Policy
Copyright Notice
Member Preferences
About AdChoices
Your California Privacy Rights

Our Network

Computerworld
Network World

How to create an effective business continuity plan

A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, or cyberattack. here’s how to create a plan that gives your business the best chance of surviving such an event..

Professional Meeting: Senior Businesswoman and Colleague in Discussion

The tumultuous events of the past several years have impacted practically every business. And with the number of extreme weather events, cyberattacks, and geopolitical conflicts continuing to rise, business leaders are bracing for the possibility of increasingly more frequent impactful incidents their organizations will need to respond to.

According to PwC’s 2023 Global Crisis and Resilience Survey , 96% of 1,812 business leaders said their organizations had experienced disruption in the past two years and 76% said their most serious disruption had a medium to high impact on operations.

It’s little wonder then that 89% of executives list resilience as one of their most important strategic priorities.

Yet at the same time, only 70% of respondents said they were confident in their organization’s ability to respond to disruptions, with PwC noting that its research shows that too many organizations “are lacking the foundational elements of resilience they need to be successful.”

A solid business continuity plan is one of those foundational elements.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, head of compliance at Advance.AI and a member of the Emerging Trends Working Group at the professional governance association ISACA.

A business continuity plan gives the organization the best shot at successfully navigating a disaster by providing ready-made directions on who should do what tasks in what order to keep the business viable.

Without such as a plan, the organization will take longer than necessary to recover from an event or incident — or may never recover at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

A business continuity plan outlines the procedures and instructions that the organization must follow during such an event to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan , which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they often are considered together and abbreviated as BCDR.

Why business continuity planning matters

Whether you operate a small business or a large corporation, it’s vital to retain and increase your customer base. There’s no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.

Moreover, there are increasing consumer and regulatory expectations for both enterprise security and continuity today. Consequently, organizations must prioritize continuity planning to prevent not only business losses, but financial, legal, reputational, and regulatory consequences.

For example, the risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional services firm.

So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, or a week.

“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.

This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.

Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.

This is essentially a business impact analysis.

Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.

Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.

“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.

Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.

“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.

“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.

The importance of testing the business continuity plan

Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.

Renner says testing and practicing offer a few important benefits.

First, they show whether or how well a plan will work.

Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.

They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”

Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises , structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts also advise a full emergency evacuation drill at least once a year.

Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.

“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.

Otherwise, plans go stale and are of no use when needed.

Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

How to ensure business continuity plan support, awareness

One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.

US proposes draft data privacy legislation

The C-suite is expanding — and IT leaders are stepping up

CIO Leadership Live Australia with Scott Andrews, Chief Operating Officer, Idea Science

Eaton CIO Katrina Redmond on optimizing AI and digital services

Tech layoffs continue, while AI prevents them from getting new jobs quickly

3 Leadership Tips: Adam Ennamli, Chief Risk Officer, General Bank of Canada

What Is A Business Continuity Plan? [+ Template & Examples]

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

executives discussing business continuity plan

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

Business Continuity Types
Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

Free Crisis Management Plan Template
12 Crisis Communication Templates
Post-Crisis Performance Grading Template
Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

2. Business Continuity Plan Example for Unplanned Internet or Telecom Outages

business continuity plan example: technology

Don't forget to share this post!

How to Navigate Customer Service During a Business Closure

10 Crisis Communication Plan Examples (and How to Write Your Own)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Business Continuity Planning

Organize a business continuity team and compile a business continuity plan to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

Business Continuity Plan Situation Manual
Business Continuity Plan Test Exercise Planner Instructions
Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

(888) 244-1912
[email protected]

Understanding Business Continuity vs BDR: A Guide
About Invenio IT
Business Continuity

Can we break it? 9 business continuity plan testing scenarios

Dale Shulmistra

May 2, 2023
10 min read

Nobody wants to get those dreaded 3 a.m. phone calls. “The servers are down.” “The backups failed.” “Ed from logistics opened a phishing email again!” These calls are an IT professional’s worst nightmare. But the good news is: by exploring the right business continuity plan testing scenarios, you may never have to get such a call.

Creating a business continuity plan (BCP) is only the first step toward implementing a rock-solid continuity strategy. The systems and protocols outlined in your plan might sound good in theory, but how do they hold up in a real-world disaster?

Can your backup systems survive a real data meltdown?
Will you be able to meet your RTO for restoring data?
How well will employees follow emergency procedures?
Will your emergency communication strategy work out as planned, or will it implode?
What will really happen when things go bad?

There’s no way to know for sure without testing . This is a critical component of continuity planning. Without putting your BCP to the test, you’ll never know if your company is truly prepared for a disaster—until it’s too late.

Today, we look at 9 business continuity plan testing scenarios that can ensure your technologies and teams are ready for anything.

Get your hammer ready (metaphorically speaking)

Once your plan is finalized, it’s time to try to break it.

Don’t worry—you’re not actually shredding the document that you spent so many weeks writing, editing and getting approved from higher-ups. And you’re not actually breaking anything at all.

However, you do need to prove the soundness of everything you put in the plan. By that, we mean using strategic tests that will help you to:

Identify weaknesses in your BC systems
Confirm that infrastructure investments meet your continuity objectives
Evaluate the company’s response to different types of disruptive events
Make improvements to systems and procedures based on test findings
Update your BCP accordingly

Don’t make the mistake of creating a comprehensive plan but never putting it to the test. That’s more than just laziness. It’s dangerous.

Without testing your plan, you’re putting both the business and its people at risk.

Keep this in mind: only 6 percent of companies without a disaster recovery plan survive a disaster, according to Datto. Having an inadequate plan is just as risky as having no plan at all.

Before you get started

The question you’re probably already asking is: what do you test and how often?

If you’ve done your job, then your BCP is already filled with hundreds of procedures for various events, including even the smallest of emergency-response steps, such as calling 9-1-1 in a fire. Do you test everything? How much is too much?

This depends on your company’s unique risks (as you’ve hopefully identified in a thorough risk assessment and business impact analysis).

For example:

A company that has more to lose from a disruption (revenue losses, operational downtime, credibility / reputation, etc.) will usually require a higher number of business continuity plan testing scenarios, as well as a greater frequency of those tests.
Keep in mind: the tests that you deem as “most important” may not be as important to another business in the same building as you. They may not even apply at all.

Every business is different, and thus its BCP is different as well: in scope and priority.

Below, we’ve included tests that we recommend for most businesses who are concerned about continuity. Some of the recommendations may be a bit general, depending on your operations. Customize and implement as needed for your business’s unique needs.

Business continuity plan testing scenarios

As you prepare for your tests, you’ll also need to determine just how “real” you want the test to be.

Testing is often a challenge for companies. The tests require time and resources for planning and executing them. For that reason, you may find it easier to conduct certain tests sitting around a conference table, rather than involving the entire organization in a full-scale drill. In business continuity , these varying types of tests are typically defined as follows:

Plan review: the most basic test, in which the recovery teams go over the BCP, line by line, to make sure everything is accurate and shipshape.
Tabletop test: a more involved version of the plan review, in which employees participate in actual exercises (usually in a conference-room setting) to confirm that everyone knows their responsibilities in various types of emergencies. These tests may also be used for testing technology components so that multiple people can evaluate how the systems behave and how it affects their roles.
Simulation test: this is the most realistic test, requiring team members to perform their BC/DR duties within their actual work environments. For certain types of disasters, this may even mean going off-site (for example, to resolve issues at a local data center or mock-prepare a backup office location).

Full-scale simulation tests are ideal because they allow you to evaluate your teams’ and technologies’ response to disasters in a way that’s as close to the “real thing” as possible. But if time and resources don’t allow for repeated simulations, then fall back on the tabletop tests (rather than not testing at all).

Okay, let’s dive into the tests …

1) Data loss

Let’s start with one of the most common workplace disasters today: a loss of data. This loss could be caused by a number of culprits:

Ransomware and other cyberattacks
Accidentally deleted files or folders
Server / drive failure
Datacenter outage

Assume that the lost data is mission-critical. Perhaps it’s your CRM information or the data that runs your sales and logistics applications.

The obvious goal is to get that data back as quickly as possible, ideally by restoring a backup . But whose job is it to do that? How should they communicate the problem with other personnel (and at what point in the crisis)? What are the priorities? Do outside vendors, such as managed service providers (MSPs) need to be contacted?

If your primary IT person isn’t available to start the recovery, do other team members know how to do it?

These are all questions that should be answered by your test.

2) Data recovery

You need to make sure your BC/DR systems work like they’re supposed to. Conduct a test that involves losing a massive amount of data, and then try to recover it.

Here’s what you’ll need to evaluate:

How long does the recovery take?
Were any files corrupted during the recovery?
Did you meet your RTO?
If you virtualized a backup in the cloud, were there any issues? Did internal applications run without connectivity issues or lag?

Make sure that the teams who rely on this business-critical data participate in the test. For example, if they’ll be expected to work with a virtualized environment, watch them do this – see what questions they have or what issues they run into.

3) Power outage

Scenario: Last night, power was knocked out by a storm. The utility company says it won’t be back up for days.

So, what now? What does your BCP say should happen in an event like this?

As part of the test, you’ll want to make sure that your DR team knows their responsibilities and how to communicate with the rest of the organization.

How will personnel be notified? Are they expected to come to work?
If a prolonged work stoppage occurs, does HR and Accounting know how it impacts payroll?
Are there backup generators that need to be manually started?
Is there a backup office location?

These answers should already be in your BCP. But with the test, you’ll be able to confirm that everyone follows the protocols as outlined.

4) Network and/or Internet outages

Very similar concerns here. Chances are if there’s no electricity then there’s no network either. Although there are numerous situations in which you could have electricity but the network is down.

For situations like this (if the outage is prolonged), it’s increasingly common for organizations to provide personnel with the means to work remotely from home (more on that in the next continuity plan testing scenario, below). So as part of this test, you’ll want to make sure that this plan works as designed:

Do employees know how to use/access the remote desktop systems?
Does the technology work as designed? Are speeds/connectivity strong enough to maintain productivity levels?
How is the network being restored? Do recovery teams know what to do?

What about network tests?

In addition to testing your preparedness for a network outage, you’ll want to test the network itself. This will enable you to verify the resilience of the network in various scenarios, such as cyberattacks, heavy bandwidth usage, changes in network configurations and so on.

There are numerous types of network stress tests that allow you to simulate congested network conditions. Sometimes referred to as “torture testing,” these tests give you insight into how your network performs when stressed to the max. Most network testing tools will allow you to measure bandwidth utilization and latency, and see how spikes in packet levels affect the performance of your network devices.

In addition to routine testing, these tests should also be conducted prior to the rollout of new applications or other significant changes to the network.

Remember: a critical aspect of these testing scenarios is to test your response to the simulated incident. So in a simulated network outage, for example, you’ll want to run through the steps needed to resolve the problem. Then, conduct a post-incident analysis to measure the speed and effectiveness of that response.

5) Application failure

What happens when an application that is most critical to your operations suddenly stops working? Aside from bringing your operations to a halt, your employees will likely be idled with nothing to do. This is an extremely costly scenario for most businesses, because it means that revenue is halted while expenses continue (and are wasted).

Routinely testing your applications can help to prevent these costly outages from happening and ensure that teams know how to rapidly respond when failure does occur.

Here’s what to consider as part of this testing scenario:

What events or conditions are most likely to cause the application to fail? (i.e. heavy network usage, large-scale changes, etc.)
When failure occurs, what steps are needed for recovery?
What can be done to mitigate or eliminate these outages in the future?

Stress tests and performance tests are especially valuable, as they can help to identify how the application performs under different workloads. If the applications are externally developed and there are bugs or other issues inherent in the software (as opposed to adverse internal conditions, such as network issues), then organizations should work with their software vendor to identify a fix.

6) Public health crisis

This is a larger-scope continuity testing scenario that businesses became well-acquainted with during the Covid-19 pandemic.

As the coronavirus spread, organizations raced to adhere to critical health guidelines that ushered in a new era of remote work, virtually overnight. Not all businesses were able to quickly adapt to this sudden shift. However, some organizations had been testing such a scenario as part of their continuity planning long before the pandemic started.

Businesses of all sizes need to be sure they can continue to operate during a public health crisis that threatens the health, wellness and availability of workers. This means testing the ability to shift operations, as it relates to both logistical feasibility and IT infrastructure:

Can employees perform their jobs remotely?
Do they already have devices that make remote work possible? Or would new devices need to be acquired?
Are IT systems already in place that would enable workers to securely connect to the network?
In the event of prolonged staffing issues, can critical operations be carried out by limited personnel?

As we discovered, a global health crisis can occur at any time. Businesses need to continually test their ability to adapt to such an event to ensure their operations can continue without interruption.

7) On-site danger

This is a very important office-wide drill that you must conduct at least once a year. Chances are that your local fire codes may already require you to have a periodic fire drill. If not, it’s critical that you conduct one anyway.

In addition to fire, these drills can be used for testing response to other dangerous situations, such as:

Earthquakes
Bomb threats
Terrorist attacks
Structural instability

As part of your test, make sure people know their emergency procedures, whether it’s evacuation, duck and cover, retreating to a safe area or even staying at their desks.

Additionally, you should be testing your procedures for maintaining operations in case such an event is prolonged.

8) Communication protocols

Communication is critical in a disaster. And in the most disruptive events (such as a severe natural disaster), you’ll probably lose most of your traditional communication means.

Your BCP should already outline how communication should occur in these situations: who should call whom and how. Some companies use calling trees. Some have an emergency email alert system, a call-in number for updates or special company websites used exclusively for communicating during these events.

Your tests should check that these systems and steps actually work: that personnel know they exist, that they know how to use them and that they work as designed.

9) Crisis of any kind

Let’s face it—there are so many different disasters that threaten your operations. Hopefully they’re already thoroughly defined in your business continuity plan.

Your job is to make sure you’re creating realistic tests that prepare the business for each of these crises. We’ve included some of the most destructive (and common) disasters in the recommended tests above, but there are numerous others to consider as part of your testing, including:

Loss of personnel (transportation blockage, strike, illness, etc.)
Additional utility outages (gas, telecommunications)
Application outages
On-site flooding
City/area-wide evacuation
IT infrastructure failure or damage

As with each of the tests outlined above, your drills for these scenarios should be designed to ensure that personnel know how to respond, that they’ll be safe and that the business can continue running.

Documenting your testing scenarios

All tests should be thoroughly documented. This enables organizations to identify how the test was conducted, what went right and what needs to be improved. Each test provides a baseline for conducting future tests and also for making changes to continuity planning.

Each testing scenario should be individually documented, but can also be summarized to provide a high-level overview. Here is a very basic example of what that might look like, just for templating purposes:

This summary should be followed by a more detailed description of each test, when it was conducted, what occurred and recommendations for further testing and/or improvements.

Frequently asked questions

1) What is an example of business continuity?

Business continuity is an operational objective that means a business can continue to function without disruption or interruption. One example of maintaining business continuity would be a hospital that is able to continue providing healthcare services during a hurricane.

2) How do you write a business continuity plan?

Writing a business continuity plan involves outlining your business’s unique risks, the impact of those adverse events, protocols for mitigation, response and recovery, and the systems that support those continuity efforts. For more tips, see our related post on how to develop a business continuity plan .

3) Why is a business continuity plan important?

Planning for potential operational disruptions is the best thing businesses can do to prevent, mitigate and recover from such events. A business continuity plan serves as important documentation for understanding risks and guiding an organization through all stages of a disruption, from prevention to recovery.

4) How often do we test our business continuity plan objectives?

The timing and frequency of your plan testing will depend on the unique objectives of each business, and you will likely need to test different parts of your BCP at different times. For example, you might decide to conduct emergency preparedness drills for employees once a year, while your data backups may need to be tested every few months.

Get more information

To learn more about how your company can mitigate downtime after data loss and other disasters, contact our business continuity experts at Invenio IT. Request a free demo or contact us today by calling (646) 395-1170 or by emailing [email protected] .

Get the Ultimate Employee Cybersecurity Handbook

Join 23,000+ readers in the Data Protection Forum

The Essential (and Best) Guide to All Datto SIRIS Models

Where’s My Data? 411 on Datto Locations around the Globe

BCDR Faceoff: How Do Datto Competitors Stack Up?

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

Learn how datto encryption secures your data

Do you know what makes Datto Encryption So Secure?

Cybersecurity.

How to Conduct Testing of a Business Continuity Plan

Small Business
Business Planning & Strategy
Business Continuity Plans
')" data-event="social share" data-info="Pinterest" aria-label="Share on Pinterest">
')" data-event="social share" data-info="Reddit" aria-label="Share on Reddit">
')" data-event="social share" data-info="Flipboard" aria-label="Share on Flipboard">

Business Recovery in Case of Earthquakes

Business risk assessment, what is the purpose of pre-accident plans.

Company Disaster Plan Examples
What Is the Difference Between Testing & Exercising Business Continuity Plans?

Many small businesses are able to continue to operate during a crisis, such as a weather-related emergency, because they have continuity plans. In addition to creating a continuity plan, your company should occasionally test it to confirm that things haven’t changed since you developed your guidelines and to ensure new employees know what to do in the event of an emergency. Conducting business continuity testing keeps your plans up to date and your stakeholders ready to work when you need them.

What Is a Continuity Plan?

Continuity plans are guidelines that businesses follow during a crisis so that they can keep operating, explains the Business Continuity Institute . Examples of crises that can affect a business include:

Extended power outage
Computer hacking
Traffic shutdown

Many businesses that shut down due to these crises could have continued to operate if they had continuity plans. Continuity plans address issues such as how to keep employees in communication when a workplace is shut down, how to manufacture off-site when your production facilities are closed, and how to keep IT systems operating if a workplace and its contents are damaged.

List Possible Scenarios

List the potential crises for which you want to conduct continuity testing. You might have continuity plans for up to 10 different disasters but only want to test for one or two at this time. After you decide which scenarios to examine, review the current continuity plan as it stands. Decide if any of the components of the plan need to be updated; your plan might be fine as is. Rewrite the plan if needed and distribute it to your employees.

Quiz Your Employees

Test your employees' knowledge of their required responses to an emergency. If you have never given written instructions to your employees, ask them anyway to see what they say. You might hear helpful suggestions.

Using the feedback, decide what education and training your staff needs to react appropriately to a business shutdown. For example, you need a central communications hub where employees can get information about continuing to work, how they’ll be paid while the company is shut down (if it does), how to communicate with supervisors, vendors and customers, and how to learn when it’s time to come back to work.

Contact External Stakeholders

If you’re shut down because of an internal event such as a fire, you won’t want your vendors continuing to come to your place of business to deliver goods or provide services (such as office cleaning). Contact each vendor and supplier you have to discuss how you will handle your relationship during a crisis.

Ask if other companies have contacted them about continuity plans to see if you can learn from those. Ask your suppliers if they have a continuity plan in the event they shut down and whether they will continue to serve you during their crisis.

Don’t forget to contact your bank and insurance company to see what type of working capital and credit you’ll have access to if a disaster strikes.

Test the Plan

Once you know that all your management and stakeholders are on the same page, test the plan. Have your employees visit your central communications hub to see if they can easily access it. Make sure everyone confirms they can. Run evacuation drills if those are part of the plan.

Talk to your vendors and ask how they would handle a multiday or multiweek shutdown of your company and if the time of year is a factor.

Some continuity plans include using another manufacturer’s facilities to make the affected company’s product during the crisis. Other plans outsource their entire production, having another company make their product. Check to see if your Plan B companies are still able to handle your production, if necessary, and what their charges would be.

Ask your IT department what would happen if your location and its hardware were damaged, recommends IBM . Discuss your off-site backup capabilities and how long it would take to get back up and running. For example, if you sell your product online, could you instantly switch your servers to your backup e-commerce site? Could you still send orders to your suppliers or warehouse for shipping?

Review the Results

After you’ve tested your continuity plan, review the results. Prices and costs may have changed since you first developed it. Your technology might not be robust enough or current. You might have enough new employees that slowdowns occur while they learn your procedures.

Update your continuity plan and communicate with all stakeholders, from your employees and suppliers to your potential production partners.

The Business Continuity Institute: What Is Business Continuity?
IBM: Adapt and Respond to Risks With a Business Continuity Plan
Businesses that contract with the federal government are required to have an updated BCP on hand for periodic review. Documented pan reviews and simulations to test and improve your company&rsquo;s plan will only improve your image as a responsible business contractor.

Steve Milano is a journalist and business executive/consultant. He has helped dozens of for-profit companies and nonprofits with their marketing and operations. Steve has written more than 8,000 articles during his career, focusing on small business, careers, personal finance and health and fitness. Steve also turned his tennis hobby into a career, coaching, writing, running nonprofits and conducting workshops around the globe.

How to train within a business continuity plan, the recovery phase of a business continuity plan, business recovery strategies, how to reduce business risks, how to turn off norton 360 auto update, business continuity plans for infectious diseases, how to ensure workplace safety, small business disaster recovery plan example, elements of a good crisis management plan, most popular.

1 How To Train Within a Business Continuity Plan
2 The Recovery Phase of a Business Continuity Plan
3 Business Recovery Strategies
4 How to Reduce Business Risks

CyberSecurity Testing

Advisory Services

Hardening & readiness.

TRAC: Risk Management Platform
KnowBe4: Simulated Phishing
Certification Programs
Memberships

Speaking Engagements

Resource Library
Our Company
Testimonials
Virtual CISO
Incident Response
Business Continuity
Vendor Management as a Service
Security Awareness Training
FTC Safeguards Rule
HIPAA Security Audit

Cybersecurity Testing

Network Security Audit
Vulnerability Assessment
Penetration Testing
Social Engineering
Microsoft 365 Hardening
Cybersecurity Essentials Assessment
Incident Readiness Assessment

Compliance. Simplified.

Simplify cybersecurity risk management and tackle your cybersecurity challenges with ease. TRAC automates the tedious risk assessment process and produces customized results that align with regulations, best practices, and your strategic goals.

TRAC Modules

Action Tracking
Business Continuity Management (BCM)
Bank Secrecy Act (BSA)
Commercial Account Tracking (CATRAC)
Enterprise Risk Management (ERM)
Information Security Program (ISP)
Organization Risk Assessment

Other Products

Verify: ACH Fraud Detection

Uniquely dedicated to delivering industry-leading, quality education that instills confidence and empowers you to take security into your own hands.

Certifications for Managers

Certified Banking Security Manager
Certified Banking Vendor Manager
Certified Banking Business Continuity Professional
Certified Banking Incident Handler

Certifications for Executives

Certified Banking Security Executive
Certified Banking Cybersecurity Manager

Technical Certifications

Certified Banking Security Technology Professional
Certified Banking Ethical Hacker
Certified Banking Vulnerability Assesor
Hacker Hour
Cyber Showcase
SBS Institute
Book a Speaker
Meet our Speakers
Working at SBS

Why Choose SBS?

Endorsements
Who We Serve

Four Steps to Better Business Continuity Plan Testing

Business continuity planning is a process that is vital to your organization. There is always the possibility that your organization’s critical business processes could be negatively affected for reasons that are often beyond your control, so it's best to be prepared. If a disruption occurs, it’s essential that your organization has a plan to address any potential issues and ensure that your organization can still serve your customers.

However, if you’ve never enacted your plan, it’s hard to be confident that your plan will be sufficient. Testing your business continuity plan (BCP) helps to continuously improve your ability to recover successfully from various scenarios, whether it be a natural disaster or a communications failure. The good news is that there’s not just one way to test your BCP. Here are four steps to help you build a better business continuity plan testing program and ensure you are prepared for any situation that may come your way.

______________________________________________________________________________________________

The first step to better BCP testing is to incorporate different testing methods. You can utilize various methods to test the usability and effectiveness of your business continuity plan. Some of the possible test methods provided by the FFIEC include:

Tabletop Exercise: A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation. The goal of a tabletop exercise is to determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other.
Limited-Scale Exercise: A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes. The goal of a limited-scale exercise is to determine whether targeted systems can be recovered and whether personnel understand their responsibilities as defined in the plan.
Full-Scale Exercise: A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes. The goal of a full-scale exercise is to determine whether all critical systems can be recovered at the alternate processing site and whether personnel can implement the procedures defined in the BCP. For example, a full-recovery exercise might simulate the complete loss of primary facilities.

Step two is to understand how often to test. Although there is no hard-and-fast standard for determining how often to test your business continuity plan, some general guidelines are typically recommended. Note that each of these timeframes will depend on your organization’s industry, size, personnel, available resources, and current BCP maturity levels. Don’t take these timelines as gospel, as they are strictly that: guidelines.

SBS recommends reviewing each of your emergency preparedness plans (business continuity, disaster recovery, incident response, and pandemic preparedness) throughout the course of a given year. Testing would typically include an annual tabletop test of all four individual EPP plans, testing multiple scenarios for threats you identify as a higher risk to your organization. Be sure to test the scenarios you believe to be the highest risk to your organization most frequently. You can use your business continuity risk assessment to help identify which threats are particularly impactful/probable to the organization.

Additionally, a limited-scale exercise is recommended at least annually, but such a test is largely dependent on the size and complexity of your organization and the maturity of your failover procedures. For example, if your organization’s goal is to have a fully-functional failover DR backup site, but you have not yet achieved full-failover mirroring and backups, implementing this complex backup process and testing to ensure everything works correctly from failover to failback may take years to achieve. In comparison, testing file-level restores from nightly backups is something any organization can do quickly and frequently today.

However, if your organization has any significant changes in processes, systems, or plan details, you may want to perform these tests more frequently. To reiterate, these timelines are highly dependent on your organization; it may not be feasible or logical to perform some of these tests at a particular frequency. Base this decision on your organization and its specific needs.

If you are looking for somewhere to start and what should be prioritized for testing, refer to your business impact analysis . This is an excellent way to not only identify your most critical processes, but also the assets/systems you rely on the most. Systems that you require to keep your most critical processes functioning should be tested more frequently, allowing you to validate proper recoverability and the timeframes of that recovery. Most organizations benefit greatly by having a testing schedule documenting their plans. This allows for a strategic approach to testing involving the organization's processes, systems, and vendors deemed necessary.

Including your vendors is the next step in improving your BCP testing. In the course of your testing cycle (whether a tabletop test, limited-scale exercise, or full-scale exercise), you’ll want to ensure your critical vendor partners are included in the testing process to whatever extent possible. Involving your vendors in this process not only allows you to test to a greater degree of accuracy and usability but also allows your vendors a chance to provide feedback that may be valuable to your plans or testing process.

Finally, step four is to document your testing. Be sure to document the results of any testing performed, along with any actionable findings from those tests. Following up on these items and incorporating recommendations resulting from tests is the most important process in the BCP testing lifecycle. Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.

Testing, documenting the results of your testing, and implementing processes to improve your BCP is the best way to strengthen your organization’s response processes.

Business Continuity Plan Testing Checklist

Identify critical business functions and processes, establish objective for the continuity plan, identify critical resources needed to support business functions, approval: identification of critical resources.

Identify critical resources needed to support business functions Will be submitted

Develop recovery strategies for all identified critical business functions

Create business continuity plan document outlining the plan, establish testing schedule for the continuity plan, approval: testing schedule.

Establish testing schedule for the continuity plan Will be submitted

Identify and train the team responsible for the implementation of the business continuity plan

Conduct initial business continuity plan test, evaluate the results of the initial test, document findings and incorporate into the business continuity plan, approval: documented findings.

Evaluate the results of the initial test Will be submitted
Document findings and incorporate into the business continuity plan Will be submitted

Train employees on roles during a disaster or disruption

Conduct a full-scale test of the business continuity plan, evaluate and document results of full-scale test, approval: evaluation of full-scale test.

Conduct a full-scale test of the business continuity plan Will be submitted
Evaluate and document results of full-scale test Will be submitted

Enact changes based on the results of the full-scale test

Schedule regular reviews and updates of the business continuity plan, submit final business continuity plan for final approval, approval: final business continuity plan.

Submit final Business Continuity Plan for final approval Will be submitted

Take control of your workflows today.

More templates like this.

Search Search Please fill out this field.
Business Continuity Plan Basics
Understanding BCPs
Benefits of BCPs
How to Create a BCP
BCP & Impact Analysis
BCP vs. Disaster Recovery Plan

Frequently Asked Questions

Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)?

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

Determining how those risks will affect operations
Implementing safeguards and procedures to mitigate the risks
Testing procedures to ensure they work
Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

The impacts—both financial and operational—that stem from the loss of individual business functions and process
Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

Terms of Service
Editorial Policy
Privacy Policy
Your Privacy Choices

ISO Consultancy

Policy Portal Blog Useful Links

Who We Are Testimonials Our Services Contact Us

How to test your business continuity plan

Disruptions are by their nature unexpected. But your organisation’s response to hitting pause on normal business operations doesn’t have to be equally as unexpected.

So, how should you test your business continuity plan, and how often should it be put in practice?

How often should a business continuity plan be tested?

There is no hard and fast rule that governs how often your business should test its plan.

The regularity of the testing is also dependent on the type of test being performed.

How can a business continuity plan be tested?

There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios or simulations.

Checklist or walkthrough exercises

Desktop scenarios

Simulations

Simulations are full re-enactments of business continuity procedures and could involve most, if not all, of your workforce. They also tend to take place on site in the relevant business areas.

Organising a test

Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan.

Solution for disruption

Business continuity plans give your business a blueprint for disruption survival, but only if they are fit for purpose. Our expert consultants can quickly get to grips with your business and carry out a detailed Gap Analysis Report and Business Impact Assessment, which they can then use to create a bespoke and up-to-date business continuity plan for you.

Get in touch today on 01325 778352 or by emailing [email protected]

3 Ways to Test Your Business Continuity Plan

You’re a positive person. We think that’s spectacular. And though remaining positive is great in principle, sadly it isn’t always a smart risk management mindset. The companies that subscribe to Murphy’s Law are generally best equipped to mitigate risk and handle the unknowns – whether that’s economic downturns, natural disasters, data breaches or server failures. Regardless of risk appetite, smart companies plan against interruptions to business with what’s known as a Business Continuity Plan or BCP. A Business Continuity Plan evaluates how your company will sustain operations, communicate to personnel and clients, and generally weather the storm in the event of a business interruption. If the Murphy Law mantra feels negative, then just stack the deck and consider it a smart wager instead, since it is FAR better to be ready for a disaster that may never come than be caught unprepared and risk your business collapsing.

We’ve discussed the value of Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs) in previous articles, so today we turn this topic toward a vital and often overlooked component of risk mitigation and continuity assurance….Testing.

Even the best plans fall apart without proper implementation. Success in plan execution increases exponentially with testing. Consider testing your Business Continuity Plan annually at a minimum so that all employees and stakeholders are knowledgeable and primed for continuity measures in case of an emergency. Here’s our suggestions for three (3) things you can consistently do to ensure your Business Continuity Plan is tested and your organization is better prepared should disaster strike.

It’s not just for the compulsive personalities like project managers and analysts. Creating a checklist not only defines the successive order in which key operational and administrative procedures should be carried out, it also naturally comes in the form of a quick-reference guide (also known as a QRG). When confusion increases and communication deteriorates, a continuity plan checklist at either a high-level or multiple checklists across your more granular functional areas are an easy and comforting distillation of the business continuity plan that ensures two key components for successful plan implementation: 1) that steps are conducted in the right order, and 2) that no steps are missed.

Two sets of checklists should be made. The first set encompasses those key procedures, contacts, communications, and steps that should be done at the moment of business interruption and throughout any disaster in order to successfully execute on the Business Continuity Plan. The second set of checklists – your BCP Audit Lists – are the items and key information that should be tested and verified on the previous set. Using both in tandem during annual or periodic testing greatly increases the quality of your Business Continuity Plan testing and also the likelihood of successful plan implementation if a disaster occurs.

Common things to include on your BCP Audit List include your employee’s contact details. Much of business downtime and conversely a company’s speed in operations getting back up and running is contingent on internal communications. Having an outdated phone number is a painfully avoidable mistake that can carry considerable cost to your company. At testing time, validate all internal and external contact information to be sure details are current and accurate. If you maintain an offsite cache of emergency supplies, check to ensure that you have the appropriate types and volumes of supplies and backup equipment to last you until normal operations can be restored. Work with your analysts or external business consultation partners to help you determine which supplies, equipment and quantities are appropriate at varying levels and types of business interruption. In addition, be sure to review and secure copies of all required and supplemental documents for personnel, processes and operations (especially emergency forms, contact info, and the Business Continuity Plan itself).

One BCP Audit List item to include should be an evaluation of the overall plan for validity and appropriateness based on the current state of the company. Testing helps business continuity plans stay up to date and provides for more continual adaptation and updating, but your company’s key strategic leadership should periodically evaluate the current state of the company in light of new strategies, technologies, or capabilities and determine whether the existing Business Continuity Plan still covers all of the current needs, strategy and direction. New strategies/technologies may now exist that are more practical and efficient than the ones currently in your plan from last year, and company direction and capabilities may reveal a need to overhaul the business continuity plan or at least amend it.

Walk/Run-through

A walk-through or run-through promotes both procedural and muscle memory. Recall the fire drills and tornado drills of your elementary school days. Drills were conducted as a live activity rather than a verbal this-is-what-we-would-do review. The reason for this may be intuitive but studies show that active practice facilitates more efficient internalization of procedures, and (as instructional gurus will tell you) key process components have a much higher likelihood of cognitive transfer from working to long-term memory. What that boils down to is simply that your employees will care about it more and remember it longer.

Consider a structured walk-through with department heads to make sure that key points of command and delegation points to internal teams know precisely what to do in an emergency. Elect a team leader from each department and have each form their own testing team which should have extra duties and responsibilities (like making sure the building is clear) and will likely require extra rehearsal. After testing, department team leaders should discuss findings and then draft a unified report on plan efficacy and suggestions for improvement.

Walk-throughs are not just for the human parts of the plan. Kick off boot sequences, scripted and automated contingencies, data replication tasks, stand-by server switch-overs, cloud backup and data validation – whatever key technical components fall into your operations and continuity plan procedures. And then measure key continuity performance indicators (KCPIs) to report and leverage in your plan’s overall evaluation, such as quality or viability and speed to accessibility.

Simulation testing methods address the recovery and restoration aspects of the plan through seemingly real-life scenarios. Build your continuity simulation by creating scenarios that feel real and address key components of the Business Continuity Plan. Form testing teams and assign each a specific scenario that its members will enact using the facilities, equipment, and supplies available to them. If you can create cascading scenarios – ones that overlap and require inputs from or depend on processes to be completed by other testing teams – your simulation will be a better true-to-life representation of a business-interruption event or disaster.

Members of the company’s disaster response team should evaluate overall company response performance based on the simulation, determine how well teams were able to effectively carry out critical functions of the Business Continuity Plan, and identify key improvements and lessons learned to incorporate in the Business Continuity Plan and implementation procedures.

Don’t have a disaster response team? Assemble one as soon as possible.

Use the results from your checklists, walk-throughs and simulations to identify your Business Continuity Plan’s strengths and weaknesses, signal gaps between your plan and company’s current state of strategy and capability, determine how well your personnel can comply with the plan, and assess how ready you are for a disaster now that you’ve done the work of creating the BCP.

If testing your plan feels daunting, you aren’t alone. Many BCPs are constructed and then are shelved due to hesitation around the critical component of testing. The journey of a thousand tests begins with a single checklist, so start planning your Business Continuity Plan testing today. And as always, if you have questions about testing your Business Continuity Plan, need help with any of the techniques mentioned above, or need help constructing your Business Continuity Plan, let us help. Dynamic Quest offers business consultation services with a focus on disaster recovery , business continuity, plan testing, data analysis, and more. Just click the orange “Ask an Expert” button below to inquire about Dynamic Quest’s services or ask one of our experts a question.

Curious to learn more? Contact Dynamic Quest, your managed IT service provider ?

Our Vendors

Request A Quote For Managed IT Services

+1 (800) 826-0777
VIRTUAL TOUR
Mass Notification
Threat Intelligence
Employee Safety Monitoring
Travel Risk Management
Emergency Preparedness
Remote Workforce
Location and Asset Protection
Business Continuity
Why AlertMedia
Who We Serve
Customer Spotlights
Resource Library
Downloads & Guides

Three team members sit at a conference table and one stands, describing the details of a disaster recovery plan.

How to Build a Disaster Recovery Plan for Better Business Continuity

A disaster can derail your business without warning. Get back to business quickly and safely with a disaster recovery plan.

Blog-CTA-Sidebar-Graphic-BusinessContinuity-Checklist

What Is a Disaster Recovery Plan?

6 Steps to Build Your Plan
Instill a Culture of Preparedness

Within days of the tragic terrorist attack on the World Trade Center, business disruptions began rippling outward from New York City. Trucks delayed at the Canadian and Mexican borders led to shut-down assembly lines at Ford Motor Company. The Toyota factory in Indiana couldn’t make cars because parts weren’t coming in from Germany with air traffic shut down.

September 11, 2001 was a watershed event that forced many business leaders to “wake up” and admit that disasters can and do have widespread and lasting impacts globally. Over the decades that followed, disaster recovery became less about reacting to a crisis and more about ongoing risk management.

As John Liuzzi, National Director of Business Continuity at Southern Glazer’s Wine & Spirits, shared , professionals in his field no longer see disaster recovery and business continuity as administrative or compliance issues but as an integrated part of the business. Liuzzi says, “It’s about threat intelligence, disaster recovery, and crisis management that’s all seamless.”

A single human error can spur disruptive events from your supply chain to the front of the house. The longer your business stays out of service, the greater the loss to your people, systems, physical assets, and your company’s reputation.

From navigating a national tragedy to local demonstrations or a sudden blackout, a well-executed disaster recovery plan is your key to coming away with as few scratches as possible. Let’s break down what that could look like for your business.

Download Our Business Continuity Checklist

A disaster recovery plan (DRP) is a documented strategy for returning to normal operations quickly after an unexpected incident. The purpose is to provide specific instructions for actions to take before, during, and after any disaster. A comprehensive DRP should address all types of disasters, including human-instigated and natural, internal and offsite, accidental and intentional.

The range of potential disaster scenarios covered by a DR plan includes:

Malware or ransomware
System outages
IT infrastructure failure
Equipment failures
Building damages
Power outages
Civil Unrest
Citywide or regional issues
Health crises

What’s included in a disaster recovery plan?

The exact structure depends on your business, but a disaster recovery strategy typically begins with risk analysis and includes plans for emergency operations , data backup and recovery, redundancy and backup systems, communications, and incident recovery—all supporting the goal of preserving business continuity.

While business continuity and disaster recovery go hand in hand, they’re not interchangeable. A DR plan is more focused than a business continuity plan and does not necessarily cover all contingencies for business processes, assets, human resources, and external partners.

Disasters Are an Ongoing Threat to Business Continuity

Businesses lose a lot to disasters each year—especially catastrophic events such as floods and hurricanes. In 2022, the world suffered $313 billion in losses from natural disasters. But catastrophic events can also be driven by humans. Security breaches are one example of a common and costly human-made disaster, and they can lead to business downtime amounting to about $4.5 million per incident.

Whatever the reason—products aren’t available, stores can’t open, data centers fail, or your teams can’t get to work—everybody suffers. Your company sacrifices revenue, employees miss out on wages, and customers are left unserved. And once that cycle sets in, it can perpetuate itself.

If your business is located in an area susceptible to specific weather events, you absolutely need to plan for natural disasters. For example, plan for hurricanes in southern coastal areas, blizzards in snow-prone areas, or wildfires in the western and southwestern United States.

New market expansion or rapid team expansion can pose an added risk to business recovery, thanks to new processes, equipment, sites, and relationships. But even when it’s business as usual, all it takes is a cyberattack, an unexpected storm, or a chewed-through cable to cause the type of incident that could derail business operations.

If your organization’s disaster recovery plan is nonexistent, outdated, or a glorified checklist, now is the time to review, revise, or create a plan for disaster recovery solutions—before you need it.

Build Your Comprehensive Disaster Recovery Plan in 6 Steps

1. assess risks and vulnerabilities.

The first step is a risk assessment to uncover the threats you’re up against. A threat assessment and business impact analysis (BIA) will help you identify potential disasters and understand the possible consequences.

Take inventory of each functional area of the organization, your sites, people, physical and digital assets, key suppliers, and partners. Document your business’s internal infrastructure and data management to facilitate rebuilding after a disaster, and prioritize components based on their importance to business continuity.

2. Create your team

Decide who will create, update, and execute the plan. This disaster team will spearhead recovery and communication efforts during a crisis.

Assign specific tasks to your disaster recovery team members and document responsibilities, with one person as team leader. Ensure the disaster management team includes representation from each business function and align recovery tasks to each business unit so every department is included.

3. Establish clear objectives and priorities

Define the goals and objectives your recovery efforts will accomplish. Determine what the plan will and won’t cover, and establish critical questions to answer like, “Where do we relocate people or migrate systems?” and “Which applications and infrastructure must be restored immediately in case of a disaster?”

Based on your business impact analysis, define recovery time objectives (RTO) for applications, hardware, equipment, and other critical systems within the business. Recovery point objectives (RPO) are another key metric to establish the maximum allowable data loss in the event of a disaster impacting information systems.

Expressed in seconds, minutes, hours, or days, your RTOs define the acceptable time since the last data recovery point and should be calculated based on their importance. In other words, how long before an outage could a data recovery take place before the business would be impacted negatively?

4. Create a communication plan

During a fire, flood, or other disaster, seconds count and connectivity is the key to maximizing your time. Your crisis communication plan can make the difference between “crisis averted” and catastrophic consequences. In devising a disaster recovery communication plan, prioritize these steps:

Identify key audiences: Determine who will need information during and after a disaster, such as employees, customers, suppliers, city officials, and local first responders. Keep contact information up to date so you can get in touch quickly.

Pro tip: An emergency mass communication system can even help you group audiences that may need different information at different times. By organizing contact groups in advance, you lose no time sending critical messages to ensure people’s safety and mitigate operational disruptions.

Establish media protocols: Establish guidelines for interacting with the media during a crisis. Designate spokespersons and prepare them with key messages to ensure a clear and consistent message.

Create communication templates: Develop templated messages that you can quickly customize for each scenario. Know who is in charge of sending the messages and train them on procedures and how to use the emergency communication solution.

Set up communication centers: Equip these centers with scripts, FAQs, and necessary technologies to handle inquiries and provide information for customers, suppliers, employees, and the media.

5. Document the disaster recovery process

Create step-by-step instructions in plain language to restore critical functions quickly after a disaster. Your emergency response plan should outline each step in disaster recovery procedures, document the order of operations, and assign each task to an owner.

Documentation of the disaster recovery process may include:

Criteria for when you will activate the disaster recovery plan in different scenarios
Records of all critical applications, cloud services, data storage services, service providers, and hardware and planned backup systems
Communication protocols and instructions for the team in charge of the communications plan
Precautions and preventive measures to guard against future disasters
Emergency response procedures for evacuations, calling authorities, alternative work locations, supply chain contingencies, etc.
Strategies, tools, and technologies used for data protection, storage, backup procedures, replication, and recovery
A review of insurance coverages, including policies for flood, earthquake, or business interruption insurance

Store the DRP documentation away from the network in a secure yet accessible location. Consider immutable storage to prevent loss or unauthorized changes to the document.

6. Test and update the plan

You can’t possibly predict every scenario that might occur during a disaster. Doing a dry run is the best way to determine if your plan will work when you need it.

Stress test your plan through partial and full-scale recovery simulations. Use an after-action report to learn where there is room for improvement, then analyze, update, and retest different plans to find the best possible course of action. Conduct surprise drills to see how people and plans will function when an unexpected disaster strikes.

Southern Glazer's podcast Youtube cover image

Instill a Culture of Preparedness in Your Organization

Ideally, disaster recovery is more than a checklist or an annual compliance exercise. “It has to be built into your organizational DNA.” said Liuzzi. He goes on to say that your chances of success are higher when you “make it part of the business, not separate” and shares some of his best practices for disaster recovery.

Monitor for ongoing threats

As the world’s largest wine and spirits distributor, Southern Glazer’s needs to be alert 24/7 to manage its complex global supply chain. With ongoing threat intelligence, they are the first to know about all types of external risks—upcoming storms, wildfires in impacted areas, demonstrations, or geopolitical upsets. When contextual risk intelligence is built into your emergency preparedness, you’re not spending excessive time and resources monitoring and filtering through potential threats.

Nurture internal and external relationships before an incident happens

As Liuzzi attests from experience, running a successful business continuity program is about being prepared and building a culture where preparedness is not an afterthought. Part of building this level of safety culture is creating partnerships before an incident happens. For example, you could join an industry-specific safety organization. Support local fire, police, and emergency services departments at their events and work with them for company training.

Internally, nurturing a culture of emergency preparedness might look like:

Proactively providing access to resources like emergency kits and online tools for employee preparedness
Engaging employees in ongoing training, drills, and testing Promoting company values that include situational awareness and company resilience
Running disaster recovery tabletop exercises as part of a safety meeting
Partnering with your global security operations center ( GSOC ) and other org-wide teams to optimize backup and recovery plans
Winning buy-in from executive stakeholders by tying the value of business continuity to the data they care about

Optimize Your Business Continuity & Disaster Recovery Strategies

You can’t always avoid disasters, but you can prepare for them. A disaster recovery plan helps you recover what is lost (data, physical property, or something else) and get back to running smoothly as soon as possible. More importantly, educating your teams and building ongoing support for disaster recovery and continuity programs will go a long way in helping your organization respond quickly and effectively in an emergency.

Business Continuity Checklist

Please complete the form below to receive this resource.

Check Your Inbox!

The document you requested has been sent to your provided email address.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

IMAGES

How to create an effective business continuity plan?
Testing Business Continuity Plans Factsheet and Checklist
Free Business Continuity Plan Templates
FREE 12+ Sample Business Continuity Plan Templates in PDF
FREE 12+ Sample Business Continuity Plan Templates in PDF
How to create an effective business continuity plan?

VIDEO

NIS2 Business Continuity Plan
Business Continuity Plan
How to create an effective business continuity plan
Business Continuity Planning BCP
Task 10 of the Level 7 NVQ Diploma in Strategic Management & Leadership
Business Continuity Plan Template

COMMENTS

Comprehensive Guide to Business Continuity Testing
This article is a comprehensive guide to business continuity testing that presents a comprehensive set of practical methods you can implement at your organization. According to a 2019 study by BC Benchmark, 57% of companies stated that they test twice or four times a year. They do this because it helps to gain consistent buy-in throughout the company, which means that it will be more prepared ...
Business continuity plan maintenance: How to review, test and update
Reviewing, testing and updating your plan are all equally important stages. In other words, business continuity plan maintenance is crucial. Underpinning all of this is the need for reliable data on your organizational structure, people, systems and dependencies. Diligent's software suite can help you create the single source of truth you need ...
"Testing a Business Continuity Plan: Steps & Best Practices
This Guide details the essential steps and considerations to effectively test a business continuity plan, ensuring its reliability and effectiveness in the face of potential disasters and disruptions. Gain insights into the testing process, key elements to focus on, and tips for evaluating and improving your plan's resilience. In times of ...
6 Business Continuity Testing Scenarios
Strategic tests and these business continuity plan scenarios will help you to: Identify gaps or weaknesses in your BC plan. Confirm that your continuity objectives are met. Evaluate the company's response to various kinds of disruptive events. Improve systems and processes based on test findings.
Testing, testing: how to test your business continuity plan
Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan. Assign some people within the team to record the test's performance and any shortcomings that are identified. After the test, feedback should also be sought.
How to Test a Business Continuity Disaster Recovery (BCDR) Plan
The business continuity and disaster recovery test types that are appropriate for an organization will depend on a variety of factors, including its size and nature, available resources, and the stage of BCDR testing taking place. ... When advising customers on the levels of disaster recovery and business continuity plan testing they need, keep ...
The Ultimate Guide to Business Continuity Testing
Testing your business continuity program allows you to validate your BC plan and manage risks. In fact, 88% of companies test BCPs at their companies to identify gaps, and 63% of them do that to validate their plans. Business continuity testing isn't about pass or fail. It's about continuous improvement by learning from findings uncovered ...
ISO 22301 Business Continuity Management Made Easy
The ISO 22301 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification, or the review process that confirms your business continuity system meets all ISO 22301 requirements. ... Implement the recovery plan with detailed procedures, and test it regularly to verify that it ...
All about Business Continuity Planning
Business Continuity Plan Test Types. Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials. ...
How to create an effective business continuity plan
A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused ...
Free business continuity testing template for IT pros
The included business continuity testing template provides a starting point to prepare for and execute a test. It provides a testing framework without addressing a specific plan format. All phases of a test are included in the template: pre-test planning, test execution, post-test review and AAR preparation. The actual test activity, including ...
What Is A Business Continuity Plan? [+ Template & Examples]
A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders.
Business Continuity Planning
Business Continuity Plan Test Facilitator and Evaluator Handbook; Business Continuity Training Videos. The Business Continuity Planning Suite is no longer supported or available for download. Business Continuity Training Introduction. An overview of the concepts detailed within this training. Also, included is a humorous, short video that ...
Stress-Test Your Business Continuity Management
November 05, 2019. Recent events, such as the spread of coronavirus, demonstrate the importance of stress-testing business continuity management plans. The spread of a severe pneumonia now known to be COVID-19 through China and into other countries offers a timely reminder of the difficulty of planning for pandemic events and natural disasters.
Can we break it? 9 business continuity plan testing scenarios
6) Public health crisis. This is a larger-scope continuity testing scenario that businesses became well-acquainted with during the Covid-19 pandemic. As the coronavirus spread, organizations raced to adhere to critical health guidelines that ushered in a new era of remote work, virtually overnight.
How to Conduct Testing of a Business Continuity Plan
Test the Plan. Once you know that all your management and stakeholders are on the same page, test the plan. Have your employees visit your central communications hub to see if they can easily ...
Four Steps to Better Business Continuity Plan Testing
SBS recommends reviewing each of your emergency preparedness plans (business continuity, disaster recovery, incident response, and pandemic preparedness) throughout the course of a given year. Testing would typically include an annual tabletop test of all four individual EPP plans, testing multiple scenarios for threats you identify as a higher ...
Business Continuity Plan Testing Checklist
Evaluate and document results of full-scale test. In this task, evaluate and document the results of the full-scale test of your business continuity plan. Analyze the test findings, strengths, weaknesses, and recommendations to identify areas for improvement and enhancement. Consider the overall performance of the plan, the team, and the ...
How Testing Improves Your Business Continuity Plan
Testing your business continuity program allows you to validate your BC plan and manage risks. In fact, 88% of our online poll respondents test BCP's at their companies to identify gaps, and 63% of them do that to validate their plans. However, testing isn't about pass or fail. It's about continuous improvement.
PDF Overview of how to test a Business Continuity Plan
Level 3 is used to assess how well management and staff have performed the functions needed to create, implement, and maintain BCP/DRP plans and Test Plans. Level 4 is used to guide the creation of BCP/DRP Test Plans and to evaluate how well they were executed. Level 1 - Executive Awareness and Authority.
What Is a Business Continuity Plan (BCP), and How Does It Work?
Business Continuity Planning - BCP: The business continuity planning (BCP) is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that ...
How to test your business continuity plan
There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios or simulations. Checklist or walkthrough exercises. A checklist or walkthrough exercise is one of the easiest forms of test. It consists of a desktop exercise in which senior managers determine if the plan remains current by ...
3 Ways to Test Your Business Continuity Plan
The first set encompasses those key procedures, contacts, communications, and steps that should be done at the moment of business interruption and throughout any disaster in order to successfully execute on the Business Continuity Plan. The second set of checklists - your BCP Audit Lists - are the items and key information that should be ...
Disaster Recovery Plan [+Business Continuity Checklist]
A DR plan is more focused than a business continuity plan and does not necessarily cover all contingencies for business processes, assets, human resources, and external partners. ... Test and update the plan. You can't possibly predict every scenario that might occur during a disaster. Doing a dry run is the best way to determine if your plan ...

Business continuity plan maintenance: How to review, test and update your BCP

Is Business Continuity Plan Maintenance Important?

Questions You Should Ask When Scheduling BCP Reviews and Drills

The Importance of the Business Continuity Plan Review

Business Continuity Plan Testing Considerations and Best Practices

Business Continuity Plan Testing Types

How To Keep Your Business Continuity Plan Current

Maintain Confidence in Your BCP

Solutions Solutions

Resources Resources

Company Company

How to test a Business Continuity Plan

Why Test a Business Continuity Plan?

How to Test a Business Continuity Plan

How Fixinc Can Support Your Organization

Leading senior advisors guiding you to success.

Testing, testing: how to test your business continuity plan

Related Articles

How often should a business continuity plan be tested?

How can a business continuity plan be tested?

Checklist or walkthrough exercises

Desktop scenarios

Simulations

Organising a test

Solution for disruption

Sign up to get the latest in your inbox

About the author

Looking for some guidance? Join us for one of our upcoming seminars!

Please Wait...

Business Continuity Simplified

What Is Business Continuity Management?

What Is a Business Continuity Plan?

What Is Business Continuity Planning?

What Is the Primary Goal of Business Continuity Planning?

Business Continuity Planning Steps

The Business Continuity Management Lifecycle

What Are Business Continuity Risks or Events?

What Is a Business Continuity Strategy?

An Overview of Business Continuity Management and Planning

Key Elements of Business Continuity Management

The Costs of Business Continuity Management

Benefits of Business Continuity Management

Key Business Continuity Management and Planning Considerations

Primary Things Your Organization’s Business Continuity Management System Should Accomplish

The Importance of Senior Organizational Leaders Strongly Supporting Your Business Continuity Management and Planning

Business Continuity Plan Test Types

Business Continuity Management Policy Statement

Cultivating Awareness of Business Continuity Plans

What Is the Importance of a Business Continuity Plan?

How to Write a Business Continuity Plan

Business Continuity Plan Template

What Is a Business Impact Analysis and Why Is It an Important Part of a Business Continuity Plan?

Risk Mitigation for Business Continuity

The Importance of Periodically Testing an Organization’s Business Continuity Plan

What Is a Business Continuity Plan Governance Committee?

How to Cultivate Resilience in Your Organization

Real World Example: Lessons Learned About Business Continuity from the Terrorist Attacks of Sept. 11, 2001

Legislation Governing Some Business Continuity Management and Planning

Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning

What Is the Business Continuity Institute?

Improve Business Continuity Planning with Real-Time Work Management in Smartsheet

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Our Network

How to create an effective business continuity plan

What is a business continuity plan?

Why business continuity planning matters

Building (and updating) a business continuity plan

The importance of testing the business continuity plan

Types and timing of tests

How to ensure business continuity plan support, awareness

Related content

US proposes draft data privacy legislation

The C-suite is expanding — and IT leaders are stepping up

CIO Leadership Live Australia with Scott Andrews, Chief Operating Officer, Idea Science

Eaton CIO Katrina Redmond on optimizing AI and digital services

Tech layoffs continue, while AI prevents them from getting new jobs quickly

3 Leadership Tips: Adam Ennamli, Chief Risk Officer, General Bank of Canada

What Is A Business Continuity Plan? [+ Template & Examples]

What is a business continuity plan?

Business Continuity Plan Template