The threat of disruption comes in many forms for the modern organisation. Things like viruses, earthquakes and cyber attacks are bigger threats than ever. With technology playing an ever-increasing role in business processes and consumer expectations, there are more things that can go wrong. You’ll rarely be given any advance warning when a disruption occurs, so the only way to be prepared is to have a Business Continuity Plan (BCP). But what is a BCP, how does it work and how do you create one?

What is a BCP?

A BCP gives comprehensive guidance on the procedures and processes that must be followed in the event an organisation experiences a significant disruption. It must identify the risks that could cause issues for the organisation, such as:

– Economic issues
– Civil unrest
– Internal vulnerabilities
– Cyberattacks/Cybercrime
– Technological problems
– Extreme weather events
– Public health issues

Business disruption can come in many forms.

Every identified risk should be followed by a set of temporary measures and/or quick fixes to keep as many important business operations as functional as possible. Most organisations will prioritise their technologies, as things like online systems, network connections, phone lines, servers, business applications and network drives are all vulnerable to disruption. Furthermore, if something goes wrong with any of these technologies, it can cause serious problems across the entire business.

That said, business continuity planning is about more than just protecting IT functions. It centres around the critical activities that could instantly jeopardise your services and productivity if disrupted. Thus, IT is one of several resources that are essential for the preservation of those activities.

Restoring your IT could take some time, so it’s important to have plans in place for how business can keep going in the meantime. Temporary solutions can be low-tech ones, like carrying out processes with good old pen and paper. Whatever solutions you plan, they should be thoroughly documented in a BCP to inform employees of how to proceed.

What should be included in a BCP?

There are certain things any good BCP should cover. These are:

Purpose and scope:

You must establish the purpose of the plan and what it covers, particularly if your organisation includes subsidiaries and/or multiple locations. You may want to consider making separate plans for each subsidiary/location.

Responsibilities:

You must identify the employees who will be responsible for enacting the plan. Smaller organisations might only need a single leader, while larger organisations may need to nominate a group. You may also need to give authority to anyone who needs to handle the financial costs of disruption.

Plan invocation:

When and how will the plan come into effect? It’s not always clear whether a disruption meets the criteria, so you will need to document who starts the process and how to mobilise the response teams.

Development of the BCP:

This is where you put the meat onto the bones; the actions needed to recover from the disruptions you identify. You will need to carry out a risk assessment and a Business Impact Assessment (BIA) to identify threats and the impact they will have on your organisation. With this information to hand, you can outline the steps required for each disruption to protect people, contain the disruption and prevent further disturbance to priority activities.

Communication:

Plan for how internal and external communications will be maintained. This might include how to notify next of kin if your employees’ wellbeing is at risk. You will also want to plan for communications with the media.

Stakeholders: Your BCP should contain contact details of stakeholders, as they will need to be notified immediately following a disruption.

Document owner, approver and record of changes:

The BCP is owned by the business continuity manager, who takes responsibility for reviewing and testing the procedures.

Managing changes:

The plan should be available in both hard copy and digital formats, and all staff should have access. If changes are made, the digital and hard copy forms must be updated.

Doing it right

If you include everything listed above, the other key consideration is to test, or ‘validate’, it. You should test it at least twice a year to ensure it is still relevant. Having a business plan for preserving continuity following a disruption will help protect your organisation’s reputation, boost employee morale and strengthen relationships with third parties and subsidiaries. Every organisation should have a BCP – you will be glad of it if/when something happens. If you don’t have a BCP in place already, you should address that immediately to ensure your organisation can remain productive at all times.