This is the first of a blog series reviewing form & content of typical Business Continuity Plans – from basics to testing. While not intended to define any standard for BCPs, these articles should provide assistance for new Planners, and provoke the thought processes of experienced Planners. We begin by examining the basic content of a Business Continuity Plan.
Regardless of the type or intent of a Business Continuity Plan (and there are many), the following seven components should be incorporated in every Plan:
1. Initial Response
When something disrupts day-to-day operations, everyone should understand what – if anything – they should do immediately. By planning for that – and exercising it – no one will be running in circles muttering “What’ll we do? What’ll we do?”
Whoever notices the ‘event’ should know what to do (like calling 911, alerting Security, pulling the fire alarm, etc.). Protocols for alerting the proper decision-makers should be planned (along with contact information for those decision-makers).
The Initial Response should also include a clear plan for who will be ‘in charge’. Whether that’s locally, regionally, or corporately, making it clear ensures that all participants will understand – and the chance of an Alexander Haig incident will be reduced.
Every disruption – regardless of cause – needs the same treatment: Containment – to prevent the situation from getting worse.
This involves understanding what happened, the cause of the event – and its potential impact if left unchecked. Like containing wildfires, containment needs to be a simple procedure; there’s no time to get caught up in analysis/paralysis, or to delay decisions while awaiting more detailed information.
Assess the impact, determine how to stop the bleeding and figure out what short-term and medium-term goals are appropriate to the situation.
Once an Impact Assessment has been conducted, what services need to be restored will become evident.
Linking the plan to the services/assets it is designed to recover (or continue) enables the Incident Management Team (IMT) to determine which Plans to activate.
Who is responsible for the Plan? Who will be contacted by the IMT? What will they do, where will they do it, and with whom?
In response to an incident, multiple stakeholders might initiate various actions to stabilize and/or restore services. This could be a diverse group of responders coordinating across multiple geographically dispersed locations. Timely communication between the various responders is critical to effective incident response.
Communications during an incident response may be to:
- Alert potential stakeholders
- Notify management
- Invoke responders
- Update current state of restoration activities
- Report to senior management
- Facilitate collaboration among responders
Every Plan should ensure that communication is emphasized and that protocols define when in the recovery process it is appropriate, who is responsible for initiation, and who is the target of the notification.
5. Planned Response
After the Initial Response activities and completion of initial Assessment, Incident managers might ‘declare a disaster’ and invoke Business Continuity Plans – The Planned Response. The scope of The Planned Response should include:
- What is the incident scenario or is it a combination of scenarios?
- What are the true impacts and the causality / downstream impacts?
- What are the available response strategies?
- Are Resources (Work areas, people, technology, supplies …) available to deliver the planned response?
- Protocols to monitor, measure & manage the recovery efforts
6. Extended Response
While you may plan for a specific RTO, actual recovery may take longer; perhaps days, perhaps weeks, or even months longer.
Be prepared for an extended response – even though you don’t expect it (after all, isn’t a Business Continuity Plan supposed to be about preparing for the unexpected?).
What resources (facilities, people, supplies, suppliers, technology, equipment …) will you need to sustain a lengthy recovery? Also plan for rotating staff, roles & responsibilities and task hand-offs for an extended response.
Be prepared to work with – or under the direction of – others outside your organization. In an event that impacts more than your organization, local, regional or federal authorities may assume command of the response. A simple acknowledgement of that possibility – and how you’ll deal with it – should be included in your plan.
7. Return to Normal
When a disruptive event ends, it’s not like a football game. There’s no final whistle, and there are questions that will need to be answered:
- Is the return to ‘normal’ or a ‘new normal’?
- How will back-logs of work be reduced?
- How will work be divided between ‘normal’ operations and post-event catch-up tasks?
- How will information – for insurance and regulatory purposes – be collected?
No two Business Continuity Plans are alike, but all can benefit from considering these seven components. In many cases, smaller plans – containing only some of these components – may be rolled up into a larger Plan that, with their inclusion, contains them all.