7 Things Every Business Continuity Plan Should Contain

This is the first of a blog series reviewing form & content of typical Business Continuity Plans – from basics to testing.  While not intended to define any standard for BCP’s, these articles should provide assistance for new Planners, and provoke the thought processes of experienced Planners.  We begin by examining the basic content of a Business Continuity Plan.

Regardless of the type or intent of a Business Continuity Plan (and there are many), the following seven components should be incorporated in every Plan:

1.       Initial Response

When something disrupts day-to-day operations, everyone should understand what – if anything – they should do immediately.  By planning for that – and exercising it – no one will be running in circles muttering “What’ll we do?  What’ll we do?

Whoever notices the ‘event’ should know what to do (like calling 911, alerting Security, pulling the fire alarm, etc.).  Protocols for alerting the proper decision-makers should be planned (along with contact information for those decisions-makers).

The Initial Response should also include a clear plan for who will be ‘in charge’.  Whether that’s locally, regionally, or corporately, making it clear to all participants will understand – and the chance of an Alexander Haig  incident will be alleviated.

2.       Stabilization

Every disruption – regardless of cause – needs the same treatment: Containment– to prevent the situation from getting worse.

This involves understanding what happened, the cause of the event – and its potential impact if left unchecked.  Like containing wildfires, containment needs to be a simple procedure; there’s no time to get caught up in analysis/paralysis, or to delay decisions while awaiting more detailed information.

Assess the impact, determine how to stop the bleeding and figure out what short-term and medium-term goals are appropriate to the situation.

3.       Activation

Once an Impact Assessment has been conducted, what services need to be restored will become evident.

Linking the plan to the services/assets it is designed to recover (or continue) enables the Incident Management Team (IMT) to determine which Plans to activate.

Who is responsible for the Plan?  Who will be contacted by the IMT?  What will they do, where will they do it, and with whom?

4.       Communication

In response to an incident, multiple stakeholders might initiate various actions to stabilize and or restore services. This could be a diverse group of responders coordinating across multiple geographically dispersed locations.  Timely communication between the various respondents is critical to effective incident response.

Communications during an incident response may be to

  • Alert potential stakeholders,
  • Notify management,
  • Invoke responders,
  • Update current state of restoration activities,
  • Report to senior management
  • Facilitate collaboration among responders.

Every Plan should ensure that communication is emphasized and protocols are defined as to when in the recovery process  is it appropriate, who is responsible for initiation and who is the target of the notification.

5.       Planned Response

After the Initial Response activities and completion of initial Assessment, Incident managers might ‘declare a disaster’ and invoke Business Continuity Plans – The Planned Response. The scope of The Planned Response should include:

  • What is the incident scenario or is it a combination of scenarios?
  • What are the true impacts and the causality / downstream impacts?
  • What are the available response strategies?
  • Are Resources (Work areas, people, technology, supplies …) available to deliver the planned response.
  • Protocols to monitor, measure & manage the recovery efforts

6.       Extended Response

While you may plan for a specific RTO, actual recovery may take longer; perhaps days, perhaps weeks, or even months longer.

Be prepared for an extended response – even though you don’t expect it (after all, isn’t a Business Continuity Plan supposed to be about preparing for the unexpected?).

What resources (facilities, people, supplies, suppliers, technology, equipment … ) will you need to sustain a lengthy recovery?  Also plan for rotating staff, roles & responsibilities and task hand-offs for extended response.

Be prepared to work with – or under the direction of – others outside your organization.  In an event that impacts more than your organization, local, regional or federal authorities may assume command of the response.  A simple acknowledgement of that possibility – and how you’ll deal with it – should be included in your plan.

7.       Return to Normal

When a disruptive event ends, it’s not like a football game.  There’s no final whistle and there are questions that will need to be answered:

  •  Is the return to ‘normal’ or a ‘new normal’?
  • How will back-logs of work be reduced?
  • How will work be divided between ‘normal’ operations and post-event catch-up tasks?
  • How will information – for insurance and regulatory purposes – be collected?

No two Business Continuity Plans are alike, but all can benefit from considering these seven components.  In many cases, smaller plans –containing only some of these components – may be rolled up into a larger Plan that, with their inclusion, contains them all.

SHARE:
eBRP Thoughts

eBRP Thoughts

eBRP Thoughts, eBRP’s Blog voice, represents 50 + years of cumulative BCM knowledge gained through experience in corporate BCM program management, consulting & program implementations. We've worked hand-in-hand with governments and private enterprises to develop viable BCM programs. eBRP is an active participant on LinkedIn and Twitter. The opinions expressed in our eBRP.net blog are ours and are intended to engage resiliency planners in conversations about the BCM industry, its standards and its future.

Related Posts

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…
The BCM Challenge: Executive Buy-In

The BCM Challenge: Executive Buy-In

As a Business Continuity Management (BCM) solution provider, the first…
DR Plans – The What, When & Who

DR Plans - The What, When & Who

As a Business Continuity practitioner with more than 20 years…
Disaster Recovery – Exercised

Disaster Recovery - Exercised

As part of its Resiliency program, one of our clients…
You have a Risk Department.  Why do YOU conduct Risk Assessments?

You have a Risk Department. Why do...

If you’re new to Business Continuity, you have a lot…