Preparing A Business Continuity Plan

A BCP has several key components; resilience, recovery and contingency:

• Resilience is organising functions and infrastructure so that the effects of a crisis are minimised. In IT, this is ensuring that valid and up to date backups of systems and data are available. Resilience can include rotating staff so that there is always some institutional knowledge available. Available diesel generators to cover power failures is another example.
• Recovery is setting up systems and objectives to ensure a rapid return from a disaster. This may include setting recovery time objectives for recovery objectives. Developing a hierarchy of need will define the order in which the various elements are recovered.
• Outsourcing of some activities could be a strategy for recovery, and if space is required, converting spaces to host mission-critical systems. Beware though, one UK company was fined heavily by the local municipality for placing temporary offices (Portacabins) in a car park without advance permission.
• Contingency is the setting of procedures to cover a variety of external situations. In the above example, a contingency procedure would be to ask the Municipality for temporary emergency permission to put the Portacabins in the car park. Other examples could include planning with suppliers for the temporary use of equipment or finding temporary accommodation. One useful thing to have is a chain of command list setting out delegated responsibilities in a variety of situations.

The first thing to take on board is that this is an organisation-wide exercise. Some departments, for example, Finance or IT will have detailed plans of their own, but the entire organisation from top management down will participate.

The second thing is that this is not a one-off exercise. Circumstances change, and the changes might affect the BCP.

Far too many BCPs are prepared and stored in a cupboard where they gather dust until needed. Over time they become out of date. A regular program of review and update is essential.

1. A Version Control Sheet, updated at each regular review meeting.
2. An Executive Summary, stating the purpose of the document and a high-level summary of the actions needed.
3. An action plan for senior management when the BCP is invoked.
4. Company-wide and for each department:
   1. A set of risk analysis documents setting out
      1. Potential risks.
      2. The likelihood of their occurring.
5. Prevention methods and their associated costs
6. Contingencies; and
7. Recovery methods and their associated costs.
8. Statements setting out how the risk documentation meets resilience, recovery, and contingency procedures.
9. A list of key staff and their contact details.
10. Instructions for invoking the BCP.

The document can be digital. However, keep a paper copy or two in case the crisis you are facing means the digital copy is unavailable.

The first step is to put someone in overall charge. It could be an individual in a small business or a team in a larger organisation. There are software packages to help with BCP management, both in-house and Cloud-based. The software can assist with the process by providing guidance on the processes to be followed, a route map to completion, and making helpful suggestions. Industry pundits confidently expect AI-driven software to make an appearance over the next few years.

Remember that this is not a one-off exercise when choosing the BCP champions and that the process owner or team will be around for a while, updating the BCP to reflect changing circumstances.

The next step is in essence a Business Intelligence exercise, looking at business processes and identifying where risks could arise, followed by the creation of prevention, contingency, and recovery actions. It is useful to try to cost each to see if it makes more sense to let something happen and clear up afterwards, or pay for preventative measures for a risk that might happen very rarely.

A word about education. Part of the BCP preparation process is bringing the staff with you, a process best done through regular communication. When the BCP process is complete, it is essential to conduct some training exercises to test the BCP procedures. After all, the worst time to find out they don’t work is when there is a real crisis. Training exercises will help staff know what to do in the event of a real crisis.

A test could be a simulation exercise, or an unannounced full-scale test itself. In the Portacabin example above, staff arrived at the office one morning to find the doors locked and that they must now invoke the BCP.

That exercise was followed by a serious review of the outcome and some revisions to the BCP. One revision was to set up a regular testing schedule.

1. Every business must have a BCP
2. The BCP should be under continual revision and update.