Preparing A Business Continuity Plan

Preparing The Business Continuity Plan

Why Businesses Need A BCP?

Business Continuity Planning is not a new concept. It has been around since at least the 1970s, when it was known as ‘Disaster Planning’. The fundamental idea is that it is possible to devise plans to keep a company running, even at a minimal level, should anything stop normal operations.

Today, the more friendly term, Business Continuity Planning (“BCP”) is used, while Disaster Planning has become a subset of BCP. There are standards for BCP, the ISO 223XX and equivalent UK and EU standards for example. Some have been developed by industry groups such as ISACA and Federal institutions and councils.

Right now, with a move to e-commerce and implementing work from home and remote access facilities for staff and customers, a company is facing a broader range of risks principally because it is even more critically dependent on its IT infrastructure.

The broad type and range of events that can affect a business has increased greatly. For example, regulatory changes in the Finance and Pharmaceutical industries demand increasing levels of compliance, and non-compliance could stop a business in its tracks.

Finally, the post-pandemic environment is more competitive, and non-availability for even a short time could be a disaster for a company.

A BCP is essential to keep a business running when disaster strikes.

Key Elements Of A BCP

A BCP has several key components; resilience, recovery and contingency:

  • Resilience is organising functions and infrastructure so that the effects of a crisis are minimised. In IT, this is ensuring that valid and up to date backups of systems and data are available. Resilience can include rotating staff so that there is always some institutional knowledge available. Available diesel generators to cover power failures is another example.
  • Recovery is setting up systems and objectives to ensure a rapid return from a disaster. This may include setting recovery time objectives for recovery objectives. Developing a hierarchy of need will define the order in which the various elements are recovered.
  • Outsourcing of some activities could be a strategy for recovery, and if space is required, converting spaces to host mission-critical systems. Beware though, one UK company was fined heavily by the local municipality for placing temporary offices (Portacabins) in a car park without advance permission.
  • Contingency is the setting of procedures to cover a variety of external situations. In the above example, a contingency procedure would be to ask the Municipality for temporary emergency permission to put the Portacabins in the car park. Other examples could include planning with suppliers for the temporary use of equipment or finding temporary accommodation. One useful thing to have is a chain of command list setting out delegated responsibilities in a variety of situations.

What Is In A BCP

The first thing to take on board is that this is an organisation-wide exercise. Some departments, for example, Finance or IT will have detailed plans of their own, but the entire organisation from top management down will participate.

The second thing is that this is not a one-off exercise. Circumstances change, and the changes might affect the BCP.

Far too many BCPs are prepared and stored in a cupboard where they gather dust until needed. Over time they become out of date. A regular program of review and update is essential.

A typical BCP will therefore have:

  1. A Version Control Sheet, updated at each regular review meeting.
  2. An Executive Summary, stating the purpose of the document and a high-level summary of the actions needed.
  3. An action plan for senior management when the BCP is invoked.
  4. Company-wide and for each department:
    1. A set of risk analysis documents setting out
      1. Potential risks.
      2. The likelihood of their occurring.
  5. Prevention methods and their associated costs
  6. Contingencies; and
  7. Recovery methods and their associated costs.
  8. Statements setting out how the risk documentation meets resilience, recovery, and contingency procedures.
  9. A list of key staff and their contact details.
  10. Instructions for invoking the BCP.

The document can be digital. However, keep a paper copy or two in case the crisis you are facing means the digital copy is unavailable.

How To Get One

The first step is to put someone in overall charge. It could be an individual in a small business or a team in a larger organisation. There are software packages to help with BCP management, both in-house and Cloud-based. The software can assist with the process by providing guidance on the processes to be followed, a route map to completion, and making helpful suggestions. Industry pundits confidently expect AI-driven software to make an appearance over the next few years.

Remember that this is not a one-off exercise when choosing the BCP champions and that the process owner or team will be around for a while, updating the BCP to reflect changing circumstances.

The next step is in essence a Business Intelligence exercise, looking at business processes and identifying where risks could arise, followed by the creation of prevention, contingency, and recovery actions. It is useful to try to cost each to see if it makes more sense to let something happen and clear up afterwards, or pay for preventative measures for a risk that might happen very rarely.

A word about education. Part of the BCP preparation process is bringing the staff with you, a process best done through regular communication. When the BCP process is complete, it is essential to conduct some training exercises to test the BCP procedures. After all, the worst time to find out they don’t work is when there is a real crisis. Training exercises will help staff know what to do in the event of a real crisis.

A test could be a simulation exercise, or an unannounced full-scale test itself. In the Portacabin example above, staff arrived at the office one morning to find the doors locked and that they must now invoke the BCP.

That exercise was followed by a serious review of the outcome and some revisions to the BCP. One revision was to set up a regular testing schedule.

To summarise the key points:

  1. Every business must have a BCP
  2. The BCP should be under continual revision and update.

Our Specialist Consultants Are Here To Help

If you would like to know more about this process, and how it can specifically help your company both survive and thrive under challenging conditions, then please contact Anitech’s specialist specialist consultants today by filling out this simple online Contact Us form, or by calling us on 1300 802 163.

They can go through this process with you in detail, answer your questions, and explain to you how your business could directly benefit from this process.


We can help you to get your business ISO Certified.

    Leave your details and we will be in touch with you within 24 hours.

    GET IN TOUCHAnitech Social Links
    Taking seamless key performance indicators offline to maximise the long tail.

    Copyright @ 2020. All Rights reserved.