- Search Search Please fill out this field.
- Business Continuity Plan Basics
- Understanding BCPs
- Benefits of BCPs
- How to Create a BCP
- BCP & Impact Analysis
- BCP vs. Disaster Recovery Plan
Frequently Asked Questions
- Business Continuity Plan FAQs
The Bottom Line
What Is a Business Continuity Plan (BCP), and How Does It Work?
Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.
Investopedia / Ryan Oakley
What Is a Business Continuity Plan (BCP)?
A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
- Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
- BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
- BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.
Understanding Business Continuity Plans (BCPs)
BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure they work
- Reviewing the process to make sure that it is up to date
BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.
Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.
Benefits of a Business Continuity Plan
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.
Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.
An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.
How to Create a Business Continuity Plan
There are several steps many companies must follow to develop a solid BCP. They include:
- Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
- Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
- Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
- Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.
Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.
Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be identified and corrected.
In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.
Business Continuity Impact Analysis
An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:
- The impacts—both financial and operational—that stem from the loss of individual business functions and process
- Identifying when the loss of a function or process would result in the identified business impacts
Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”
Business Continuity Plan vs. Disaster Recovery Plan
BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.
BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.
Why Is Business Continuity Plan (BCP) Important?
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.
What Should a Business Continuity Plan (BCP) Include?
Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.
What Is Business Continuity Impact Analysis?
An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.
These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.
Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.
Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ," Pages 15 - 17. Accessed Sept. 5, 2021.
Government & Policy
Stocks & Bond News
- Editorial Policy
- Do Not Sell My Personal Information
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Business Continuity Plan
Business Continuity Planning Process Diagram - Text Version
When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Information technology (IT) includes many components such as networks, servers, desktop and laptop computers and wireless devices. The ability to run both office productivity and enterprise software is critical. Therefore, recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
Resources for Business Continuity Planning
- Standard on Disaster/Emergency Management and Business Continuity Programs - National Fire Protection Association (NFPA) 1600
- Professional Practices for Business Continuity Professionals - DRI International (non-profit business continuity education and certification body)
- Continuity Guidance Circular - Federal Emergency Management Agency
- Open for Business® Toolkit - Institute for Business & Home Safety
Business Continuity Impact Analysis
Business continuity impact analysis identifies the effects resulting from disruption of business functions and processes. It also uses information to make decisions about recovery priorities and strategies.
The Operational & Financial Impacts worksheet can be used to capture this information as discussed in Business Impact Analysis . The worksheet should be completed by business function and process managers with sufficient knowledge of the business. Once all worksheets are completed, the worksheets can be tabulated to summarize:
- the operational and financial impacts resulting from the loss of individual business functions and process
- the point in time when loss of a function or process would result in the identified business impacts
Those functions or processes with the highest potential operational and financial impacts become priorities for restoration. The point in time when a function or process must be recovered, before unacceptable consequences could occur, is often referred to as the “Recovery Time Objective.”
Resource Required to Support Recovery Strategies
Recovery of a critical or time-sensitive process requires resources. The Business Continuity Resource Requirements worksheet should be completed by business function and process managers. Completed worksheets are used to determine the resource requirements for recovery strategies.
Following an incident that disrupts business operations, resources will be needed to carry out recovery strategies and to restore normal business operations. Resources can come from within the business or be provided by third parties. Resources include:
- Office space, furniture and equipment
- Technology (computers, peripherals, communication equipment, software and data)
- Vital records (electronic and hard copy)
- Production facilities, machinery and equipment
- Inventory including raw materials, finished goods and goods in production.
- Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
- Third party services
Since all resources cannot be replaced immediately following a loss, managers should estimate the resources that will be needed in the hours, days and weeks following an incident.
Conducting the Business Continuity Impact Analysis
The worksheets Operational and Financial Impacts and Business Continuity Resource Requirements should be distributed to business process managers along with instructions about the process and how the information will be used. After all managers have completed their worksheets, information should be reviewed. Gaps or inconsistencies should be identified. Meetings with individual managers should be held to clarify information and obtain missing information.
After all worksheets have been completed and validated, the priorities for restoration of business processes should be identified. Primary and dependent resource requirements should also be identified. This information will be used to develop recovery strategies.
If a facility is damaged, production machinery breaks down, a supplier fails to deliver or information technology is disrupted, business is impacted and the financial losses can begin to grow. Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis .
Recovery strategies require resources including people, facilities, equipment, materials and information technology. An analysis of the resources required to execute recovery strategies should be conducted to identify gaps. For example, if a machine fails but other machines are readily available to make up lost production, then there is no resource gap. However, if all machines are lost due to a flood, and insufficient undamaged inventory is available to meet customer demand until production is restored, production might be made up by machines at another facility—whether owned or contracted.
Strategies may involve contracting with third parties, entering into partnership or reciprocal agreements or displacing other activities within the company. Staff with in-depth knowledge of business functions and processes are in the best position to determine what will work. Possible alternatives should be explored and presented to management for approval and to decide how much to spend.
Depending upon the size of the company and resources available, there may be many recovery strategies that can be explored.
Utilization of other owned or controlled facilities performing similar work is one option. Operations may be relocated to an alternate site - assuming both are not impacted by the same incident. This strategy also assumes that the surviving site has the resources and capacity to assume the work of the impacted site. Prioritization of production or service levels, providing additional staff and resources and other action would be needed if capacity at the second site is inadequate.
Telecommuting is a strategy employed when staff can work from home through remote connectivity. It can be used in combination with other strategies to reduce alternate site requirements. This strategy requires ensuring telecommuters have a suitable home work environment and are equipped with or have access to a computer with required applications and data, peripherals, and a secure broadband connection.
In an emergency, space at another facility can be put to use. Cafeterias, conference rooms and training rooms can be converted to office space or to other uses when needed. Equipping converted space with furnishings, equipment, power, connectivity and other resources would be required to meet the needs of workers.
Partnership or reciprocal agreements can be arranged with other businesses or organizations that can support each other in the event of a disaster. Assuming space is available, issues such as the capacity and connectivity of telecommunications and information technology, protection of privacy and intellectual property, the impacts to each other’s operation and allocating expenses must be addressed. Agreements should be negotiated in writing and documented in the business continuity plan. Periodic review of the agreement is needed to determine if there is a change in the ability of each party to support the other.
There are many vendors that support business continuity and information technology recovery strategies. External suppliers can provide a full business environment including office space and live data centers ready to be occupied. Other options include provision of technology equipped office trailers, replacement machinery and other equipment. The availability and cost of these options can be affected when a regional disaster results in competition for these resources.
There are multiple strategies for recovery of manufacturing operations. Many of these strategies include use of existing owned or leased facilities. Manufacturing strategies include:
- Shifting production from one facility to another
- Increasing manufacturing output at operational facilities
- Retooling production from one item to another
- Prioritization of production—by profit margin or customer relationship
- Maintaining higher raw materials or finished goods inventory
- Reallocating existing inventory, repurchase or buyback of inventory
- Limiting orders (e.g., maximum order size or unit quantity)
- Contracting with third parties
- Purchasing business interruption insurance
There are many factors to consider in manufacturing recovery strategies:
- Will a facility be available when needed?
- How much time will it take to shift production from one product to another?
- How much will it cost to shift production from one product to another?
- How much revenue would be lost when displacing other production?
- How much extra time will it take to receive raw materials or ship finished goods to customers? Will the extra time impact customer relationships?
- Are there any regulations that would restrict shifting production?
- What quality issues could arise if production is shifted or outsourced?
- Are there any long-term consequences associated with a strategy?
Resources for Developing Recovery Strategies
- The Telework Coalition (America’s leading nonprofit telework education and advocacy organization)
Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now? If the staff is equipped with paper order forms, order processing can continue until the electronic system comes back up and no phone orders will be lost.
The order forms and procedures for using them are examples of “manual workarounds.” These workarounds are recovery strategies for use when information technology resources are not available.
Developing Manual Workarounds
Identify the steps in the automated process - creating a diagram of the process can help. Consider the following aspects of information and work flow:
Internal Interfaces (department, person, activity and resource requirements)
- External Interfaces (company, contact person, activity and resource requirements)
- Tasks (in sequential order)
- Manual intervention points
Create data collection forms to capture information and define processes for manual handling of the information collected. Establish control logs to document transactions and track their progress through the manual system.
Manual workarounds require manual labor, so you may need to reassign staff or bring in temporary assistance.
Last Updated: 05/26/2021
Return to top
- Artificial Intelligence
- Business Operations
- Cloud Computing
- Data Center
- Data Management
- Emerging Technology
- Enterprise Applications
- IT Leadership
- Digital Transformation
- IT Strategy
- IT Management
- Diversity and Inclusion
- IT Operations
- Project Management
- Software Development
- Vendors and Providers
- United States
- Middle East
- United Kingdom
- New Zealand
- Data Analytics & AI
- Foundry Careers
- Member Preferences
- About AdChoices
- Your California Privacy Rights
- Network World
How to create an effective business continuity plan
A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. Here's how to create one that gives your business the best chance of surviving such an event.
We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn’t just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.
What is business continuity?
Business continuity refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Many people think a disaster recovery plan is the same as a business continuity plan, but a disaster recovery plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It’s actually just one part of a complete business continuity plan, as a business continuity plan looks at the continuity of the entire organization.
Do you have a way to get HR, manufacturing and sales and support functionally up and running so the company can continue to make money right after a disaster? For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? The BC plan addresses these types of concerns.
Note that a business impact analysis is another part of a business continuity plan. A business impact analysis identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your business continuity plan, which can come with its own risks. The business impact analysis essentially helps you look at your entire organization’s processes and determine which are most important.
Why business continuity planning matters
Whether you operate a small business or a large corporation, you strive to remain competitive. It’s vital to retain current customers while increasing your customer base — and there’s no better test of your capability to do so than right after an adverse event.
Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.
“There’s an increase in consumer and regulatory expectations for security today,” says Lorraine O’Donnell, global head of business continuity at Experian. “Organizations must understand the processes within the business and the impact of the loss of these processes over time. These losses can be financial, legal, reputational and regulatory. The risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence. Build your recovery strategy around the allowable downtime for these processes.”
Anatomy of a business continuity plan
If your organization doesn’t have a business continuity plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a business impact analysis.
Next, develop a plan. This involves six general steps:
- Identify the scope of the plan.
- Identify key business areas.
- Identify critical functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function.
- Create a plan to maintain operations.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
Remember that the disaster recovery plan is part of the business continuity plan, so developing a disaster recovery plan if you don’t already have one should be part of your process. And if you do already have a disaster recovery plan, don’t assume that all requirements have been factored in, O’Donnell warns. You need to be sure that restoration time is defined and “make sure it aligns with business expectations.”
As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share “war stories” and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid plan.
The importance of testing your business continuity plan
Testing a plan is the only way to truly know it will work, says O’Donnell. “Obviously, a real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve.”
You have to rigorously test a plan to know if it’s complete and will fulfill its intended purpose. In fact, O’Donnell suggests you try to break it. “Don’t go for an easy scenario; always make it credible but challenging. This is the only way to improve. Also, ensure the objectives are measurable and stretching. Doing the minimum and ‘getting away with it’ just leads to a weak plan and no confidence in a real incident.”
Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.
Common tests include tabletop exercises , structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.
In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
It’s also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.
Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.
During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.
Review and improve your business continuity plan
Much effort goes into creating and initially testing a business continuity plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you’ve had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.
How to ensure business continuity plan support, awareness
One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts? Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.
How to overcome the data silo challenge, a feat of skill: moving sap workloads to the cloud, a critical next phase of cloud transformation: reducing wan complexity, healthcare providers focus on quality for the next phase of digital transformation, from our editors straight to your inbox, show me more, the raci matrix: your blueprint for project success.
What is an SLA? Best practices for service-level agreements
United Airlines gives employees the digital tools to make customers happy
CIO Leadership Live with George Eapen, Group Chief Information Officer at Petrofac
CIO Leadership Live with Marc Hale, Chief Technology Officer, AIA NZ
CIO Leadership Live with CIO/CTO Kirk Ball of Giant Eagle
- Lenovo Late Night I.T. - Emmy-nominated host Baratunde Thurston is back at it for Season 2, hanging out after hours with tech titans for an unfiltered, no-BS chat.
- dtSearch® - INSTANTLY SEARCH TERABYTES of files, emails, databases, web data. 25+ search types; Win/Lin/Mac SDK; hundreds of reviews; full evaluations
- Discover why the worlds most essential organizations rely on NETSCOUTs Visibility Without Borders platform to keep their networks secure, available, and unstoppable.
- Disaster recovery planning and management
business continuity plan (BCP)
- Vicki-Lynn Brunskill
What is a business continuity plan (BCP)?
A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them. It should consider any possible business disruption.
A BCP covers risks including cyber attacks , pandemics, natural disasters and human error. The array of possible risks makes it vital for an organization to have a business continuity plan to preserve its health and reputation. A proper BCP decreases the chance of a costly power outage or IT outage.
IT administrators often create the plan. However, the executive staff participate in the process, providing knowledge of the company and oversight. They also ensure the BCP is regularly updated.
This article is part of
What is BCDR? Business continuity and disaster recovery guide
- Which also includes:
- Business resilience vs. business continuity: Key differences
- A free business continuity plan template and guide
- Preparing an annual schedule of business continuity activities
Download this entire guide for FREE now!
Importance of business continuity planning
Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its organization in times of crisis. The creation of a business continuity program ensures company leaders can react quickly and efficiently to business interruption .
A BCP enables a company to continue to serve customers during a crisis and minimize the likelihood of customers going to competitors. These plans decrease business downtime and outline the steps to be taken -- before, during and after an emergency -- to maintain the company's financial viability.
Elements of a business continuity plan
According to business continuity consultant Paul Kirvan, a BCP should contain the following items:
- initial data at the beginning of the plan, including important contact information;
- a revision management process that describes change management procedures;
- the purpose and scope;
- how to use the plan, including guidelines as to when the plan will be initiated;
- policy information;
- emergency response and management procedures;
- step-by-step procedures;
- checklists and flow diagrams;
- a glossary of terms used in the plan; and
- a schedule for reviewing, testing and updating the plan.
In the book Business Continuity and Disaster Recovery Planning for IT Professionals , Susan Snedaker recommends asking the following questions:
- How would the organization function if desktops, laptops, servers, email and internet access were unavailable?
- What single points of failure exist?
- What risk controls and risk management systems are in place?
- What are the critical outsourced relationships and dependencies?
- During a disruption, what workarounds are there for key business processes and internal functions, such as human resources?
- What is the minimum number of staff needed to run data center and other operations, and what functions would they need to carry out?
- What are the key skills, knowledge and expertise needed to recover?
- What critical security or operational controls are needed if computer systems are down?
Business continuity planning steps
The business continuity planning lifecycle contains these five steps:
- Information gathering and analysis, featuring business impact analysis (BIA) and risk assessment (RA);
- plan development and design;
- testing; and
- maintenance and updating.
Once the business has started the planning process, it launches the BIA and RA processes to collect important data. The BIA defines the critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening, and the possible damage they could cause.
The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response.
The BCP should not be overly complex and does not need to be hundreds of pages long; it should contain just the right amount of information to keep the business running. Small businesses can use a one-page plan with all the necessary details. That can be more helpful than a long plan that is difficult to use. Those details should include the following:
- minimum resources needed for business continuity;
- locations where that can take place;
- personnel needed to accomplish it; and
- potential costs.
Key implementation steps
The four steps involved in implementing a BCP are the following:
- Oversight. Decide who will oversee the plan. Ideally, a BCP committee will include business, security and IT leaders.
- Analysis. Conduct the BIA.
- Who will be affected by a business disruption?
- Who holds a hard copy of contact information for top customers and clients?
- How and when will customers, employees and management be notified?
- What are the alternative means of communication if phones go down?
- Which employees are needed for the restoration of critical business functions and how will they be reached or relocated?
- Which critical products and services should the company focus on restoring first?
- What issues must be addressed within the first 24 to 48 hours?
- Does every team and department have its own BCP? Who is in charge of each?
- What is the emergency succession plan for senior staff, including the CEO?
- Which employees will perform emergency tasks?
- Where will off-site crisis meetings take place?
- Who will interact with local emergency responders, such as firefighters and police?
- Who are the key vendors, including data backup providers?
- Initial response. This defines how the company will respond to the business interruption within the first hours. This is the period when team members are contacted and the BCP is activated.
- Relocation. During this stage, alternate facilities are activated and work-at-home policies implemented.
- Recovery. Once personnel and equipment have been relocated, the assessment of damage and monitoring of business recovery begins. The recovery strategy must consider the organization's recovery time objective , or RTO, which is the maximum time IT systems can be down after a failure, as well as its recovery point objective , or RPO, which is the maximum data loss the organization can tolerate.
- Restoration. Personnel return to the original workplace or an alternate site. The company undertakes infrastructure verification, documents the incident and reviews lessons learned.
An organization's technology, processes, staff and facilities constantly change. Therefore, regular testing, reviewing and updating of a BCP is critical. Plan testing should be undertaken using tabletop exercises, walk-throughs, practice crisis management communications and emergency enactments to test the viability of the plan and to see how employees and executives react under stress.
Regular testing and maintenance ensure the BCP is current and accurate. A simple test of a business continuity plan might involve talking through it. A complex test requires a full run-through of what will happen in the event of a business disruption.
The test can be planned in advance or it can be done spur of the moment to better simulate an unplanned event. If issues arise during testing, the plan should be corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.
A business continuity plan must be continually improved; updates should not wait for a crisis. Staff members involved in the plan must get regular updates and business continuity training . An internal or external business continuity plan audit should be used to evaluate the effectiveness of the BCP and highlight areas for improvement.
For specific BCP testing steps, download the guide Business continuity and disaster recovery testing templates .
Business continuity planning software, tools and trends
There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. Which approach an organization should take depends on the complexity of the business continuity planning task, the amount of time and personnel available, and the budget. Before making a purchase, it is advisable to research both products and vendors, evaluate demos, and talk to other users.
For more complicated functions, business continuity planning software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its Business Continuity Planning Suite. Other business continuity software vendors include Castellan, formed from the merger of Assurance, Avalution and ClearView in 2020; CLDigital, formerly Continuity Logic; Fusion Risk Management; Quantivate; and Sungard Availability Services.
The Federal Financial Institutions Examination Council's Business Continuity Management booklet contains guidance on plan development, testing, standards and training for both financial and nonfinancial organizations.
Free download of BCP template
The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it is advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management and strategic planning.
Business continuity planning must also take into account emerging and growing technologies, such as the cloud and virtualization , as well as new threats, such as cyber attacks like ransomware .
One resource that combines all these elements is SearchDisasterRecovery's free, downloadable business continuity plan template . It provides guidance and insight for creating a successful BCP.
Business continuity planning standards
Business continuity planning standards provide a starting point.
The International Organization for Standardization (ISO) 22301:2019 standard is regarded as the global standard for business continuity management . ISO 22301 is often complemented by other standards, such as the following:
- ISO 22313 guidance on the use of ISO 22301;
- ISO 22317 guidelines for business impact analysis;
- ISO 22318 continuity of supply chains;
- ISO 22398 exercise guidelines; and
- ISO 22399 incident preparedness and operational continuity management.
Other standards include the following:
- National Fire Protection Association 1600 emergency management and business continuity;
- National Institute of Standards and Technology SP 800-34 IT contingency planning; and
- British Standards Institution BS 25999 standard for business continuity.
Emergency management and disaster recovery plans
An emergency management plan is a document that helps to lessen the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The appointed emergency management team takes the lead during a business disruption.
An emergency management plan, like a BCP, should be reviewed, tested and updated regularly. It should be fairly simple and provide the steps needed to get through an event. The plan also should be flexible, because situations are often fluid. Teams involved in the event of a disaster should communicate frequently during the incident.
Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan is reactive, as it details how an organization recovers after a business disruption. A business continuity plan is a proactive approach that describes how an organization can maintain business operations during an emergency.
Learn more about responding to unplanned emergencies in this complete guide to managing crises .
Continue Reading About business continuity plan (BCP)
- Tips for obtaining BC/DR plan and resilience funding
- How to use AI for business continuity and disaster recovery planning
- Compare and contrast business resilience vs. business continuity
- Follow these standards for business continuity and resilience
- Cloud-era disaster recovery planning: Assessing risk and business impact
Dig deeper on disaster recovery planning and management.
6 reasons a business impact analysis is important
business impact analysis (BIA)
disaster recovery plan (DRP)
IBM is combining its data protection products and working with a new partner to address one of the biggest challenges for ...
Asigra's forthcoming SaaSBackup platform lets Asigra data protection technology protect SaaS backups. MSPs will be able to sell ...
A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...
Persistent Kubernetes storage startups like Ondat are becoming extinct as enterprise IT vendors prow the market for container ...
Analytical capabilities of the data management vendor's flagship product are now available as a separate SaaS to help provide ...
Data reduction techniques have been difficult to achieve on SSDs, but vendors appear to be making progress. The more effective ...
While some 2022 ransomware statistics indicate a possible 'decline' in activity, threat researchers warn there's more to the ...
IceFire ransomware actors have shifted their attention to Linux servers and are actively exploiting a known vulnerability in ...
Adopting extended detection and response and employing managed detection and response services may be the missing pieces of the ...
As artificial intelligence adoption increases, experts believe it's time for Congress to enact AI regulations to safeguard ...
Agility, experimentation and empathy are critical drivers to a successful digital transformation. Learn why IT leaders should ...
U.S. senators showed concern for national security when it comes to popular tech platforms owned and operated by foreign entities...
Kyndryl has a comprehensive set of Technology Services around hybrid cloud solutions, business resiliency and network services for your IT transformations.
- Core Enterprise and zCloud
- Data and AI
- Digital Workplace
- Network and Edge
- Security and Resiliency
An open integration platform delivering IT solutions.
Co-creating to solve complex business problems
Kyndryl’s industry experts help modernize, digitize and secure your IT to provide outstanding customer experiences.
- Banking and Financial Markets
- Chemical, Oil and Gas
- Communications and Media
- Travel and Transportation
Kyndryl can help you identify and secure state and federal funding to support your critical technology projects.
Empowering progress while modernizing and managing the world’s mission-critical systems and services
- Corporate Responsibility
- Inclusion and Diversity
We’ve built relationships with some of the world’s leading companies. Together we’re disruption-proofing their operations and supporting their customers.
Adapt and Respond to Risks with a Business Continuity Plan (BCP)
What's a business continuity plan.
A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.
Plans typically contain a checklist that includes supplies and equipment, data backups and backup site locations. Plans can also identify plan administrators and include contact information for emergency responders, key personnel and backup site providers. Plans may provide detailed strategies on how business operations can be maintained for both short-term and long-term outages.
A key component of a business continuity plan (BCP) is a disaster recovery plan that contains strategies for handling IT disruptions to networks, servers, personal computers and mobile devices. The plan should cover how to reestablish office productivity and enterprise software so that key business needs can be met. Manual workarounds should be outlined in the plan, so operations can continue until computer systems can be restored.
There are three primary aspects to a business continuity plan for key applications and processes:
- High availability : Provide for the capability and processes so that a business has access to applications regardless of local failures. These failures might be in the business processes, in the physical facilities or in the IT hardware or software.
- Continuous operations : Safeguard the ability to keep things running during a disruption, as well as during planned outages such as scheduled backups or planned maintenance.
- Disaster recovery : Establish a way to recover a data center at a different site if a disaster destroys the primary site or otherwise renders it inoperable.
Evolution of business continuity plans
Business continuity planning emerged from disaster recovery planning in the early 1970s. Financial organizations, such as banks and insurance companies, invested in alternative sites. Backup tapes were stored at protected sites away from computers. Recovery efforts were almost always triggered by a fire, flood, storm or other physical devastation. The 1980s saw the growth of commercial recovery sites offering computer services on a shared basis, but the emphasis was still only on IT recovery.
The 1990s brought a sharp increase in corporate globalization and the pervasiveness of data access. Businesses thought beyond disaster recovery and more holistically about the entire business continuity process. Companies realized that without a thorough business continuity plan they might lose customers and their competitive advantage. At the same time, business continuity planning was becoming more complex because it had to consider application architectures such as distributed applications, distributed processing, distributed data and hybrid computing environments.
Organizations today are increasingly aware of their vulnerability to cyber attacks that can cripple a business or permanently destroy its IT systems. Also, digital transformation and hyper-convergence creates unintended gateways to risks, vulnerabilities, attacks and failures. Business continuity plans are having to include a cyber resilience strategy that can help a business withstand disruptive cyber incidents. The plans typically include ways to defend against those risks, protect critical applications and data and recover from breach or failure in a controlled, measurable way.
There’s also the issue of exponentially increasing data volumes. Applications such as decision support, data warehousing, data mining and customer resource management can require petabyte-size investments in online storage.
Data recovery no longer lends itself to a one-dimensional approach. The complex IT infrastructure of most installations has exceeded the ability of most shops to respond in the way they did just a few years ago. Research studies have shown that without proper planning, businesses that somehow recovered from an immediate disaster event frequently didn’t survive in the medium term.
Why is a business continuity plan important?
It’s important to have a business continuity plan in place to identify and address resiliency synchronization between business processes, applications and IT infrastructure. According to IDC, on average, an infrastructure failure can cost USD $100,000 an hour and a critical application failure can cost USD $500,000 to USD $1 million per hour.
To withstand and thrive during these many threats, businesses have realized that they need to do more than create a reliable infrastructure that supports growth and protects data. Companies are now developing holistic business continuity plans that can keep your business up and running, protect data, safeguard the brand, retain customers – and ultimately help reduce total operating costs over the long term. Having a business continuity plan in place can minimize downtime and achieve sustainable improvements in business continuity, IT disaster recovery, corporate crisis management capabilities and regulatory compliance.
Yet developing a comprehensive business continuity plan has become more difficult because systems are increasingly integrated and distributed across hybrid IT environments – creating potential vulnerabilities. Linking more critical systems together to manage higher expectations complicates business continuity planning – along with disaster recovery, resiliency, regulatory compliance and security. When one link in the chain breaks or comes under attack, the impact can ripple throughout the business. An organization can face revenue loss and eroded customer trust if it fails to maintain business resiliency while rapidly adapting and responding to risks and opportunities.
Using consulting, software and cloud-based solutions for a business continuity plan
Many companies struggle to evolve their resiliency strategies quickly enough to address today’s hybrid IT environments and changing business demands. In an always-on, 24x7 world, global companies can gain a competitive advantage – or lose market share – depending on how reliably IT resources serve core business needs.
Some organizations use external resiliency consulting services to help identify and address resiliency synchronization between business processes, applications and IT infrastructure. Consultants can provide flexible business continuity and disaster recovery consulting to address a company’s needs – including assessments, planning and design, implementation, testing and full business continuity management.
There are proactive services, such as Kyndryl IT Infrastructure Recovery Services to help businesses identify risks and ensure they are prepared to detect, react and recover from a disruption.
With the growth of cyber attacks, companies are moving from a traditional or manual recovery approach to an automated and software-defined resiliency approach. The Kyndryl Data Protection Services approach uses advanced technologies and best practices to help assess risks, prioritize and protect business-critical applications and data. These services can also help business rapidly recover IT during and after a cyber attack.
Other companies turn to cloud-based backup services, such as Kyndryl Incident Recovery Services to provide continuous replication of critical applications, infrastructure, data and systems for rapid recovery after an IT outage. There are also virtual server options to protect critical servers in real-time. This enables rapid recovery of your applications at a Kyndryl Resiliency Center to keep businesses operational during periods of maintenance or unexpected downtime.
For a growing number of organizations, the answer is with resiliency orchestration, a cloud-based approach that uses disaster recovery automation and a suite of business continuity management tools designed specifically for hybrid-IT environments. For instance, Kyndryl Resiliency Orchestration helps protect business process dependencies across applications, data and infrastructure components. It increases the availability of business applications so that companies can access necessary high-level or in-depth intelligence regarding Recovery Point Objective (RPO) , Recovery Time Objective (RTO) and the overall health of IT continuity from a centralized dashboard.
Key features of an effective business continuity plan (BCP)
The components of business continuity are:
- Strategy : Objects that are related to the strategies used by the business to complete day-to day activities while ensuring continuous operations
- Organization : Objects that are related to the structure, skills, communications and responsibilities of its employees
- Applications and data : Objects that are related to the software necessary to enable business operations, as well as the method to provide high availability that is used to implement that software
- Processes : Objects that are related to the critical business process necessary to run the business, as well as the IT processes used to ensure smooth operations
- Technology : Objects that are related to the systems, network and industry-specific technology necessary to enable continuous operations and backups for applications and data
- Facilities : Objects that are related to providing a disaster recovery site if the primary site is destroyed
The business continuity plan becomes a source reference at the time of a business continuity event or crisis and the blueprint for strategy and tactics to deal with the event or crisis.
The following figure illustrates a business continuity planning process used by Kyndryl Global Technology Services. It’s a closed loop that supports continuing iteration and improvement as the objective. There are three major sections to the planning process:
- Business prioritization: Identify various risks, threats and vulnerabilities, and establish priorities.
- Integration into IT: Take the input from business prioritization and perform an overall business continuity program design.
- Manage: Administer what has been assessed and designed.
- Hubspot Blog
Oh no! We couldn't find anything like that.
Try another search, and we'll give it our best shot.
What Is A Business Continuity Plan? [+ Template & Examples]
Published: December 30, 2022
When a business crisis occurs, the last thing you want to do is panic.
The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.
A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.
In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.
Table of Contents:
What is a business continuity plan?
- Business Continuity Types
- Business Continuity vs Disaster Recovery
Business Continuity Plan Template
How to write a business continuity plan.
- Business Continuity Examples
A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.
For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.
When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.
Business Continuity Planning
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.
3. Schedule interviews with key players in your departments.
Executives and upper management have a great bird's eye view of an organization, but business continuity issues happen at all levels of an organization. For an analysis that's truly comprehensive (and, in effect, valuable), you'll want to interview key team members in various departments of your organization.
Choose individuals who know the ins and outs of their department's operations and understand the importance of its functionality within the grander scheme of the organization. You can ask questions such as:
- What are your top 5 most important processes?
- What systems or applications are needed to support your operations?
- How does [X department] depend on your work in this area?
- In your opinion, what's our biggest blind spot?
- What would happen if [worst case scenario]?
- Who would be impacted if [worst case scenario] and how?
4. Identify critical functions and types of threats.
The above questions are a guide to help give you insight into the areas of your business that require the greatest degree of business continuity. Prioritize the business functions and threats that are the most critical according to:
- The likelihood of it happening,
- The extent of the loss based on impact.
5. Conduct risk assessments across each area identified.
The idea here is to quantify the information you received during the interviews:
- How long would it take to recover from a critical situation in this area?
- How much revenue would be lost during that time?
- How much productivity would be lost during that time within that department?
- How much productivity would be lost for other departments as a result?
- How many customers and/or stakeholder confidence will be lost?
- Will there be additional costs to get it resolved?
- Will there be additional liability costs?
- How much does it cost to implement prevention measures?
6. Conduct a Business Impact Analysis.
Once you've gathered information across disparate processes, it's time to compile that information into a format that reflects the broader business.
A Business Impact Analysis (BIA) analyzes the main operations of an organization, the major resources it uses, how its operations relate to one another — a.k.a. when one function goes down, how does it affect other operations — and how long each function generally takes to complete.
A BIA is a key part of the final business continuity plan. This is where you summarize your findings regarding costs against benefits to further underscore what gets prioritized.
7. Draft out the plan.
Now that you have a good idea of what to include in your plan, start by composing a first draft that can serve as a baseline. The draft should include the following aspects to ensure a well-rounded, actionable plan:
- The purpose, objectives, budget, and timeline of the plan.
- The members of the business continuity team and their roles.
- All of the important stakeholders that are involved in the business continuity plan.
- The Business Impact Analysis.
- Proactive strategies that will be put into place to prevent crises.
- Reactive strategies that will immediately respond to crises.
- Long-term recovery efforts.
- Training and testing schedules for proactive preparation.
8. Test the plan for gaps.
Of course, you should immediately test your plan.
Start with communicating with those that play a critical role in your continuity plan. After they know what their involvement is in the plan, conduct a mock recovery test and put the plan into action. Make note of any gaps that arise during this process.
9. Revise based on your findings.
After testing is complete, correct any flaws you've uncovered throughout the process.
Continue testing and implementing changes until you're satisfied with the outcomes. However, it is important to be aware that business changes will likely require updating the plans you have. Given this, it's important to keep testing your plan to ensure it's up to date with your business needs, and you're properly prepared for any type of crisis.
Now that you've learned everything there is to know about business continuity plans, use the following template to start creating one for your organization.
How often should a business continuity plan be tested?
Your business continuity plan should be reviewed at least twice per year. You should review the plan and test it to make sure it's up-to-date with your current business processes. The larger your organization is, the more complex your systems are going to be, meaning you'll want to review your business continuity plan more frequently to ensure there aren't any gaps.
As you add new systems, departments, leaders, and technology to your business, make it a part of your standard operating procedure to update the business continuity plan as well so that all the bases are covered.
The following schedule is recommended to maximize the reliability and validity of your plan, while also minimizing the amount of time you're putting into plan review.
1. Review your checklist twice a year.
Your teams should review the elements of your business continuity plan bi-annually to make sure all the responses still apply to your current status. In addition, you'll use this opportunity to ensure that each response aligns with your desired business goals.
2. Conduct emergency drills once a year.
Just like schools have fire drills, your organization should have emergency drills to prepare your staff for the steps that are laid out in your business continuity plan. This will also help when a real crisis occurs because they will have practiced the steps before.
3. Hold tabletop reviews every other year.
All stakeholders that are involved in your business continuity plan should meet every other year to discuss it. The review doesn't need to take too much time and doesn't require physically running through the steps, but it can help you uncover red flags that may otherwise go unnoticed without testing.
4. Conduct a comprehensive review every other year.
Unlike the tabletop review, the comprehensive review takes a deep dive into the plan. It should look closely at cost-benefit analyses as well as recovery procedures to ensure everything is up-to-date with current business operations.
5. Mock recovery test, every two to three years.
This is an in-depth test in which your continuity plan is put into motion to test for any weaknesses or mishaps. Since this test is time-consuming, it shouldn't occur frequently, but it will ensure all internal stakeholders are confident in the plan.
No matter what type of business you are operating, you need to be constantly considering the possible threat of a crisis. If you want to be able to effectively manage them, then it's essential that you have a business continuity plan in place to tackle difficult or unexpected situations.
Let's go over some examples of scenarios that would require a business continuity plan that will help you understand why your business needs one.
Business Continuity Plan Examples
1. business continuity plan example for external product outage.
Don't forget to share this post!
Situational Crisis Communication Theory and How It Helps a Business
What Southwest’s Travel Disruption Taught Us About Customer Service
Showcasing Your Crisis Management Skills on Your Resume
What Is Contingency Planning? [+ Examples]
What Is Reputational Risk? [+ Real Life Examples]
10 Crisis Communication Plan Examples (and How to Write Your Own)
Top Tips for Working in a Call Center (According to Customer Service Reps)
How to Create a Social Media Crisis Management Plan [Free Template]
Service Reps on the Most Powerful De-Escalation Techniques [Expert Tips + Consumer Data]
Top 5 Crisis Management Skills for Business Leaders (& How to Apply Them)
Manage, plan for, and communicate during a corporate crisis.
- Search Submit search
- Boat & Yacht
- All Products
- Insurance 101
- Home Central
- Travelers Garage
- Managing Through COVID-19
- Affinity Group Discount
- Online Service
- Pay Your Bill
- Get a Quote
- Find an Agent
- File a Claim
- Boiler & Machinery
- Commercial Auto & Trucking
- Environmental Liability
- Excess Casualty & Umbrella
- General Liability
- Global Insurance
- Inland Marine
- Management & Professional Liability
- Ocean Marine
- Business Owner's Policy
- Surety Bonds
- Workers Compensation
- Architects, Engineers & Surveyors
- Auto & Truck Dealers
- Business & Professional Services
- Energy & Renewable
- Equipment Dealers
- Financial Institutions
- Food Services
- Health & Related Services
- Hospitality & Recreation
- Marine Industries
- Museums & Fine Art
- Public Entities
- Real Estate
- Wholesale & Distribution
- Risk Control
- Premium Audit
- Online Customer Tools
- Risk Management Information Services
- Travelers Client Advantage
- Automobile Insurance
- Data Breach
- Employment Practices Liability
- Professional Insurance
- Umbrella Insurance
- Workers Compensation Inurance
- Multinational Business
- By Industry
- Navigating Your Business Through COVID-19
- Claim Center
- Should I File a Claim?
- File a Claim
- Roadside Assistance
- Find a Service Provider
- Check Your Claim Status
- Understanding the Claim Process
- Claim Guide Library
- Workers Compensation Resources
- Claim Capabilities
- For Individuals
- Buying & Selling
- Home Maintenance
- Home Renovation
- Home Safety
- Car Maintenance
- Distracted Driving
- Safe Driving
- Teen Driving
- For Business
- Small Business
- Business Continuity
- Driver and Fleet Safety
- Facilities Management
- Internet of Things
- Product and Services Liability
- Supply Chain Management
- Workplace Safety
- Travelers Risk Index
- Awards & Recognition
- Diversity & Inclusion
- Media Resources
- Travelers Championship
- Travelers Institute
Business Continuity Planning in 4 Steps
There are many reasons why your company needs a business continuity plan . Having a strategy – before an event happens – helps to maximize the chance your business can recover while minimizing the loss of property, life and assets.
Developing your business continuity plan should be a thoughtful process resulting in a plan that can be beneficial to you if an event occurs.
Start by assembling a team of key decision-makers who will lead your continuity planning efforts. Senior management, team leaders and anyone with in-depth knowledge about business operations should be included.
Four Steps to Developing an Effective Business Continuity Plan
- Identify threats or risks Understanding the risks that could leave employees, customers, vendors, property and operations vulnerable is fundamental. Threats can include, but are not limited to natural disasters, malicious attacks, power outages and system failures. Identify the risks most likely to occur based on historical, geographical, organizational and other factors. Then weigh the probability of each event against its potential impact to your business, as well as your readiness to respond.
- Conduct a business impact analysis Identify the people, places, providers, processes and programs critical to the survival of your business. What functions and resources, if interrupted or lost, could impact your ability to provide goods and services or meet regulatory requirements? Consider who and what is absolutely necessary to restore critical operations. Then prioritize the need to restore each item after the event. Plan to use limited resources wisely. Complementary functions can always be restored later.
- Adopt controls for prevention and mitigation Prevention and mitigation planning and activities are intended to help prevent an event (such as a fire or explosion from unsafe conditions) as well as to reduce the impact or severity of an event (such as relocating critical equipment to a higher elevation in flood-susceptible areas). Your prevention and mitigation plans should address, among other things, emergency response, public relations, resource management, and employee communications.
- Test, exercise and improve your plan routinely A business continuity plan is an evolving strategy that should adapt to your company’s ever-changing needs. Test and update it regularly – yearly at a minimum – or any time critical functions, facilities, suppliers or personnel change. Train employees to understand their role in executing the plan, too. Exercises can include discussions or hypothetical walk-throughs of scenarios to live drills or simulations. The key is to ensure the plan works as intended.
Learn More About Business Insurance
DaaS and VDI
Zero Trust Network Access (ZTNA)
BY USE CASE
- Deploy DaaS
- Simplify hybrid cloud
- Accelerate employee onboarding
Secure Distributed Work
- Modernize your IT security
- Get a VPN alternative
- Protect apps and APIs
- Enable remote work
- Collaborate securely
- Enhance user experience
See all use cases
- Financial Services
Build your own digital workspace
DAAS AND VDI
Citrix DaaS Citrix Virtual Apps and Desktops Citrix Analytics for Performance
APP DELIVERY AND SECURITY
Citrix App Delivery and Security Service Citrix ADC Citrix Analytics for Security Citrix Secure Private Access Citrix Web App and API Protection
View all products
Download Citrix Workspace app
Citrix Workspace app is the easy-to-install client software that provides seamless secure access to everything you need to get work done.
- Trust Center
- Events & Webinars
- Customer Stories
- Citrix Discussions
View all resources
How the approach to cybersecurity and zero trust network access has evolved
View the infographic
The business value of Citrix Analytics for Performance
Read the brief
- Success Programs
- Consulting Services
- Premium Training
- Onboarding & Adoption
Get expert guidance, resources, and step-by-step instructions to navigate your path to the cloud.
Learn about planning, deployment, and management of Citrix solutions, so you can maximize the value of your investment.
- Corporate Citizenship
- Diversity & Inclusion
- Strategic Alliances
- Partner with Citrix
- Partner Central
- Citrix Ready Marketplace
- Find a Local Partner
From back to office to branch: How financial services can reimagine their IT
Read the blog
1 800 424 8749
Locate a Citrix Partner
My Citrix account Citrix Cloud Citrix Cloud Japan Citrix Cloud Government
Manage licenses Renew maintenance
Back to Glossary
What is a business continuity plan?
A business continuity plan refers to an organization’s system of procedures to restore critical business functions in the event of an unplanned disaster. These disasters could include natural disasters, cyberattacks, service outages, or other potential threats. Business continuity planning (BCP) enables organizations to resume business operations with minimal downtime.
Explore additional business continuity planning topics:
What is the purpose of a business continuity plan?
- 5 elements of a successful business continuity plan
- Citrix solutions for business continuity
An optimized business continuity plan encompasses three main components.
First, a company needs to be resilient. That means key business functions are designed within the context of potential disasters. The business continuity team runs a risk assessment against each function for weaknesses and susceptibilities, then establishes protections against them. This supports ongoing risk management policies.
Second, stakeholders prioritize functions and determine which need to be brought online first. Disaster recovery is a key factor, and the faster functions can return to an operational state, the less likely the organization is to sustain lasting damage. IT stakeholders set disaster recovery time goals and develop an actionable disaster recovery plan. After mission-critical functions return to working order, team members work down the list of priority functions, utilizing third-party support to implement recovery strategies as needed.
Third, organizations require a contingency plan with branching paths that describe chains of command, stakeholder responsibilities, and any necessary technical knowledge necessary for emergency management within established disaster scenarios. Finally, an optimized business continuity plan includes a recovery time objective (RTO) to establish the speed at which business operations must be recovered, and a business impact analysis (BIA) to determine how successful recovery efforts were. Likewise, a disaster report shows stakeholders how the disaster recovery planning process can improve in the future.
With these three elements, an organization can weather crises, assess damage quickly, and recover as soon as possible. It's also important to understand that a business continuity plan is a living document that must be updated regularly as the organization adopts new technologies and processes. As organizations grow to scale, they adopt new solutions and infrastructures; these must be accounted for in the plan, or disaster recovery challenges could become augmented by unexpected bottlenecks.
Five elements of a successful business continuity plan
Although each business disruption is unique and many decisions will have to be made as situations unfold, a business continuity plan provides a framework and preparation to guide these decisions, as well as a clear indication of who will make them. A successful business continuity plan includes the following elements.
1. Define a team structure
- Develop a clear decision-making hierarchy, so that in an emergency, people don’t wonder who has the responsibility or authority to make a given decision
- Create a core business continuity team with personnel from throughout the organization, including executive leaders, information technology, facilities, and real estate, as well as physical security, communications, human resources, finance, and other service departments
- Create supporting teams devoted to related functions such as emergency response, communications, campus response, and business readiness
2. Establish a plan
- Identify potential disruptions to your business process that can affect any of your organization’s locations, such as power outages, epidemics, and fires•
- Base your plan on worst-case scenarios rather than multiple graduated versions of each incident, to keep the number of scenarios manageable
- Prioritize the most essential operations as well as who will perform them and how work will be redirected if key people are unavailable
- Determine how employees will work from home in the event of a prolonged outage
- Update your plan annually to reflect changes in the criticality and dependency of applications, business priorities, risk management, business locations, operations, and other considerations
3. Test your plan
- Conduct full emergency simulations annually, including crisis communications, safety drills, and workplace recovery processes
- Measure your test results and strive for continuous improvements, whether they’re application availability goals or personnel safety assurances
4. Create a crisis communications strategy
- Establish emergency notification procedures, incorporating both push and pull systems to communicate quickly
- Identify all stakeholders for emergency communications, including employees, contractors, clients, vendors, media, and executive management—and collect all contact information
- Prepare scripted communications that can be easily updated and ready to transmit immediately
5. Educate people on safety procedures
- Train your workforce so they’re aware of the processes they should follow in the event of an emergency and so they know where to find resources for help
- Consult with local and federal agencies for emergency response training and other guidance for your program
- Conduct employee drills to help personnel become familiar with procedures, such as finding emergency exits
Citrix solutions for business continuity planning
If people can’t access the applications, data, and files they depend on, business stays down—and risks losing money, customers, productivity, reputation, and opportunities every moment it takes to get them back to work. Citrix keeps your business running during unplanned downtimes to ensure continuity of operations.
- Provide people with secure offsite access to a virtual applications and desktops, from any location and device
- Simplify business continuity management by leveraging everyday infrastructure, eliminating the need for separate tools, devices, and recovery units
- Ensure IT availability through rapid, automated datacenter failover, load balancing, and network capacity management as well as cloud-based deployment choices
What is business continuity?
What is disaster recovery?
Learn about business continuity with Citrix
Explore the benefits of business continuity planning with Citrix DaaS
- Articles and tools
- Business strategy and planning
- Manage your business
- 8 steps for planning your emergency and disaster plan
Whether it's a natural disaster such as an ice storm, or a serious accident in an industrial plant, an unforeseen event can disrupt business operations at any company.
After all, in an emergency situation, your employees may not be able to come to work. Your suppliers may face a shortage of the materials you need to continue your business activities, or demand for your services may simply decline.
The key benefits of a business continuity plan
No one can predict the future; however, you can be ready with a sound business continuity plan. Getting a plan in place shows your employees, shareholders and customers that you are a proactive organization; it improves overall efficiency in your company and helps you allocate the right financial and human resources to keep your firm up and running during a serious disruption.
Here are 8 basic steps to keep in mind when putting together your plan. Click on the link in each step to find more information and useful templates from BDC's complete Business Continuity Guide .
It is a good idea to clearly assign the responsibility for emergency preparedness to a team. Select a few managers/individuals or an existing committee to take charge of the project.
It is advisable to assign one person to lead the planning process. You should also ensure that this "emergency manager" has the authority to get things done.
As with other business aspects, planning for an emergency relies on the following:
- An understanding of the organizational objectives
- Solid research on the risks
- Creative alternatives to unique challenges
- Reliable decision-making process.
What are the key roles and responsibilities for your Emergency Preparedness team?
Planning and implementation.
- Develop the Business Continuity Plan (BCP)
- Establish alert levels and monitor
- Develop training and cross-training plans
- Identify key business partners such as suppliers and clients and determine if they have a BCP
- Assess potential financial impact of an emergency on the business
- Ensure adequate amount of supplies. (emergency safety equipment, such as personal protective equipment, or in the event of a pandemic, hygiene supplies like hand sanitizers, cleaning products, masks, protective barriers, etc.)
- Local site manager(s) implements the plan
- Perform trial run of the plan
Policies, procedures, organization
- Establish policies such as compensation and absences, return to work procedures, telecommuting, flexible work hours, travel restrictions
- Define chain of command for plan implementation
- Establish authorities' trigger points and when to implement BCP
- Establish emergency safety policies for the workplace. For example, in the event of a pandemic, policies that will help prevent the spread of influenza, such as promoting respiratory/ hygiene/cough etiquette, and prompt exclusion of people with influenza symptoms.
- Establish policies for employees who are directly affected by the emergency. For example, in the event of a pandemic, policies for employees who have been exposed.
- Maintain good communications and manage relations with all staff levels
- Advise senior management
- Instil importance of the BCP throughout the organization
- Liaison with local government agencies such as Health Canada and Public Safety Canada
- Prepare and disseminate timely and accurate information to all employees
- Educate staff about possible emergencies. For example, in the event of a pandemic, give information on signs and symptoms of influenza, modes of transmission, personal and family protection, and response strategies
- Evaluate using various forms of technology to maintain communications
- Help prepare training on the subject
- Local site managers implement the plan
- Setup systems to monitor employees for an emergency.
Use the Planning Team for Business Continuity in an Emergency form (DOC) to clearly identify the team members and coordinator who will create your BCP for emergencies, along with their respective contact information.
During an emergency, your business may experience a disruption in your operations due to:
- High staff absenteeism
- Unavailability of supplies and materials
- Interruptions to services like power, transportation and communications.
Objective of the business continuity planning process
Determine how your organization will maintain essential services/functions in the event of an emergency.
What are essential services
- A service when not delivered, creates an impact on the health and safety of individuals.
- A service that may lead to the failure of a business unit if activities are not performed in a specified time period.
- In some organizations, services that must be performed to satisfy regulatory requirements.
- A service where if not performed, the impact may be immediate or may occur over a certain time period.
This means that your business may be forced to modify, reduce, or even eliminate specific services/functions to cope with the impacts of the emergency. These impacts may be felt across the organization or localized to specific business units.
As you begin discussions, you may find that you have existing resources that you can use to extract information about essential services in your organization (e.g., pandemic influenza plans, Y2K plan, etc.)
How to determine and prioritize your essential services
1. complete the essential services ranking template.
This will help you create your list of essential services by department or business unit. You then need to rate the degree to which it will negatively impact the various key areas such as financial, employees, customers etc.
2. Prioritize and categorize, use the Essential Services Criticalness Factor template
For each essential service, assign a "degree of criticalness" (Priority A, B or C). Rate the impact on each service such as staff absenteeism, unavailability of critical supplies, or disruptions to essential systems.
- Priority A: Essential services/functions
- Priority B: Services that can be suspended for a short period of time (for example, services that can be suspended for one month).
- Priority C: Services that can be suspended for an extended period of time. This may require a corporate overview.
As part of your business continuity planning process, you'll need to identify the number of staff and skills required to perform and maintain the essential services/functions.
Use the Essential Services Criticalness Factor template to help you capture the information necessary to develop your plan.
Try to identify any special requirements necessary to perform the essential services/functions (for example, license to operate heavy machinery).
You may also wish to prepare a list of special tasks and skills required in emergency situations and assign them to appropriate employees, e.g. crisis management team, employee support, IT backup, defining security perimeters etc.
Additional sites with useful information:
- Public Safety Canada
- Canadian Center for Emergency Preparedness
- Canadian Red Cross
Discuss what will happen if you have to reduce, modify or eliminate essential services or functions. Document the following points:
- All the issues that are identified
- Action plans for each issue
- The responsibilities of designated people for each essential service or function.
Strategies and action plans
Use the Action Plan Template for Maintaining Essential Service (DOC) to write your plans for each essential service or function. This should include:
- A description of the service or function
- Individuals responsible for implementing the action plan
- Backup individuals
- Business impact issues
- Action plans: Include key items such as notification communication plan, staff relocation, alternate resources, suppliers, etc.
- Resource needs
Use the supplied templates to create lists of all your key contacts along with their contact information.
Being proactive in contacting important customers can go a long way in mitigating losses. Use the Action Plan Template for Key Customers (DOC) to list customers who would need and expect personal notification from you, or who would be offended or take their business elsewhere if they were not contacted.
Include the following information in your list:
- Product or service provided: A description of the product or service you provide. Use the comments main to indicate the reason that this customer should be contacted in an emergency.
- Contact person's name: For some customers, there may not be a specific person to list. As appropriate, you can list a title or department, e.g., "service representative on call" or "service department."
- Contact phone numbers: Include all possible ways to reach the customer, including fax, cellular, pager, after-hours number if different from the normal number, and toll-free numbers in addition to the normal number.
- Alternate names and numbers: Where possible, list alternatives to the primary contact person.
- 24-hour service: If your customer does not have 24-hour service, discuss with them how to contact them during off-hours. Reassure them that the information will have limited distribution, and ask for home telephone numbers if cellular or pager numbers are not sufficient.
- Comments: Include any significant information including the reason this customer should be contacted following an incident, instructions the customer would need, etc.
Suppliers and sub-contractors
Use the Action Plan Template for Critical Suppliers (DOC) to list essential information on your key suppliers. The information should be the same as that described for Key Customers, above.
Business partners and support providers
This main is for important partners who do not fall into the earlier categories, but that you would need to contact in the event of an emergency:
- Business partners (internal and external) that are neither vendors nor customers. These could include internal business units who rely on your business for information, your management, and internal business units that would support your recovery. Examples include corporate insurance, internal security, facilities, public relations and legal entities.
- Support providers include emergency-response agencies such as police, fire, utility companies, and the Canadian Red Cross (if your community uses the 911 system, that should be documented).
Use the Action Plan Template for Business partners (DOC) to list essential information about these other partners. The information should be the same as that described for Key Customers above.
Review your Business Continuity Plan to make sure that all issues have been addressed, and identify any areas in which you may need additional documentation.
The "Business Continuity Plan Checklist" (DOC) provided by Capital Health was developed to ensure that you've covered most aspects of your plan.
Impact on your business
Impact on your employees and customers, establishing policies to be implemented during an emergency.
- Allocating resources to protect your employees and customers
Communicating with employees
Coordinating with external organizations and helping your community.
- Have you identified an emergency coordinator or team and clearly defined their roles and responsibilities? Do you need to involve labour representatives?
- Have you identified the employees and critical inputs you need to maintain business operations during an emergency?
- Have you trained and prepared a backup workforce?
- Have you planned for scenarios that are likely to affect the demand for your products or services during an emergency?
- What is the potential impact of an emergency on company financials? On different product lines or production sites?
- What is the potential impact of an emergency on business-related domestic and international travel?
- Do you have access to up-to-date, reliable information on emergencies from community public health, emergency management, and other sources? Are the links to this information sustainable?
- Do you have an emergency communication plan?
- What mechanisms are in place to revise the plan periodically?
- Have you tested your plan?
- Have you forecasted and allowed for employee absences during an emergency?
- Do you have guidelines to reduce face-to-face contact in the workplace and with customers, in the event of a pandemic?
- Do you encourage and monitor annual employee flu vaccinations?
- Have you evaluated employee access to and availability of healthcare services during an emergency? Do these services need improvement?
- Have you evaluated employee access to and availability of mental health and social services during an emergency?
- Have you identified employees and key customers with special needs? Are their needs incorporated into your BCP?
- Have you established emergency policies for employee compensation and sick-leave absences?
- Have you established flexible policies regarding worksite and work hours?
- Have you established policies to prevent the influenza spread of disease at the worksite?
- Do you have policies for employees who have been exposed, are suspected to be ill, or become ill at the worksite?
- Have you established policies for restricting travel to affected geographic areas, evacuating employees working in or near an affected area when an emergency occurs, and guidance for employees returning from affected areas?
- Have you set up authorities, triggers, and procedures for activating and terminating the company's response plan, for altering business operations and for transferring business knowledge to key employees?
Allocating resources to protect your employees and customers during an emergency
- Do you provide sufficient and accessible emergency supplies?
- Do you need to enhance communications and information technology infrastructures to support employee telecommuting and remote customer access?
- Will medical consultation and advice be available for emergency response?
- Have you developed and disseminated programs and materials covering emergency fundamentals?
- Have you anticipated and planned for employee fear and anxiety, rumours and misinformation?
- Are your communications culturally and linguistically appropriate?
- Have you disseminated information to employees about your emergency preparedness and response plan?
- Have you provided information for the at-home care of ill employees and family members?
- Do you have a platform for communicating emergency status and actions to employees, vendors, suppliers, and customers inside and outside the worksite in a consistent and timely way? Have you included redundancies in the emergency contact system?
- Have you identified community sources for timely and accurate emergency information? Resources for obtaining safety equipment and counter-measures?
- Have you consulted insurers, health plans, and major local healthcare facilities to share your emergency plans and understand their capabilities and plans?
- Have you consulted federal, provincial, and local public agencies or emergency responders?
- Have you asked local or provincial public agencies or emergency responders what your business could contribute to the community?
- Do you share best practices with other businesses in your communities, chambers of commerce, and associations to improve community response efforts?
You should present a draft of the Business Continuity Plan to your emergency preparedness team for review and/or comment. Since the committee will have an understanding of the overall corporate impact of an emergency, they should review to ensure that your plan:
- Is consistent for all business units/departments.
- Addresses all critical elements .
The committee should also be in charge of monitoring the progress of the initiative .
Be proactive: put your plan to the test by performing trial runs. This will help you identify any missing aspects or weaknesses.
- 5 tips to minimize the risk of a disaster for your business
- What is strategic planning?
- Strategic planning: Realize your company's potential
- Business performance benchmarking tool
- Business continuity plan templates
- Business plan template
- Apply online for a flexible small business loan up to $100k
- Protect your cash flow with a working capital loan
- Advisory services
- Human Resources Growth
Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms
Business Continuity Plan · Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the
A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack.
Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its
A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service.
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important
In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery. ... Business continuity is the intended
A business continuity plan is an evolving strategy that should adapt to your company's ever-changing needs. Test and update it regularly – yearly at a minimum –
A business continuity plan refers to an organization's system of procedures to restore critical business functions in the event of an unplanned disaster. These
Planning and implementation · Develop the Business Continuity Plan (BCP) · Establish alert levels and monitor · Develop training and cross-training plans · Identify