Unexpected work interruptions can cripple a business and cause millions of dollars in expenses and lost business. Learn about the importance of business continuity planning and management from experts.
In business continuity management (BCM), a company identifies potential threats to its activities and the impact of those threats. The company then develops plans to respond to those threats and continue activities through any crisis.
A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.
Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.
Business continuity planning ensures that the company deals with disruptions quickly and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA).
The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.
A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:
A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan.
The basic steps for writing a business continuity plan are as follows:
Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both regular business times and crises, as you take the right steps to keep activities running at all times.
The BCM lifecycle includes the following points:
Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.
Such events might include the following:
Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.
A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.
Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.
There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:
Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:
“A well-managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity, a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”
All business continuity management programs should include a number of key elements, which serve to ensure that your plan is positioned for success and that you regularly update and improve it.
These important elements include the following:
To learn about formal requirements for business continuity planning and management, see our comprehensive article on the ISO 22301 standard.
The costs to do an appropriate job of business continuity management can be significant. However, some reports say that the cost of unforeseen downtime may be as much as $2.5 billion a year for Fortune 1000 companies.
Kurt Engemann, Ph.D., is Director of the Center for Business Continuity and Risk Management at Iona College in New York, Editor-in-Chief of the International Journal of Business Continuity and Risk Management and author of Business Continuity and Risk Management: Essentials of Organizational Resilience. In the book, he says that costs for business continuity preparation do not only include the groundwork to assess a company’s risks and plans to manage those risks. Rather, they also cover the needed backup facilities and equipment and company assets for emergency response. In addition, costs must cover resources for training employees and testing the plan.
Some experts have estimated that business continuity management and planning within only the crucial information technology aspects of companies can cost two to four percent of the information technology budget. But the costs are necessary, and worth it in the long run, according to business continuity experts.
“There is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis,” Engemann writes in his book. “Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective.”
When an organization’s top executives complain about the costs, Owens says, “Ask them what it would cost their organization for an hour of downtime. Or eight hours. Or 24 hours. Chances are the cost — financial, operational, and to brand and reputation — of having key business functions unavailable for an extended period are significant. They will most likely find business continuity management to be worth the investment.”
Like Engemann, Owens points out that there are significant benefits to the investment organizations make in business continuity management, including the following:
Michael Herrera, CEO of MHA Consulting, a business continuity and disaster recovery firm, cites two other significant benefits:
“Your customers aren’t as patient as you think they are,” Herrera explains. “They expect you to have a business continuity system and they expect you to be up and running. Their patience does run out.”
Additionally, strong business continuity planning will enable you to do the following:
See our article on the importance and benefits of business continuity planning to read more expert examples of how business continuity can bolster your company.
Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:
Consultant Services
There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:
Business Continuity Software
There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:
Below are some specifics to consider as you test drive the software:
While your business continuity management system will have various elements and details, there are some primary things it should do for your organization. They correspond to the key elements listed earlier in this article.
For example, a BCM system should help do the following:
Although nobody wants to think about disasters or the effort needed to prepare to meet and mitigate crises, the alternative is the potential loss of reputation, income, or the entire business. In sum, planning translates to determining your key processes, equipment, and tools, and applying basic recovery strategies.
Your senior leaders must strongly support your company’s business continuity management plan for it to succeed. Such leadership is key as storms, floods, pandemics, and data breaches increase in force and frequency.
“Make sure senior management is committed to the planning, development, execution, and implementation of a business continuity/disaster recovery program,” says Paul Kirvan, a business continuity consultant and a fellow of the Business Continuity Institute with 25 years of experience in business continuity work. “Otherwise, it simply won’t happen. Such programs work best if they have top-down support and funding, as opposed to being developed from the ground up.”
Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials.
There are four types of testing, and each requires increasing levels of planning, resources, and focus. You should try to run each type of drill regularly.
Be sure to document what happened in the test so everyone involved in the exercise — and especially those who created the plan — can understand what did and didn’t go well, and can revise as necessary.
A business continuity policy statement is a written document that outlines an organization’s business continuity management program. The policy statement should be communicated to all employees and should be signed and endorsed by the organization’s senior management.
The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.
A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.
It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events.
Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.
You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.
This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.
You’ll find other useful free, downloadable business continuity plan (BCP) templates in Microsoft Word, PowerPoint, and PDF formats in this article.
A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.
The business impact analysis will include details on the following:
See our business impact analysis toolkit to find guidelines and templates to get started.
Risk assessment is one of the first steps in preparing your business continuity plan.
Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks.
To learn more about risk management, read our comprehensive guide.
Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.
Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”
Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”
You can do some testing through simpler tabletop exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.
“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”
The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.
Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts are vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.
The committee is often responsible for the following duties:
The committee often includes the following members:
A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.
Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.
The following are among the lessons learned:
The United Kingdom approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.
Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC), also require continuity plans.
Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:
The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.