*BEFORE* Writing a Business Continuity Plan
Posted February 10, 2023 by Kevin Finch
A few people here at Sayers suggested that I put together a post on how to put together a Business Continuity Plan. I also know there are a lot of you out there that are trying to get your Business Continuity programs off the ground, and you’ve probably got people pressuring you to deliver on getting a Business Continuity Plan together. I’ve been there myself. But, there are a few things that you need to get done before you can write a proper Business Continuity Plan. If you don’t, you’re going to find yourself with a plan that’s not as good as it could be, its value to the business will be limited, and you will probably find yourself in exactly the same position a few years down the road because you have to redo some of the work.
“Build your empire on the firm foundation of the fundamentals.” – Lou Holtz, Football Coach
With all of that in mind, I feel I would be doing everyone a disservice if I went straight into ‘How to build a Business Continuity Plan’ without covering this preface information first. There’s information and policies you need in order to create and maintain plans properly, and I don’t feel like I should write about creating plans without first talking about what you should do beforehand. Therefore, in order to make sure that you don’t have a lot of wasted effort (and to make sure that my instructions on building a plan actually make sense), there are a few steps you should follow prior to putting the proverbial pen to paper and writing that first BC plan.
“People’s participation is the essence of good governance.” – Narendra Modi, Prime Minister of India
Industry Best Practices for Building a Business Continuity Plan
1. Highlight Building Governance
There are multiple sets of industry best practices on building Business Continuity programs, and all of the prominent ones highlight building governance as the first step to building a successful program. The reason is simple: Business Continuity nearly always ends up being extra work for people, and those people aren’t going to be willing to do that extra work unless there is some sort of governance in place to encourage them to do so.
In this case, governance means writing policies and forming a Business Continuity oversight committee. That manager with the fancy title that’s breathing down your neck to get a plan delivered? Let’s put them at the head of the oversight committee. The managers of departments that everybody thinks most desperately need a Business Continuity Plan? Put them on that oversight committee too. The auditors that initially said you needed a Business Continuity Plan? Have them help you put together a timetable and draft new corporate policies to make sure that the work gets done. Getting a program off the ground is incredibly difficult, believe me. I’ve done it five times.
However, no matter what industry you are in or how big your company is, getting your program off the ground will be much easier if you have management’s support and involvement. Building governance at the outset will make sure that you have that backing when you need it.
“Just for the record darling, not all positive change feels positive in the beginning.” – S. C. Lourie, Author
2. Do a Business Impact Analysis
Yes, it’s a lot of work, but I would also never recommend creating a Business Continuity Plan without doing some sort of Business Impact Analysis (BIA). In brief, a BIA takes a look at what your business does, and figures out what the impacts to the business are if those key business processes are interrupted. It tells you what potential events you are actually planning for. I’ve covered why you should do a BIA in greater depth elsewhere, but there are a few additional things to consider.
Your BIA doesn’t always have to look at every single process in the business, but it should go past a superficial depth so you can have a better idea of how to prioritize your recovery strategies. A well-executed BIA will also help illustrate the level of interdependency between business processes, which is another key part of determining the order in which processes need to be recovered.
A third thing that a BIA will do for you is help you determine how many actual Business Continuity Plans you will really need. The process of gathering BIA data forces you to look at work processes and how they are interrelated, and one of the takeaways from that is learning more about the similarities and differences between different parts of your business. You may find that disparate parts of the company operate under very similar circumstances, and could both be covered by very similar (if not identical) Business Continuity Plans. You may also find out that certain processes that live underneath a single manager (such as different functions within finance) may need their own Business Continuity Plans independent of each other because of how differently they operate (such as the differences between billing and treasury).
This highlights another need for good governance as well – it shouldn’t be up to just the Business Continuity coordinator to make these kinds of determinations. The Business Continuity coordinator should analyze the BIA data and make recommendations to the oversight committee, and then the committee as a group should come together and agree on how the planning should be done. Then everybody has a voice in the process, and everybody will be happier about participating.
“The ultimate purpose of collecting the data is to provide a basis for action or a recommendation.” – W. Edwards Deming, Father of Total Quality Management
Another thing to remember about your BIA data is that it has an expiration date. As staff changes, as business processes change, and as your business environment continues to evolve, what is important to your business today may not be what’s important to your business in years to come.
Best practice is to look at your BIA data at least annually and make sure that it is still valid and accurate for the way you are doing business. Ideally, you will also re-examine your BIA after any large change to your business (or your underlying IT infrastructure), just to make sure that the BIA structure still suits the way you are doing business. Again, this is a point when governance comes in handy – if your corporate policy says that the BIA data gets checked annually, then it’s a lot easier for someone to enforce the idea that it gets checked every year.
Now You’re Ready to Create Your Business Continuity Plan
With governance in place and fresh BIA data in hand, you’re probably ready to start working on creating those Business Continuity Plans.
Honestly, creating plans is relatively easy once you’ve got that hard work done. Gathering and analyzing the BIA data, and consequently the process of creating plans, is also much easier if you do the work using a Business Continuity program management package. I’ve done it both ways, and believe me, a Business Continuity program management package can be worth every penny because of the deeper analysis you can do on your data, and because of the amount of time and labor it saves in curating your BIA data and plans.
“Over every mountain, there is a path, although it may not be seen from the valley.” – Theodore Roethke, American Poet
However, if you are reading this and unsure of the best way to write BC policies or conduct a BIA, Sayers is here to help. Not only can we help you with the fine detail work of crafting policies and collecting BIA data, we can also help you quickly assess the maturity of your overall Business Continuity program.