Writing a Business Continuity Plan
Posted April 20, 2023 by Kevin Finch
Alright, so you’ve done your homework and now you’re ready to write your Business Continuity Plan. You’ve got governance in place, an oversight committee that meets a few times a year to oversee the Business Continuity Program, and you’ve got corporate policies crafted to help make sure that all of your information about your business stays up to date. You’ve also gone through the work to understand your business, and you’ve got Business Impact Analysis (BIA) data that gives you a good feel for what’s truly important to your business. You know how your business can be harmed when critical business processes get interrupted.
So, now that you’re ready, how do you proceed with your Business Continuity Plan?
“The secret of getting ahead is getting started.”
Mark Twain
In most Business Continuity Plans, there are five main parts. Getting everything together for each of these parts probably deserves its own blog post, but I’ll list some details here in order to help bring things into focus.
Business Continuity Plan Background
This is the introduction to the plan. Generally speaking, people will put the purpose and objectives of the plan here, and also talk about the plan’s intent and limitations. This may also talk about the plan’s intended audience, and may cover information about any compliance needs or regulations that the plan is intended to fulfill. Most plans also include information about whatever set of best practices it may be aligned with (such as the ISO22301 standard). The section also covers “housekeeping“ for the plan, such as how often it is to be edited and updated, and who approves updates to the plan. If there’s a particular person (or a particular job title) that is responsible for maintaining the plan, they should definitely be listed in this section. It’s also good practice to keep a revision history of the plan, and that should be put in this section.
While composing all of that may sound rather involved, the nice thing about it is that it generally is the same from plan to plan through your whole company. It’s not uncommon to have the same introduction copy/pasted nearly wholesale from plan to departmental plan, even for large companies with dozens of plans.
People and Responsibilities
This is where you start getting into more of the department-specific information for your plan. Depending on the size of your organization and its complexity, you may or may not want to list every one of your employees inside of your plans. (That information would almost definitely be included in Crisis Communication plans, but those are separate and distinct from Business Continuity Plans.) The important thing to include is information about employees that have some duty in executing the plan. If you have a departmental manager that is supposed to forward orders from management once the plan has been activated, you need to list that manager and their duties in this section. If there is someone that can take over responsibilities if a manager is unavailable during an incident, then that transfer of responsibility should be in this section.
All plans also need to be tested, and this is where we discuss the type and frequency of plan testing. Best practices generally dictate that plans are tested annually. Depending on the type of business, it may also be a good idea to do multiple types of testing (tabletop AND employee relocation testing, for example).
Another part of this section (which like the introduction, may be very similar across all plans in an organization) is the listing of duties of upper management, including plan activation and incident declaration. You want to make sure that all the normal and special duties of upper management are laid down in black-and-white so that there isn’t any debate at time of incident.
“Recovery is not so much a dream as it is a plan.”
Carolyn Spring, Author
Recovery Steps
The recovery steps are the heart of the plan, and they are generally broken out into three subsections: Response, Recovery, and Repatriation.
Response
The Response section is as the name suggests; it’s the set of steps that you take an immediate response to the plan being activated. The time frame for the Response steps will vary from organization to organization, but a good rule of thumb is that the Response section is what you do from the point of plan activation through the first 72 hours. It’s the steps that need to be performed immediately to safeguard the business. It’s the things that need to be performed first, the fastest, and that have the most impact in ensuring the safety of the business.
Recovery
The Recovery section is usually longer and more detailed. It covers all the actions that happen between the immediate response, and the repatriation actions that happen later as the business returns back to normal operations. The section tends to include have inter-departmental communication plans, relocation or remote work plans, and lists out long-term workarounds for impacted business processes. Again, the timeframes on it will vary from organization to organization, but it picks up where the Response plan leaves off and guides the business to what could be an undetermined point in time in the future. For example, many organizations plan for the Recovery phase to last three weeks, but some organizations plan for two months or more.
Repatriation
The Repatriation section is where you list the steps that you believe you’re going to need to perform in order to return to business as usual. While admittedly, the Response and Recovery phases have Repatriation as their ultimate goal, the specific steps to be performed would be listed in this section. It’s worth noting that depending on the type of incident, Repatriation steps may be difficult to predict. These steps may end up as more of a set of guidelines or goals, rather than an actual checklist like you might find in the Response and Recovery phases.
To put this section in perspective, let’s say that your Business Continuity plan for the loss of a facility is to have people move to a remote work location. Your Response section of your Recovery Steps would cover the need for immediate communication, and making sure that all your employees have the resources they need to work at that new location. The Recovery part of the plan would cover the day-to-day work processes of your employees at that new work location, highlighting how they’d be different from normal operations. The Repatriation steps would cover what employees would do once the impact to your original facility had passed, and they were packing up to move back to their normal work location.
Business Continuity Plan Resources
The Resources section of the Business Continuity plan generally has two parts to it. The first part of it is the resources that your business needs to perform its day-to-day operations. Those should be documented in as much detail as possible, so that accommodations can be made for them and so plans can be made to fulfill business needs as much as possible during the recovery.
The second part of the Resources section is the resources that are needed specifically for recovery. Do your employees normally use desktop PCs, but they need to use laptops in the event of a Recovery? You would need to list that information here. Do they have desk phones, but they would be expected to use software phones on those laptops during recovery? Then you would list those software resources here too.
Another resource that is often overlooked in Business Continuity Plans (but it is really, really important) is money. Prudent, well timed spending as a part of a response effort can often save the company a lot more money in the long run. Rules for emergency spending should be included as part of the resources listed in a plan. If departmental managers are given new discretionary spending authority during a declaration or a plan activation, that should be listed here.
Supplementary Information
Finally, there’s a lot of supplementary information that can be included in Business Continuity Plans in order to make them more useful. Sometimes that’s information that falls underneath the umbrella of “vital records“ or key pieces of information that employees need to reference frequently in order to do their jobs. For other companies, it’s a list of information to contact key vendors, suppliers, or customers so that relationships can be maintained even while dealing with an incident.
There’s other information that is handy to include in plans also, such as contact information for relocation facilities, non-emergency contact information for emergency services in the local community, or information for employees on what to do if they are contacted by members of the media.
“Completion is a goal, but we hope it is never the end.”
Sarah Lewis, Professor, Harvard University
Once you’ve got all of that assembled, an ideal departmental plan will be less than 15 pages long and will have a well-marked table of contents to make navigation easy. It should cover everything your employees need to recover operations, but not a lot of information that they don’t need.
At this point it’s worth noting that this entire process has made much easier with the use of a good Business Continuity Program Management Package. A good package will take the information you’ve gathered from your BIA and automatically integrate it into your plans. It will walk you through the process of writing your response, recovery, and repatriation steps for your business processes, and will help you break everything down by department or business unit to suit the needs of your business.
This entire plan creation process might seem difficult and bewildering but taken step-by-step it’s certainly not impossible. More importantly, Sayers is here to help. Whether you’ve got an existing Program and Plans you would like refreshed, or if you are just starting out, the experts from Sayers can make sure that you’re on the right track.
