1 Program, 6 Plans: The Half Dozen Plans Every BCM Program Should Have

A quality business continuity management (BCM) program is made up of six separate plans covering everything from emergency response to IT disaster recovery.

In today’s post, we’ll explain what the six plans are and share some tips to help your organization devise them.

Related on BCMMETRICS: Become a Master of Disaster: Educate Yourself With These Key BC Resources 

Somebody once said that, “A goal without a plan is just a wish.” A less known variation of the quote (much less known) is, “A goal with six plans is a BCM program.”

These six plans are the ones you need to be able to respond, recover, and return to normal operations after a business disruption. What are the six? The answer is coming up.

Before we begin, our title says every BCM program should have these plans. There are a couple exceptions as I’ll go into below.

Here are the six plans, in order of importance:

1. Emergency Action Plan

This comes first because if you don’t protect your people, nothing else you have will do you any good. This plan is specifically related to the occupants of your facility. It includes how to safely exit the building in the event of a fire or other emergency. The plan also includes where to go outside, or congregate inside if the best option is to shelter-in-place.  It tells people what to do in the event of a critical incident at the building. The plan also includes details about contacting emergency personnel. This plan is typically put together by the facilities or corporate security department, but in the absence of such a department, you should include it in your BC/IT disaster recovery plan.  The emergency action plan integrates with the crisis management plan.

2. Crisis Management Plan

Executed by senior management, the CMP gives strategic guidance during a critical incident. For more information, check out this recent post from MHA Consulting.

3. Crisis Communication Plan

The quality of your internal and external communication during a crisis can determine whether you sail through or flame out. Maintaining clear communication with your workforce during an emergency can help in preserving a sense of calm and order.

Planning and providing consistent and clear communications for employees and external parties helps organize recovery efforts and reduce the anxiety employees face. For more, check out our post “4 Rules for Effective Communication in a Crisis.”

4. Cyber Incident Response Plan

The CIRP establishes procedures to address cyber attacks against the organization. The plan should include procedures to identify the nature and extent of the attack, mitigate and stop the damage, and recover and resume IT operations. The CIRP is typically written by the IT department and should be considered part of the IT/Disaster Recovery (IT/DR) plan. Like the IT/DR plans, the CIRP requires a specialized team—in this case, one that is trained to quickly and effectively take action upon discovery of a cyber incident.

5. Business Continuity Plan

This is sometimes known as the Business Recovery Plan or (if you’re part of the U.S. Government) as a Continuity of Operations Plan. This plan focuses on sustaining the organization’s business activities, particularly those related to revenue generation and the management of corporate obligations.

Business Continuity Plans can be written for a specific business process or for all key business processes. In most cases, these plans address the long-term recovery processes needed for the company to resume normal operations. In almost every company, the BC Plan will have an IT component since almost every company operating today utilizes IT.

6. IT/Disaster Recovery Plan

This plan focuses on the restoration of the organization’s key information technology immediately following an emergency or disaster. Unlike a BC plan, the IT/DR plan typically does not include processes and procedures for ensuring the continuing and ongoing operations of the company long-term. The IT/DR plan should include a section listing the technological needs of the company during an emergency and a section on the initial steps needed to restore all affected IT systems. The IT/DR plan will also include the identification and specifications for an alternate operations site to be used following an emergency, if necessary.

3 Tips for Assembling Your Plans

1. Determine which of the six plans you need. As I hinted above, a small number of organizations will not need all six plans. If your organization outsources work in a certain area, you won’t need a plan for that area. The most common example is likely to be IT/DR.
2. If your company outsources that function, you won’t need an IT/DR plan.
3. Determine what level of comprehensiveness makes sense for your company. For guidance, check out this post on writing business continuity checklists.
4. Make sure your plans are in alignment with industry standards and best practices. For tips, check out these posts on standards.

A Man, A Plan

Do you know the famous palindrome (words that read the same backward and forward), “A man, a plan, a canal – Panama”? In this case, what’s needed is a man (or woman) and six plans—namely, the six plans mentioned above that will help your organization respond, recover, and return to normal operations after a business disruption.

Further Reading

• The 4-3-3 Rule for Writing Business Recovery Checklists
• Become a Master of Disaster: Educate Yourself With These Key BC Resources
• Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
• How to Go from Adopting a BC Standard to Knowing What to Do to Comply with It
• 4 Rules for Effective Communication in a Crisis
• 4 Metrics to Help Your Organization Improve at Crisis Management