Contrary to popular belief, a business continuity plan is not a single document but an aggregate of assessments, processes, and checklists.
In today’s post, we’ll lay out the process of creating a BC plan from soup to nuts, giving 20 steps your organization can take to improve its resilience and protect its stakeholders.
A LESSON FROM IOWA
People interested in business continuity need look no farther than the front pages last week to see an example of a truly epic business disruption.
I’m talking about the Democratic caucuses in Iowa, where the app created to tally the results didn’t work and the backup plans fell apart.
The debacle was national and even international news with a common thread of the commentary being, how could the organizers have blown it so badly?
As a BC consultant, I can tell you that while the Iowa situation was unusually public and embarrassing, it was not that unusual in and of itself.
Failures of that type are more common than you might think, it’s just that most of the time they happen out of the public eye.
Even so, the Iowa incident is a good reminder of the importance of business continuity and crisis management planning, testing, and validation.
20 STEPS TO A ROBUST BUSINESS CONTINUITY PLAN
As a memorial to the 2020 Democratic Iowa caucuses (may they rest in peace), below is a list of 20 steps your organization can take to develop a sound business continuity plan.
The links are to older posts by myself or MHA Consulting CEO Michael Herrera that explain that step in detail.
- Communicate with management and gain their support. Your program is unlikely to succeed if management doesn’t understand what BCM is and why it matters. See: How to Manage Management: 8 Tips to Help You Bring Your Bosses on Board.
- Choose who will be on the business continuity team. Creating a sound BCM plan requires many different kinds of knowledge and expertise. See: The Human Factor: Optimizing Yourself and Your Business Continuity Team
- Create an action items list to monitor and track progress. Use this progress document in your initial implementation and as a basis for ongoing maintenance.
- Develop an understanding of your current state and your program requirements. Before you can start developing recovery plans and strategies, you need to find out where you stand and what you need. These assessments can be more or less formal depending on your organization’s profile and industry. Standard assessments include the business impact analysis (BIA), threat and risk assessments (TRAs), and IT/disaster recovery assessments. See: What’s Up, Doc? When and How to Perform a Current State Assessment, Weighing the Danger: The Continuing Value of the Threat and Risk Assessment, and Your BIA Action Guide: A Handbook For BCM Professionals.
- Determine your current technical and functional recovery capability and document any gaps. Look at both IT/DR and the business processes and ensure a functional perspective. See: Your First Task: Scout the Business Continuity Territory.
- Develop a mitigation plan for any technical or functional gaps. Once any gaps are identified, determine what level they should be mitigated to and how the mitigation will occur. This might require a phased approach starting with a manual workaround while automated, technical, or redundant capabilities are implemented. See: The Top 7 Risk Mitigation Controls, in Order.
- Develop a recovery plan for each business unit. Once you understand your current needs, capabilities, and gaps, you can begin developing specific, executable plans for the various business units. These should be checklist-based with an emphasis on specific steps to be taken rather than on policy statements. See: The Plan that Time Forgot: The Importance of Protecting Your Business Processes and The 4-3-3 Rule for Writing Business Recovery Checklists.
- Document the internal contact information. This should be in two parts: a contact list of teams and team members for the overall management of an event as well as the specific information needed in the individual plans.
- Document the external contact information. For critical vendors and third-party contacts; organized the same as the internal information. See: It Shouldn’t Be a Scavenger Hunt: Accessing Critical Recovery Information in Crisis.
- Develop a crisis management plan. Vitally important. See: What to Include in Your Crisis Management Plan.
- Develop a crisis communication plan. Can be part of the crisis management plan or stand alone. Should contain guidance on the who, what, when, and how of communication, both internal and external. An essential component is sample scripts for various scenarios that can be modified as appropriate. See: 4 Rules for Effective Communication in a Crisis.
- Verify your emergency notification capability. This is the process for swiftly getting in touch with the crisis management team, recovery teams, or staff during an event. Can be done through email, voice, text, or other methods and involve the use of cloud or third-party services. See: “This Is an Emergency”: Why You Should Consider an Emergency Notification System.
- Verify your status update capability. This might be accomplished through email or a web page and involve the use of cloud or third-party services.
- Monitor the progress of the development of your BCM plan. See Step 3 above. This is the tracking of all the actions mentioned so far.
- Develop an IT test plan and strategy. Identify the schedule, scope, and expectations for IT/disaster recovery tests. See: Kill the Zombies, or How to Get More From Your DR Exercises.
- Develop a business continuity test plan and strategy. These are the exercises meant to ensure the non-IT departments’ plans are functional. Do not assume that the fact that some staff work from home occasionally is sufficient to verify your relocation capability. Working from home for convenience is different from working from home because of an event. See: Beginner’s Guide to Recovery Exercises.
- Perform regular mock disaster exercises for the crisis management and crisis communication plans. Do not assume day-to-day problem solving is the same as crisis management problem solving. The latter takes different skills and requires the ability to make decisions with limited information. Mock exercises show where gaps exist in your process and plans. See: How to Plan a Mock Disaster Exercise and How to Be a Mock Jock: Advice on Facilitating a Disaster Exercise.
- Review and update the plan as developed so far. See Steps 4 – 17.
- Establish a common storage location for all documentation. This storage must be available immediately. Today many companies are using cloud-based solutions to meet this need. This capability is a component of Google Office and Microsoft 365. Ensure all staff know where and how to access the documents. See: It Shouldn’t Be a Scavenger Hunt: Accessing Critical Recovery Information in Crisis.
- Develop a summary document of the recovery strategy. Should cover both IT/DR and the business processes. Should include a listing of all the plans and documents supporting recovery and crisis management. Ensure you have an inventory of all documents, including their owners and locations and when those documents were last updated. Don’t forget the supplemental documents that might be specific to particular recoveries, such as SOPs or facility or process diagrams.
A SOUND, VALIDATED BC PLAN
Chances are you are not responsible for ensuring the success of an event that attracts the attention of the entire world.
Nonetheless, your organization and its activities are probably critically important to its stakeholders.
To ensure your organization’s IT functionality and business processes are resilient and recoverable you need a sound, validated BC plan. To create such a plan, use these 20 steps as a checklist for your BC plan.
Business Continuity Plan Checklist
|1||Communicate with management and gain their support.|
|2||Choose who will be on the business continuity team.|
|3||Create an action items list to monitor and track progress.|
|4||Develop an understanding of your current state and your program requirements.|
|5||Determine your current technical and functional recovery capability and document any gaps.|
|6||Develop a mitigation plan for any technical or functional gaps.|
|7||Develop a recovery plan for each business unit.|
|8||Document the internal contact information.|
|9||Document the external contact information.|
|10||Develop a crisis management plan.|
|11||Develop a crisis communication plan.|
|12||Verify your emergency notification capability.|
|13||Verify your status update capability.|
|14||Monitor the progress of the development of your BCM plan.|
|15||Develop an IT test plan and strategy.|
|16||Develop a business continuity test plan and strategy.|
|17||Perform regular mock disaster exercises for the crisis management and crisis communication plans.|
|18||Review and update the plan as developed so far.|
|19||Establish a common storage location for all documentation.|
|20||Develop a summary document of the recovery strategy.|
The items above may seem obvious and uncomplicated, but the key in Business Continuity Plan development is to get it done. Your Business Continuity plan is the sum of various components and parts. Even a partially complete plan is better than nothing.
Remember the words of Dwight Eisenhower –
Plans are worthless, but planning is everything.
For more information on business continuity planning and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Start Here: The Business Continuity Management Guide for Beginners
- Your First Task: Scout the Business Continuity Territory
- What to Include in Your Crisis Management Plan
- The Plan that Time Forgot: The Importance of Protecting Your Business Processes
- IT Change Management: Don’t Leave Your Recovery Environment Behind