I am a Business Continuity Manager ... and I want to create a BCP!

(Part 1)

This is the one million dollars task! Everyone will have a different answer about how to create one and what to put in it, but mainly you can find a common base.

First, you need to define what is a BCP, for you and for your organization. The ISO 22301 defines it as “documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.”

Simple, right? It is. Many professionals and consultants love to complicate stuff, so do not worry if you don’t understand their definition or contents.

In simpler terms, a BCP is a set of documents such as protocols, guides, plans, and workarounds that provide the necessary information to enable the right people to take the right decisions and actions at the right time.

It's important to remember that a BCP is about recovery – recovering processes, assets, spaces, etc., after a disruptive event. The plan should be the outcome of a strategic design process, incorporating inputs from this stage rather than solely relying on the Business Impact Analysis (BIA).There is no one-size-fits-all approach to creating a BCP.

In the event of a crisis, no one will have the time or inclination to sift through lengthy documents. Keep it short, straightforward, and actionable.

Include various recovery strategies or options, even if not fully detailed, as a contingency.While specific regulations may dictate certain inclusions, focus on practicality and utility. Avoid unnecessary details like impacts or risks unless essential to the plan's effectiveness.

I recommend you create document for operational use. NO ONE will read or open a 50 (even 20) pages plan in case of an event. Make them short and useful. In its Manifesto, Adaptive BC (adaptivebcp.org ) speaks about “Document for mnemonics”. Tasks should be described the shortest way possible.

A plan that could be executed by anyone is just a legend. Most of the time, only the process or asset owner will execute the recovery procedure, even more if it’s technical. They know their stuff, they know some terms, they could even execute the plan without reading it.

You can present information in tables which is much easier to read with tasks, responsible and the associated requirements/comments. Add the detail of contacts (even home addresses are necessary sometimes) and providers/suppliers. It should also include different strategies or options of recovery as you never know what will happen. Not all strategies need to be fully detailed in a plan, but we must put them as a reminder in case the main work around is not functioning.

Some regulations might require adding some specific information so review them before. But adding RTOs, impacts, risks, and so on, is up to you. My understanding and experience will tell you to not include such information.

In conclusion, make your BCP user-friendly, concise, and relevant. Consider the end-users who will rely on it during a crisis rather than catering solely to auditors. Remember, simplicity and clarity are key in creating an effective BCP.

To be continued …