Important: The Scope of a Business Continuity Plan (Updated 2023)

This post was originally published at https://invenioit.com/continuity/scope-of-a-business-continuity-plan/

Disasters, both natural and man-made, can happen at any time, often with very little warning. The consequences of not being prepared can be devastating. According to the Federal Emergency Management Agency (FEMA),?almost 40 percent?of small businesses affected by a disaster never reopen their doors.

How can you ensure that your company won’t be part of that statistic? The answer is to have a well-thought-out business continuity plan.

What is a Business Continuity Plan (BCP)?

A BCP lays out the steps and procedures a company will follow before, during and in the wake of a disaster, so that it can maintain maximum functionality during the emergency and get its operations back to normal in the shortest possible time. With a good BCP in place, your company’s employees will know exactly what to do when disaster strikes.

In this post, we outline the scope of a typical business continuity plan and how to create one, including:

• Sections to include
• Identifying the plan’s objective
• How to test the BC plan
• Outsourcing your business continuity planning
• Choosing BC/DR vendors for backup and recovery

The Scope of a Business Continuity Plan

What should be in your BCP so that you can be sure that your business is adequately prepared for a disruption? The following are seven?areas any good business continuity plan should address. If you’re creating a BCP for the first time, these are high-level tips to help you create the core framework of your plan. Below, we go into more detail on what to include within each section.

1. Identify the Objectives and Scope of the BCP

Business continuity plans can vary significantly in size and scope. They can be focused on specific business systems or the company’s entire operations. As such, each BCP needs to clearly state what its objectives are – along with its scope and limitations. For example, if the plan is focused narrowly on maintaining continuity for IT systems, then this objective should be clearly stated at the beginning of the plan.

2. Identify Critical Business Functions

One of the most vital steps in formulating a good BCP is to conduct a business impact analysis (BIA) to identify the crucial areas of your business that must be maintained or quickly restored when a disaster strikes. It’s these core business functions that your BCP will be designed to protect.

3. Identify Critical Systems and the Dependencies Between Them

Your BCP should identify the systems and data that are most critical for the continued operation of the company. What equipment, supplies and records (both digital and paper) must be available and operational in order for your company to continue to function? What is their role and importance? Why are they crucial to the survival of the business? Your BCP should identify this in clear terms to emphasize the importance of establishing effective recovery protocols.

4. Identify Your Risks

What are the most likely disruptive events that might impact your company’s operations? Cyberattacks, accidental data loss, server outages, ransomware infections? What about natural disasters, such as tornadoes, hurricanes, wildfires and earthquakes? Obviously, it’s not possible to predict which disaster will strike your operations or when. But you can and should specifically plan for every possible scenario within your BCP. Some businesses may have a higher risk of certain types of disasters, which is why a comprehensive risk assessment should be conducted for each company, as we outline below.

5. Specify Your Data Backup and Recovery Plan

Your BCP should specify procedures and systems for data backup and recovery. How frequently will backups be conducted, and by whom? Where will the data be stored, and how will it be geographically replicated so that no local disaster can result in a permanent loss? How will it be recovered? These questions should be addressed both for electronic and critical paper records.

6.nbsp;Identify the Composition, Functions and Procedures of Your Disaster Recovery Team

Who can declare an emergency that activates the recovery procedures in the BCP? Who are key employees who should be notified (and how), and who will be in charge? Where will disaster recovery team members and other employees meet if the company premises are not usable? These questions and more should be addressed in detail in the BCP.

7. Have a Detailed Communications Plan

How will the BC team be notified of an emergency if, for example, your email systems and telephones are disrupted? Who is authorized to speak on the company’s behalf to media, customers, suppliers and external partners, such as government agencies? The plan should include a list of people and agencies that will be contacted when an emergency is declared.

8. Specify BCP Testing, Refreshing and Training Procedures

A BCP that looks good on paper may be totally unworkable in practice. It must be realistically tested before it is put into operation, and key employees trained in its use. It must then be updated on a regular basis. With changing conditions, technology, organizational structures and personnel, the plan can quickly become outdated and unusable. Procedures for training, and for both testing and refreshing the plan should be included in the BCP itself.

The Importance of Proper Planning

Creating a thorough business continuity plan is the most important thing you can do to prepare your business for an operational disruption.

As the?Department of Homeland Security?notes, “A business continuity plan to continue business is essential.” Proper planning ensures that operations can be quickly restored, regardless of what has caused the incident.

Preparing for?all?possible disasters is vital to this planning, as FEMA?writes:

“The planning process should take an ‘all hazards’ approach. There are many different threats or hazards. The probability that a specific hazard will impact your business is hard to determine. That’s why it’s important to consider many different threats and hazards and the likelihood they will occur. In developing an all-hazards preparedness plan, potential hazards should be identified, vulnerabilities assessed and potential impacts analyzed. Strategies for prevention/deterrence and risk mitigation should be developed as part of the planning process. Threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed.”

Getting the scope of your business continuity plan right is crucial to the survivability of your business if disaster should strike. If the planning falls short or fails to anticipate certain disasters, then recovery will be far more challenging.

What is Your Business Continuity Plan Objective?

Above, we mentioned the importance of identifying an objective for your BCP. What is the purpose of your business continuity plan? What does it aim to accomplish?

While the fundamental goal of every BCP is similar—to ensure continuity through a disruption—plans can vary in their approach. This is why it’s important to identify your business continuity plan objective at the start of your planning. Typically, this is one of the first sections in a BCP.

For example:

• A BC plan objective can be focused on the business as a whole, or specific business units and processes.
• Some organizations create separate BCPs for IT operations, focused on continuity of networking, data storage, backup, Internet connectivity and so on.
• A business with little risk for technology-related hazards, such as smaller retail establishments, may set a business continuity plan objective that is more focused on emergency response protocols, employee safety and workforce continuity.

Setting a plan objective is crucial for ensuring that everyone is on the same page about what the plan aims to achieve. If, for example, the plan is focused solely on IT continuity, then this will make it clear that additional planning is needed for other areas of the business.

What about RTO and RPO?

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are additional objectives that should be identified within certain sections of your business recovery plan. However, unless your plan is strictly focused on a specific system (rather than the business as a whole) then these objectives should not be used as the plan’s key objective. Instead, RPO and RTO should be identified within your recovery planning sections.

Here’s the difference between RTO and RPO:

• RPO?is the desired backup recovery point for restoring data (or essentially the age of the most recent backup). The more recent, the better.
• RTO?is the desired speed of restoration following an outage. The faster, the better. i.e. a 2-hour RTO following hard drive failure.

For example, an RPO of 8 hours would dictate that no backup should be more than 8 hours old. An RTO could be used to specify how quickly a data recovery should occur. For example, an RTO of 1 hour would dictate that a backup must be able to be restored within 1 hour.

It’s important to note that being able to achieve these objectives depends largely on the capabilities of the backup systems deployed. This is why RPO and RTO should be determined during the planning process to help identify which technologies are required.

Business Continuity Plan Assessment

Your business continuity plan assessment—often referred to as a?risk assessment—is another critical section of your planning document.

Above, we mentioned the importance of identifying the most likely risks to your organization. This is the section where you will outline those risks, defining what they look like and their likelihood of occurring. By assessing your risks in this fashion, you’ll be able to prioritize your planning around the most urgent risks.

Some organizations may also choose to incorporate aspects of their business impact analysis in this section, in the form of a table or chart. This provides a clearer overview of the threats and their severity, at a glance. Here is a basic example of what this business continuity plan assessment might look like:

Business Continuity Plan Checklist: Have You Included These Sections?

We’ve touched on the fundamental scope of a business continuity plan and some key components to include. But there are several other sections you’ll want to include to ensure that the plan is effectively communicated and able to be properly executed. Use the business continuity plan checklist below as a basic outline for how to structure your document and what these sections should entail.

• Contact information: Include the names and contact information of those who have created the BCP. You may also choose to include the contact information of disaster recovery team members here, as well as stakeholders who should be notified first when critical business disruptions occur.
• Plan objectives:?Outline the key goals of the plan and its areas of focus, as directed above, to define its scope (and limitations).
• Risk assessment:?Identify probable risks and disaster scenarios, as outlined above, which have the potential to cause a break in continuity.
• Impact analysis: Define the impact of those scenarios, including the potential length of the disruption, business systems or areas that will be affected and the estimated costs.
• Prevention: Define the systems and protocols that will help to prevent those scenarios from occurring or that can mitigate the issue. A basic example would be antimalware solutions to prevent a malware infection.
• Response: Provide step-by-step instructions for how to respond to the disaster scenarios identified in the risk assessment. Typically, these are the protocols that should be followed immediately after a disruption to ensure a swifter mitigation and recovery.
• Recovery: Detail the additional protocols for fully recovering affected systems or business functions. Examples could include recovering data from backup, restoring lost power or rebuilding a structure after a natural disaster.
• Contingencies:?Identify backup assets and contingency plans for incidents involving extended disruptions. This could include a sudden transition to remote work, as was seen during the COVID-19 pandemic, as well as secondary business locations and backup equipment if primary facilities are destroyed.
• Action items:?Explain any weaknesses identified during the planning process or outstanding action items that need to be followed up on. For example: the need to deploy a new?data backup solution for greater protection?against emerging threats such as ransomware.
• Communication:?Identify the means of communicating important updates between recovery teams and to other personnel. Examples could include the use of mobile devices/text messages, intranet/extranet sites or emergency phone lines for employees to call for updates during prolonged disruptions.
• Plan review:?Specify how often the business continuity plan should be reviewed and updated, and by whom.

Auditing a Business Continuity Plan

Routine review and auditing of a business continuity plan is crucial for ensuring that the information within the plan is still accurate and up to date. As new risks emerge, or business objectives change, it is necessary to revisit the plan and update those sections accordingly.

For example, only a few years ago, the threat of ransomware was not on many businesses’ radars. Today, it is one of the most dangerous risks to organizations, and as such, is now commonly included in BC plans across numerous industries.

But also, on a smaller level, even personnel names and contact information within a BCP can become quickly outdated when employees leave a company. So it’s important to make sure every aspect of the plan is up to date.

How to Conduct Business Continuity Testing

Business continuity testing is another vital part of the planning process. Testing ensures that the protocols and systems identified in the plan are actually effective. Routine tests also help to educate recovery teams and have them walk through the steps, so they are familiar with the processes when real disruptions occur.

Business continuity testing can encompass nearly any aspect of your planning, including:

• Data backup validation and recovery tests
• Mock drills for IT infrastructure failures
• Emergency response & evacuation procedures
• Network stress tests

All tests should be thoroughly documented. Did anything go wrong? Were recovery objectives met? What improvements must be made? If any critical gaps are uncovered during the testing process that require significant infrastructure changes (such as a new backup system, for example), these should be identified in the Action Items section of the BCP.

Hiring a Business Continuity Professional or Consultant

Hiring a business continuity consultant can be a smart move for businesses that need an outside perspective from a professional. Experienced consultants can identify any gaps in your business continuity plan, as well as the need for additional systems or procedures.

If you plan to hire a business continuity professional, you’ll want to be sure that the consultant is the right fit. Here are some tips:

• Look for a consultant with experience in your specific industry or niche
• Confirm the consultant’s area of expertise; for example: IT-only or comprehensive business continuity planning
• Ask for referrals that you can contact for a deeper understanding of the consultant’s quality of service

Outsourcing Business Continuity

Businesses with limited resources may want to consider outsourcing business continuity planning to an outside provider. This is a perfectly acceptable strategy for both small and large businesses, particularly if in-house personnel have little experience building a BC plan.

Even if your organization already has a BCP, outsourcing business continuity planning can help to provide an independent audit of your plan or manage specific aspects, such as your continuity technologies.

Which BCDR Vendors are Right for You?

Business continuity and disaster recovery (BCDR) vendors can help to deploy the technologies you need to maintain continuity. These solutions can include data storage, data backup, cloud replication and network solutions, just to name a few.

Choosing the right BCDR vendors is much easier when you already have a business continuity plan in place. Your BCP will identify the specific technologies you need to mitigate risks and recover from a disruption. Your continuity objectives will further help to narrow down your options: if a potential data backup solution can’t meet your RPO, for example, then you need to look for other vendors.

Frequently Asked Questions (FAQ) about a Business Continuity Plan

1. What is in a business continuity plan?

A business continuity plan includes the systems and procedures that help a business stay open during an operational disruption. A typical plan includes:

a.???? Plan Objectives

b.???? Key Contacts

c.???? Risk Assessment

d.???? Business Impact Analysis

e.???? Disaster Prevention Strategies

f.????? Communications Plan

g.???? Disaster Recovery Protocols

h.???? Business Continuity & Disaster Recovery (BC/DR) Technologies

i.?????? Plan Review & Testing Schedule

2. What is business continuity in simple words?

In simple terms, business continuity means that a business can continue operating during a disruptive event. All companies aim to maintain business continuity. A break in continuity—whether caused by natural disaster, cyberattack or other incidents—can be costly and can threaten the survival of a business.

3. What is the most important step in business continuity planning?

The most important step in business continuity planning is identifying the systems and procedures that will help a business maintain operations during various disaster scenarios. To effectively complete this step, the business will first need to conduct a comprehensive risk assessment and business impact analysis.

4. Who is responsible for a business continuity plan?

A business continuity plan is typically the joint responsibility of leaders from different operational divisions. While one individual may be tasked with overseeing the plan as a whole, the content is usually a team effort, requiring managers to identify operational risks specific to their respective units.

5. Is backup part of business continuity?

Yes, backups are integral to business continuity, because a loss of data can result in a costly operational disruption. This is why it’s important to identify data backup systems and protocols within the business continuity plan, including deployed technologies, recovery objectives, backup testing and recovery procedures.

Conclusion

Developing and maintaining a good business continuity plan is essential for keeping operations running through an unexpected disruption. By adequately assessing risks and outlining strategies for prevention, response and recovery, organizations can greatly reduce the chances of a prolonged interruption to essential systems and services.