Business Continuity Plan Basics
Business Continuity Planning is a subset of ERM planning and is defined as the processes, procedures, decisions, and activities created by an organization to ensure that critical operations continue to function through business interruption events. It is yet another area of critical understanding for leaders at all levels. In this article, we will illustrate the basic recipe for business continuity plans and explain the importance of each.
The purpose of Business Continuity Planning is to minimize the adverse impact of the event itself and to return the organization to normalcy as quickly as possible after the event subsides, through the proactive process of risk assessment and mitigation plan development. Best-practice BCP programs have five main components:
- Crisis Communication Plan
- Emergency Response Plan
- Disaster Recovery Plan
- Business Resumption Plan
- Testing, Training & Awareness
Program Structure
A Business Continuity Program is a collection of processes by which continuity planning, documentation, testing, and implementation are achieved, monitored, and managed. The document that memorializes the program is called a Business Continuity Plan and consists of five primary components which we discuss in more detail below:
Crisis Communication Plan (CCP) – Provides direction and detail on how to communicate during and after an Event.
Emergency Response Plan (ERP) – Provides procedures to ensure the safety of employees and safeguarding of facilities and assets during an Event.
Business Resumption Plan (BRP) – Provides direction and procedure on resuming business immediately after an Event.
Disaster Recovery Plan (DRP) – Identifies priority of key applications, systems and data network recovery, and procedures for initiating backup systems during an Event as well as restoral of primary systems after an Event.
Testing, Training & Awareness Plan (TTAP) – Establishes the plan for regular testing of the BCP, as well as the schedule of employee training and awareness for all BCP components.
The BCP assumes that an Event has resulted in, or indirectly triggered, one or more of the following scenarios at any organization entity:
- Key facility(ies) rendered uninhabitable
- Access to network data or applications severely impacted or lost
- Normal means of communication severely impacted or lost
- Key personnel and/or a large percentage of human resources unable to report to work
For continuity planning purposes, we focus on impact versus event. While we could fill page after page with all the events that could potentially befall our operations, the types of inevitable impact resulting from those events are limited. Further, the BCP anticipates worst-case scenarios without regard to event probability. This Control-Based Risk Management technique prevents program gaps (and potential failure) caused by minimizing exposure to low-frequency events.
Event Definitions
It is important to understand that not every “disaster” will cause a business interruption for an organization. The inverse is also true: a seemingly small server equipment failure could be severe enough to cause a Business Interruption, invoking an organization’s BCP. We have therefore defined the following terms as they relate to an organization’s operations and continuity planning and response efforts. Note that severity increases with each progressive situation, and the terms have a “stacked” relationship (i.e., not every Event is an Incident, but every Incident is an Event, and so on).
Event: Any occurrence, whether caused by human action, technological failure or natural phenomena, whether anticipated or not, that requires acknowledgment and has the potential to create an Incident for an organization.
Incident: An Event that disrupts the normal course of an organization's business operations, requires correction, and may or may not cause a loss of productivity.
Business Interruption: Any Incident with an impact expected to exceed 72 hours that causes a loss of productivity and/or potentially revenue but is believed to be within an organization’s capacity to control using established resources and plans.
Disaster: An exceptional Event that overwhelms service infrastructure such as utilities, communication, and transportation, causing a Business Interruption that exceeds an organization’s capacity to control in terms of duration and impact.
Activation of the BCP
An organization’s BCP will be activated when an event overwhelms its ability to manage the event through standard operating procedures. Some or all components of the BCP may be activated for a Business Interruption scenario; full activation of the BCP is expected for a declared disaster scenario. Plan activation happens at the senior leadership level and may consist of a 2- or 3-person team handling the entire plan or a much larger team structure, depending on the size, geographic diversity, and complexity of the organization.
Crisis Communication
The goal of a Crisis Communication Plan (CCP) is to provide protocols for communicating appropriate, timely information to internal and external stakeholders. Prescribed communication protocols help to proactively manage risks related to reputation and credibility by:
- Communicating key messages to key leadership and stakeholders as quickly as possible, with regular updates as circumstances evolve.
- Identifying the best communication mediums to reach intended audiences.
- Being open, accountable, and accessible to both internal and external stakeholders, while being mindful of legal and privacy concerns.
- Ensuring that Chugach’s core behaviors and commitment to safety are reflected in all communications.
Key Plan Elements
- Roles and Responsibilities: Identifying primary and backup positions.
- Audiences: Identifies the full range of potential audiences requiring communication, including contact information in both a repository and a backup area.
- Communication Channels: Identifies multiple communication channels for each audience if traditional communication channels are down.
- Activation Protocols: Addresses activation following the CMT’s activation of the BCP.
- Command Center: Identification of primary CMT and media operations, including back-ups.
Emergency Response
The Emergency Response Plan (ERP) identifies potential emergency events and establishes compliant emergency response procedures for leadership and the Emergency Response Team. The specific objectives of the ERP include the following:
- Minimize injury and loss of human life during any crisis event.
- Reduce damage to buildings and equipment.
- Prepare employees for dealing with emergency situations through education, training, and drills.
- Assure company-wide compliance with the Occupational Safety and Health Administration’s (OSHA) Emergency Action Plan Standards and other applicable regulations.
- Maintain business continuity.
Standard ERP Elements
- Roles & Responsibilities: Identifying primary and backup positions.
- Emergency Response Plan: Identifies and plans for potential emergency response events for its location(s) and addresses requirements of Federal, State, and Local regulations.
- Post-Event Reporting: Identification of the process and procedure for reporting.
Each ERP must clearly define the process and procedures related to plan implementation to ensure the safety and well-being of employees, clients, and visitors. Plans must identify both potential emergencies and the plan for addressing those emergencies by location, as required by Federal, State, and Local regulations. At a minimum, each plan will address the following:
- Natural Disaster
- Severe Weather
- Workplace Violence
- Pandemic
- Medical Emergency
- Civil Disturbance
- Fire & Uncontrolled Electricity
- Power Loss
- Toxic Hazard Exposure
Disaster Recovery
The Disaster Recovery Plan (DRP) outlines the roles, responsibilities, and protocols that will guide the restoration of network systems and data during an emergency or crisis. The purpose of the DRP is to establish the priorities and protocols that the Disaster Recovery Team will follow to restore services in the event of disruptions to our local area networks (LAN), wide area networks (WAN), internet access, wireless network services, applications, and other systems.
Each DRP should:
- Provide clear documentation, testing, and review of recovery services.
- Document storage, safeguarding, and retrieval procedures for vital network records and other relevant data.
- Immediately mobilize a group to assess the technical ramifications of a situation.
- Set technical priorities for the recovery group during the recovery period, i.e., what systems and data are prioritized for restoration.
- Minimize the impact of the disruption to services and business groups.
- Stage the restoration of operations to full capabilities.
- Return to full operations, when appropriate, once the disruption has been resolved.
Standard DRP Elements
- Roles & Responsibilities: Identifying primary and backup positions.
- Disaster Recovery Plan Assumptions: List all assumptions used in developing the plan.
- Disaster Recovery & Backup Strategies: Addressing how servers, services, networks, and network file data are protected, backed up, and restored.
- Critical Staff: Includes staff and key outside vendors.
- Implementation: Identification of site-specific procedures.
Business Resumption
The goal of the Business Resumption Plan (BRP) is to establish predetermined and documented resumption processes within each functional area to help ensure that the organization can return to normalcy as quickly as possible after a crisis event. The BRP provides emergency response protocols that ensure that leadership and Business Resumption Team members are familiar with business resumption processes.
Each BRP should:
- Identify mission-critical functions, processes, and systems by functional area.
- Identify critical staff with specific or additional duties for resumption after a crisis or interruption event.
- Document step-by-step procedures for mission-critical processes.
- Define expectations of a return to normal operations together with assumptions and requirements underlying those expectations.
Standard BRP Elements
- Roles & Responsibilities: Identifying primary and backup positions.
- Mission Critical Identification & Impact: Identifies the priority and criticality of restoring functions, processes, and systems after a crisis or interruption event.
- Critical Staff: Staff and key outside vendors.
Testing, Training & Awareness
Each TTAP will identify the type and platform for staff training as well as the employees subject to the various trainings. At a minimum, employees will be trained on general BCP understanding upon hire with an annual refresher training, and employees with specific BCP duties will receive subject-specific training annually. At a minimum, training programs should include:
- All-employee training on BCP structure and program (upon hire and annual refresher)
- Process-specific training (active members of BCP)
- Process-specific training for BRP (by department)