Google search “business continuity planning steps” and you’ll find a yard sale of results.
Is it 5 steps, or 7, or 4?
Which are the most involved and which are the most important?
How long does the business continuity planning process take? And who should be involved?
I would love to be the definitive source of truth here, but in reality, there is no perfect answer. Size, location, industry, management structure, and existing reporting, resources, and experience—every company is different, as are their business continuity planning needs. These factors and more influence how we tailor our approach to business continuity planning with each of our diverse clients.
Still, like many, you’re probably here because you’re getting ready to embark on the business continuity planning process and you have a lot of questions.
Bryghtpath has over 50 years of collective experience in business continuity planning working with a multitude of global clients in varied industries.
Here’s our take on the process, and a good idea of what you can expect from the business continuity planning process.
Step 1: Establish the Fundamentals of Business Continuity Planning
When we start working with clients on their business continuity plan or BCP, the general end goal is always the same—create a plan to keep things running in the event of a disruption. But while most companies have the same vision for the outcomes of their business continuity planning process, they may have different ideas of how they are going to get there.
Your company should start the process by agreeing on a few fundamentals.
What are the plan objectives?
Most companies have the same basic objective—minimize the impacts of disruptions and restore critical capabilities within acceptable timeframes. Improving overall company resilience and the decision-making process may also be important goals.
However, every business is different and will have a slightly different take on the overall goals and objectives for their business continuity planning endeavors. Getting clear on what these are at the outset is critical to achieving an optimal outcome.
Who will be responsible for creating and activating the plan?
There are many roles and responsibilities in business continuity planning. From senior-level leadership who ensures the business continuity program and planning process aligns with strategic objectives, to the business unit planners who do the actual work of creating the plan, each is critical and requires the right people to be placed in the right role. While some roles and responsibilities may change over time, you should initially establish exactly who will be involved and the role they will play in the planning process.
You also need to decide who will be responsible for actually activating the plan. This depends a lot on your company culture. Some may elect a centralized method that requires the authorization of a high-level incident leader or a crisis management team. Other businesses adopt a decentralized method in which authorization to activate the plan is distributed to different business unit leaders; we find the latter to be a more nimble and effective approach in most cases.
What resources are available for Business Continuity Planning?
Certain response and recovery strategies in your business continuity plan may require the development of new capabilities and/or the purchase of new equipment. Each company must determine the tradeoff of potential risks and disruption against the relative resources available to invest in its business continuity plan. For example, one company may choose to purchase spares of critical equipment to build new redundancies, whereas another with different resource capabilities may elect to accept the risk of a temporary shutdown.
Step 2: Assess Risks and Business Impacts
Just as the integrity of a well-built home depends on laying a sound foundation, so too does the effectiveness of a good business continuity plan rely on the right assumptions. A thorough business impact analysis, or BIA, is key to developing the accurate underlying assumptions that will ensure business continuity planning success.
Your BIA will help you better understand:
- Key business systems and processes
- Specific areas of vulnerability
- Potential impacts and losses from particular disruptions
- Current capabilities and redundancies
- Maximum tolerable downtimes for different business functions
I can’t emphasize enough how important it is to get your BIA right. Without a good BIA, you might end up overlooking critical systems and processes or the full impact a disruption could have on your revenue, expenses, and reputation.
In our experience, after conducting their BIA, a lot of companies realize they’ve vastly underestimated the interdependencies in their operations—especially when it comes to technology and outsourcing to third-party service providers.
For example, an organization may think of a tool like Salesforce as impacting only their sales activities. But their BIA may reveal that this service is critical to many other operations that could be impacted in the event of a disruption to the Salesforce infrastructure.
We typically evaluate interdependencies in four core areas—workplace (the breakdown of work by geographical location and facility), workforce (the minimum number of key personnel assigned to critical functions along with required skill sets), third party relationships (outside services and products necessary to critical functioning), and technology (software and platforms). The BIA should also capture upstream and downstream dependencies between various business units within the organization.
Step 3: Select and Develop Your Response and Recovery Strategies
After evaluating your business processes and interdependencies and the potential impacts of a disruption, you will likely discover many gaps between your response and recovery requirements and your current capabilities. From this baseline, you can determine what needs to be done to address these gaps and develop a menu of resource and recovery strategy options that can be implemented in response to a particular incident. Some strategies may require new capabilities to be developed, especially where significant gaps in current capabilities are identified.
The menu of response and recovery strategies is typically broken down by resource (i.e. workplace, workforce, 3rd parties, and technology) and also includes an estimation of the time needed to implement and the expected sustainable duration for each strategy.
Each separate recovery strategy should include a detailed procedure that further describes how that specific response and recovery strategy will be accomplished.
Step 4: Create Your Response and Recovery Roadmap
After all available response and recovery options have been cataloged, the next step is to develop the procedures and guidelines that will serve as your business continuity plan roadmap. Your team will use this roadmap to help you initially assess the disruption, activate the appropriate response strategy, and carry out that strategy to completion.
A critical part of preparing your response and recovery roadmap is detailing how and when you will evaluate your plan. While the inherent nature of business disruptions precludes testing your business continuity plan in a practical sense, regularly reviewing the performance of your BCP can provide important insights and improvements.
Likewise, roles change, people leave, and technology and processes evolve. And disruptions that were once unimaginable (like a global pandemic) may emerge as all-important. You should evaluate and update your BCP on a regular (at least annual) basis and also as part of the after-action review following any specific response and recovery plan activation.
Business continuity planning is full of surprises
When we begin the business continuity planning process with our clients, we usually get one of two reactions.
“This is more complicated than I expected!”
The first is one of shock and overwhelm—as the saying goes, “ignorance is bliss.” Once the client begins to dig in, they realize that there’s a lot more to think through than they ever imagined; and that their business is vulnerable to a lot more risk than they ever realized.
Another common discovery for many businesses is that their business continuity plan resides mostly in Susan from Compliance’s head. While Susan has been through 30 years of disruption and response and recovery in your business and is a wealth of knowledge, what happens when she retires, has a medical issue, or your competitor hires her away?
In both cases, an experienced consultant can help you overcome the overwhelm of tackling the business continuity planning process for the first time. Likewise, they can help you get everything in Susan’s head on paper and also identify and address existing gaps from previous business continuity planning efforts.
“This is a lot less complicated than I expected!”
A second reaction we get from new clients is one of pleasant surprise.
A lot of business continuity professionals and consultants are focused on building the best, most detailed, and complex business continuity program that they can. They try to follow every standard to the letter and impose a rigid methodology on each step of the process. But a misplaced focus on complexity and on complying with an industry standard often causes more confusion and complication than it solves. Approaches like this often fail to meet the organization’s objectives of minimizing disruption and optimizing resilience.
I’m all for diving into detail and complexity—when it makes sense. But taking this approach to business continuity planning doesn’t necessarily mean you’re delivering what your clients really need. Reams of binders with 175-page plans are cumbersome and seldom used, frustrating efforts to respond to an actual disruption in the future.
The Bryghtpath approach is informed by our practical business experience. We know what senior leaders care about and what’s truly important to the success of your business. Rather than creating an overly complex business continuity plan and program, our goal is to demystify the process and ensure that we produce a BCP that is practical, usable, and applicable—and with the least disruption possible in the creation process. The result is a tight integration of your business continuity program and business continuity plans with your business’s overall objectives and strategy.
Whatever business continuity planning surprises your organization is facing, Bryghtpath is ready to help. We work with the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.