How To Score And Win The Game With A Great Business Continuity Plan!

How To Score And Win The Game With A Great Business Continuity Plan!

What is a business continuity plan (BCP)?

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and can function quickly in a disaster.

Understanding Business Continuity Plans (BCPs)

Dominoes, business continuity concept

BCP involves defining any risks affecting the company’s operations, making it an essential part of the organization’s risk management plans. Risks may include natural disasters—fire, flood, or weather-related events—cyber-attacks, and Centers for Disease Control events (COVID-19). Once the risks are identified, the plan should also include the following:

  • Determining how the risk will affect operations
  • Implementing safeguards and procedures to mitigate the losses
  • Testing procedures to ensure they are optimized
  • Reviewing the process to make sure that it is up to date

BCPs are an essential part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And companies can’t rely on insurance alone because it doesn’t cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves key stakeholders and personnel input.

At The National Football League, A Business Continuity Plan Was In Place In The Event Of A Tragic Event.

NFL flags

When I worked in Football Operations at the NFL, I was heavily involved on the Risk Management Team. Our team knew that the NFL had a plan if a tragic plane crash event eliminated an entire team. The plan was to have an emergency meeting involving all 32 team clubs. Team management would conduct a special draft of the existing 31 clubs, pulling enough players and staff to field a team to continue business operations for the rest of the season.

Business Continuity Plan vs. Disaster Recovery Plan

Business continuity and disaster recovery concept

BCPs and disaster recovery plans are similar; the latter focuses on technology and information technology (IT) infrastructure. BCPs concentrate more on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look at technology outages and related expenses. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential procedures.

6 Levels Of Business Continuity Maturity

Business continuity concept

How mature is your organization when it comes to business continuity? Does your business continuity management (BCM) program crawl, walk, or run? From self-governed to synergistic, we have identified six levels of BCM maturity that most companies fall into.

Immature

Levels 1-3 represent organizations that still need to complete the necessary program basics to launch a sustainable enterprise business continuity management program.

Level 1 – No real plan in place. A wait-and-see approach.

Individual business units and departments can organize or implement their business continuity or disaster recovery efforts. The state of readiness for disruptive events is low across the business enterprise. The business or individual department reacts to disruptive events when they occur. No actual planning is involved: business continuity recovery is reactive rather than proactive.

Level 2 – Departmental: The one and only—you’re in a class alone!

At least one business unit gets it. You have reached Level 2 of BCM maturity if at least one department or business unit has initiated efforts to establish management awareness of the importance of business continuity. A few functions or services have developed and maintain business continuity plans within one or more business continuity disciplines, such as:

  • Incident reporting
  • Technology protection
  • Security mandates
  • Business continuity

At Level 2, your organization has at least one internal or external resource assigned to support the business continuity efforts of the participating business units and departments. The state of preparedness may be moderate for participants but remain relatively low across most of the company. Management may see the value of a BCM program, but they are unwilling to make it a priority at this time with minimal executive buy-in.

Level 3 – Cooperative: Moderate preparedness, but on its way to full maturity.

Participating business units and departments have instituted a sophomoric program, mandating at least limited compliance to standardized BCM policy, practices, and procedures to which they have commonly agreed.

  • A BCM program office or department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units.
  • Still lacking executive buy-in; senior management has not committed the enterprise to a BCM program.

Maturing

Levels 4-6 represent a definite plan for a maturing enterprise BCM program. If your business achieves Level 4, you are compliant with most standards.

Level 4 – Standards in place: You have climbed to early BCM maturity adulthood.

Congratulations! Your management has arrived on the scene and is committed to the strategic importance of an effective BCM program throughout the organization. In addition, there is an enforceable, practical BCM policy that adopts structure, including procedures and tools for addressing all four business continuity disciplines:

  • Incident reporting
  • Technology protection
  • Security mandates
  • Business continuity ​

Level 5 – Integrated: Almost there!

At Level 5, the company meets all of the requirements of Level 4 that are now implemented throughout the company, adopting continuous quality improvements.

All business departments have completed tests on all elements of their business continuity plan, including their internal and external dependencies.

  • Planned methods have proven to be effective.
  • Management has bought into crisis management exercises.
  • A communications and tracking system exists to sustain a high level of business continuity.

Level 6 – Synergistic: You have reached BCM nirvana!

You not only conquered levels 4 and 5. You own it! As official business continuity gurus, you have:

  • Sophisticated business protections are in place and tested successfully.
  • Innovative procedures, practices, and technologies are working and functional in the BCM program.​
Is Your Organization Prepared For The Next Disaster?

Is Your Organization Prepared For The Next Disaster?

Bad news is seemingly dominating the nightly news headlines. Disasters appear to be everywhere we turn. When a disaster such as a data breach occurs, it’s incredibly stressful and chaotic. Things need to be decided and done quickly or all of the organization’s data could be permanently lost. Note: It’s not IF a disaster will occur, but WHEN a disaster will occur. Does your organization have a written business continuity planning (BCP) plan defining how to handle the disruption?

Creating a documented, comprehensive, and tested business continuity plan and IT disaster recovery plan before the next disaster occurs is crucial. Otherwise, employees are forced to muscle through the best they can, and there is a good chance that critical tasks will inadvertently not get done or be much harder than normal.

If your organization doesn’t have a written BCP plan, here is a framework you can use to create a basic BCP plan, and then continue to enhance it.

How To Create A Business Continuity Plan (BCP)

Natural disasters

1. Identify the key risks – incident (i.e. cyberattack, pandemic, active shooter), outage (such as a power failure), and natural disasters (i.e. tornado, wildfire, earthquake). Do a risk assessment to determine the probability of occurrence (high, medium, low) and impact (enterprise-wide, regional, department-specific, etc.)

2. Take the risk assessment and do a business impact analysis (BIA) to determine how the organization would be impacted. Create a BIA questionnaire for each department to identify things such as potential lost income, outsourcing expenses, regulatory penalties, etc. Additional information can be found here.

3. Use the BIA information to create the business continuity planning (BCP) plan. There is specific software you can purchase, but if you’re just starting out, I’ve created BCP plans using Microsoft Word. Additional information can be found here.

  1. Create a separate “chapter” for each department, and have IT create a disaster recovery plan.
  2. Identify technology systems/applications and classify them based on quickly they need to be up and running (mission-critical, essential, non-essential).
  3. Identify employees who are critical and non-essential as well as have skills that can be used in other departments and speak different languages.
  4. Identify if there are any critical vendors or VIP customers that need to be notified.
  5. Other resources (e.g. hard copy plan, desktops/laptops, other equipment, forms, supplies, etc.) that will be needed especially if you’re resuming operations at an alternate location.
  6. Don’t forget to create a communication plan.
    • Who can declare a disaster? Talk with the press?
    • Make sure employees know what to do.
    • Have a special phone number employees can call to hear instructions (to report or not); have call info on a business card and distribute to employees; and/or purchase a system (such as Everbridge) to make outgoing calls/texts (will need up-to-date contact info).

4. The BCP plan should be reviewed at least annually. Departments should update their section of the BCP plan whenever the business changes (a new process or service), there is a new regulation, etc.

5. Test the plan at least annually and minimally via a tabletop exercise. This gives departments the opportunity to gather lessons learned and update their plan for things they didn’t account for or forgot to update. For example, you didn’t update the team directory and as result had incorrect phone numbers or didn’t realize that one of your critical employees had resigned and wasn’t replaced.

Additional Resources

BCP plan, business continuity plan

Another resource is the Association of Contingency Planners. There is a BCP intro and industry resources.

Once you create a basic BCP plan, then you can continually enhance it. So, when the next disaster occurs, your organization is better prepared and effective. Employees will benefit from all of that planning and know what to do.

For more information on having a comprehensive business continuity planning (BCP) plan, follow me on LinkedIn!