The Ultimate Guide to Business Continuity Planning
A key output of the business continuity planning process, plans are documented steps that help companies respond to and recover from a business disruption.
What is a Business Continuity Plan?
In most business continuity programs, there are five major types of plans:
- Crisis Management Plans : Sometimes referred to as “incident management plans,” crisis management plans provide a structured response to a disruption that if poorly managed, will result in unacceptable consequences for the organization. These plans provide steps and considerations for the organization’s strategic response to a disruption.
- Crisis Communications Plans : A crisis communications plan serves to supplement crisis management activities by coordinating two-way communications with internal and external stakeholders.
- Emergency Response Plans : Emergency response plans are typically written for a location and focus on ensuring a safe work environment and the protection/preservation of life. These plans may include different sets of procedures for different threats.
- IT Disaster Recovery Plans : IT disaster recovery plans are technology plans that focus on the recovery of IT systems, data, and telecommunication assets.
- Business Continuity (Recovery) Plans : Business continuity, or business recovery, plans focus on the continuation and/or recovery of business activities and resources that support the delivery of products and services. These plans typically include procedures, manual workarounds, and alternate procedures addressing the loss of the workplace, equipment, people, technology and suppliers.
This article focuses on the fifth of the plan types, business continuity plans.
What is the Purpose of a Business Continuity Plan?
The purpose of a business continuity program is to prevent disruption and respond efficiently and effectively when one occurs. As such, business continuity plans typically serve three main purposes:
- Ensure that employees, contractors, customers, and visitors remain safe
- Minimize the impact associated with disruption by speeding up the recovery effort
- Protect the organization’s reputation, operations, and relationships with stakeholders
There’s a US military quote that’s often cited when it comes to “plans” (with many people receiving credit for it). It goes something like this: “Plans are only useful as evidence that planning took place.”
When it comes to business continuity plans, that is partially true. Business continuity plans must remain flexible to changing circumstances, but also include procedures that outline how to implement recovery strategies addressing a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties.
What is the Best Approach to Writing a Business Continuity Plan – Resource-Loss vs. Threat-based Planning?
Over the years, business continuity professionals debated two major schools of thought on the approach to planning: resource-loss based planning and threat-based planning. Castellan strongly recommends the former, resource-loss based planning.
Several years ago, the business continuity industry focused on completing threat-based plans. These plans focused on an organization’s response to very specific events: snowstorms, fires, floods, pipe bursts, tornados, and acts of terrorism. There are two key issues with threat-based planning:
- You can never plan for every situation
- Attempting to plan for every situation necessitates endless documentation, meetings, and considerations (and therefore increases the administration burden associated with maintaining these numerous plans)
Also, should any of these threats occur, the result is the same – a loss of people, the workplace, equipment, information technology services and data, and suppliers/third parties. So why not keep it simple and streamline the planning effort?
This is where resource-loss based planning came into place.
When creating business continuity plans (typically, one plan each for a function or department), Castellan focuses on four main resource types: people, workplace/equipment, information technology, and supplier / third parties. When documenting business continuity procedures, Castellan first works to identify the best strategies to address each resource loss for each department or function, and then documents how to implement each strategy following the onset of a disruption and as necessary, how to operate differently until returning to normal.
Before covering the business continuity plan creation process in more detail, it’s important to point out one more detail. There is a place for some threat-based procedures. For example, procedures to address preparation for hurricane, or if a public health emergency is imminent, how to prepare staff for a period of absenteeism.
Get The Department Recovery Plan Template
How to Write a Business Continuity Plan?
Plan documentation is the fourth phase in Castellan’s Business Continuity Operating System (BCOS). Prior to documenting plans, it is necessary to complete the Startup, Analysis, and Strategy phases to scope the business continuity program, understand key activities as they relate to the organization’s key products and services, identify activity dependencies (resource requirements), and determine the strategies to recover each dependency .
After completing the first three BCOS phases, it is time to document the business continuity plans. Creating business continuity plans involves four steps:
- Planning Approach Determination : Determine how the organization intends to manage the response to a disruption, the scope of the plans, and how the different plan types interact
- Plan Development: Design the plan structure, collect the information necessary to manage the response to the disruption, and then create the procedures (answering the question, “how”)
- Plan Review and Approval: Review the draft plan with the plan owner and the team that will be charged with responding to the disruption; seek their feedback and approval
- Plan Refresh: Review the plan periodically (typically annually or following significant change) to confirm strategies remain appropriate, assigned team members remain accurate, and procedures are both complete and accurate
1. Planning Approach Determination
As discussed earlier, there are five types of business continuity plans: crisis management, crisis communications, emergency response, IT disaster recovery, and business continuity. However, some organizations may combine plans into a single document. This decision is often based on organizational size, complexity, sector, and structure.
The most common planning approach that we see organizations use looks like this:
With this planning approach, individual teams (and their respective plans) can be triggered into action in response to a disruption impacting their respective function/department or resource dependency.
For crises or disasters that have the potential to disrupt the entire organization, the crisis management team (supplemented by the crisis communications team) would be triggered into action. This group, or groups, would provide strategic direction and address issues from individual functions/departments that were escalated, along with approving spend to acquire required resources for recovery. This group would also manage internal and external communications. Using this approach, other members of the organization’s executive leadership team that aren’t actively participating (or don’t have a specific role), aids and provides resources to the crisis management team on as “as needed” basis.
However, this approach does not make sense for all organizations. Some common examples of when a different structure is beneficial include:
- Executive Leadership Involvement: Some organizations have a culture or organizational structure where executive leadership feels that they should be the crisis management team. This approach is often the case for small to mid-sized organizations or when crisis communications are, typically, the primary focus of the crisis management team.
- Site Recovery Plans: For some organizations, namely those in the manufacturing industry, site recovery plans are used either instead of, or as a supplement to, function/department recovery plans. This approach is typically used when recovering processes comprised of multiple elements of different functions or departments.
2. Plan Development
Plan development addresses the creation of the plan, leveraging and summarizing information, conclusions and outcomes stemming from the Analysis and Strategy phases of the Business Continuity Operating System.
The first task is establishing the structure of each plan and clarifying the relationship among the plans. Business continuity plans typically include the following sections/content:
- Plan scope and objectives
- Team members and contact information
Response and recovery procedures
Scope and Objectives
The business continuity plan scope and objectives section should summarize what the plan intends to accomplish. Additionally, the plan should define the scope of the response and recovery effort addressed by the plan.
Team Members and Contact Information
This section should outline the team members needed to manage the response and recovery effort and their roles and responsibilities . Contact information for each team member should also be documented in the plan. In addition to the team’s contact information, any other individuals or organizations – internally or externally – that may need to be contacted during a disruption should be documented within the plan.
Response and Recovery Procedures
During the BCOS “Strategy” phase, decisions were made on how the organization would respond in general, and how to recover affected resources (people, workplace/equipment, information technology, and suppliers/third parties). During the planning process, it is important to document how to implement these strategies, and as necessary, how to operate differently when employing these strategies. Each procedure should be assigned to a team role to ensure that no steps are missed (thereby delaying the recovery effort). One more point regarding recovery strategies – business continuity plans should include information on how to use manual workarounds or alternate procedures, if known and possible.
3. Plan Review and Approval
Following the completion of an initial draft of each plan, it should be reviewed and approved by the members of the response or recovery team. Team members should validate that the procedures documented are accurate for their individual roles. Team members should be encouraged to add details and steps that accurately describe additional responsibilities or actions that they would perform during the response to a disruption. After the plan has been reviewed by members of the team, it should be approved by the plan owner, who is often the team leader.
4. Plan Refresh
Business continuity best practices recommend that documentation is reviewed, updated, and approved, at a minimum, on an annual basis. As such, Castellan recommends that on an annual basis (or more frequently if the organization covered by the plan changes materially) organizations review their business continuity plans. Team members, roles and responsibilities, and strategies/procedures are key areas that should be reviewed and refreshed. Considerations include:
- Team members: Update roles and responsibilities to reflect the current team and its responsibilities.
- Strategies and Procedures: If systems, suppliers, people, or facilities have changed for the given plan, the associated strategies and procedures should be updated. Procedures should continually be enhanced to reflect how the team would recover from a given incident. Especially if an incident has occurred since the past plan revisions, procedures should be reconsidered and updated to accurately reflect how the response to the disruption should occur.
Common Challenges When Creating Business Continuity Plans
Organizations face many challenges when documenting business continuity plans. A few of the most common challenges include:
Reliance on Templates
Business continuity plan templates can ensure a higher level of quality through consistency of structure, and also efficiency by centrally creating content applicable to all plans. However, just like anything, a template only can do so much. Where a plan template can provide a great starting point, it alone will not suffice if your organization wants to be truly prepared for an incident if the template is not updated to describe how to response and recover using selected strategies. Templates are a great start, but plan customization is where your organization will gain the most from the planning process.
Plans Lack Focus
One of the most common questions we hear when discussing the plan documentation process with plan owners is “What am I supposed to do when something happens?” The answer to this question and the focus of any plan should be very simple: the plan is used to guide the response to and recovery from the disruption. To do so, plans must document the answers to a few simple questions, notably:
- Who is involved with the response and recovery effort?
- How do we response and recover in a timely manner?
- When do we recover (and to what performance level)?
- How do we operate in “recovery mode” until returning to normal?
The results from the business impact analysis (BIA) should establish business continuity requirements, enabling the strategy determination and plan documentation effort. The BIA should define what activities need to be resumed, how soon these activities need to be resumed, to what performance level, and what resources are needed. If a plan doesn’t address BIA results in a concise manner, the plan will lack focus and will likely be ineffective.
Plan Activities and Tasks are Too Generic or Irrelevant
This ties in with our point about using plan templates!
Strategy development must occur before documenting business continuity plans. Too often, practitioners forget that the key function of a plan is to document the steps necessary to recover and describe how to operate in “recovery mode.” To ensure that plans are relevant and make sense, plan owners and those that use the plans must work together to identify strategies in the event of a resource loss. Once plan owners are aware of approved response and recovery strategies specific to their business activities, plan documentation typically becomes significantly simpler. Imagine trying to document the steps necessary to relocate operations to a new facility without knowing where that location is, how many employees can go there, and what resources are available.
Plan Content Is Not Developed for the Right Audience
All managers delegate, and when done right, delegation is often a good thing, especially when managers can leverage subject-matter experts (SME) to assist in the planning process. However, business continuity practitioners always need to work with managers to ensure that plans are written at the appropriate level and provide actionable steps for the recovery team, which usually consists of managers and SMEs. If the new summer intern isn’t familiar with business operations, he or she is probably not the best person to develop the function or department’s business continuity plan. Business continuity professionals can work with business owners to ensure appropriate buy-in and further set expectations for plan owners during the strategy and plan development process to ensure proper ownership and review prior to approval.
What is the Difference Between an IT Disaster Recovery Plan and a Business Continuity Plan?
As mentioned earlier, there are five types of plans. Two of these plans that often get confused are IT disaster recovery plans and business continuity plans. Both types of plans focus on how an organization can respond to and recover from a disruption. That said, business continuity plans focus on the continuation and/or recovery of business activities, whereas IT disaster recovery plans focus on recovering IT infrastructure, applications and data.
Business continuity plans focus on four loss scenarios (people, suppliers, technology, and facilities/equipment) and the business’ response to a disruption of each. As introduced previously, plans are typically created at either the business unit, department, or site level. On the other hand, IT disaster recovery plans focus on the technical requirements that go into recovering an organization’s IT services and associated infrastructure. There are usually several plans created as part of an IT disaster recovery program:
- IT Incident Management Plans: Describes the strategic nature of IT response and recovery, summarizing priorities and order of recovery, with an IT Incident Management team to oversee the overall response and recovery effort.
- IT Infrastructure Recovery Plans: Based on the size and complexity of an organization, IT Infrastructure Plans can be developed in different ways. However, these plans typically address how to recover network, storage, compute (servers and databases), and telecommunications assets.
- IT Application Recovery Plans: IT Application Plans document how to recover, test and connect the end user to a recovered application and its data.
Frequently Asked Questions
Based on industry standards, Castellan recommends updating and performing planning activities on an annual basis (more frequently based on organizational change). In general, this determination should be made based on the speed in which your organization is changing and evolving. If an organization experiences significant changes often (i.e. the scope of each department, leadership, strategic initiatives, dependency shifts), it may be beneficial to review plans on a more frequent basis than if an organization remains largely stagnant in terms of departments, activities, risks, and dependencies.
Different individuals and groups are required during different steps of the planning process. First, the business continuity steering committee, program sponsor, and program manager should work collectively to determine the planning approach. This group should identify the type and number of plans that will be created (i.e. crisis management, IT disaster recovery, emergency response, and business continuity plans). From there, plan owners and team members should be chosen for each plan. These individuals should have the knowledge necessary to recover key activities and resources, as well as the respect and authority to make required decisions for the in-scope activities and resources.
Business continuity plan templates are a great start! They provide a structure, shared content, and standard roles and responsibilities. However, these plans do not provide the detail necessary or the organization-specific information that value-adding plan includes. A plan template will not include HOW to employ chosen strategies to recover as well as unique roles and responsibilities that are required to drive toward a successful recovery.
The first step in completing a business continuity plan is determining what plans are needed. This step should be completed by the organization’s steering committee and program manager. Considerations should include the scope of the business continuity program, size and complexity of the organization, dependencies that are used by in-scope departments/sites, and leadership required to recover from an incident.
Yes and no. Small programs may find it possible to manage a business continuity program/business continuity plans without software (by small, typically organizations with less than 10 or 15 functions/departments and less than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort (and to drive program continual improvement with workflow functionality). For larger organizations, software is almost essential as the automation alone can replace the costs associated with one or more FTEs. For example, software allows a program manager to eliminate the need to manually seek plan owner reviews and approvals. Additionally, software can be used to streamline the response and recovery by providing a “live” version of plans and a single-source repository to provide response updates. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Castellan Business Continuity Software.
Resource-loss based planning is an “all-hazards” approach to business continuity planning. Rather than creating individual plan documents that focuses on the wide variety of threats that could impact an organization (i.e. tornado, snowstorm, power outage), resource-loss based planning focuses on four key loss scenarios: the loss of personnel, technology, suppliers, or facilities. Resource-loss based planning is easier to document and maintain. Whether the organization is impacted by a tornado, fire, or power outage, a “loss of facility” strategy and procedures can help the organization effectively respond.
Like insurance, we hope that you never have to use your business continuity plan! However, selecting strategies and documenting plans ensures that, if a disruption does occur, you are ready to respond in an efficient and effective manner.
Type of Plans
- BCM Institute Glossary
- BCM Institute Crisis Management Glossary
- BCM Institute Crisis Communication Glossary
- BCM Institute DR Glossary
- BcmBoK 5 CL 2
- BcmBoK 5 CL 2C
- BcmBoK 5 CL 2CC
- BcmBoK 5 CL 2D
Navigation menu
Personal tools.
- Request account
- View source
- View history
- About BCM Institute
- Business Continuity
- Crisis Management
- Crisis Communication
- Disaster Recovery
- Supply Chain BCM
- Cyber Security
- Operational Resilience
- Pandemic Flu
- Competency Level
Chinese Glossary (S)
Bahasa glossary (m).
- Examination
- Certification
- Recertification
- Meet-the-Experts
- World Continuity Congress
- BCM Institute Website
- Specialist Series
- Dictionary Series
Acknowledgment
- Contributors
ISO Glossary
Bcm glossary.
- Request Changes
- What links here
- Related changes
- Special pages
- Printable version
- Permanent link
- Page information
- This page was last edited on 30 October 2020, at 07:05.
- Privacy policy
- About BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
- Disclaimers
What Does a Business Continuity Plan Typically Include? [Complete Guide]
Introduction
A business continuity plan (BCP) is your first line of defense against any challenge that threatens the core functionalities of your organization’s operations. When disaster strikes, your BCP should be there to reduce the time it takes to get things back up and running as usual again – as quickly as possible.
If you’re not able to react quickly to these types of incidents, your company could suffer physical harm, monetary losses, reputational damage, data integrity loss, litigation and much more.
Designing a BCP can feel overwhelming, as it’s such a critical document; where should you start? Who should be involved in the process? How should it be disseminated? These are all questions we’ll answer in this guide, including what is typically included in a BCP.
Bonus Material: Free BCP Checklist
How to Create a Business Continuity Plan
It’s important to actively invest time and energy into preparing for any potential risk before a potential event of a disaster so that if or when it does, your BCP directs you to the necessary resources to return to business as usual. That’s why creating and developing your BCP needs to involve a great deal of strategy and intention.
Taking a risk-based approach is the best way to go about developing your business continuity plan and avoid the need to use implement a disaster recovery plan. Through a risk-based approach, you follow the following steps: identify, assess, mitigate, monitor, connect and report. Here’s how to apply each of these steps during the lifecycle of your BCP:
- Start by identifying your most critical processes. When a business continuity event occurs, taking a risk-based approach ensures that you understand what the most critical processes to your organization are that need to be prioritized first to get back up and running to minimize any impacts.
- Next, assess your various risks. By evaluating all of the various types of risks that an incident could bring up – such as financial, reputational, customer, legal or strategic impact – you’re able to adequately determine which steps must be included in your BCP to minimize those impacts.
- Be sure to implement strategic mitigations as part of your business impact analysis. Building a business continuity plan through a risk-based lens empowers you to design more effective policies and procedures that simultaneously minimize the impact of the disruption at hand.
- Monitor the effectiveness of your controls over time. Otherwise, your BCP won’t align with your risks, leaving you likely to be caught off guard next time a business continuity event occurs.
- Your BCP does not exist in isolation, so be sure to connect departmental efforts. This allows you to identify interdependencies that must be known if an event occurs to ensure all steps are taken.
- Reporting is a key step in the risk-based approach, as it reveals patterns over time so that you can improve your BCP development where needed and keep your organization protected from any future disruption.
What Should my Business Continuity Plan Include?
Your BCP should include:
- An analysis of all critical functions within your business. This will allow for preparation of resources.
- A prioritized list of risks that pose a severe or even catastrophic threat to your business. These can be prioritized through risk tolerances and risk appetite so you can visualize which ones fall farthest out of that range.
- A list of specific strategies (or mitigation activities) that help protect the critical components you identified earlier in the BCP.
- Evidence that the strategies have been tested across critical business functions, using key metrics, indicators and financial scenarios.
- Dashboards and reports that uncover challenges and allow you to update the plan and your business processes over time.
Examples of Potential Unforeseen Risks
Naturally, your BCP will include risks that you deem a threat to your business. It can be difficult to begin writing that list when you’re not sure exactly what should be on it. In Risk Management, it’s important to consider potential risks that others may not have ever predicted to become reality (many people today say they never imagined in their lifetime that they would experience a pandemic).
Here is a list of potential unforeseen risks that pose a threat to business continuity:
- The sudden unavailability of a key vendor-provided service
- A regional power outage
- Abandonment in leadership
- Data protection issue
- Supply chain issues
- Privacy policy issues
- Getting sued
- An industry strike
- Pest infestation
- Natural disasters
- Winning the lottery
- Receiving a life-threatening diagnosis
- Getting in an accident
- A threat to national security, such as a terrorist attack
- Collapse of infrastructure
- And perhaps the most timely example of all, a pandemic (check out our complete guide to building a BCP for COVID-19 here )
BCP Best Practices
Like we mentioned earlier in this guide, it’s important to take a risk-based approach when creating your BCP. This will help you better preserve your business reputation, build up customer confidence and allow you to gain a competitive advantage. It will also ensure that you can avoid situations of disaster recovery. (Read our full guide on Business Continuity vs. Disaster Recovery )
To receive these benefits, it’s best practice to leverage robust business continuity planning software . This enables you to inherently take a risk-based approach and demonstrates to customers and stakeholders that you are prioritizing business continuity planning. This is especially true today amidst our ever-evolving disruptive business environment and the See-Through Economy.
Your business continuity plan will be different from anyone else’s, which is why it’s important to dedicate time and resources to creating one that fits your unique needs and risk factors. Working with a professional risk consultant is just one added benefit that’s included with your partnership with LogicManager. With their help, you’ll be able to better leverage the tools and resources included in our integrated ERM software, as well as our solution package for business continuity development .
FREE DOWNLOAD: BCP Checklist
Download our free BCP checklist to ensure that you are on the right track with your business continuity planning.
Related Posts
How Often Should A BCP Be Reviewed?
Business Continuity vs. Disaster Recovery: What Is The Difference?
Return To School Covid 19 Plan: Lessons In Pragmatic Risk Management as School Reopening Begins
Covid-19 Second Wave Risk Mitigation: Return To Work Negligence Waiting to Happen
My Favorites List
Submit your Favorites List and our experts will reach out to you with more information. You will also receive this list as an e-mail which you can share with others. Here are the solutions you've added to your list so far:
- Disaster recovery planning and management
business continuity plan (BCP)
- Vicki-Lynn Brunskill
What is a business continuity plan (BCP)?
A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue operating during an unplanned event.
The BCP states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them. It should consider any possible business disruption.
A BCP covers risks including cyber attacks , pandemics, natural disasters and human error. The array of possible risks makes it vital for an organization to have a business continuity plan to preserve its health and reputation. A proper BCP decreases the chance of a costly power outage or IT outage.
IT administrators often create the plan. However, the executive staff participate in the process, providing knowledge of the company and oversight. They also ensure the BCP is regularly updated.
This article is part of
What is BCDR? Business continuity and disaster recovery guide
- Which also includes:
- Business resilience vs. business continuity: Key differences
- A free business continuity plan template and guide
- Preparing an annual schedule of business continuity activities
Download this entire guide for FREE now!
Importance of business continuity planning
Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its organization in times of crisis. The creation of a business continuity program ensures company leaders can react quickly and efficiently to business interruption .
A BCP enables a company to continue to serve customers during a crisis and minimize the likelihood of customers going to competitors. These plans decrease business downtime and outline the steps to be taken -- before, during and after an emergency -- to maintain the company's financial viability.
Elements of a business continuity plan
According to business continuity consultant Paul Kirvan, a BCP should contain the following items:
- initial data at the beginning of the plan, including important contact information;
- a revision management process that describes change management procedures;
- the purpose and scope;
- how to use the plan, including guidelines as to when the plan will be initiated;
- policy information;
- emergency response and management procedures;
- step-by-step procedures;
- checklists and flow diagrams;
- a glossary of terms used in the plan; and
- a schedule for reviewing, testing and updating the plan.
In the book Business Continuity and Disaster Recovery Planning for IT Professionals , Susan Snedaker recommends asking the following questions:
- How would the organization function if desktops, laptops, servers, email and internet access were unavailable?
- What single points of failure exist?
- What risk controls and risk management systems are in place?
- What are the critical outsourced relationships and dependencies?
- During a disruption, what workarounds are there for key business processes and internal functions, such as human resources?
- What is the minimum number of staff needed to run data center and other operations, and what functions would they need to carry out?
- What are the key skills, knowledge and expertise needed to recover?
- What critical security or operational controls are needed if computer systems are down?
Business continuity planning steps
The business continuity planning lifecycle contains these five steps:
- Information gathering and analysis, featuring business impact analysis (BIA) and risk assessment (RA);
- plan development and design;
- implementation;
- testing; and
- maintenance and updating.
BCP implementation
Once the business has started the planning process, it launches the BIA and RA processes to collect important data. The BIA defines the critical functions that must continue during a crisis and the resources needed to maintain those operations. The RA details the potential internal and external risks and threats, the likelihood of them happening, and the possible damage they could cause.
The next step determines the best ways to deal with the risks and threats outlined in the BIA and RA, and how to limit damage from an event. A successful business continuity plan defines step-by-step procedures for response.
The BCP should not be overly complex and does not need to be hundreds of pages long; it should contain just the right amount of information to keep the business running. Small businesses can use a one-page plan with all the necessary details. That can be more helpful than a long plan that is difficult to use. Those details should include the following:
- minimum resources needed for business continuity;
- locations where that can take place;
- personnel needed to accomplish it; and
- potential costs.
Key implementation steps
The four steps involved in implementing a BCP are the following:
- Oversight. Decide who will oversee the plan. Ideally, a BCP committee will include business, security and IT leaders.
- Analysis. Conduct the BIA.
- Who will be affected by a business disruption?
- Who holds a hard copy of contact information for top customers and clients?
- How and when will customers, employees and management be notified?
- What are the alternative means of communication if phones go down?
- Which employees are needed for the restoration of critical business functions and how will they be reached or relocated?
- Which critical products and services should the company focus on restoring first?
- What issues must be addressed within the first 24 to 48 hours?
- Does every team and department have its own BCP? Who is in charge of each?
- What is the emergency succession plan for senior staff, including the CEO?
- Which employees will perform emergency tasks?
- Where will off-site crisis meetings take place?
- Who will interact with local emergency responders, such as firefighters and police?
- Who are the key vendors, including data backup providers?
- Initial response. This defines how the company will respond to the business interruption within the first hours. This is the period when team members are contacted and the BCP is activated.
- Relocation. During this stage, alternate facilities are activated and work-at-home policies implemented.
- Recovery. Once personnel and equipment have been relocated, the assessment of damage and monitoring of business recovery begins. The recovery strategy must consider the organization's recovery time objective , or RTO, which is the maximum time IT systems can be down after a failure, as well as its recovery point objective , or RPO, which is the maximum data loss the organization can tolerate.
- Restoration. Personnel return to the original workplace or an alternate site. The company undertakes infrastructure verification, documents the incident and reviews lessons learned.
BCP testing
An organization's technology, processes, staff and facilities constantly change. Therefore, regular testing, reviewing and updating of a BCP is critical. Plan testing should be undertaken using tabletop exercises, walk-throughs, practice crisis management communications and emergency enactments to test the viability of the plan and to see how employees and executives react under stress.
Regular testing and maintenance ensure the BCP is current and accurate. A simple test of a business continuity plan might involve talking through it. A complex test requires a full run-through of what will happen in the event of a business disruption.
The test can be planned in advance or it can be done spur of the moment to better simulate an unplanned event. If issues arise during testing, the plan should be corrected accordingly during the maintenance phase. Maintenance also includes a review of the critical functions outlined in the BIA and the risks described in the RA, as well as plan updating if necessary.
A business continuity plan must be continually improved; updates should not wait for a crisis. Staff members involved in the plan must get regular updates and business continuity training . An internal or external business continuity plan audit should be used to evaluate the effectiveness of the BCP and highlight areas for improvement.
For specific BCP testing steps, download the guide Business continuity and disaster recovery testing templates .
Business continuity planning software, tools and trends
There is help available to guide organizations through the business continuity planning process, from consultants to tools to full software. Which approach an organization should take depends on the complexity of the business continuity planning task, the amount of time and personnel available, and the budget. Before making a purchase, it is advisable to research both products and vendors, evaluate demos, and talk to other users.
For more complicated functions, business continuity planning software uses databases and modules for specific exercises. The U.S. Department of Homeland Security, through its Ready.gov website, offers software in its Business Continuity Planning Suite. Other business continuity software vendors include Castellan, formed from the merger of Assurance, Avalution and ClearView in 2020; CLDigital, formerly Continuity Logic; Fusion Risk Management; Quantivate; and Sungard Availability Services.
The Federal Financial Institutions Examination Council's Business Continuity Management booklet contains guidance on plan development, testing, standards and training for both financial and nonfinancial organizations.
Free download of BCP template
The role of the business continuity professional has changed and continues to evolve. As IT administrators are increasingly asked to do more with less, it is advisable for business continuity professionals to be well versed in technology, security, risk management, emergency management and strategic planning.
Business continuity planning must also take into account emerging and growing technologies, such as the cloud and virtualization , as well as new threats, such as cyber attacks like ransomware .
One resource that combines all these elements is SearchDisasterRecovery's free, downloadable business continuity plan template . It provides guidance and insight for creating a successful BCP.
Business continuity planning standards
Business continuity planning standards provide a starting point.
The International Organization for Standardization (ISO) 22301:2019 standard is regarded as the global standard for business continuity management . ISO 22301 is often complemented by other standards, such as the following:
- ISO 22313 guidance on the use of ISO 22301;
- ISO 22317 guidelines for business impact analysis;
- ISO 22318 continuity of supply chains;
- ISO 22398 exercise guidelines; and
- ISO 22399 incident preparedness and operational continuity management.
Other standards include the following:
- National Fire Protection Association 1600 emergency management and business continuity;
- National Institute of Standards and Technology SP 800-34 IT contingency planning; and
- British Standards Institution BS 25999 standard for business continuity.
Emergency management and disaster recovery plans
An emergency management plan is a document that helps to lessen the damage of a hazardous event. Proper business continuity planning includes emergency management as an important component. The appointed emergency management team takes the lead during a business disruption.
An emergency management plan, like a BCP, should be reviewed, tested and updated regularly. It should be fairly simple and provide the steps needed to get through an event. The plan also should be flexible, because situations are often fluid. Teams involved in the event of a disaster should communicate frequently during the incident.
Disaster recovery (DR) and business continuity planning are often linked, but they are different. A DR plan is reactive, as it details how an organization recovers after a business disruption. A business continuity plan is a proactive approach that describes how an organization can maintain business operations during an emergency.
Learn more about responding to unplanned emergencies in this complete guide to managing crises .
Continue Reading About business continuity plan (BCP)
- Tips for obtaining BC/DR plan and resilience funding
- How to use AI for business continuity and disaster recovery planning
- Compare and contrast business resilience vs. business continuity
- Follow these standards for business continuity and resilience
- Cloud-era disaster recovery planning: Assessing risk and business impact
Related Terms
Dig deeper on disaster recovery planning and management.
6 reasons a business impact analysis is important
Free business impact analysis (BIA) template with instructions
business impact analysis (BIA)
Asigra's forthcoming SaaSBackup platform lets Asigra data protection technology protect SaaS backups. MSPs will be able to sell ...
A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...
A growing number of enterprise Kubernetes users presents an opportunity for CloudCasa, currently a division of Catalogic, with ...
Pure Storage expanded its storage offerings with FlashBlade//E designed for the unstructured data market with an acquisition cost...
Data governance manages the availability, usability, integrity and security of data. Follow these best practices for governance ...
Vast Data Universal Storage brought out data services, including set performance, metadata cataloging, better security, container...
A coordinated law enforcement effort last week resulted in raids and arrest warrants against 'core members' of the infamous ...
Working from an incident response playbook can speed organizations' responses to cyber attacks. Find out how to build repeatable ...
An incident response program ensures security events are addressed quickly and effectively as soon as they occur. These best ...
While the EU is considering new cryptocurrency regulation, the U.S. Securities and Exchange Commission is focused on heightening ...
Policymakers want federal data privacy legislation limiting businesses' ability to collect data on individuals and banning ...
Public, private, hybrid or consortium, each blockchain network has distinct pluses and minuses that largely drive its ideal uses ...
- Corporate Finance
- Mutual Funds
- Investing Essentials
- Fundamental Analysis
- Portfolio Management
- Trading Essentials
- Technical Analysis
- Risk Management
- Company News
- Markets News
- Cryptocurrency News
- Personal Finance News
- Economic News
- Government News
- Wealth Management
- Budgeting/Saving
- Credit Cards
- Home Ownership
- Retirement Planning
- Best Online Brokers
- Best Savings Accounts
- Best Home Warranties
- Best Credit Cards
- Best Personal Loans
- Best Student Loans
- Best Life Insurance
- Best Auto Insurance
- Practice Management
- Financial Advisor Careers
- Investopedia 100
- Portfolio Construction
- Financial Planning
- Investing for Beginners
- Become a Day Trader
- Trading for Beginners
- All Courses
- Trading Courses
- Investing Courses
- Financial Professional Courses
- Business Continuity Plan Basics
- Understanding BCPs
- Benefits of BCPs
- How to Create a BCP
- BCP & Impact Analysis
- BCP vs. Disaster Recovery Plan
Frequently Asked Questions
- Business Continuity Plan FAQs
The Bottom Line
- Investopedia
What Is a Business Continuity Plan (BCP), and How Does It Work?
:max_bytes(150000):strip_icc():format(webp)/wk_headshot_aug_2018_02__william_kenton-5bfc261446e0fb005118afc9.jpg "business continuity plan types")
Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.
:max_bytes(150000):strip_icc():format(webp)/E7F37E3D-4C78-4BDA-9393-6F3C581602EB-2c2c94499d514e079e915307db536454.jpeg "business continuity plan types")
Investopedia / Ryan Oakley
What Is a Business Continuity Plan (BCP)?
A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
Key Takeaways
- Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
- BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
- BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.
Understanding Business Continuity Plans (BCPs)
BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure they work
- Reviewing the process to make sure that it is up to date
BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.
Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.
Benefits of a Business Continuity Plan
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.
Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.
An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.
How to Create a Business Continuity Plan
There are several steps many companies must follow to develop a solid BCP. They include:
- Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
- Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
- Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
- Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.
Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.
Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be identified and corrected.
In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.
Business Continuity Impact Analysis
An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:
- The impacts—both financial and operational—that stem from the loss of individual business functions and process
- Identifying when the loss of a function or process would result in the identified business impacts
Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”
Business Continuity Plan vs. Disaster Recovery Plan
BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.
BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.
Why Is Business Continuity Plan (BCP) Important?
Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.
What Should a Business Continuity Plan (BCP) Include?
Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.
What Is Business Continuity Impact Analysis?
An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.
These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.
Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.
Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ," Pages 15 - 17. Accessed Sept. 5, 2021.
Business Essentials
Government & Policy
Tech Companies
Stocks & Bond News
- Terms of Use
- Editorial Policy
- Privacy Policy
- Do Not Sell My Personal Information
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
- ISO22301 BCMS Audit
- BCM Certification Courses
- BCM Competency Based Courses
- CM Certification Courses
- CM Competency Based Courses
- CC Certification Courses
- CC Competency Based Courses
- IT Disaster Recovery
- Certification
- Examination
What Are the Types of Business Continuity Strategy?
This is a continuation of the previous article Formulating Your Business Continuity Strategy . This second part of the BC Strategy phase of the "New BCM Manager" series provides the detailed elaboration of the three strategies for business continuity (BC) implementation.
Output of BC Strategy
The output of the business continuity (BC) strategy phase would generally include a strategy for mitigation, (crisis) response, and recovery.
(a) Mitigation Strategy
- Are the implemented controls ineffective, or are there other causes that drive likelihood and/or impact variables up, in spite of these controls?
- Are there multiple causes of a risk, and have we addressed all or only some of them? Obviously high-risk threats cannot be ignored and must be mitigated to the best of our ability.
These threats must be identified and further attempts to lower the risk posed by them must be implemented with the objective to preventing any potential disruption. In addition, a mechanism must be in place to detect and sound the alarm should an threat materialize. These detection mechanisms could take the form of monitoring tools that captures and records abnormal changes in the environment or process.
While it is always better to prevent a disaster from happening, it is impossible to say with one hundred percent certainty that one will never occur. In the unfortunate event that a disaster causes business operations to be disrupted, a strategy is required to ensure effective and timely recovery and resumption.
(b) Recovery Strategy
The recovery strategy should focus on re-gaining or re-establishing what has been lost in the disaster.
- Think people, facilities, systems, records, equipment and the like.
- What has the disaster deprived the organisation of, and what resource needs to be recovered to allow the organisation to carry out its critical business functions and meet its minimum committed service levels?
- How quickly must these resources be made available? Then brainstorm on how to acquire these resources within the acceptable time frame, guided by the associated business function recovery time objective (RTO) .
- What resources could be built or acquired by the organisation in anticipation of a disaster. This model gives the highest level of recovery assurance as the critical resource is guaranteed. For example, facilities, like a hot site, could be purpose-built so that in the event of a disaster, a critical function can be immediately up and running.
Alternatively, an organisation that does not or chooses not to own spare resource, could lease the resource. An example of leasing is to subscribe to a shared recovery space with a reputable service provider. There is some minimal assurance that recovery seats are available; however, as with such a model, there is no guarantee - the seats are shared and the first caller activating the recovery seats will be given priority. Yet other organisations may choose to procure resources only when a disaster occurs. This model gives the least recovery assurance as the required resources may not be available when needed most.
In developing the recovery strategy, not only must one think about getting back resources needed to continue critical business operations, one must also keep in mind that the recovery must be done within the prescribed RTOs for these critical operations. If a resource cannot be recovered in this time, an alternative means or interim method of carrying on the critical operation must be found. These interim measures are often called Temporary Operating Procedures (TOP).
(c) Crisis Response Strategy
Where an organisation does not already have an incident management or response plan, the strategy might also include a response component that spells out the prioritized activities that the organisation would undertake in a disaster. These activities include emergency responses, like evacuation, situational assessment and modes of communication.
Typically the business continuity strategy outlines the structure of how to prevent, respond and recover from a disaster.
It approaches recovery at a macro level and does not dwell on details. This is often useful in providing an overview to management and allows them to see the “big picture” for organisational recovery. It is important to gain their approval before we proceed to decompose the strategy into detailed actionable steps in the plan development phase of the project.
Learn More About Business Continuity Management (BC-CM-CC-ITDR)
You may want to know more about business continuity management courses.
For our Singapore colleagues, funding are available under the CITREP+ and WSQ program.
![CITREP+ [BL-B-5] What Funding Is Available?](https://no-cache.hubspot.com/cta/default/3893111/300a45fd-60ae-4649-99b7-96bc54b258c0.png "business continuity plan types")
hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '0ab1a8b7-14ce-444a-a632-b58a1e494344', {"useNewLoader":"true","region":"na1"}); hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, 'dc3955a2-1ceb-4902-9559-49f94948fc8a', {"useNewLoader":"true","region":"na1"}); hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '6cd9625e-8a55-4266-88bb-49ecc436d642', {"useNewLoader":"true","region":"na1"});
- Partner Portal
- Customer Support
- Partner Login
- Customer Login
Business Continuity Planning: What Is It All About?
There are numerous threats that can disrupt your business, and different scenarios of how these hostile events may unfold. A study by Allianz found events like cyber incidents, business interruptions, changes in regulations and natural disasters are the top business risks in 2021.
Effective planning puts you in the driver’s seat when tackling response and recovery efforts after a disruption. If your plan is sound, you can make it a repeatable approach to minimize downtime, so much so, it becomes almost second nature for your business.
To put it simply, a well-thought-out business continuity plan (BCP) prepares you for unexpected business disruptions.
What is a Business Continuity Plan?
A business continuity plan (BCP) is a document that outlines a set of preventive strategies to ensure business continuity following any disruption caused due to cyberattacks, on-premise accidents, supply chain disruptions, natural disasters, and other operational failures.
BCP is essentially a hedging tool to reduce the risk associated with data loss and infrastructural downtime.
However, your BCP requires a coordinated effort across several departments. You need to build out a business continuity management (BCM) team that will be responsible for putting the business continuity plan in motion.
A good BCM team consists of:
- Sponsor. The top brass individual oversees the entire BCM operation.
- The Business Continuity Manager. The individual is directly responsible for the BCM operations.
- Administrative Assistant. The individual is responsible for supporting the business continuity manager.
- Team Representative. A rep from each department should be involved to give input on the implementation of appropriate recovery strategies across the organization.
Components of the Business Continuity Plan
BCPs vary based on the requirements of the organizations’ industry and the unique needs of the business. However, there several components every healthy BCP should have.
1. Recovery personnel
A dedicated individual should be assigned to manage the recovery process to get systems back up and running quickly. Ideally, at least one such person should be appointed from each department.
2. Recovery procedure
The recovery procedure outlines the strategies to restore key business functions and helps to prioritize assets critical to business operation. These assets include equipment, IT systems and contact lists. To protect critical assets, work with line of business leaders to classify them based on their criticality to the business and define recovery objectives such as Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Identify risks and potential threats, and determine the right tools and techniques required of a system to guide you in recovering these assets in case of an unwelcoming event.
3. Data backup
Your BCP should clearly establish how to back up data, as well as the methods used for backup and recovery. Depending on RTO and RPO as well as the granularity of recoveries required (i.e., restoration of individual files), your methods may vary. Data backup tools may include the use of on-premise appliances, virtual appliances, cloud targets, SaaS backup, and direct-to-cloud backup.
The Benefits of Business Continuity Plan
Ambassadors of BCP tend to keep the conversation around what will happen to the business if there is no plan? Let’s switch tracks and talk about the benefits your business can enjoy if a business continuity plan is in place.
Business continuity on point
A comprehensive BCP ensures product and service continuity even during an ongoing crisis. It creates fodder for enhancing the operational effectiveness of the business; instead of painting a bleak picture in the wake of a disaster, consider an approach that highlights the advantage of resuming operations with minimal downtime. The BCP keeps revenue flowing. The quicker disruptions are resolved, the shorter the downtime, and the smaller your losses. In many cases, a BCP has prevented disruption from snowballing into destruction – often the potential losses from damages are far greater than the cost of developing a business continuity plan.
Resilience and reputation intact
A business continuity plan safeguards your business’ reputation. In many cases, the BCP outlines protocols for protecting priority customers or partner infrastructure. Meeting your obligations despite calamities puts your business in a favorable light among customers and partners. This vote of confidence ensures customer retention, protecting your market share while avoiding major financial losses.
Enable security on all fronts
Business disruptions can be manmade as well. Interestingly, human error is the leading cause of business data loss, not hardware failure or data corruption. A BCP addresses intentional or unintentional asset misuse as part of the risk assessment. As you evaluate and update your plan regularly, acknowledge your risk assessment findings and leverage them to realign systems and processes to tackle the security loopholes.
Watch the video to learn more about the benefits of a healthy business continuity plan.
Types of Continuity Plans
Let’s explore the different types of BCPs and their purpose within your overall business continuity strategy.
Business Continuity Plan
The ISO 22301 states that a BCP should typically focus on the implementation, maintenance, and management of a system designed to protect against disruptions should they arise as well as the recovery of resources, services and activities required to ensure the continuity of critical business functions.
In many ways, a successful recovery strategy may resemble a sequence of business continuity plans being initiated in a prioritized order, with ongoing reporting of their status to the crisis management team. The communication between the department-level recovery teams and crisis management team is critical in executing a successful recovery per the methodology in the BCP.
A BCP outlines the following:
- Resources that need to be resumed to enable product and service continuity.
- A prioritized list of resources that need to be available for running specific departments following a disruption.
- Defined roles, responsibilities, and contact information of personnel executing the recovery process.
- Methods of communication with all stakeholders.
- A manual to enable participants to recover and operate following a disruption.
Crisis Communications Plan
How do you communicate with stakeholders on the status of your business when a disruption occurs?
A crisis communication plan ensures businesses can promptly, accurately and confidently communicate with customers, employees and other stakeholders. It also includes legal implications associated with public statements and certain key points that could impact response and recovery. The goal is to minimize reputational damage resulting from poor communication.
A crisis communication plan outlines the following:
- Individuals who will conduct internal and external communications, respectively.
- Internal and external stakeholders, like customers, business partners, and suppliers.
- Primary and secondary methods of communication with respective stakeholders.
- Boilerplate messages distributed to respective stakeholders.
- When and how each stakeholder will be contacted during the disruption.
Crisis Management Plan
A crisis management plan is designed with higher-level managers in mind and provides a structured response to a disruption that could potentially threaten business survival. Typically, it does not deal with the recovery activities of a single business process, and instead focuses on the high-level tasks that will help the organization as a whole to respond and recover.
A crisis management plan outlines the following:
- The structure that will help top-level managers assess the situation and potential impact of the disruption.
- The timeline for activating the plan.
- Activities and resources that must be recovered across the entire organization.
- Roles and responsibilities of those who will execute the plan.
Disaster Recovery Plan (DR Plan)
A disaster recovery plan restores critical IT infrastructure in case of a disruption. DR is primarily concerned with restoring critical IT operations after a crisis. Unlike other aspects of the BCP, DR plans are typically run by IT managers responsible for restoring hardware and software.
A DR plan outlines the following:
- Defined thresholds of acceptable data loss (RPO) and downtime (RTO).
- The functionality of each application after restoration.
- Technical specifications to restore the software or hardware (e.g., host, networking, and security).
- IT professionals tasked with managing recovery and testing.
Business Continuity Plan Testing
Testing is vital to the success of your business continuity plan. You don’t want to find out an aspect of the plan doesn’t work during a crisis. Testing identifies potential gaps, oversights, or vulnerabilities in the plan and, other than a real disaster incident, is the only way to truly know if your BCP works.
Controlled testing for your business continuity plan allows you to pick out the weaknesses in the plan, evaluate response to various kinds of disruption, and improve processes based on test results.
Testing frequency is dependent on the size, location and the rate at which the business goes through changes. For instance, businesses with rapid employee turnovers should test twice a year to ensure the plan is fresh in the minds of the employees. In cases where turnover isn’t that regular, test at least once a year.
Here are the different ways you can test your BCP:
Plan Review
The BCP team and the top-level management together review the plan. The components audited tend to be contact information, recovery coverage for desired business continuity, validity of recovery contracts and training material for new members of the BCP team.
Table-Top/Simulation
A scenario-based, role-play exercise to ensure all BCP members are in sync with the latest processes. It consists of members sitting around a table and primarily reviewing the plan to identify shortcomings in the current process and how to improve them.
Walk-Through drill
A walkthrough drill is a more hands-on version of the tabletop. Team members physically demonstrate the steps expected during a disruption. This can include moving to the right backup location, choosing the communication methods mentioned in the plan and contacting the right personnel. The test records validation of team response and BCP processes.
Recovery systems are brought up to a state of operational readiness, required personnel are relocated to the recovery site, and recovery media is tested to see if they can perform actual business transactions to support key processes. During this test primary systems still carry the full production workload.
You can take the help of third-party companies that offer disaster recovery as service (DRaaS) solutions “sandbox” or partition virtual machines so testing can be performed without affecting production servers.
Full Interruption
The simulation reflects a real-life disaster and includes a complete testing process: running up the backup systems and processing data transactions. It has the potential to actually disrupt business operations and can be time-consuming. However, it’s extremely effective in identifying problems in your DR plans.
Peace of Mind with Automated Testing
It’s almost impossible for businesses to manually test DR processes with the frequency at which cyberattacks occur. As a result, businesses run the risk of unplanned downtime due to business disruptions or recovery failures.
Unitrends Recovery Assurance delivers automated recovery testing, both onsite and offsite, with the ability to set recovery objectives and SLA s ahead of time — giving you peace of mind when it comes to ensuring business continuity.
Want to know if Unitrends can help your business?
Request a demo
About Adam Marget
Adam Marget is a Product Marketing Manager at Unitrends, a leader in data center backup and disaster recovery solutions. An experienced technical marketing professional, Adam has been a member of the Unitrends team since 2016, during which time he’s held several roles. Driven by a love and curiosity for technology, Adam’s been delighted to have been afforded the opportunity to help both end users and channel partners solve challenges around disaster recovery and business continuity. Prior to joining Unitrends, Adam worked with national IT solutions provider CDW where he leveraged a variety of partner solutions to help his customers achieve their goals across backup, networking, security, power & cooling, endpoint, and data center technologies.
Related Posts
Backup strategy: what it is and how to create one.
Posted by Adam Marget on 09/27/22
In today’s threat-laden environment, having a solid data backup strategy is an absolute...
Secondary Storage: Definition, Devices and How It Can Support Your Backup Strategy
Posted by Adam Marget on 11/15/22
The modern world is a data-driven world. Data has become the currency that...
The Power of Data Copy Access: Everything You Need to Know
Posted by Adam Marget on 12/12/22
In today’s digital world, data is an omnipresent entity. It is as significant...
An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Business Continuity Plan
Business Continuity Planning Process Diagram - Text Version
When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Information technology (IT) includes many components such as networks, servers, desktop and laptop computers and wireless devices. The ability to run both office productivity and enterprise software is critical. Therefore, recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
Resources for Business Continuity Planning
- Standard on Disaster/Emergency Management and Business Continuity Programs - National Fire Protection Association (NFPA) 1600
- Professional Practices for Business Continuity Professionals - DRI International (non-profit business continuity education and certification body)
- Continuity Guidance Circular - Federal Emergency Management Agency
- Open for Business® Toolkit - Institute for Business & Home Safety
Business Continuity Impact Analysis
Business continuity impact analysis identifies the effects resulting from disruption of business functions and processes. It also uses information to make decisions about recovery priorities and strategies.
The Operational & Financial Impacts worksheet can be used to capture this information as discussed in Business Impact Analysis . The worksheet should be completed by business function and process managers with sufficient knowledge of the business. Once all worksheets are completed, the worksheets can be tabulated to summarize:
- the operational and financial impacts resulting from the loss of individual business functions and process
- the point in time when loss of a function or process would result in the identified business impacts
Those functions or processes with the highest potential operational and financial impacts become priorities for restoration. The point in time when a function or process must be recovered, before unacceptable consequences could occur, is often referred to as the “Recovery Time Objective.”
Resource Required to Support Recovery Strategies
Recovery of a critical or time-sensitive process requires resources. The Business Continuity Resource Requirements worksheet should be completed by business function and process managers. Completed worksheets are used to determine the resource requirements for recovery strategies.
Following an incident that disrupts business operations, resources will be needed to carry out recovery strategies and to restore normal business operations. Resources can come from within the business or be provided by third parties. Resources include:
- Office space, furniture and equipment
- Technology (computers, peripherals, communication equipment, software and data)
- Vital records (electronic and hard copy)
- Production facilities, machinery and equipment
- Inventory including raw materials, finished goods and goods in production.
- Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
- Third party services
Since all resources cannot be replaced immediately following a loss, managers should estimate the resources that will be needed in the hours, days and weeks following an incident.
Conducting the Business Continuity Impact Analysis
The worksheets Operational and Financial Impacts and Business Continuity Resource Requirements should be distributed to business process managers along with instructions about the process and how the information will be used. After all managers have completed their worksheets, information should be reviewed. Gaps or inconsistencies should be identified. Meetings with individual managers should be held to clarify information and obtain missing information.
After all worksheets have been completed and validated, the priorities for restoration of business processes should be identified. Primary and dependent resource requirements should also be identified. This information will be used to develop recovery strategies.
Recovery Strategies
If a facility is damaged, production machinery breaks down, a supplier fails to deliver or information technology is disrupted, business is impacted and the financial losses can begin to grow. Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis .
Recovery strategies require resources including people, facilities, equipment, materials and information technology. An analysis of the resources required to execute recovery strategies should be conducted to identify gaps. For example, if a machine fails but other machines are readily available to make up lost production, then there is no resource gap. However, if all machines are lost due to a flood, and insufficient undamaged inventory is available to meet customer demand until production is restored, production might be made up by machines at another facility—whether owned or contracted.
Strategies may involve contracting with third parties, entering into partnership or reciprocal agreements or displacing other activities within the company. Staff with in-depth knowledge of business functions and processes are in the best position to determine what will work. Possible alternatives should be explored and presented to management for approval and to decide how much to spend.
Depending upon the size of the company and resources available, there may be many recovery strategies that can be explored.
Utilization of other owned or controlled facilities performing similar work is one option. Operations may be relocated to an alternate site - assuming both are not impacted by the same incident. This strategy also assumes that the surviving site has the resources and capacity to assume the work of the impacted site. Prioritization of production or service levels, providing additional staff and resources and other action would be needed if capacity at the second site is inadequate.
Telecommuting is a strategy employed when staff can work from home through remote connectivity. It can be used in combination with other strategies to reduce alternate site requirements. This strategy requires ensuring telecommuters have a suitable home work environment and are equipped with or have access to a computer with required applications and data, peripherals, and a secure broadband connection.
In an emergency, space at another facility can be put to use. Cafeterias, conference rooms and training rooms can be converted to office space or to other uses when needed. Equipping converted space with furnishings, equipment, power, connectivity and other resources would be required to meet the needs of workers.
Partnership or reciprocal agreements can be arranged with other businesses or organizations that can support each other in the event of a disaster. Assuming space is available, issues such as the capacity and connectivity of telecommunications and information technology, protection of privacy and intellectual property, the impacts to each other’s operation and allocating expenses must be addressed. Agreements should be negotiated in writing and documented in the business continuity plan. Periodic review of the agreement is needed to determine if there is a change in the ability of each party to support the other.
There are many vendors that support business continuity and information technology recovery strategies. External suppliers can provide a full business environment including office space and live data centers ready to be occupied. Other options include provision of technology equipped office trailers, replacement machinery and other equipment. The availability and cost of these options can be affected when a regional disaster results in competition for these resources.
There are multiple strategies for recovery of manufacturing operations. Many of these strategies include use of existing owned or leased facilities. Manufacturing strategies include:
- Shifting production from one facility to another
- Increasing manufacturing output at operational facilities
- Retooling production from one item to another
- Prioritization of production—by profit margin or customer relationship
- Maintaining higher raw materials or finished goods inventory
- Reallocating existing inventory, repurchase or buyback of inventory
- Limiting orders (e.g., maximum order size or unit quantity)
- Contracting with third parties
- Purchasing business interruption insurance
There are many factors to consider in manufacturing recovery strategies:
- Will a facility be available when needed?
- How much time will it take to shift production from one product to another?
- How much will it cost to shift production from one product to another?
- How much revenue would be lost when displacing other production?
- How much extra time will it take to receive raw materials or ship finished goods to customers? Will the extra time impact customer relationships?
- Are there any regulations that would restrict shifting production?
- What quality issues could arise if production is shifted or outsourced?
- Are there any long-term consequences associated with a strategy?
Resources for Developing Recovery Strategies
- The Telework Coalition (America’s leading nonprofit telework education and advocacy organization)
Manual Workarounds
Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now? If the staff is equipped with paper order forms, order processing can continue until the electronic system comes back up and no phone orders will be lost.
The order forms and procedures for using them are examples of “manual workarounds.” These workarounds are recovery strategies for use when information technology resources are not available.
Developing Manual Workarounds
Identify the steps in the automated process - creating a diagram of the process can help. Consider the following aspects of information and work flow:
Internal Interfaces (department, person, activity and resource requirements)
- External Interfaces (company, contact person, activity and resource requirements)
- Tasks (in sequential order)
- Manual intervention points
Create data collection forms to capture information and define processes for manual handling of the information collected. Establish control logs to document transactions and track their progress through the manual system.
Manual workarounds require manual labor, so you may need to reassign staff or bring in temporary assistance.
Last Updated: 05/26/2021
Return to top
What are the 5 key components of a business continuity plan?
Related articles, putting together a robust business continuity plan means that your business is more likely to be able to react confidently and quickly in the event of disruption. this can help you to keep customer dissatisfaction at bay, give your team confidence and reduce recovery timescales. in order to achieve this, every business continuity plan needs to incorporate five key elements., 1. risks and potential business impact.
Any business continuity plan worth its salt will be based on a business impact analysis, which identifies potential risks and vulnerabilities both within and outside the business. These risks could be anything from flooding or a major IT disruption to a failure from an important supplier. By knowing what you could potentially face, you can begin to take steps to prevent or mitigate the risk.
A strong plan will also use the output of your business impact analysis to reveal the possible consequences of disruption on your business. This will enable you to anticipate its cost, the effect it could have on essential business functions and the time needed to recover.
2. Planning an effective response
Once you have an awareness of the types of risks and threats your business may be vulnerable to, you can begin to form an effective plan.
A comprehensive business continuity plan will take each risk identified in the business impact analysis and develop an appropriate response strategy to either minimise it or prevent it altogether. These detailed plans will describe the action needed and outline who needs to be involved to implement it. Timescales and resources, such as laptops, alternative warehouse space and mobile phones, should also be laid out to ensure a quick and relevant response.
3. Roles and responsibilities
In order for a crisis or disruption to be met confidently, the key people in your business need to know their roles and responsibilities. A business continuity plan will therefore document which key personnel need to be involved in the response to the disruption. This will typically be more senior staff members, but this depends on your business and the type of risk you are dealing with.
Once these people have been identified, their roles and actions need to be clearly defined so that they can react quickly and efficiently. The resources they need following a disruption should also be clearly stated so that they can be prioritised ahead of the rest of the team. For instance, if a remote office needs to be set up following a disruption, critical personnel will need to be prioritised when it comes to allocating resources such as laptops, tablets and mobile phones.
4. Communication
Clear communication is vital during business disruptions. Effective communication across your business can reassure team members and give them confidence that the organisation is taking effective steps to respond and recover. Outside of your company, good communication is also necessary in order to liaise with suppliers and customers and minimise dissatisfaction.
To prepare for this, a business continuity plan will normally include a list of key contacts as well as templated press releases and social media posts. Having these in place in advance can speed up communication in a crisis and ensure that both your staff and external contacts are kept up to speed. In larger organisations, it may be necessary to have a separate communication plan that provides a comprehensive approach to communication during a crisis.
5. Testing and training
Business continuity plans are not just theoretical – they need to be robust enough to be put into action. In order to check this, the final key component of a business continuity plan is testing and exercising.
Realistic scenarios can be used to test the plan and your team’s response. By doing so, you can identify room for improvement and take action to improve the plan before a disruption occurs. Testing and exercising business continuity plans also helps to ensure that key personnel understand the plan and their role in it. This means that the company can respond quickly and efficiently when a disruption occurs.
Raising awareness of the business continuity plan among your wider staff will also help them to understand their role in responding to disruptions. Many companies run regular awareness training sessions and include business continuity as a key topic during new staff inductions. This training can then improve the resilience of the company overall.
Building your own business continuity plan
An internationally recognised mark of best practice, ISO 22301 will enable you to implement, maintain and improve a business continuity management system, which will support your business before, during and after disruption.
To find out more, visit our dedicated webpage for ISO 22301 .
You can also get in touch on 0333 259 0445 or by emailing [email protected] .
Sign up to get the latest in your inbox
- Email address
About the author
Claire Price
Content Marketing Executive
Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.
Looking for some guidance? Join us for one of our upcoming seminars!
QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.
By continuing, you consent to the use of cookies in accordance with our Cookie Policy
Allow All Cookies
Allow Strictly Necessary Cookies Only
Please Wait...
At the end of your visit today, would you complete a short survey to help improve our services?
Thanks! When you're ready, just click "Start Survey".
It looks like you’re about to finish your visit. Are you ready to start the short survey now?
- Running a business
Managing risks in your business
Business continuity planning.
- Identifying and managing business risk
- Incident response plan
- Developing a recovery plan
- Recovery checklist
- Business insurance
- Managing risk when starting up
- Surviving an economic downturn
- Managing risk in supply chains
- Online risks and IT security
- Crime prevention and security
- Intellectual property for Queensland businesses
- Avoiding business scams
- Manage environmental risks and other climate risks to your business
- Natural disaster resilience and recovery
- Pandemic and health events
- Workplace health and safety
- Mental health and wellbeing
Business continuity planning helps your business respond to unexpected events and situations which can interrupt your operations.
Developing a business continuity plan will help your business minimise the impacts of these events and continue trading.
On this page
What is a business continuity plan.
A business continuity plan is a document that explains the actions you should take before, during and after unexpected events and situations.
It is designed to help you:
- identify, prevent or reduce risks where possible
- prepare for risks that are out of your control
- respond and recover if an incident or crisis occurs.
Continuity planning for resilience
Business continuity planning is the process of creating a system in your business that helps prevent, minimise and recover from threats to your operations.
All businesses deal with risk. At any time, your business may experience:
- natural disasters (floods, storms, cyclones)
- power outages
- supply chain failures
- staff shortages
The aim of business continuity planning is to return to trading within the shortest period of time. This planning helps your business be more resilient and continue with minimal interruptions.
Examples: why continuity planning is important
A fire has destroyed all your stock in your warehouse. To continue to trade, could you:
- replace the stock quickly, or find another way of meeting the needs of your customers?
- replace stock quickly with your current suppliers?
- buy excess stock from your competitors?
- find a warehouse or other space to store stock if your own warehouse is unavailable?
- ship straight from the supplier to your customers (dropshipping)?
Imagine you were not able to run your business or communicate with staff and stakeholders for 6 months.
- Would your staff be able to run your business?
- Do you have a document or plan in a secure place that staff and stakeholders could access (e.g. in the cloud)?
- Does your plan include all the information needed to operate the business successfully in your absence?
Develop a business continuity plan
A typical business continuity plan has the following elements.
This section outlines the key objectives on your plan, and who needs to use it. It should also include information to help your staff to understand it.
In this section:
- executive summary
- distribution list
- glossary of terms used in your plan documents.
This section identifies possible risks to your business, and ways to manage them or minimise their impact on your business.
- identified risks
- preventative actions
- contingency plans
- business insurance details
- data security and backup strategies.
Learn more about:
- identifying and managing business risk
- business insurance
- IT risk management .
This section uses the risks identified in section 2 to review your critical business activities, forecast the impact of a disruption and work out how long it might take to recover.
Learn more about identifying and managing business risk .
This section describes how and when you'll activate your plan in response to a critical incident.
- immediate response checklist
- evacuation procedures
- emergency kits
- roles and responsibilities
- key contact lists
- preparing an incident response
- preparing for a natural disaster .
This section describes the methods you will use to recover quickly.
- recovery plan
- incident recovery checklist
- recovery contacts
- insurance claims
- market assessment
- staff mental health assessment.
Learn more about developing a recovery plan .
This section details how you'll test your systems and procedures. Use these reviews to evaluate and update your plan to be better prepared.
- training schedules
- review schedules.
- business processes, procedures, and standards
- industry codes of practice from WorkSafe Queensland, which set out work health and safety drill requirements (e.g. fire drills).
Business continuity plan template
The business continuity plan template will help you develop a:
- risk management plan
- incident response plan
- recovery plan.
Download the business continuity planning template .
Best practice in managing disaster risk — the PPRR model
The prevention, preparedness, response, recovery (PPRR) model is a cyclical way of handling disaster risk within your business. It's a useful example for your business continuity planning.
Reproduced from materials available on Prevention Preparedness, Response and Recovery Disaster Management Guideline published under a Attribution 4.0 International . © State of Queensland, 2022
This diagram shows the starting point of the model is prevention and mitigation, then moves to preparedness, followed by response, and finally recovery.
Use the PPRR model to:
- assist in developing your business continuity plan
- assist when conducting regular drills and rehearsals of emergency events
- identify gaps and areas for improvement
- ensure you are as prepared as possible.
The PPRR model is commonly used by Australian emergency management agencies because it is simple to understand and easy to remember and act on.
Small business examples of the PPRR model in practice
These examples help identify potential scenarios to consider for your business continuity plan.
Steps to prevent or eliminate risks
Example 1: Floods
When selecting a suitable premises for your business, check your local council's online flood maps and choose a location above flood levels of past floods.
If your premises is likely to be flooded, try to locate your building and structures above potential flood levels. Build accessible paths and driveways to allow continued access.
Learn more about preparing your business for natural disasters .
Example 2: Finances
Protect your finances by enabling additional security measures on your bank accounts and authorisations on payments. Set up a procedure to check all invoices, accounts and transactions regularly.
Contact your suppliers prior to payment to ensure the bank details listed on invoices are correct. These simple measures prevent fraud from within your business and theft through external cyber fraud.
- security and crime prevention
- managing financial risks .
Prepare your business to respond to and recover from an incident
Example 1: Bushfires
Identify what impact a bushfire might have on your business operations. This will not only include impacts to your business premises (e.g. loss of buildings and stock) but also wider impacts, such as how your local suppliers may be affected (e.g. limited orders, road or transport closures).
Develop emergency evacuation plans, and contact your local council for bushfire preparedness information for your area.
- preparing for a natural disaster
- bushfire preparation for small business .
Example 2: Losing a major customer
Losing a major customer can have a significant impact on your finances and may have implications for your staffing.
Consider how you could diversify products and services, or build your client base to ensure you're not reliant on the business of 1 customer.
Your response to contain and control an incident
Example 1: Economic downturn
An economic downturn is a normal phase in the business cycle. Customers may reduce spending and you may have to look at reducing stock or staffing levels.
A planned incident response will allow you to take immediate action to stabilise your business. Consider changing staff hours or renegotiating supplier contracts.
Learn more about surviving an economic downturn .
Example 2: Electrical fire
An electrical fire on your business premises needs a rapid response including making sure all staff are safe, evacuating and contacting emergency services.
A go-to kit with response checklists and contacts will help manage the incident.
- incident response
- emergency preparation for small business .
The steps and timelines to fully restore your business operations
Example 1: Drought
Recovering from drought in a rural area may require many steps to recover business customers and revenue, and is likely to take time.
Recovery could include attracting tourism to the area and broadening products and services. It may also require seeking financial assistance from the government and other sources.
- recovering after drought
- developing a recovery plan .
Example 2: Reputation loss
Reputation loss can be very difficult to recover from. You could consider engaging a public relations adviser, running a media campaign, retraining staff in customer service, and changing some products or services.
- recovering from a reputation incident
Train your staff
Include key staff when you develop and review your business continuity plan. This will help ensure your plan is comprehensive across all areas of your business, and help staff effectively respond to incidents. Make sure you introduce your plan to new staff as part of induction processes.
Use workplace simulations with staff to test and review your plan.
Workplace simulations of possible risks can help by:
- identifying how prepared you and your staff are
- revealing how quickly your staff can locate the plan, enact the incident checklists and put recovery actions in place
- identifying gaps and problems with the plan.
Simulation exercise
Your business experiences an IT outage. Many systems are affected including all your computers and telephones.
- Is your business continuity plan accessible in another location (e.g. a hard copy onsite, in the cloud accessible by a mobile phone)?
- Does your plan have a checklist of what to do including who to contact?
- Does your plan provide instructions on how to contact customers?
- How rapidly did the staff deal with the emergency and recover the business?
A team debrief after the simulation opens up discussion for review and changes based on staff feedback.
Also consider...
- Find out about identifying and managing business risk .
- Read about IT risk management .
- Visit the small business disaster hub to learn about managing natural disasters and other threats to your business.
- Last reviewed: 24 Nov 2022
- Last updated: 24 Nov 2022
IMAGES
VIDEO
COMMENTS
1. Planning Approach Determination. As discussed earlier, there are five types of business continuity plans: crisis management, crisis communications, emergency
Type of Plans ; 2. Occupant Emergency Planning (OEP) ; 3. Incident Response Plan (IR Plan) ; 4. Continuity of Operations Plan (COOP) ; 5. Disaster
Next, assess your various risks. By evaluating all of the various types of risks that an incident could bring up – such as financial
A BCP covers risks including cyber attacks, pandemics, natural disasters and human error. The array of possible risks makes it vital for an organization to have
Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks. BCP is designed to
Output of BC Strategy · (a) Mitigation Strategy · (b) Recovery Strategy · (c) Crisis Response Strategy.
Types of Continuity Plans · Business Continuity Plan · Crisis Communications Plan · Crisis Management Plan · Disaster Recovery Plan (DR Plan).
Conducting the Business Continuity Impact Analysis · Shifting production from one facility to another · Increasing manufacturing output at
A comprehensive business continuity plan will take each risk identified in the business impact analysis and develop an appropriate response
Continuity planning for resilience · natural disasters (floods, storms, cyclones) · fire · power outages · IT outages · supply chain failures · staff