University of Houston Small Business Development Center

Step-by-Step Guide: How to Build a Business Recovery Plan

By Tatyana Parham

In the midst of the coronavirus (COVID-19) pandemic, small businesses around the world are experiencing severe operational and economic challenges. In order to embrace small business recovery in such difficult times, business owners must proactively take the steps necessary to develop resilience in the face of a disaster. By creating a detailed business recovery plan geared towards the impacts of the pandemic, leaders are better equipped to respond efficiently and protect their employees, customers, and operations.

What is included in a small business disaster recovery plan?

A business recovery plan is a strategic guide that details processes created to prepare, respond, and recover in the event of an emergency. As the COVID-19 pandemic has a unique set of challenges, as compared to other natural disasters such as floods and hurricanes, it calls for a nuanced plan-of-action that will mitigate risks and allow for an expedient recovery.

An effective business recovery plan clearly outlines policies and procedures that highlight key information such as disaster risk and impact, critical stakeholders and operations, communication models, and strategy for business continuity.

Here are some key concepts to consider when creating a disaster recovery plan for your small business:

Prioritize employee health and safety

The health, safety, and wellbeing of your employees and customers should always be your top priority. Address any immediate needs and concerns first, including creating guidelines that support sick employees or those with sick family members. Consider expanding flexibility for typical work arrangements, and verify that you have the capacity to support a remote workforce. If telecommuting isn’t possible, ensure you have measures established that align with the current governmental health policies and support a safe working environment.

Identify COVID-19 risks and impact on your business

Conduct a risk assessment: Small business recovery begins with awareness of the potential risks that can adversely affect your business. A part of this may be to consider how operations will change in a worst-case scenario of 35 - 40% of your workforce being out sick, or how to reallocate your budget and preemptively avoid layoffs.

Other risks may include lack of access to public transport for employee commute, additional costs of establishing a remote workforce, national shutdowns prohibiting in-person contact, slowdown in sales, issues in supply chain and manufacturing, and even your business being forced to temporarily close. Prioritize critical business functions that are the most vulnerable, such as employee payroll and inventory management, and outline how you can protect them. Once top risks are identified, you can assess which risks will generate the most substantial impact, so you can determine the most efficient use of your resources.

Analyze the impact: Understand how the identified risks can affect critical business functions, and map out potential impacts this can have on your business. For example, if you have to temporarily stop operations for six weeks, how will that affect your quarterly and yearly financial statements, and how can you minimize financial loss through alternative sources of income? Identify the gaps in your current processes that prevent your business from operating sustainably. This process is called a business impact analysis.

Designate a recovery team

After identifying your business’s prime vulnerabilities, designate a team of stakeholders that will be directly involved in recovery efforts. This team of key players should understand the business’s core competencies, and have the ability to consistently make choices that reflect the best outcome for the needs of the business. Be realistic about expectations for each individual, and ensure that you are a top leader throughout recovery in order to maintain employee confidence levels.

Establish transparent communication

Consistently focus on transparent and timely communication with all relevant stakeholders to ensure regular support throughout the pandemic, including employees, clients or customers, suppliers, landlords, and investors. Create an employee communication plan specifically intended for the event of a disaster, and consistently provide updates based on CDC guidelines and organizational priorities. Regularly inform customers of any impact on products, services, and delivery, and maintain steady contact with suppliers regarding their continued capability to provide essential materials.

Revise business strategy for continuity

As the pandemic progresses, significant shifts in consumer behavior will demand a different approach to sustaining your business. Proactively strategize how to minimize downtime and disruptions to daily operations. Perform a complete audit of your business and marketing plans to pinpoint what’s working, what’s not working, and what will best support your business in a worst-case scenario.

Creatively decide on a plan-of-action that will provide practical cost-effective strategies that reduce the impact of identified risks. Brainstorm how to protect cash flow and monitor utilization of resources, ensuring that you have more than enough to cover future expenses.

Continue to monitor external vulnerabilities that can impact the flow of business as well, including pressures on customers, partners, and suppliers. Devise multiple plans for multiple scenarios of varying intensity, to ensure full preparation for what’s ahead. Assess your wins and losses throughout the recovery process, and devise contingency plans that will enable your business to thrive moving forward. Although crises may have considerable impacts to the detriment of your business, they reveal opportunities for your business to generally improve in value, organization, or efficiency.

Maximize the use of alternative funding and support

To support business recovery, stay up to date with available local and federal assistance programs that offer disaster relief. Visit our online hub for COVID-19 resources here.


What Is a Business Continuity Plan (BCP), and How Does It Work?


Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. A BCP is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis: Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery: In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization: A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and processes
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

Although BCPs and disaster recovery plans are similar in nature, the latter focus on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel, who create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.

Why Is a Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic, and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. Such threats and disruptions could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.

Federal Emergency Management Agency. "Business Process Analysis and Business Impact Analysis User Guide." Pages 15-17.

Ready. "IT Disaster Recovery Plan."


Guide to Creating Your Business Recovery Plan  


This post is part of our 8-part series exploring the role of data in business recovery and planning in the era of COVID-19. Read the rest of the articles here.

A disaster or emergency can threaten the very survival of a business or cause huge damage to customer relationships, profitability, employee well-being, and assets.

In order to mitigate these potential fallouts of an unforeseen event, every organization must have a business recovery plan in place. This plan documents a clear course of action to be followed in the event of an emergency. The business recovery plan is created with a view to maintain the critical revenue path of your products or services or at least restore them within the shortest possible time.

You need to develop, deploy, and maintain strategies and procedures that will ensure that critical business processes are resilient. These will enable your business to respond to and recover from possible events or disasters. The underlying approach to planning can be summed up as PPRR - prevention, preparedness, response, and recovery. We can attempt to prevent certain events or incidents, but for those that are beyond our control, we need to focus on our preparedness to respond and recover quickly. 

A study by Gartner found that two out of every five organizations that experienced a disaster went out of business within five years. This finding is a wake-up call to take business recovery planning very seriously. You can ensure that your business is counted among the other three by adopting the following best practices of business recovery planning.

Plan with data-driven decisions

In a previous post on How to Leverage Data to Create an Effective Business Continuity Plan, we explored the 5 steps towards creating a BCP, namely:

  • Business Impact Analysis
  • Risk Assessment
  • Risk Mitigation Strategy
  • Crisis Management Team
  • Test and Maintain

Planning enables you to put risk mitigation practices in place, by considering each risk to see whether you can avoid or reduce it. Some of these practices may include creating alternate supply chain sources, safeguarding revenue streams, backing up data, purchasing appropriate insurance coverage, and creating a cash reserve fund. 

The effectiveness of the plan depends upon your ability to correctly identify the most critical processes for your business. You need to estimate what the downtime of each of these processes will cost you. You also need to assign probabilities to a variety of possible risks. 

It's important that these decisions are taken based on past data that's available within the organization as well as from external sources such as public health, as seen during the pandemic, or weather centers, during storms and hurricanes. If this data is not properly maintained and analyzed then your plan will be based on gut feel and will not deliver the full value that it should.

Let’s consider potential risks. Businesses face a variety of risks. While some risks are specific to a particular industry or company, others can affect all kinds of businesses. The COVID-19 global pandemic has affected businesses across all sectors and geographies, and other epidemics or pandemics in the future may also wreak such havoc. Natural disasters such as earthquakes, tornadoes, hurricanes, winter storms, wildfires, or floods cause damage in specific locations. Industrial accidents such as chemical explosions, fires, or spillage of hazardous material may also pose a risk to your business. The failure of utilities such as power or water supply can cause disruption to your operations. Then there is the risk of deliberate sabotage by way of information theft or other attacks.

When you need to assess risks, working with data can provide granular insights about specific risks to facilities, teams, or locations. Data also plays a huge role in ensuring accurate business impact analysis. Scenario analysis based on data can help to consider the outcome of various possible events, and select the right risk mitigation strategies.

Detail the recovery procedure

A detailed business recovery plan is an important part of overall business continuity management. Consider each of the following aspects and define the procedure to be followed when restarting after an incident:

  • Which functions can be restarted and under what conditions?
  • What is the correct sequence for restarting, for example, machinery, servers, etc.?
  • Which roles will work through the incident, which will restart afterwards, and under what conditions?
  • In case anyone is injured, what is the emergency medical protocol?
  • Is there a need to relocate any facilities, functions or people? What will be the relocation process?
  • Keep an inventory of the essential items that will need to be available. What is needed to meet customer needs? What is essential to maintain communications? Plan for vehicles that will be needed for transportation or relocation. 
  • What happens if your payroll function gets disrupted? How will you take care of your employees’ financial needs?
  • Who will collect the evidence needed to file insurance claims?
  • If there is damage to physical or cyber security, how will you prevent fraud or theft?
  • Who will communicate to external stakeholders - families of staff members, customers, investors, members of the press, and others?
  • Who will manage documentation and evidence to protect you from legal liabilities?

The business recovery plan is created after thinking through each of these questions, and finding solutions that are specific to your business.

Create a continuity mindset

A business recovery planning exercise done once, with the objective of creating a formal plan, will not help your organization to build the necessary resilience, no matter how great the document produced is. Do people across functions know what is expected of them and feel a sense of ownership about the recovery plan? What if the document or file is not accessible when an incident occurs? Will key people still know what they are responsible for? 

Consider these questions carefully and engage team members to actively participate in continuity management. This safeguards the interest of your customers, employees, and their families, supply chain, and investors. It protects your brand, assets, and knowledge. Company leaders should not believe that business recovery planning is only related to IT systems and data, and is the exclusive responsibility of the IT function. Actually, business recovery should be an enterprise-wide focus and consider the needs of all functions in case of a disaster.

Provide training and conduct drills so that employees are familiar with their responsibilities in the event of a disaster. See that the BCP includes communications processes. You could define a call tree or phone tree that defines a calling sequence to ensure that everyone gets notified quickly. Contact information for employees, suppliers, customers, financial institutions, and other important stakeholders should be known and readily available at all times. Your training for employees could also include instructions about what can be shared on social media during a crisis.

While many plans focus on the crisis management team (CMT), you may choose to create other specialized teams. The recovery management team could be tasked with executing functions related to restarting operations. In addition, you may create teams specifically responsible for legal matters, damage assessment, PR, data recovery, and so on.

You can allocate responsibility for various components of the plan by assigning an owner and a reviewer. Stakeholders should be able to see when the plan was published and editing rights should be carefully controlled. 

Most importantly, you must list the people who are authorized to invoke the plan and under what circumstances. 

Review and maintain the business recovery plan

The business recovery plan must be current, tested, and available to stakeholders for it to be an effective means of building a resilient organization.

Over time, your business can evolve - people change, locations change, new equipment or facilities get added, and contact information changes. The nature of risks to your business also changes with time. For this reason, a regular review of the business recovery plan is essential. Do schedule an annual review of the BCP. This is the time to update the plan to better reflect the current realities of business. When you conduct exercises and drills, follow this up with a review to check whether things went well or whether the plan needs to be tweaked, and make changes if needed.

You may choose to invite an external consultant to review your business recovery plan and readiness. In this case, select a consultant who has conducted this exercise in multiple organizations so that you can benefit from the experience.

By following these best practices of business recovery management, you can help the stakeholders of your business achieve a state of readiness to overcome challenges and uncertainty. 


Taking Care of Business: How to Write a Business Recovery Plan


Last time, we looked at how to write recovery plans to protect your organization’s computer systems and applications. In today’s post we’re going to lay out how to write plans to recover your business processes.

Related on MHA Consulting: The Science and Art of Writing an IT/DR Recovery Plan

Protecting Your Business Processes

Two weeks ago we tackled the subject of how to write an IT/DR recovery plan. Today we’re going to look at the other side of the coin by discussing how to write a plan to protect your business processes.

In the current environment, businesses are under several new types of threat, including from the pandemic, extreme weather, the supply crunch, and the rise in ransomware attacks.

Given these conditions, what can companies do to protect their businesses? The answer is, identify their critical business processes and write plans showing how to recover them in the event of an outage. This will minimize downtime and protect the organization’s ability to carry out its mission.

The Four Types of Disruption

The first step in devising recovery plans for any department is thinking about the four types of disruption. Your plans need to protect your business processes from the following four types of event:

· Building loss

· Technology loss

· Third-party loss

· Personnel loss

Identifying Threats and Dependencies

Next identify the top four or five threats you face under each of the four types of events. You might have already identified these in conducting your business impact analysis (BIA) or threat and risk assessment (TRA).

Also, think about your dependencies: the things, people, and third parties you need in place for your recovery plans to be executable.

There are four main types of dependencies:

1. Application dependencies. Applications needed for the process (and how you will work if those are not available).

2. Equipment dependencies. The gear that must be available in order for your recovery plans to work.

3. Third-party dependencies. Data pertaining to third parties you might need to execute your plans and recover or sustain your business processes.

4. Relocation dependencies. Centralized alternate work sites and/or work from home requirements.

Taking Action

The next thing to look at in devising your business recovery plans is the actions that must be taken.

Immediate Actions. The actions that must be taken right away to protect people and property. After you are sure everyone is safe, identify and address any issues associated with your business processes that you have to take care of in the next 30 minutes. You might need to contact management, other employees, or some of your vendors or customers.

Containment Actions. Steps that must be taken to reduce further damage or impact from the event.

Recovery Actions. Actions that must be taken to move the department back toward normal operation. Common recovery actions include:

· Establish how people will travel to an alternate site and the first set of actions the recovery team will do when it gets there. Consider what will happen when people are working from home.

· Restore functions in order of importance as dependencies allow.

· Identify and document manual workarounds as needed.

· For each business process, develop recovery steps for the risks you’ve identified, then work out how you’re going to recover that process. Ensure you have identified manual workarounds to use if applications or technology are not available.

· Document any operational or relocation changes.

· Based on the risks and impacts, document specific actions that are going to be taken for each business process.

· Be prepared in case primary staff is unavailable and untrained people are required to perform key recovery tasks. You might need to hold a thirty-minute training session so secondary or tertiary staff will be capable of handling these tasks. Such training sessions should be included in your recovery plans. See below for information on documentation.

· In cases where relocation of operations is necessary, carry out the previously identified tasks needed to achieve this objective, such as changing phone numbers and implementing alternative communication arrangements.

Including Essential Reference Information

The last major element of your business recovery plans is your reference information. This is information you might need that isn’t included elsewhere in your plans. Either provide the information’s location or include a copy in your plan’s appendix.

The following are documents that are typically included in this group of resources:

· Asset List. List of important departmental assets such as laptops, phones, and special printers.

· Process documentation and SOPs. Documents that explain how to perform the department’s primary operations and activities.

· Employee List. List of departmental personnel with contact information. Might include a proposed employee work schedule for use during recovery. Such a schedule would list the various roles at the department and indicate how many employees in that role would be needed and for which times.

· Vendor List. List of names, products or services supplied, contract IDs, and contact information for key vendors.

Taking Care of Business

Protecting your business requires devising plans to recover your key business processes in the event of an outage. In today’s technology-driven environment, many organizations give short shrift to protecting their business processes. Don’t make this mistake. Follow the suggestions above to make sure your company will be able to quickly resume its critical business processes in the event of an emergency.

Further Reading

For more information on writing business continuity recovery plans and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

  • The Science and Art of Writing an IT/DR Recovery Plan  
  • Powering On: How to Be Ready for a Power Outage  
  • The 4-3-3 Rule for Writing Business Recovery Checklists  
  • Sounds Like a Plan: The Elements of a Modern Recovery Plan  
  • Staying Current: Why You Need to Keep Your BCM Plans Up to Date  


Richard Long

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.


Book cover

Always-On Business, pp 51–78

Business Continuity Management, Disaster Recovery Planning: Compliance in Practice

Nijaz Bajgorić, Lejla Turulja & Amra Alagić

First Online: 22 March 2022

Part of the Progress in IS book series (PROIS)

This chapter provides instructions on how a project management methodology can be applied to create, implement, and maintain a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), with a strong emphasis on building business readiness that allows companies to recover their business processes after unforeseen events. There are three main topics covered in this chapter: Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) and IT Audit of BC/DR. The chapter explains four key BCM processes that can be divided into the following six phases: Project initiation, Risk Assessment/Business Impact Analysis, Determining the BCM Strategy, Creation of master Contingency Plans, Testing and exercising master Contingency Plans, and Operations Management. Special emphasis is placed on the development of two key documents, Risk Assessment and Business Impact Analysis, through which the BCM team becomes more familiar with business processes and the IT infrastructure that supports these processes, in order to define key parameters such as RTO and RPO, prioritize critical business processes, and determine the order of recovery of processes and applications after a disaster. At the end of the chapter, instructions are provided on how to conduct a systematic audit of BC/DR processes and associated activities.



Author information

Authors and affiliations.

School of Economics and Business, University of Sarajevo, Sarajevo, Bosnia and Herzegovina

Nijaz Bajgorić, Lejla Turulja & Amra Alagić


© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter.

Bajgorić, N., Turulja, L., Alagić, A. (2022). Business Continuity Management, Disaster Recovery Planning: Compliance in Practice. In: Always-On Business. Progress in IS. Springer, Cham. https://doi.org/10.1007/978-3-030-93959-5_4


DOI : https://doi.org/10.1007/978-3-030-93959-5_4

Published : 22 March 2022

Publisher Name : Springer, Cham

Print ISBN : 978-3-030-93958-8

Online ISBN : 978-3-030-93959-5


Your Guide to Business Continuity Management and Disaster Recovery Planning


  • BCP vs. DR: Key Differences
  • Business Continuity Management Planning
  • What CEOs Should Know About BCMP
  • Key Steps to Developing a Compliant BCMP
  • Tactics for Staying Ahead of Regulators
  • Disaster Recovery Planning
  • What CEOs Should Know About DR
  • The 4Rs of DR Planning
  • Why a Cloud DR Service Is Important
  • Our Solutions

Businesses today encounter an ever-increasing volume of operational threats, so it’s critical for banks and credit unions to have adequate business continuity and disaster recovery (DR) procedures in place. Business continuity management (BCM) entails all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity—and it can enable an institution to keep operating if a disruption such as a cyberattack, natural disaster, or man-made event occurs.

We understand that BCM and DR planning can be challenging, so this guide provides some key strategies and best practices to help financial institutions execute them successfully.

It is first important to understand the key differences between a business continuity plan (BCP) and a disaster recovery plan, as these two terms are often mistakenly used interchangeably. The Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Management IT Examination Handbook a few years ago to expand its focus from “business continuity planning” to “business continuity management.” The BCM process is one in which a financial institution must proactively plan for resiliency to disruptive events and recover from those events. The traditional business continuity plan is now a subset of the overall BCM process and will be referred to as business continuity management plan (BCMP) going forward. The BCMP outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster. On the other hand, the DR plan outlines the specific steps to be taken to recover the interdependencies the institution must restore to return to normal operations after a disaster. The BCMP focuses on the continuation of critical functions, while the DR plan focuses on the restoration and recovery of the specific individual technology and third-party components necessary for those functions.

In the previous guidance, business continuity and disaster recovery were closely tied together, but the new guidance defines them as two separate concepts and states that “The business strategy, not technology solutions, should drive resilience.” It places a heavy focus on resilience and states that financial institutions cannot rely on technology alone to ensure resilience. Although technology can help provide resilience and offer significant advantages to your recovery capabilities, in many cases technology could be what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of technology or third-party failure, and often that could mean using manual processes and procedures to accomplish this.

Finally, the latest BCMP guidance provided an important distinction between a “test” and an “exercise.” Simply put, a test focuses on demonstrating the resilience and recovery capabilities of your systems, and an exercise addresses the people, processes, and procedures. For example, where a test may focus on backup and recovery options of systems, data restoration, device replication and rebuild or replacement, an exercise would verify that your staff (and ideally third parties) are aware of and could execute those options effectively. Both exercises and tests are now a requirement, and together they provide a high degree of confidence that your recovery procedures will allow you to meet your pre-determined process for recovery time objectives (RTOs).

Business continuity management is an essential system for preventing and recovering from potential threats. As a part of the business continuity process, a compliant and successful BCMP should include risk management (business impact analysis and risk/threat assessment); continuity strategies (interdependency resilience, continuity, and recovery); training and testing (exercises); maintenance and improvement; and board reporting.

To adhere to regulatory guidance, it is imperative for institutions to not only comprehend the entire business continuity management program but also employ a broad process-oriented approach that considers technology, business operations, testing, and communication strategies that are necessary for the entire organization—not just the information technology department.

Management should develop BCMPs with sufficient detail appropriate to the institution’s size and complexity. According to FFIEC guidance, “The BCMP should address key business needs and incorporate inputs from all business units.” The institution’s business continuity management program should align with its strategic goals and objectives. In addition, management should consider the entity’s role within and impact on the overall financial services sector when developing the program.


To develop a successful, compliant BCMP, it is important to understand and follow the recent, more detailed view of the BCM lifecycle in the FFIEC Business Continuity Management IT Examination Handbook. This approach is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance. Here is a checklist consisting of the required elements of the new approach that may not be incorporated into your current program:

  • Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  • Recovery point objectives (RPO)
  • Recovery time objectives (RTOs) for each business process (prioritized)
  • Maximum tolerable (or allowable) downtime (MTD/MAD)
  • Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst-case (low probability, high impact) scenarios?
  • Do you use testing as employee training exercises to verify that personnel are knowledgeable about recovery priorities and procedures?
  • Do you track and resolve all issues identified during testing exercises and use lessons learned to enhance your program? (Must be documented.)
  • Does your board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

Although there are several tips, tricks, and tactics to enhance compliance, one of the main tactics financial institutions can apply to stay ahead of regulators is to focus on resilience. Resilience includes the ability to anticipate, prepare for, prevent, and adapt to changing conditions, and to respond to, withstand, and recover rapidly from deliberate attacks, accidents, or naturally occurring threats or incidents. Management should incorporate the concept of resilience into all areas, including their business continuity management process, vendor management program, third-party supply chain management, and information security program. The objective is to implement processes to minimize the possibility of disruption and reduce the impact of such an event if it happens.

Inconsistencies between procedures and practices will often result in exam findings. Mentioning outdated references or older terminology in policies is one of the most common offenses that institutions commit. For instance, an institution might reference business continuity plan or planning (BCP) rather than business continuity management plan or planning (BCMP). This would be a minor mistake because the term BCP is not necessarily obsolete, but it’s not consistent with the most recent guidance and could raise a “red flag” that leads examiners to wonder if the institution has properly updated its policies, resulting in further scrutiny. A tactic that financial institutions can use to minimize outdated references and other inconsistencies between procedures and practices is to implement automation. Technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

Disaster recovery—the process of restoring IT infrastructure, data, and third-party systems—should address a broad range of adverse events such as natural disasters, infrastructure failures, technology failures, unavailability of staff, or even cyberattacks. As part of the disaster recovery strategy, management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the business impact analysis. The FFIEC’s Business Continuity Management IT Examination Handbook states:

Here are some important DR considerations for CEOs to ensure their institution is taking an effective approach to disaster recovery:

  • Expect the Unexpected: A disaster can strike anytime and in a myriad of ways. Most people think of a disaster as being a situation created by an unexpected weather event, power outage, equipment failure, or cyberattack, but network downtime due to human error is also a common cause of disruption. The need for disaster recovery is a matter of when—not if. Therefore, CEOs should expect some type of disaster to affect their institution.
  • Be Proactive: Not having a sufficient disaster recovery plan in place can have major negative consequences: a loss of data, business functions, clients, and reputation—not to mention time and money. So, bank CEOs must ensure their management team is being preemptive about implementing effective disaster recovery strategies. These strategies should be reflected in the BIA, which can reveal gaps in critical processes that would hinder the institution’s disaster recovery and, in turn, business continuity.
  • Consider Outsourcing: More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyberattacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage, and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient, and cost-effective.

For effective disaster recovery, there are four important “R’s” that institutions should focus on:

  • Recovery time objective (RTO) – The longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens. Shorter RTOs require more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints.
  • Recovery point objective (RPO) – The amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance.
  • Replication – An exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster.
  • Recurring testing – A variety of tests and exercises to verify the ability to quickly resume core business applications during a disaster situation. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback.

Institutions must have viable DR measures in place, and a comprehensive, cloud-based service is a cost-effective way to accomplish this. With DR in the cloud, institutions are always able to access their data—no matter what type of disaster happens. In addition, a cloud DR service offers a team of third-party experts who are available to advise on DR processes, ensure ongoing backups and regular testing are done in the correct timeframes, and serve as an extension of the staff when a disaster strikes.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. In addition, a cloud DR solution from an outside service provider can give institutions peace of mind from knowing their DR plan is being adequately tested and will work during a real disaster.

Safe Systems offers a wide range of comprehensive services to help community banks and credit unions support their BCM and DR planning and other efforts. Whether it’s compliance services, such as BCP Blueprint, Vendor Management, or Information Security Program, or technology services, such as Managed Site Recovery, Managed Cloud Services, or CloudInsight, institutions can customize solutions to meet their specific needs and budget.


Business continuity planning (BCP)

What is business continuity?

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following elements:

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and substitute plan to deal with absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so as to be able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

  • Methods of communication (e.g., phone, email, text messages)
  • Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
  • Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

  • Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
  • Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
  • Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and disaster recovery (described below), load balancing is a preventative measure. Health monitoring tracks server availability, ensuring accurate load distribution at all times—including during disruptive events.

Disaster recovery plan (DCP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DCP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and RPO.

  • Recovery time objective (RTO) – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
  • Recovery point objective (RPO) – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.


Choosing the right failover solutions

Failover is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

  • Hardware solutions – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
  • DNS services – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes TTL-related delays that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
  • On-edge services – On-edge failover is a managed solution operating from off-prem (e.g., from the CDN layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.
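The RTO and RPO targets and the three failover options described above can be checked against each other before an incident happens. The following is an added example, not code from the original article or from any vendor: the component names, timings and timestamps are constructed sample data, and the downtime model (detection time plus switch-over time, plus the full DNS TTL when failover relies on DNS) is a simplifying assumption.

```python
"""Check recovery-plan components against their RTO and RPO targets.

Added illustration: every component name, timing and timestamp is constructed
sample data, and the downtime model is a deliberate simplification.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    rto: timedelta           # maximum acceptable downtime
    rpo: timedelta           # maximum acceptable age of the newest restorable data
    last_backup: datetime    # newest backup known to restore cleanly
    failover: str            # "hardware", "dns" or "edge"
    detect: timedelta        # time for health monitoring to notice the failure
    switch: timedelta        # time to bring the backup system into service
    dns_ttl: timedelta = timedelta(0)   # only used for DNS failover


def worst_case_downtime(c):
    """Detection + switch-over, plus the full TTL for DNS failover, because
    resolvers may keep serving the cached old record until it expires."""
    downtime = c.detect + c.switch
    if c.failover == "dns":
        downtime += c.dns_ttl
    return downtime


def assess(c, incident_time):
    """Return the findings for one component; an empty list means targets are met."""
    findings = []
    data_loss = incident_time - c.last_backup
    if data_loss > c.rpo:
        findings.append(f"RPO breach: newest backup is {data_loss} old, target {c.rpo}")
    downtime = worst_case_downtime(c)
    if downtime > c.rto:
        findings.append(f"RTO breach: worst-case downtime {downtime}, target {c.rto}")
    return findings


def report(plan, incident_time):
    """Map each component name to its list of findings."""
    return {c.name: assess(c, incident_time) for c in plan}


def recovery_order(plan):
    """Restore the components with the tightest RTO first."""
    return [c.name for c in sorted(plan, key=lambda c: c.rto)]


def what_if(c, **changes):
    """Copy a component with some fields changed, e.g. a different failover type."""
    return replace(c, **changes)


def minutes(n):
    return timedelta(minutes=n)


# Constructed scenario: an outage at 10:30 on an arbitrary day.
INCIDENT = datetime(2024, 1, 15, 10, 30)
PHONES = Component("phone system", minutes(60), minutes(24 * 60),
                   datetime(2024, 1, 14, 23, 0), "hardware", minutes(5), minutes(30))
NETWORK = Component("network servers", minutes(10), minutes(59),
                    datetime(2024, 1, 15, 10, 0), "dns", minutes(1), minutes(2),
                    dns_ttl=minutes(15))
DATABASE = Component("customer database", minutes(30), minutes(59),
                     datetime(2024, 1, 15, 8, 45), "hardware", minutes(2), minutes(20))
WEB = Component("web application", minutes(5), minutes(15),
                datetime(2024, 1, 15, 10, 25), "edge",
                timedelta(seconds=30), timedelta(seconds=30))
PLAN = [PHONES, NETWORK, DATABASE, WEB]

if __name__ == "__main__":
    for name, findings in report(PLAN, INCIDENT).items():
        print(name, "->", findings or "targets met")
    print("recovery order:", recovery_order(PLAN))
    # The same servers without the DNS TTL in the path:
    print(assess(what_if(NETWORK, failover="edge"), INCIDENT) or "targets met")
```

In this sample data the 15-minute TTL alone exceeds the ten-minute RTO for the network servers, so no amount of faster detection fixes the breach; only a shorter TTL or a failover method without TTL reliance does.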


Create a business recovery plan

A recovery plan will help you respond effectively if an incident or crisis affects your business. It aims to shorten your recovery time and minimise losses.

Definition of business recovery

Business recovery is the return to operations following an incident, crisis, disaster, or significant event.

A business recovery plan is a pre-designed plan that includes:

  • setting timelines to restore critical functions
  • strategies to trade at pre-incident levels as soon as possible

Your recovery plan is part of your business continuity plan that outlines practical strategies to help you manage and stage a recovery from a crisis.


Download the business continuity plan template

This template includes a Recovery section.

Use this page to consider how your business can recover from a crisis, then complete the recovery section of the template.

Download the business continuity planning template.

Business recovery planning

In some cases, such as a pandemic, there may be several steps and stages of recovery. For example, a lockdown may occur several times and the business will need to recover operations as quickly as possible after each event.

Unlike an incident response plan, the business recovery plan has a longer-term view.

The business recovery plan covers:

  • strategies to recover from a range of incidents
  • objectives around time-frames to fully recover all business functions
  • a description of key resources, equipment, and staff required
  • checklists to ensure all actions have been done.

The best method to help define recovery times is to conduct a business impact analysis and identify critical business activities. Find out more about identifying and managing risk.

Analyse how long it will take to bring each activity back online or make operational again, for example, restoring backups of critical IT systems on your computers or replacing lost stock. Capture this in the recovery section of your business continuity plan.

Strategies from the small business disaster hub

Natural disasters:

  • cyclone and storm surge
  • severe storm

Major health event:

  • localised outbreaks
  • food poisoning and contamination

Emergency:

  • biosecurity threats (pest and animal disease outbreaks)
  • workplace accidents or deaths
  • dangerous material spills, leaks, or explosions
  • loss of power or infrastructure
  • major transport disasters
  • terrorist or major criminal incidents
  • climate change risks

Information technology (IT) threat:

  • cyber-attack or data hacking

Reputation incident:

  • highly negative media or social media coverage
  • rumour-driven crisis
  • inappropriate workplace behaviour (e.g. bullying, harassment)
  • organisational misdeeds and legal action (e.g. fraud, theft)

Designate a recovery team

As with the incident response plan, consider a team to manage business recovery.

Your team may be internal, such as the leader with clear objectives for all critical business functions, or external with advice and support from your accountant, legal representative, or business mentor.

As part of the planning, your team should receive training or advice on incident recovery and any designated tasks. This training could include skills to run the recovery remotely and the use of your emergency kits.

Clarification about who is needed for the recovery team, team training and practice drills are important parts of your preparation.

Past disasters and other incidents show that small businesses:

  • often need and look for external help to aid internal staff with full recovery (e.g. emergency services, banking and finance operators, council, and government assistance)
  • recover in different ways and at different speeds (e.g. external mental health services may form part of your recovery plan)
  • can struggle to make important decisions for many months (i.e. being without a clear recovery plan with achievable actions will slow down progress).

Your team should know about employment requirements and obligations before, during and after an incident or event.

Learn more about employment entitlements during natural disasters and emergencies from the Fair Work Ombudsman.

Communicating during the recovery

The recovery team should communicate as soon as possible with all staff and key stakeholders, usually within the first 24–48 hours of the incident.

As the recovery commences and well after the event, it is important to communicate regularly with suppliers, customers, and internal staff. You should provide the current state of progress and any changes that you've implemented to restore operations (e.g. establishing contracts with alternative suppliers or changes to opening hours).

Stages of recovery

Business recovery after an incident may occur in stages.

Initial stage

Activities in the initial stage include:

  • returning to your business site only when safe
  • protecting yourself and your staff when returning to the site
  • staying alert to dangers if the emergency event is not yet resolved
  • monitoring emergency updates and broadcasts
  • working with insurance companies to assist in recovery
  • securing the business site if necessary and safe to do so.

Early stage

Activities in the early stage include:

  • working with professional advisers (e.g. accountant, business mentors) to design financial recovery and approach banking or other financial support to maintain cash flow whilst recovering
  • forecasting cash flow over a prolonged period (e.g. 3–36 months)
  • insurance rectifications to premises and equipment
  • relocation or 'building back better'.

Long-term stage

Activities in the long-term stage include:

  • re-negotiating loans
  • reviewing emergency plans and kits
  • new products and services
  • thanking customers, community and celebrating overcoming the incident with staff.

Learn how to monitor the recovery process using a checklist.

Also consider...

  • Learn how to write a business continuity plan.
  • Read more about preparing an incident response plan.
  • Develop a recovery checklist.
  • Last reviewed: 24 Nov 2022
  • Last updated: 28 Feb 2023
Business Continuity Event Planning: Building a recovery strategy

In previous posts, we examined understanding the business, the relationship between event response and recovery efforts, and how to build an incident response plan.  The natural next step after initial response is the interim and permanent recovery of critical systems.  However, before drilling into the mechanics of creating and managing a business continuity plan for recovery, I’d like to step back and take a quick look at creating the controlling strategic framework upon which catastrophe response and recovery activities are based.

Having a management-approved business continuity strategy in place provides guidance relative to the requirements of initial response, what to recover, and to what extent it should be recovered.  Many organizations plan to recover everything, a recovery strategy doomed to fail in large organizations.

Building a strategy begins with understanding the business.  Only with a thorough knowledge of what processes cannot be down for even a short period can you build an effective recovery plan.  Armed with operations management approval of these processes, and an understanding of the underlying technology, you can make an informed decision about what to temporarily recover at a recovery site.

The approach I recommend is to:

  1. Work with business managers to identify critical processes.  Critical processes are those identified during the understand-the-business phase and ranked high when performing business impact analysis (BIA).
  2. Using the results of the BIA, and the time necessary to identify and prepare a permanent recovery site, identify those processes which must be part of the interim recovery activities (e.g., hot site).
  3. Work with business managers and key employees to identify technology requirements and possible manual workarounds.
  4. Document the results of Item 3 in a business recovery plan.
  5. Cycle through this process at least annually.

Considerations

Again, not all processes can be recovered.  This includes some critical outcome activities.   However, business continuity teams must provide accurate information to management to ensure the right decisions can be made as to whether to accept or mitigate the resulting risk.  According to BS 25999-1:2006 (Business continuity management code of practice, p. 21), managers should consider three things when assessing whether a process should be recovered and when:

  • The maximum tolerable period of disruption of the critical process
  • The costs of implementing a strategy or strategies for recovery or mitigation
  • The consequence of inaction [defined in the BIA]

There are also logistics considerations when building a strategy.  It cannot be built in isolation.  What is and is not possible must be considered.  A strategy built on unachievable assumptions results in incident response and recovery plans with little or no chance of success.  Logistical considerations include:

  • Availability of key personnel.  If a recovery site is out of town, how will employees reach the site?  If a catastrophe encompasses a large geographic region, will employees even be available?
  • Premises.  Considering the list of critical processes, supporting technology, and manual workarounds, what are the office or data center requirements, including:
      • Connection to the Internet
      • Direct connections to outside businesses/customers
      • Office equipment
  • IT infrastructure.  Entering into a contract for a warm or hot site requires considering what infrastructure is needed.  The cost of the contract increases with increases in infrastructure requirements.  When determining requirements, recovery teams must not only consider operational equipment.  They must also consider what equipment is initially necessary to concurrently recover critical systems, if necessary.

There are additional considerations, but working through these provides answers about what type of recovery, if any at all, is feasible.

The final word

Whether a strategy is needed for smaller events (i.e., server failure, loss of key personnel) is up to management.  However, a strategy is necessary before planning for events resulting in loss of most or all data center capabilities.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for CSOonline.com, TechRepublic, Toolbox.com and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.


Using Business Continuity & IT Disaster Recovery Planning


The following diagram illustrates the overall process enabled by Archer Business Continuity & IT Disaster Recovery Planning.

[Figure: Business Continuity & IT Disaster Recovery process flow diagram]

Business continuity (BC) plans are the detailed business process recovery plans that give an organization the step-by-step blueprint to recover a business process, facility, function, or department subsequent to a disruption. IT Disaster recovery (DR) plans are detailed recovery plans that give an organization the step-by-step road map to recover a data center, technology device, infrastructure, or application subsequent to a disruption. You can also create crisis response plans that the crisis team can use during an event to manage the disruption until it is closed.

To create a BC or DR plan, provide the applicable details for each plan, including plan information, review and approval information, recovery strategies, backlog tasks, contacts, requirements, and testing frequency. After the Business Continuity or Disaster Recovery plan has been drafted, recovery strategies documented, and recovery tasks outlined, the assigned reviewer should review and approve or reject the proposed plan. After a Business Continuity or Disaster Recovery plan is activated, associated tasks and strategies are distributed to employees as defined in the plan. As each strategy is run and task completed, the individual records must be updated to reflect the changes.

Documenting roles and responsibilities allows you to assign users certain jobs or titles for business continuity or disaster recovery plans. These assignments are typically provided by the Business Resiliency Director or Manager. Associating roles with Business Continuity or Disaster Recovery plans instead of individuals helps ensure consistency and accuracy of the plans if individuals associated with specific roles change positions frequently. If the role is critical, such as a key participant in a highly critical process, it can be designated by Role Type. These roles are also used to help create call trees to ensure effective communication between colleagues during a disaster.

The Notifications and Call Trees application provides a template for creating notifications and communicating information during an event. This application is used to document the notification, track the call tree (initiator and recipients), and associate the notification to BC or DR plans and Crisis Events.

You can test your plans, remediate issues that are discovered as part of a test, and submit the test results for review. A test exercise incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. A test is run when business continuity or disaster recovery plans are activated through a Testing/Exercise record. You can also use the automated test process provided by Archer to plan for your next plan test date.

Archer 6.12


Disaster recovery (DR) consists of IT technologies and best practices designed to prevent or minimize data loss and business disruption resulting from catastrophic events—everything from equipment failures and localized power outages to cyberattacks, civil emergencies, criminal or military attacks, and natural disasters.

Many businesses—especially small- and mid-sized organizations—neglect to develop a reliable, practicable disaster recovery plan. Without such a plan, they have little protection from the impact of significantly disruptive events.

Infrastructure failure can cost as much as USD 100,000 per hour, and critical application failure costs can range from USD 500,000 to USD 1 million per hour. Many businesses cannot recover from such losses. More than 40% of small businesses will not re-open after experiencing a disaster, and among those that do, an additional 25% will fail within the first year after the crisis. Disaster recovery planning can dramatically reduce these risks.

Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster recovery plan.

Disaster recovery also involves ensuring that adequate storage and compute is available to maintain robust failover and failback procedures.  Failover  is the process of offloading workloads to backup systems so that production processes and end-user experiences are disrupted as little as possible.  Failback  involves switching back to the original primary systems.

Read our article to learn more information about  the important distinction between backup and disaster recovery planning .

Business continuity planning creates systems and processes to ensure that all areas of your enterprise will be able to maintain essential operations or be able to resume them as quickly as possible in the event of a crisis or emergency. Disaster recovery planning is the subset of business continuity planning that focuses on recovering IT infrastructure and systems.

Business impact analysis

The creation of a comprehensive disaster recovery plan begins with business impact analysis. When performing this analysis, you’ll create a series of detailed disaster scenarios that can then be used to predict the size and scope of the losses you’d incur if certain business processes were disrupted. What if your customer service call center was destroyed by fire, for instance? Or an earthquake struck your headquarters?

This will allow you to identify the areas and functions of the business that are the most critical and enable you to determine how much downtime each of these critical functions could tolerate. With this information in hand, you can begin to create a plan for how the most critical operations could be maintained in various scenarios.

IT disaster recovery planning should follow from and support business continuity planning. If, for instance, your business continuity plan calls for customer service representatives to work from home in the aftermath of a call center fire, what types of hardware, software, and IT resources would need to be available to support that plan?

Risk analysis

Assessing the likelihood and potential consequences of the risks your business faces is also an essential component of disaster recovery planning. As cyberattacks and ransomware become more prevalent, it’s critical to understand the general cybersecurity risks that all enterprises confront today as well as the risks that are specific to your industry and geographical location.

For a variety of scenarios, including natural disasters, equipment failure, insider threats, sabotage, and employee errors, you’ll want to evaluate your risks and consider the overall impact on your business. Ask yourself the following questions:

  • What financial losses due to missed sales opportunities or disruptions to revenue-generating activities would you incur?
  • What kinds of damage would your brand’s reputation undergo? How would customer satisfaction be impacted?
  • How would employee productivity be impacted? How many labor hours might be lost?
  • What risks might the incident pose to human health or safety?
  • Would progress towards any business initiatives or goals be impacted? How?

Prioritizing applications

Not all workloads are equally critical to your business’s ability to maintain operations, and downtime is far more tolerable for some applications than it is for others. Separate your systems and applications into three tiers, depending on how long you could stand to have them be down and how serious the consequences of data loss would be.

  • Mission-critical:  Applications whose functioning is essential to your business’s survival.
  • Important:  Applications for which you could tolerate relatively short periods of downtime.
  • Non-essential:  Applications you could temporarily replace with manual processes or do without.

Documenting dependencies

The next step in disaster recovery planning is creating a complete inventory of your hardware and software assets. It’s essential to understand critical application interdependencies at this stage. If one software application goes down, which others will be affected?

Designing resiliency—and disaster recovery models—into systems as they are initially built is the best way to manage application interdependencies. It’s all too common in today’s microservices-based architectures to discover processes that can’t be initiated when other systems or processes are down, and vice versa. This is a challenging situation to recover from, and it’s vital to uncover such problems when you have time to develop alternate plans for your systems and processes—before an actual disaster strikes.

Establishing recovery time objectives, recovery point objectives, and recovery consistency objectives

By considering your risk and business impact analyses, you should be able to establish objectives for how long you’d need it to take to bring systems back up, how much data you could stand to lose, and how much data corruption or deviation you could tolerate.

Your recovery time objective (RTO) is the maximum amount of time it should take to restore application or system functioning following a service disruption.

Your recovery point objective (RPO) is the maximum age of the data that must be recovered in order for your business to resume regular operations. For some businesses, losing even a few minutes’ worth of data can be catastrophic, while those in other industries may be able to tolerate longer windows.

A recovery consistency objective (RCO) is established in the service-level agreement (SLA) for continuous data protection services. It is a metric that indicates how many inconsistent entries in business data from recovered processes or systems are tolerable in disaster recovery situations, describing business data integrity across complex application environments.
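The tiering, dependency inventory, and RTO/RPO steps above can be checked together once they are written down as data. The following Python sketch is an added example, not part of the original article or any vendor tool: the application names, figures, and the `App` structure are constructed, and it assumes independent systems are restored in parallel while each application's restore starts only after its dependencies are back.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class App:
    name: str
    tier: int                  # 1 mission-critical, 2 important, 3 non-essential
    rto: timedelta             # maximum time to restore service
    rpo: timedelta             # maximum age of the data recovered
    restore_time: timedelta    # restore duration measured in the last DR test
    last_backup: datetime      # timestamp of the newest restorable copy
    depends_on: list = field(default_factory=list)


def recovery_order(apps):
    """Return names with every dependency listed before its dependents."""
    state, order = {}, []

    def visit(name, path):
        if name not in apps:
            raise ValueError(f"{path[-1]} depends on {name}, which is not in the inventory")
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("circular dependency: " + " -> ".join(path + [name]))
        state[name] = "visiting"
        for dep in sorted(apps[name].depends_on):
            visit(dep, path + [name])
        state[name] = "done"
        order.append(name)

    # Start from the most critical tier so its chains are restored first.
    for name in sorted(apps, key=lambda n: (apps[n].tier, n)):
        visit(name, [])
    return order


def time_to_service(apps):
    """Elapsed time until each app is usable: slowest dependency chain plus its own restore."""
    ready = {}
    for name in recovery_order(apps):
        app = apps[name]
        wait = max((ready[d] for d in app.depends_on), default=timedelta(0))
        ready[name] = wait + app.restore_time
    return ready


def audit(apps, now):
    """Return (app, kind, detail) findings where the plan cannot meet its own objectives."""
    ready = time_to_service(apps)
    findings = []
    for name in sorted(apps):
        app = apps[name]
        age = now - app.last_backup
        if age > app.rpo:
            findings.append((name, "RPO", f"newest backup is {age} old, RPO is {app.rpo}"))
        if ready[name] > app.rto:
            findings.append((name, "RTO", f"usable after {ready[name]}, RTO is {app.rto}"))
        for dep in app.depends_on:
            if apps[dep].tier > app.tier:
                findings.append((name, "TIER", f"tier {app.tier} app depends on {dep} (tier {apps[dep].tier})"))
    return findings


# Constructed sample inventory; none of these systems or numbers come from the article.
NOW = datetime(2024, 1, 1, 12, 0)
H, M = (lambda n: timedelta(hours=n)), (lambda n: timedelta(minutes=n))
INVENTORY = {a.name: a for a in [
    App("orders-api", 1, H(2), M(15), M(45), NOW - M(10), ["orders-db", "auth"]),
    App("orders-db", 1, H(2), M(15), M(60), NOW - M(40)),
    App("auth", 2, H(8), H(4), M(90), NOW - H(1)),
    App("reporting", 3, H(72), H(24), H(3), NOW - H(6), ["orders-db"]),
]}

if __name__ == "__main__":
    print("restore order:", recovery_order(INVENTORY))
    for finding in audit(INVENTORY, NOW):
        print(*finding, sep=" | ")
```

The RTO finding on `orders-api` appears even though its own restore fits comfortably inside two hours: the slower `auth` dependency, classified one tier lower, pushes the chain past the objective.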

Regulatory compliance issues

All disaster recovery software and solutions that your enterprise has established must satisfy any data protection and security requirements that you’re mandated to adhere to. This means that all data backup and failover systems must be designed to meet the same standards for ensuring data confidentiality and integrity as your primary systems.

At the same time, several regulatory standards stipulate that all businesses must maintain disaster recovery and/or business continuity plans. The Sarbanes-Oxley Act (SOX), for instance, requires all publicly held firms in the U.S. to maintain copies of all business records for a minimum of five years. Failure to comply with this regulation (including neglecting to establish and test appropriate data backup systems) can result in significant financial penalties for companies and even jail time for their leaders.

Choosing technologies

Backups serve as the foundation upon which any solid disaster recovery plan is built. In the past, most enterprises relied on tape and spinning disks (HDD) for backups, maintaining multiple copies of their data and storing at least one at an offsite location.

In today’s always-on digitally transforming world, tape backups in offsite repositories often cannot achieve the RTOs necessary to maintain business-critical operations. Architecting your own disaster recovery solution involves replicating many of the capabilities of your production environment and will require you to incur costs for support staff, administration, facilities, and infrastructure. For this reason, many organizations are turning to cloud-based backup solutions or full-scale Disaster-Recovery-as-a-Service (DRaaS) providers.

Choosing recovery site locations

Building your own disaster recovery data center involves balancing several competing objectives. On the one hand, a copy of your data should be stored somewhere that’s geographically distant enough from your headquarters or office locations that it won’t be affected by the same seismic events, environmental threats, or other hazards as your main site. On the other hand, backups stored offsite always take longer to restore from than those located on-premises at the primary site, and network latency can be even greater across longer distances.

Continuous testing and review

Simply put, if your disaster recovery plan has not been tested, it cannot be relied upon. All employees with relevant responsibilities should participate in the disaster recovery test exercise, which may include maintaining operations from the failover site for a period of time.

If performing comprehensive disaster recovery testing is outside your budget or capabilities, you can also schedule a “tabletop exercise” walkthrough of the test procedures, though you should be aware that this kind of testing is less likely to reveal anomalies or weaknesses in your DR procedures—especially the presence of previously undiscovered application interdependencies—than a full test.

As your hardware and software assets change over time, you’ll want to be sure that your disaster recovery plan gets updated as well. You’ll want to periodically review and revise the plan on an ongoing basis.

The IBM Knowledge Center provides an example of a disaster recovery plan.

Disaster-Recovery-as-a-Service (DRaaS) is one of the most popular and fast-growing managed IT service offerings available today. Your vendor will document RTOs and RPOs in a service-level agreement (SLA) that outlines your downtime limits and application recovery expectations.

DRaaS vendors typically provide cloud-based failover environments. This model offers significant cost savings compared with maintaining redundant dedicated hardware resources in your own data center. Contracts are available in which you pay a fee for maintaining failover capabilities plus the per-use costs of the resources consumed in a disaster recovery situation. Your vendor will typically assume all responsibility for configuring and maintaining the failover environment.

Disaster recovery service offerings differ from vendor to vendor. Some vendors define their offering as a comprehensive, all-in-one solution, while others offer piecemeal services ranging from single application restoration to full data center replication in the cloud. Some offerings may include disaster recovery planning or testing services, while others will charge an additional consulting fee for these offerings.

Be sure that any enterprise software applications you rely on are supported, as are any public cloud providers that you’re working with. You’ll also want to ensure that application performance is satisfactory in the failover environment, and that the failover and failback procedures have been well tested.

If you have already built an on-premises disaster recovery (DR) solution, it can be challenging to evaluate the costs and benefits of maintaining it versus moving to a monthly DRaaS subscription instead.

Most on-premises DR solutions will incur costs for hardware, power, labor for maintenance and administration, software, and network connectivity. In addition to the upfront capital expenditures involved in the initial setup of your DR environment, you’ll need to budget for regular software upgrades. Because your DR solution must remain compatible with your primary production environment, you’ll want to ensure that your DR solution has the same software versions. Depending upon the specifics of your licensing agreement, this might effectively double your software costs.

Not only can moving to a DRaaS subscription reduce your hardware and software expenditures, it can lower your labor costs by moving the burden of maintaining the failover site to the vendor.

If you’re considering third-party DRaaS solutions, you’ll want to make sure that the vendor has the capacity for cross-regional multi-site backups. If a significant weather event like a hurricane impacted your primary office location, would the failover site be far enough away to remain unaffected by the storm? Also, would the vendor have adequate capacity to meet the combined needs of all its customers in your area if many were impacted at the same time? You’re trusting your DRaaS vendor to meet RTOs and RPOs in times of crisis, so look for a service provider with a strong reputation for reliability.

Read “Disaster Recovery as a Service (DRaaS) vs. Disaster Recovery (DR): Which Do You Need?” for a comparative overview of both solutions.


Kezia Farnham

Disaster recovery plan vs. business continuity plan: Is there a difference?


Disaster recovery and business continuity are two terms often used interchangeably, but doing so risks missing some of the key differences between the two strategies. To debunk the disaster recovery plan vs. business continuity plan debate, we look at:

  • What each means
  • Where the two are similar
  • How they differ
  • Why they are often confused
  • Whether your organization needs both

What is Business Continuity?

Definitions of a business continuity plan vary, as you'd expect; as with any corporate strategy term, there are different interpretations. But while definitions may diverge slightly, the general understanding is that a business continuity plan (BCP) is designed to ensure that your business can maintain its operations in the event of a disaster, whatever form that might take. On the other hand, a disaster recovery plan focuses on how your organization will recover and rebuild following any crisis.

IT firm Phoenix NAP believes that 'Disaster Recovery (DR) versus Business Continuity (BC) are two entirely different strategies, each of which plays a significant aspect in safeguarding business operations.'

Best practice business continuity plans follow a set pattern with some standard features. A comprehensive BCP will:

  • Identify the potential risks your business faces
  • Allocate responsibility, putting in place the teams you need to continue operations
  • Be built on best practice subsidiary and entity data
  • Make back-up arrangements for power, systems and communications
  • Prepare for recovery, identifying your disaster recovery team and the steps you will take to build back

This last point is where the potential 'grey area' between business continuity and disaster recovery starts to become apparent. Disaster recovery is a subset of business continuity planning and a vital element of a BCP. As well as planning for an immediate crisis-driven response, a business continuity plan should consider 'what happens next.' It's not just about how you deal with the immediate aftermath of a crisis, whether that's a cyber-attack, fire, flood, terrorist attack or any other human-made or natural disaster. It's about what you do next to restore operations on a more permanent footing. This is where the disaster recovery element of your planning comes in.

What is Disaster Recovery?

The disaster recovery plan and business continuity are very closely interlinked. Disaster recovery is the process of, as you might imagine, recovering after any business interruption or crisis. As InvenioIT puts it, 'A disaster recovery plan ...aims to answer the question: 'How do we recover from a disaster?''

What does a disaster recovery plan entail? It is typically a formal document, with details of steps needed to ensure you can recover rapidly from any disruption. IBM believes that a DR plan is more focused than a business continuity plan; as we said above, a subset of the BCP that focuses on how you recover your IT and systems to ensure operations return to normal as soon as possible.

These formalized plans came into being in the 1970s. Businesses switched from being paper-based operations to ones dependent on systems and computer-based operations, technologies that require rapid response and clear action plans for contingency and recovery. Minimizing downtime by having recovery plans for your IT infrastructure and other operations means businesses can reduce the length and impact of any unexpected disruption.

Disaster Recovery Plan vs. Business Continuity Plan: How Do BCP and DR Plans Differ?

What is the difference between a disaster recovery plan and a business continuity plan? Given that you need to consider both business continuity and disaster recovery, it's worth exploring the differences between the two. Partly, as we mentioned above, the difference is about scope. The BCP is broad, while a DR plan will be more focused, looking specifically at how to get systems up and running in the aftermath of a disaster. An IT disaster can take many forms, from a localized hardware failure to a company-wide data breach, and can have huge ramifications, with some 93% of businesses suffering an IT disaster going on to file for bankruptcy within a year.

Another difference is in timing; the BCP should kick in as soon as a disruption is identified. Potentially, this means moving to back-up servers, power generators and remote working. The recovery plan, on the other hand, tends to follow once the initial emergency response is in place, looking further ahead to determine how the business will rebuild and return to more normal operations.

In either case, a written plan is vital, including a detailed business impact analysis that should be updated regularly. We've written before about the importance of keeping your business continuity plan up-to-date: a lack of accurate data on your systems can significantly impact your ability to maintain operations and recover longer-term. Central to this is the need to maintain accurate information on all your entities and subsidiaries. Doing so enables you to methodically record the systems and technologies that will be impacted by an outage across the entirety of your organization. Once you're confident that you have captured all the applications and hardware you need to consider, your disaster recovery plan should include:

  • Detailed plans for restoring each of these critical applications and pieces of infrastructure
  • The timeframe for doing so
  • The people who need to be involved, along with emergency contact details to ensure they can be contacted in the event of any communications interruption

The ramifications of a disaster can be significant for an organization, including lost income, reputational damage, regulatory breaches and associated penalties, financial or otherwise, and missed opportunities for business growth while recovery is prioritized. The 'disaster recovery plan vs. business continuity plan' debate, then, is slightly spurious, because you clearly need both. Having defined plans, both to respond in the immediate aftermath of a crisis, and to recover following the initial crisis period, is essential. To help organizations with their planning, both for business continuity and disaster recovery, Diligent has long-standing expertise and a suite of solutions. The software supports businesses that manage entities, compliance and organizational documents, enabling companies to minimize and mitigate the risks posed by any disruption. You can find out more by getting in touch to request a demo.

How Machine Learning Will Transform Supply Chain Management

  • Narendra Agrawal,
  • Morris A. Cohen,
  • Rohan Deshpande,
  • Vinayak Deshpande

Businesses need better planning to make their supply chains more agile and resilient. After explaining the shortcomings of traditional planning systems, the authors describe their new approach, optimal machine learning (OML), which has proved effective in a range of industries. A central feature is its decision-support engine that can process a vast amount of historical and current supply-and-demand data, take into account a company’s priorities, and rapidly produce recommendations for ideal production quantities, shipping arrangements, and so on. The authors explain the underpinnings of OML and provide concrete examples of how two large companies implemented it and improved their supply chains’ performance.

It does a better job of using data and forecasts to make decisions.

Idea in Brief

The problem.

Flawed planning methods make it extremely difficult for companies to protect themselves against supply chain disruptions.

A remedy.

A new approach, called optimal machine learning (OML), can enable better decisions, without the mystery surrounding the planning recommendations produced by current machine-learning models.

The Elements

OML relies on a decision-support engine that connects input data directly to supply chain decisions and takes into account a firm’s performance priorities. Other features are a “digital twin” representation of the entire supply chain and a data storage system that integrates information throughout the supply chain and allows for quick data access and updating.

The Covid-19 pandemic, the Russia-Ukraine conflict, trade wars, and other events in recent years have disrupted supply chains and highlighted the critical need for businesses to improve planning in order to be more agile and resilient. Yet companies struggle with this challenge. One major cause is flawed forecasting, which results in delivery delays, inventory levels that are woefully out of sync with demand, and disappointing financial performance. Those consequences are hardly surprising. After all, how can inventory and production decisions be made effectively when demand forecasts are widely off?

  • Narendra Agrawal is the Benjamin and Mae Swig Professor of Information Systems and Analytics at Santa Clara University’s Leavey School of Business.
  • Morris A. Cohen is the Panasonic Professor Emeritus of Manufacturing & Logistics at the University of Pennsylvania’s Wharton School. He is also the founder of AD3 Analytics, a start-up that developed the OML methodology for supply chain management.
  • Rohan Deshpande is a machine learning scientist at Cerebras Systems and a former chief technology officer at AD3 Analytics.
  • Vinayak Deshpande is the Mann Family Distinguished Professor of Operations at the University of North Carolina’s Kenan-Flagler Business School.

9 Steps to Creating a Procurement Process for Your Small Business

An effective procurement strategy is the foundation for implementation success. Learn how to plan your approach, choose the right technologies, and find suitable suppliers.

Disruptions, shortages, and out-of-stock situations impact your uptime and ability to meet customer expectations. Indeed, in the second quarter of 2023, supply chain issues remained a top concern for 23% of small business owners, according to the MetLife and U.S. Chamber Small Business Index. A procurement strategy increases supply chain visibility and resiliency while reducing your financial and operational risks.

In addition, a purposeful approach to procurement can save your company money and bolster relationships with suppliers. Follow this step-by-step guide to develop a procurement process suitable for your business goals and needs.

1. Assess your needs, goals, and budget

Procurement cycles differ by company; small and medium businesses (SMBs) should refrain from trying to create a one-size-fits-all plan. Instead, complete an internal review to learn what goods and services each department requires. Categorize these as direct (raw materials or services for production) or indirect (supports business activities). Then, break them into goods or services. Remember to include pricing and quantities to understand the spend for each group.

This step aims to see how much your business spends on direct and indirect goods and services. These figures will give you an idea of how procurement can benefit your company and how a strategy can help you overcome supply chain challenges.

2. Establish metrics to measure your procurement performance

Procurement key performance indicators (KPIs) track your company’s efficiency and process goals. Monitoring metrics increases visibility into your supply chain and shows where you’re improving or need further action. You should set small business KPIs before beginning any new process.

Consider tracking the following metrics:

  • Rate of emergency purchases.
  • Procurement return on investment (ROI) and benefits.
  • Supplier defect rate.
  • Purchase order (PO) and invoice accuracy.
  • Compliance rate.
  • Supplier lead time.
  • Vendor availability.
  • PO cycle time.
  • Cost per invoice and PO.
  • Spend under management.
  • Price competitiveness.

3. Consider current and new procurement technologies

Capterra stated, “Nearly 30% of SMBs plan to implement a new supply chain management tool in 2023.” Moreover, MHI predicts that “digital supply chains will be the norm” by 2033.

Although companies can choose an all-in-one procure-to-pay suite, Capterra found that many organizations opt for specialized tools. Niche programs are easier to use, integrate, and deploy.

See if your current software supports your procurement process, and while planning your strategy, look for opportunities to automate tasks using supply chain tech. Doing so can decrease errors and save time, allowing your procurement team to focus on high-value activities instead of data entry.

Procurement software solutions fall into the following categories (and several tools cover multiple areas):

  • Accounts payable and spend analysis: This software helps companies understand the procurement process and find cost-saving opportunities. Solutions include Coupa, SAP Ariba, Precoro, and PRM360.
  • Procure to pay: These end-to-end platforms centralize many procurement activities. Consider solutions like mjPRO, Procurify, Precoro, Basware, and MHC Software.
  • Purchasing: Automate your approval workflows and view real-time spend data with SAP S/4HANA Cloud, Emburse Certify Expense, Spendwise, Veeqo, Unleashed, Planergy, Teampay, and Order.co.
  • Request for proposal (RFP): Create a central database for your procurement documents and use artificial intelligence (AI) tools to improve your workflows. Software solutions include Responsive (formerly RFPIO), Loopio, Avnio Response Cloud, RFP360, QorusDocs, and RocketDocs.
  • Spend management: Manage your expenses automatically and visualize your costs with software like BILL Spend & Expense (formerly Divvy), Ramp, Brex, Airbase, and Spendesk.
  • Strategic sourcing: Automate your sourcing and procurement process with software such as aPriori, Procol, and Anvyl.
  • Vendor management: Review, track, and manage suppliers with solutions from QuickBooks Online, Vanta, SAP Fieldglass, Venminder, Ncontracts, and Tradeshift Pay.

4. Find and evaluate suppliers

Identify vendors for each good, electronic component, raw material, or service your business requires. Obtain supply market intelligence using free resources from the U.S. Small Business Association and the U.S. Census Bureau. Also, consider paid services, such as IBIS World, Crain’s, Bloomberg, and Gartner. Consider each vendor’s cost structure, market information, past performance, and commodity profile.

This prescreening process is enough to move to the next stage for some services and goods (office supplies or standard maintenance items like grease). However, you should further evaluate complex parts and essential production components when the products substantially impact your budget and production capacity. The more risk that’s involved, the more time you should dedicate to the vetting process.

Consider criteria such as the following:

  • Location: Review the geographic stability, distance from your company, and supply chain infrastructure.
  • Cultural and language differences: Determine if barriers will cause communication issues during the process.
  • Working conditions: Focus on health and safety practices, child labor usage, and general working conditions.
  • Employee capabilities: See if there is a history of labor disputes or strikes, the turnover rate, and the workforce skill level.
  • Cost structure: Go over the total costs, including production, marketing, material, administrative, and supply chain expenses.
  • Technological capabilities: Consider the company’s approach to technology in design, equipment, processes, methods, and any current or future investments in research and development.
  • Quality control: Look at what system they use and record to ensure consistency for current and anticipated demand.

5. Choose a sourcing strategy

After approving a purchase, your procurement team must select a supplier and either buy directly from them, send an RFP or a request for quote (RFQ), or enter into an agreement.

An RFP solicits bids from suppliers. It should outline your project and provide delivery requirements, financial terms, pricing structure, and product or service details. Alternatively, a company uses an RFQ when they only need a price quote, not information about products or services.

6. Select suppliers and negotiate

Once you review the documents and choose a supplier, it’s time to negotiate vendor contracts. The agreement should outline the scope of work, delivery dates, budget, contract duration, legalities, terms, and conditions.

It’s important to remember that, ideally, you’re building a long-term relationship. You need to get the best deal possible. At the same time, compromise is part of negotiation.

7. Finalize documents and keep records

The onboarding process begins immediately after signing and approving the contract. Larger organizations often require individuals to complete a purchase requisition (PR). This form requests the procured goods or services and requires approval from an internal department manager or leader.

From there, the business creates a purchase order (PO). This document goes to the supplier and details the services or goods and negotiated terms and conditions.

Small businesses should keep all records on file, whether those records are paper files or digital forms. Doing so helps show your overall ROI and can support you when negotiating future vendor payment terms. Moreover, it’s essential for business tax and audit purposes.

Store the following documents:

  • Supplier invoices.
  • Delivery reports.
  • Company policies.
  • Purchase orders.
  • Packing lists.
  • RFPs and RFQs.
  • Procurement budget approvals.
  • Goods received note.

8. Inspect shipments and pay suppliers

Check out your first shipment to ensure everything is in good condition and in the correct quantity. Also, note if the supplier met the delivery schedule and satisfied the services outlined in the contract. If you have any concerns, contact the vendor for a meeting. Otherwise, you can go over the invoice for payment.

Companies often use the three-way matching method. It compares the purchase order, invoice, and itemized list for accuracy. From there (depending on your payment terms), your financial department will process the payment and send it to the supplier.

9. Review and adjust your procurement strategy

All business strategies are living documents. Nothing, including contracts, is set in stone.

Your procurement KPIs will highlight opportunities for improvement and areas where you could save money by adjusting your process or negotiating better contract terms. Likewise, you may realize inefficient processes are driving up administrative costs. In this case, automated spend management software or vendor management tools can boost productivity while reducing errors and ensuring policy compliance.

Roots Recovery Center reports progress in substance abuse treatment

WEBB COUNTY, Tex. (KGNS) - The Laredo/Webb County Drug and Alcohol Commission got together for an update on the Roots Recovery Center on Wednesday, February 21.

Since opening its doors, staff at the detox center have been reaching out to individuals on their waiting lists, extending an invitation to embark on their journey to recovery. Notably, one person has completed the detoxification process for alcohol and crack cocaine, while two others have been admitted for treatment.

One of the center’s primary requirements is a clear TB test to mitigate the risk of spreading disease among patients and staff. Viviana Martinez, Detoxification Director at Roots Recovery Center, elaborated on the process, stating, “Our process is calling them up, letting them know they will need to go get a TB test. The center will cover the cost of the TB test. Once their TB test comes back clear, then we do their admission and enroll them into the center.”

While the average length of stay for patients is about two weeks, the center emphasizes flexibility, recognizing that each individual’s journey to recovery may vary in duration.

Individuals seeking further information can contact the Roots Recovery Center at (956) 962-4198. The center is located at 1300 Chicago Street.

Copyright 2024 KGNS. All rights reserved.
