
Business continuity planning (BCP): what is business continuity?

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following elements:

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and a substitution plan to cover the absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so that they are able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

  • Methods of communication (e.g., phone, email, text messages)
  • Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
  • Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

  • Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
  • Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
  • Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and disaster recovery (described below), load balancing is a preventative measure. Health monitoring tracks server availability, ensuring accurate load distribution at all times, including during disruptive events.
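To make the health-monitoring behaviour concrete, here is a small added Python simulation of a round-robin pool that ejects a backend after consecutive failed probes and keeps routing to the survivors. It is example code written for this page, not Imperva's product or code; the backend names (web1, web2, web3), the failure threshold and the probe callables are constructed assumptions standing in for a real HTTP or TCP health check.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Backend:
    """One server in the pool. `probe` stands in for a real health check
    (e.g. GET /healthz); it returns True when the server answers."""
    name: str
    probe: Callable[[], bool]
    consecutive_failures: int = 0
    healthy: bool = True


class HealthCheckedPool:
    """Round-robin load balancer that only hands requests to backends whose
    periodic health checks are passing. FAIL_THRESHOLD consecutive failed
    probes eject a backend; a single passing probe readmits it."""

    FAIL_THRESHOLD = 2  # constructed value; real balancers make this configurable

    def __init__(self, backends: List[Backend]):
        self.backends = backends
        self._rr = 0  # round-robin cursor

    def run_health_checks(self) -> Dict[str, bool]:
        """Probe every backend once and update its health state."""
        for b in self.backends:
            if b.probe():
                b.consecutive_failures = 0
                b.healthy = True
            else:
                b.consecutive_failures += 1
                if b.consecutive_failures >= self.FAIL_THRESHOLD:
                    b.healthy = False
        return {b.name: b.healthy for b in self.backends}

    def route(self) -> Optional[str]:
        """Pick the next healthy backend; None means every backend is down."""
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            return None
        chosen = healthy[self._rr % len(healthy)]
        self._rr += 1
        return chosen.name


def simulate(rounds: int = 5, fail_from_round: int = 2) -> List[List[Optional[str]]]:
    """Constructed scenario: three backends, and web2 stops answering health
    checks from round `fail_from_round` onward. Returns the backend chosen
    for each of three requests per round."""
    check_no = {"n": 0}

    def always_up() -> bool:
        return True

    def web2_probe() -> bool:
        return check_no["n"] < fail_from_round

    pool = HealthCheckedPool([
        Backend("web1", always_up),
        Backend("web2", web2_probe),
        Backend("web3", always_up),
    ])
    history: List[List[Optional[str]]] = []
    for _ in range(rounds):
        check_no["n"] += 1
        pool.run_health_checks()
        history.append([pool.route() for _ in range(3)])
    return history


if __name__ == "__main__":
    for i, routed in enumerate(simulate(), start=1):
        print(f"round {i}: {routed}")
```

Note that web2 is still used in round 2: one failed probe is not enough to eject it, which is the usual trade-off between reacting quickly and flapping on a single dropped packet. From round 3 on, every request goes to web1 or web3 and no request is lost.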

Disaster recovery plan (DRP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DRP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and RPO.

  • Recovery time objective (RTO) – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
  • Recovery point objective (RPO) – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.
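The following Python script is an added example (not from the original article) of how RTO and RPO targets can be checked against what actually happened: the RPO is evaluated as the age of the newest backup taken before the disruption, the RTO as the measured outage duration, and the backup schedule itself is checked for the worst gap it permits. The component names, the objectives (taken from the article's ten-minute and one-hour examples plus a constructed 24-hour phone-system RPO), the backup timestamps and the outage records are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryObjectives:
    rto: timedelta  # maximum time to restore the service
    rpo: timedelta  # maximum age of the newest usable backup at the moment of disruption


# Constructed targets: RTOs follow the article's examples, RPOs are assumptions.
OBJECTIVES: Dict[str, RecoveryObjectives] = {
    "network-servers": RecoveryObjectives(rto=timedelta(minutes=10), rpo=timedelta(minutes=59)),
    "phone-system": RecoveryObjectives(rto=timedelta(hours=1), rpo=timedelta(hours=24)),
}


@dataclass(frozen=True)
class Outage:
    component: str
    started: datetime
    restored: datetime


def rpo_met(backup_times: List[datetime], disruption: datetime, rpo: timedelta) -> bool:
    """Data loss equals the gap between the disruption and the newest backup
    taken before it; the RPO is met when that gap does not exceed the objective."""
    prior = [t for t in backup_times if t <= disruption]
    if not prior:
        return False  # nothing to restore from at all
    return disruption - max(prior) <= rpo


def worst_backup_gap(backup_times: List[datetime]) -> timedelta:
    """Largest interval between consecutive backups: the worst-case data loss
    the schedule permits, whatever moment the disruption strikes."""
    ts = sorted(backup_times)
    return max((later - earlier for earlier, later in zip(ts, ts[1:])), default=timedelta(0))


def rto_met(outage: Outage, rto: timedelta) -> bool:
    """The RTO is met when the measured downtime does not exceed the objective."""
    return outage.restored - outage.started <= rto


def evaluate(outages: List[Outage], backups: Dict[str, List[datetime]]) -> Dict[str, Dict[str, bool]]:
    """Compare each outage with its component's objectives."""
    report: Dict[str, Dict[str, bool]] = {}
    for o in outages:
        obj = OBJECTIVES[o.component]
        times = backups.get(o.component, [])
        report[o.component] = {
            "rto_met": rto_met(o, obj.rto),
            "rpo_met": rpo_met(times, o.started, obj.rpo),
            "schedule_fits_rpo": worst_backup_gap(times) <= obj.rpo,
        }
    return report


def sample_report() -> Dict[str, Dict[str, bool]]:
    """Constructed incident: hourly server backups with one missed run at 09:00,
    daily phone-system backups, and two outages starting at 10:30."""
    day = datetime(2024, 1, 15)
    backups = {
        # hourly 00:00..12:00, but the 09:00 run was skipped (a 2-hour gap)
        "network-servers": [day + timedelta(hours=h) for h in range(13) if h != 9],
        "phone-system": [day - timedelta(hours=22), day + timedelta(hours=2)],
    }
    outages = [
        Outage("network-servers", day + timedelta(hours=10, minutes=30), day + timedelta(hours=10, minutes=38)),
        Outage("phone-system", day + timedelta(hours=10, minutes=30), day + timedelta(hours=11, minutes=45)),
    ]
    return evaluate(outages, backups)


if __name__ == "__main__":
    for component, result in sample_report().items():
        print(component, result)
```

The point of the third flag is that an incident can meet its RPO by luck (the 10:00 backup happened to land just before the 10:30 failure) while the schedule itself, with its missed 09:00 run, could not have met a 59-minute RPO had the failure come at 09:59. Checking the schedule, not just the incident, is what turns the objective into a verifiable control.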


Choosing the right failover solutions

Failover is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

  • Hardware solutions – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
  • DNS services – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes TTL-related delays that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
  • On-edge services – On-edge failover is a managed solution operating from off-prem (e.g., from the CDN layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks. Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. A BCP is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and process
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, but the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain.

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—who create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes.

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.

Federal Emergency Management Agency. "Business Process Analysis and Business Impact Analysis User Guide." Pages 15-17.

Ready. "IT Disaster Recovery Plan."

Neal Weinberg

Business continuity and disaster recovery planning: The basics

Good business continuity plans will keep your company up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, pandemics and more.


Editor’s note: This article, originally published on March 27, 2014, has been updated to more accurately reflect recent trends.

Wildfires in California. A snowstorm in Texas.  Windstorms across the Midwest. Floods in Hawaii. Hurricanes in Florida and Louisiana. Russian hackers and ransomware attacks. And let’s not forget the global pandemic.

If anyone still thinks that having a disaster recovery and business continuity plan isn’t a high priority, you haven’t been paying attention to recent events. As we begin to emerge from the COVID-19 pandemic, organizations are shifting to a new normal that will certainly be more remote, more digital and more cloud-based. Disaster recovery plans will have to evolve to keep up with these changing business conditions.

On top of that, business requirements for disaster recovery have changed dramatically. There was a time when it was acceptable for recovery time to be measured in days or hours. Now it’s minutes. In some cases, business units are demanding zero down time in the event of an unplanned outage.

Here are the basics of a state-of-the-art disaster recovery/business continuity (DR/BC) plan for 2021 and beyond. (Without getting too hung up on definitions, let’s say that disaster recovery is getting the IT infrastructure back up and running, while business continuity is a broader discipline that gets the business back up and functioning once the lights are back on.) 

Integrate cybersecurity, intrusion detection/response, disaster recovery into a comprehensive data protection plan

For CISOs, the first goal of a disaster recovery plan is to avoid the disaster in the first place, which is becoming increasingly challenging. First, data is no longer safely tucked away in an on-premises data center. It’s distributed across on-premises environments, hyperscale clouds, the edge and SaaS applications. ESG Research Senior Analyst Christophe Bertrand points out that SaaS presents a serious data protection and recovery challenge because “now you have mission critical applications running as a service that you have no control over.”

Second, the pandemic drove millions of employees out of the secure confines of the corporate office to their home offices, where the Wi-Fi is less secure and where employees might be sharing sensitive data on collaboration applications.

Third, hackers took notice of these expanding attack vectors and launched a barrage of new and more targeted ransomware attacks. According to the Sophos State of Ransomware 2020 Report, hackers have moved from spray-and-pray desktop attacks to server-based attacks. “These are highly targeted, sophisticated attacks that take more effort to deploy. However, they are typically far more deadly due to the higher value of assets encrypted and can cripple organizations with multi-million dollar ransom requests,” according to the report.

In response to these changing conditions, CISOs should focus on beefing up endpoint security for remote workers, deploying VPNs and encryption, protecting data at rest no matter where it lives, and also making sure that collaboration tools don’t become a source of security vulnerabilities.

Conduct a business impact analysis (BIA)

Organizations need to conduct a thorough business impact analysis to identify and evaluate potential effects of disasters through the lenses of financial fallout, regulatory compliance, legal liability, and employee safety. Gartner estimates that 70% of organizations are making disaster recovery decisions without any business-aligned data points or based on an outdated BIA. “Without the fact base the BIA provides, teams can only guess at the appropriate level of DR and what risks are tolerable. This results in overspend or unmet expectations,” according to Gartner.

Remember, you don’t need to protect everything. Organizations that conduct these exercises are often surprised to discover servers that do nothing but run a routine back-end business process once a month, or even once a year.

Organizations need to prioritize applications by their criticality to the business, and to identify all the dependencies associated with a business process, particularly applications that may have been virtualized across multiple physical servers, might be running in containers in the cloud, or in serverless cloud environments.

Classify data

Along the same lines, you don’t need to protect all data, just the data that you need to keep the business running. You do need to go through the process of locating, identifying, and classifying data. Be sure to protect data that falls under regulatory requirements, customer data, patient data, credit card data, intellectual property, private communications, etc. The good news is that tools can automate data identification and classification.

Consider disaster recovery as a service (DRaaS)

DRaaS is an increasingly popular option for CISOs at small- to mid-sized organizations who want to cost-effectively improve IT resilience, meet compliance or regulatory requirements, and address resource deficiencies. The DRaaS market is expected to grow at a rate of 12% a year over the next five years, according to Mordor Intelligence. DRaaS services cover the full gamut of disaster recovery and business continuity, providing flexibility and agility to enterprises, according to the Mordor report.

Gartner adds that as the DRaaS market has matured and vendor offerings have become more industrialized, the size and scope of DRaaS implementations have increased significantly, compared with a few years ago.

Develop a solid communication plan

Simply getting servers back up and running is essentially meaningless unless everyone knows their roles and responsibilities. Do people have the appropriate cell phone numbers and email addresses to share information? Do the relevant stakeholders have a playbook that spells out how to respond to a crisis in terms of contacting law enforcement, outside legal teams, utility companies, key technology and supply chain partners, senior leadership, the broader employee base, external PR teams, etc.?

Depending on the nature of the disaster, networking groups might need to establish new lines of connectivity for remote workers and reconfigure traffic flows; maintenance teams might need to perform remote troubleshooting, security teams might need to re-set firewalls, change access policies, extend security protection to new devices or to cloud-based resources. The biggest problem in a disaster isn’t related to data backups, it’s not having the right people in place and understanding all the steps required for the business to recover, says Bertrand.

Automate testing

To test disaster preparedness, companies traditionally conduct tabletop exercises in which key players physically come together to play out DR scenarios. However, only one-third of organizations perceive the exercises as “highly effective,” according to a July study by Osterman Research in association with Immersive Labs, a company that develops human-readiness skills in cybersecurity. The research also found that organizations don’t perform tabletop exercises often enough to keep up with evolving threats and that these exercises cost an average of $30,000. During the pandemic, it’s fair to assume that tabletop exercises fell by the wayside.

Doug Matthews, vice-president of enterprise data protection at Veritas, says there’s a better way. New tools can automatically test backup and recovery procedures on an ongoing basis and identify potential issues that need to be addressed. Modern testing solutions are also able to use sandboxing technology to create safe environments in which companies can test the recoverability of applications without impacting production networks.

Create immutable data backups

Ransomware attackers are targeting backup repositories, particularly in the cloud. They are also targeting SaaS applications. In response, organizations should keep one copy of data that can’t be altered. “Be sure that you have an immutable copy of backup data that nobody can touch,” advises Matthews, who says companies should have three copies of data at all times, not just two.

Companies should also investigate isolated recovery environments, such as air gapping, in which one copy of the data lives in an environment not connected to the production environment.

Consider data re-use

“Business is the data and data is the business,” says Bertrand. Once organizations have a copy of their important data sitting in a safe backup environment, why not think about ways to reuse it to advance the company’s digital transformation efforts.

The idea is for organizations to “understand what you have, where it is, how to protect it, store it and optimize it.”  Ultimately, Bertrand predicts that organizations will evolve an intelligent data strategy that encompasses regulatory compliance, disaster recovery/business continuity and data analytics.

Perform continuous updates

CISOs updating their DR/BC plans should take their cue from DevOps. It’s not about one-and-done, it’s about continuous improvement. DR planners need to be plugged into any changes at the company that might affect recoverability, including employees working from home permanently, stores or remote offices opening or closing, applications being replaced by SaaS, data moving to the edge, or DevOps moving to the cloud. Also, the technology is constantly improving, so be on the lookout for new tools that can help automate DR/BC processes. The plan should not be sitting on the shelf collecting dust. It should be updated on a regular basis.

Do long-term planning

In light of everything that has happened over the past 12 months, it’s a good time to shift thinking about DR/BC from reactive to proactive. Unfortunately, between public health emergencies, climate change and the increase in cyberattacks, disasters seem to be occurring more often and are certainly more devastating. DR/BC plans need to get ahead of the threats, not simply respond to them.

For example, if your company is in California, your DR/BC plan has to assume that there will be power outages from next season’s wildfires. Companies concerned about losing power when the next natural disaster hits might want to think about generating their own power from alternative sources.

A successful DR/BC plan requires that companies perform the basics, but it is also an opportunity for companies to find creative and innovative ways to keep the business running when disaster hits.


Neal Weinberg

Neal Weinberg is a freelance technology writer and editor. He can be reached at [email protected] .

Prepare for Emergencies with Business Continuity and Disaster Recovery Plans


This article was updated March 21, 2023.

How a company responds during an emergency or other unexpected event can drastically impact how quickly it can resume operations and its prospects for future success. Planning ahead and having systems in place for such events can be just as important as the actual response once an event occurs.

To prepare, companies should have both business continuity plans and disaster recovery plans in place. While business continuity and disaster recovery plans are two separate types of plans, they should complement each other as there are many similar concerns for each.

Below, we outline how these plans differ and steps your company can take to design effective plans should an emergency arise:

  • What Is a Business Continuity Plan?
  • What Is a Disaster Recovery Plan?
  • How Does Disaster Recovery Planning Differ from Business Continuity Planning?
  • What Types of Events Should Be Included in a Disaster Recovery Plan?
  • What Are the Benefits of Planning Ahead?
  • What Does a Business Continuity Plan Typically Include?
  • What Processes and Procedures Belong in a Business Continuity Plan?
  • What Is the Purpose of a Disaster Recovery Plan?
  • What Does a Disaster Recovery Plan Typically Include?
  • How Do You Test a Disaster Recovery Plan?

A business continuity plan is a predefined approach and procedure for how a business will continue to run when coping with an emergency.

A disaster recovery plan is a predefined approach and procedure for restoring the business to full functionality, following a system failure or compromise, while keeping the impact to a minimum.

While a business continuity plan focuses on defining how business operations should function under abnormal circumstances during a disaster or emergency, a disaster recovery plan focuses on getting applications and systems back to normal.


Business emergencies can include events that are intentionally or accidentally caused by humans as well as natural disasters.

Potential disasters and threats can include the following:

  • Pandemic flu
  • Banking uncertainty
  • Computer and server shutdown or denial-of-service and sabotage
  • Ransomware attack
  • Bomb threat
  • Severe weather or wildfire

Regardless of the origin, business disasters may cause:

  • Death or significant injury
  • Damage to property or environmental damage
  • Closing of business
  • Work or service stoppage
  • Negative impact on the company’s financial standing or company image

Business continuity planning and disaster recovery planning both provide several benefits to your organization, especially when they’re drafted in tandem, including:

  • People and property protection
  • Morale boost
  • Improved decision-making
  • Risk management

People and Property Protection

Having emergency plans in place can help safeguard the lives of employees and the property of the company. The Occupational Safety and Health Administration (OSHA) even requires companies with more than 10 employees to write these plans in compliance with its Regulation 1910.38, Emergency Action Plans.

Morale Boost

When employees know plans are in place, they may feel safer. This can help boost morale and potentially increase business value perception to buyers who recognize the responsibility and preparedness of the company.

Improved Decision-Making

Planning ahead allows for systemic, structured, and timely implementation of your plan and helps you make decisions based on the best available information, should an emergency occur.

It also provides room to be dynamic and responsive to change. Flexibility can allow you to take human and cultural factors into account, such as supporting workers with medical needs or managing teams that operate across geographic regions, and allows the company to be transparent and inclusive with its plans.

Even if you haven’t faced an emergency, planning for one can help facilitate continual improvement of the organization and become an integral part of all organizational processes.

Risk Management

Managing risk for organizations includes risks posed by relationships with third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of uptime.

For companies serving highly regulated industries, such as health care, financial services, and utilities, third-party risk management often includes assessing business continuity plans and disaster recovery plans. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.

There are several key factors to consider when creating a business continuity plan. While employee and customer safety should be your top concern, there are also other areas of focus that are especially important.

Business continuity planning should focus on:

  • How long your business can last without its tools, assets, operating locations, and other elements crucial to operations
  • Possible outcomes if you’re denied access to facilities, servers, customer records, or other needs
  • How long you can operate without telephone service, electricity (or on temporary generator power only), water, and other utilities
  • Necessary changes to processes and workflows to maintain critical operations until the situation can be returned to normal
  • Scenarios most likely to occur that would create the greatest disruption to the organization

To prepare for those concerns, a business continuity plan should define processes and procedures for the following:

  • Assessing and planning for threats to business operations
  • Maintaining operations and meeting obligations during emergencies
  • Testing your plan, including test types, testing schedules, and documentation requirements

Steps to assess various risks should include the following:

  • Estimating the likelihood of the event based on data, such as the historical frequency of natural disasters in an area
  • Defining risk categories, such as operational, legal, reputational, or security risks
  • Estimating the impact to assets or processes based on the defined risk categories—for example, a natural disaster that causes a server outage may affect a public website hosting a storefront, which could impact revenue or relationships with partners
  • Mitigating controls such as backups and alternate operating locations

Primary and secondary points of contact should be determined internally and externally. It may help to create templates or prewritten communications as well as communications schedules that can be deployed immediately in the event of an emergency. This helps put plans into action and address employee and public concerns.

Emergencies can require all hands on deck, so it’s important to identify top personnel and their responsibilities in your plan, as well as team members to serve as alternates in case the primary role player is unavailable.

Responsibilities should be defined and assigned for the following roles:

  • Crisis manager or site coordinator
  • Engineering or maintenance officer
  • Human resources officer
  • Communications or public relations officer
  • Outside members such as police, fire, and government personnel

Employees will need to be notified and given instructions in an emergency situation. Employee contact information should be up to date and easily accessible, and should include departmental organizational charts, cell and home phone numbers, and emergency contact information.

Planning should also consider the likelihood that communications systems may be inaccessible and define alternative means of connecting with employees and team members, including any third parties supporting business continuity efforts.

What Safety and Security Measures Are Included?

First-aid kits and other resources should be inspected at least monthly. Identify local hospitals, medical treatment options, and available 911 services so the correct parties can be contacted as quickly as possible if needed.

Evacuation and Access to Property

Evacuation plans from all company buildings should be readily available, and employees can be instructed on evacuation routes through drills. Additionally, they should be provided directions to shelter and safe areas.

For employees who are not at a company location, and to plan how property will be accessed following an emergency, alternate routes to key facilities should also be provided in case roads are damaged.

How Will You Access Contractors, Support Equipment, and Utility Companies?

Should you require the assistance of emergency personnel, repairs to infrastructure, or equipment, it’s important to consider how you’ll access these resources. Contractor contact information, tool and equipment requirements, and rental arrangements should be readily available.

Equipment you should consider having access to includes the following:

  • Generators for backup power including portable options such as trailers
  • Computing equipment and storage
  • Trailers to transport fuel to generators, equipment for repairs, or sandbags before storms

In addition to requesting these materials, it’s important to make sure anyone who will come in contact with the equipment has a deep knowledge of how to properly operate machinery and assess any safety concerns.

Other important vendors and contacts to have easy access to include the following:

  • Banks and financial institutions
  • Computer and IT backup support providers
  • Building contractors
  • Fuel companies

Do You Have Proper Insurance?

Should damage take place to your property or if people are harmed, you’ll want to make sure the proper insurance protocol is in place. You should be able to easily access the contact and claims reporting information for the following:

  • Property-casualty agent
  • Group health insurance
  • Life or accidental death and dismemberment insurance

Insurance concerns can also extend to cars and other vehicles, so it’s important to have access to vehicle identification numbers (VINs) in case they go missing or are damaged.

The purpose of disaster recovery planning is to support critical operations by returning IT systems to full functionality. This should be prioritized based on customer needs, regulatory requirements, and the importance to your organization or the operations that the IT system supports.

You should be able to determine which workaround options are available, rather than accepting a work stoppage, in order to do the following:

  • Reduce the likelihood or impact of an event through technology and controls
  • Maintain minimum mission-critical systems to allow for eventual full restoration
  • Recover post-disaster by bringing all systems back online to full operational state

A disaster recovery plan has many of the same elements as a business continuity plan that need to be documented and defined ahead of time, but there are several key elements that are different. These elements include:

  • Business impact analysis
  • Assumptions and constraints
  • Communication processes
  • Data and system backup plan
  • Damage and impact assessment
  • Response communication and action plan

A business impact analysis is essential for determining and evaluating the effects of an interruption to critical business operations. It assesses a disaster’s impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality.

Business leaders and management should be involved in determining the system recovery priorities, because this analysis is used to document the critical systems, document their dependencies on other systems, and prioritize the system recovery efforts.

What Is the Importance of Communication Processes and Role Assignments?

Communication is a key process during the recovery effort, so recovery teams should understand their roles and responsibilities. A disaster recovery coordinator should be established, along with a backup for this position. These people will be responsible for coordinating, communicating, and managing staff during the recovery efforts.

An emergency response team should also be documented as these personnel will be responsible for the actual recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored.

Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy employed to ensure that data is available in order to restore systems during emergency and nonemergency situations.

This plan outlines the backup strategy for all of the critical systems identified in the business impact analysis. The recovery and response action plan provides detailed steps on the recovery procedures that need to be performed in order to restore systems and data. These recovery steps are critical because they guide staff through everything necessary to fully recover a system.

Once a plan is in place, perform tests that help verify that it can be properly executed.

Diverse testing methods must be used so that multiple scenarios can be addressed and tested. Suggested testing methods include the following:

  • Walkthrough testing
  • Simulation testing
  • Checklist testing
  • Full-interruption testing
  • Parallel testing

Testing can be done for several purposes including the following:

  • Exercising the recovery processes and procedures
  • Familiarizing staff with the recovery process and documentation
  • Verifying the effectiveness of the recovery documentation and site
  • Establishing if recovery objectives are achievable
  • Identifying improvements to the disaster recovery strategy, infrastructure, and recovery processes
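As an added example that is not part of the original article: a small Python check that takes the recovery priorities and the acceptable recovery time and data loss agreed in the business impact analysis, compares them with what a restore test actually measured, and reports which systems failed to meet their objectives or were never exercised. The system names, objectives and drill timings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class CriticalSystem:
    name: str
    priority: int                 # 1 = restore first, as agreed with management
    max_recovery_time: timedelta  # acceptable downtime for this system
    max_data_loss: timedelta      # acceptable age of the newest usable backup

@dataclass(frozen=True)
class RestoreTest:
    system: str
    last_backup_at: datetime         # newest backup available when the drill began
    disaster_at: datetime            # simulated failure time
    restored_at: Optional[datetime]  # None if the restore never completed

def evaluate(systems: list, tests: list) -> dict:
    """Return {system: findings} in recovery-priority order; an empty list means objectives met."""
    by_name = {t.system: t for t in tests}
    findings = {}
    for s in sorted(systems, key=lambda s: s.priority):
        issues = []
        t = by_name.get(s.name)
        if t is None:
            issues.append("not exercised in this test")
        else:
            data_loss = t.disaster_at - t.last_backup_at
            if data_loss > s.max_data_loss:
                issues.append(f"data loss {data_loss} exceeds {s.max_data_loss}")
            if t.restored_at is None:
                issues.append("restore did not complete")
            elif t.restored_at - t.disaster_at > s.max_recovery_time:
                downtime = t.restored_at - t.disaster_at
                issues.append(f"recovery time {downtime} exceeds {s.max_recovery_time}")
        findings[s.name] = issues
    return findings

# Constructed sample data: hypothetical systems, objectives and drill timings.
SYSTEMS = [
    CriticalSystem("storefront", 1, timedelta(hours=4), timedelta(hours=1)),
    CriticalSystem("payroll", 2, timedelta(hours=8), timedelta(hours=24)),
    CriticalSystem("wiki", 3, timedelta(days=2), timedelta(days=1)),
]
D = datetime(2024, 3, 1, 9, 0)  # simulated disaster time for the drill
TESTS = [
    RestoreTest("storefront", D - timedelta(minutes=30), D, D + timedelta(hours=3)),
    RestoreTest("payroll", D - timedelta(hours=27), D, None),  # stale backup, failed restore
]
```

Any system with a non-empty findings list is a gap to feed back into the backup plan or the recovery procedures before the next test.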

We’re Here to Help

Emergency preparedness is all about planning, training, and maintaining a supportive culture. To learn more about how your business can organize business continuity and disaster recovery plans and confidently test and execute them, contact your Moss Adams professional.

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.
