Kezia Farnham Image

Business continuity strategy: Options, best practice approaches and examples

People in a business looking at a continuity strategy

There's no shortage of things to consider when you're upgrading your business continuity strategy. For instance:

  • What should your plan cover?
  • What are the critical inputs to the business continuity strategy?
  • What are the different approaches and solutions available?
  • What should the recovery strategies look like within your business continuity plan?

When it comes to business strategy, preparing for the unexpected is a necessary step, but can be a neglected element of strategic planning. Business continuity strategies ' sometimes referred to as disaster recovery planning ' can be one of the tricky jobs we push to the bottom of the list. Because these unexpected events are, by their very nature, unpredictable, they are difficult to anticipate and account for when planning. This can make developing business continuity strategies a challenge that we put off until we have no choice but to tackle it. And yet the benefits of having a robust business continuity strategy are legion. Your organization minimizes the cost and impact on any business performance during disruption. You are confident that you take a consistent approach to business continuity planning across your sites, entities or geographies. Your clients, suppliers, shareholders and other stakeholders are reassured that your business continuity approach is comprehensive and meticulous. The process of developing a business continuity strategy may also have wider-reaching benefits, encouraging as it does a wholesale review of your risk, supply chain management, and resource management approaches. Here we aim to make this process painless by exploring the various options available for business continuity planning, sharing tried-and-tested approaches and giving best practice examples.

What Business Continuity Strategy Options Exist?

There will be significant differences in approach developing business continuity strategies. The various methods are dependent on the nature of your business, the country or countries you operate in, and the prevailing external landscape when developing or updating the plan. There are, though, some accepted standards and definitions of business continuity. The International Organization for Standardization (ISO), in its ISO 22301:2019 standard, describes business continuity management as 'Requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.' Before you decide on the best continuity strategy for your business, you need to identify your objectives and any interdependencies that may impact the order of the actions you take. Is your primary focus immediate crisis management, restoring IT and systems, or the swift resumption of business? This will impact your priority actions in the event of any business interruption.

Essential Steps To Include In Your Business Continuity Strategy

No matter your sector, your immediate priorities for business continuity, or the nature of the disruption faced, some core elements and steps should feature in every business continuity strategy. You need to:

  • Identify the potential risks to your business. These will vary according to internal and external factors, and some will have more significant potential impact than others. Assess the implications of these risks to prioritize your response to them.
  • Determine who is responsible for creating BCPs for each of these risks.
  • Ensure you have a comprehensive view of your entire organization. Accurate data on all your legal entities is a prerequisite for successful business continuity planning.
  • Put in place arrangements for back-up power, communications, IT and remote working . Think about ways you might work if some of your core team are unavailable. Technology can be an essential partner here, enabling, for instance, e-signatures to ensure business decisions can be made even when people are isolating, working remotely or otherwise unavailable.
  • Plan for recovery . Recovery strategies in business continuity are vital. The immediate disaster response is only the first stage, and business continuity recovery strategies are as important as managing the initial crisis. Set up a team responsible for the various elements of your recovery ' these should include specialists in areas including IT, health and safety, communications and HR.
  • Regularly review your plan to ensure it remains current . Threats to your business change over time; so does the structure and nature of your organization itself. Things like your contact list and your critical functions may have altered since you last checked your plan.

Central to this is the integrity of your entity data . Accurate data underpins your plan; do you have a comprehensive picture of all your subsidiaries and their key information? Of course, the systems themselves that carry this data are also under threat from any business interruption. Your entity data management software , CRM solutions and other systems should be audited and checked to ensure they continue to operate in the event of any disruption.

  • Schedule recurring surprise BCP tests. These drills should be a non-negotiable element within your business continuity strategy.

Harness Technology To Support Your Business Continuity Plans

As the coronavirus pandemic ' the most salient example of business interruption this year ' took hold, organizations with robust systems buoying their operations found themselves better-placed to weather the storm, with best-in-class providers supporting their clients via online support and guidance. Diligent and our cloud-based software, including Entities, our entity management solution, delivered this type of support, partnering with clients to help them through the crisis. Robust entity management and proactive governance solutions help businesses ensure their business continuity planning strategies are comprehensive and reliable, giving assurance that they'll be ready when disaster strikes. Contact us to request a demo to see how our suite of cloud-based governance and compliance software can underpin your business continuity strategy, giving you the best chance of uninterrupted operation in a crisis.

Solutions Solutions

  • Board Management
  • Enterprise Risk Management
  • Audit Management
  • Market Intelligence

Resources Resources

  • Research & Reports

Company Company

Your data matters.

  • Search Search Please fill out this field.
  • Business Continuity Plan Basics
  • Understanding BCPs
  • Benefits of BCPs
  • How to Create a BCP
  • BCP & Impact Analysis
  • BCP vs. Disaster Recovery Plan

Frequently Asked Questions

  • Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

strategy for business continuity plan

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and process
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

strategy for business continuity plan

  • Terms of Service
  • Editorial Policy
  • Privacy Policy
  • Your Privacy Choices

U.S. flag

An official website of the United States government

Here’s how you know

world globe

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

strategy for business continuity plan

Business Continuity Planning

world globe

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

  • Business Continuity Plan Situation Manual
  • Business Continuity Plan Test Exercise Planner Instructions
  • Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

feature_mini img

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

What Is A Business Continuity Plan? [+ Template & Examples]

Swetha Amaresan

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

executives discussing business continuity plan

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

Free Download: Crisis Management Plan & Communication Templates

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

  • Business Continuity Types
  • Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

  • Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

strategy for business continuity plan

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

  • Free Crisis Management Plan Template
  • 12 Crisis Communication Templates
  • Post-Crisis Performance Grading Template
  • Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

Business Continuity Plan

Don't forget to share this post!

Related articles.

20 Crisis Management Quotes Every PR Team Should Live By

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

What Is Contingency Planning? [+ Examples]

What Is Reputational Risk? [+ Real Life Examples]

What Is Reputational Risk? [+ Real Life Examples]

10 Crisis Communication Plan Examples (and How to Write Your Own)

10 Crisis Communication Plan Examples (and How to Write Your Own)

Top Tips for Working in a Call Center (According to Customer Service Reps)

Top Tips for Working in a Call Center (According to Customer Service Reps)

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

strategy for business continuity plan

Move fast, think slow: How financial services can strike a balance with GenAI

strategy for business continuity plan

Take on Tomorrow @ the World Economic Forum in Davos: Energy demand

strategy for business continuity plan

PwC’s Global Investor Survey 2023

strategy for business continuity plan

Climate risk, resilience and adaptation

strategy for business continuity plan

Business transformation

strategy for business continuity plan

Sustainability assurance

strategy for business continuity plan

The Leadership Agenda

strategy for business continuity plan

PwC’s 27th Annual Global CEO Survey: Thriving in an age of continuous reinvention

strategy for business continuity plan

Built to give leaders the right tools to make tough decisions

strategy for business continuity plan

The New Equation

strategy for business continuity plan

PwC’s Global Annual Review

strategy for business continuity plan

Committing to Net Zero

strategy for business continuity plan

The Solvers Challenge

Loading Results

No Match Found

Business continuity

A holistic approach .

Can your organisation sustain operations in the midst of a serious crisis? How do you identify “mission-critical” processes? Do you have a backup strategy in the event of a massive disruption in your technology, facilities or other functions? Are your employees trained to respond during business disruptions?

Companies that take a holistic approach to business continuity management develop the ability to identify, prevent and prepare for events that may disrupt normal activities. 

A fully integrated business continuity strategy helps to build an overall culture of resilience .

67% of organisations applied a business continuity plan as part of their response to the COVID-19 pandemic. Source: PwC’s Global Crisis Survey 2021

Business continuity and a culture of resilience

Business continuity means more than just making sure the lights stay on when a crisis hits. The benefits of establishing a business continuity strategy include:

  • Resilience: With greater awareness of what really matters during a crisis, you can focus resources effectively.
  • Employee engagement and ownership: Your people understand their roles and responsibilities in a crisis, and are invested in executing a seamless recovery .
  • Strategic recovery plans: Pre-defined strategic decisions are embedded into recovery plans to guide your people toward a common goal during disruption.
  • Detailed business impacts and risks identified: Potential risks and areas of concern can be mitigated in “peace time” rather than in the heat of a crisis. 
  • Empowered leadership: Leaders are actively enabled to monitor the state of resilience within the organisation and provide hands-on guidance and support.
  • Continuous improvement: Tests, drills and simulation exercises help you understand what works and what doesn’t, enabling continued resilience and growth.

Assessing an organisation’s business continuity program

Effective business continuity programs have a common framework, core capabilities, and coordination of resources and activities to plan for and respond to events. 

PwC’s Organizational Preparedness Assessment (OPA), based on leading industry practices, helps organisations identify program blind spots and provides actionable recommendations to enhance program maturity.

PwC’s business continuity planning solutions

We’ve built scalable solutions to create a bespoke solution for each of our clients:

  • Business continuity program assessment and design
  • Business impact analysis and interruption risk assessment
  • Recovery plan creation and resilience improvement
  • Business continuity program exercises, maintenance and training
  • Business continuity program technology enablement and enterprise risk management integration
  • Third-party resilience framework and analysis
  • Crisis management program development and exercises
  • Information technology disaster recovery and business continuity program alignment and analysis

PwC brings depth and experience to support your response to an enterprise-wide crisis

Our PwC crisis management teams have developed tools and processes to help you survive an unexpected event and emerge stronger.

We take a holistic view of your organisation’s business continuity needs. And as your trusted advisor, we’ll help you build resilience for the long term.

{{filterContent.facetedTitle}}

{{item.publishDate}}

{{item.title}}

{{item.text}}

Related services

X Follow

We welcome your comments

Your request / feedback has been routed to the appropriate person. Should you need to reference this in the future we have assigned it the reference number "refID" .

Thank you for your comments / suggestions.

Required fields are marked with an asterisk( * )

Please correct the errors and send your information again.

Tick this box to verify you are not a robot

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Dave Stainback

Dave Stainback

Global Crisis & Resilience Co-Leader, PwC United States

Tel: +1 678 419 1355

Bobbie Ramsden-Knowles

Bobbie Ramsden-Knowles

Global Crisis & Resilience Co-Leader, PwC United Kingdom

Tel: +44 (0)7483 422701

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

  • Legal notices
  • Cookie policy
  • Legal disclaimer
  • Terms and conditions
  • Artificial Intelligence
  • Generative AI
  • Business Operations
  • Cloud Computing
  • Data Center
  • Data Management
  • Emerging Technology
  • Enterprise Applications
  • IT Leadership
  • Digital Transformation
  • IT Strategy
  • IT Management
  • Diversity and Inclusion
  • IT Operations
  • Project Management
  • Software Development
  • Vendors and Providers
  • United States
  • Middle East
  • Italia (Italy)
  • Netherlands
  • United Kingdom
  • New Zealand
  • Data Analytics & AI
  • Newsletters
  • Foundry Careers
  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Copyright Notice
  • Member Preferences
  • About AdChoices
  • Your California Privacy Rights

Our Network

  • Computerworld
  • Network World
  • Enterprise Buyer's Guides

How to create an effective business continuity plan

A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, or cyberattack. Here’s how to create a plan that gives your business the best chance of surviving such an event.

Professional Meeting: Senior Businesswoman and Colleague in Discussion

The tumultuous events of the past several years have impacted practically every business. And with the number of extreme weather events, cyberattacks, and geopolitical conflicts continuing to rise, business leaders are bracing for the possibility of increasingly more frequent impactful incidents their organizations will need to respond to.

According to PwC’s 2023 Global Crisis and Resilience Survey , 96% of 1,812 business leaders said their organizations had experienced disruption in the past two years and 76% said their most serious disruption had a medium to high impact on operations.

It’s little wonder then that 89% of executives list resilience as one of their most important strategic priorities.

Yet at the same time, only 70% of respondents said they were confident in their organization’s ability to respond to disruptions, with PwC noting that its research shows that too many organizations “are lacking the foundational elements of resilience they need to be successful.”

A solid business continuity plan is one of those foundational elements.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, head of compliance at Advance.AI and a member of the Emerging Trends Working Group at the professional governance association ISACA.

A business continuity plan gives the organization the best shot at successfully navigating a disaster by providing ready-made directions on who should do what tasks in what order to keep the business viable.

Without such as a plan, the organization will take longer than necessary to recover from an event or incident — or may never recover at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

A business continuity plan outlines the procedures and instructions that the organization must follow during such an event to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan , which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they often are considered together and abbreviated as BCDR.

Why business continuity planning matters

Whether you operate a small business or a large corporation, it’s vital to retain and increase your customer base. There’s no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.

Moreover, there are increasing consumer and regulatory expectations for both enterprise security and continuity today. Consequently, organizations must prioritize continuity planning to prevent not only business losses, but financial, legal, reputational, and regulatory consequences.

For example, the risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional services firm.

So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, or a week.

“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.

This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.

Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.

This is essentially a business impact analysis.

Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.

Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.

“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.

Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.

“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.

“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.

The importance of testing the business continuity plan

Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.

Renner says testing and practicing offer a few important benefits.

First, they show whether or how well a plan will work.

Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.

They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”

Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises , structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts also advise a full emergency evacuation drill at least once a year.

Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.

“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.

Otherwise, plans go stale and are of no use when needed.

Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

How to ensure business continuity plan support, awareness

One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.

Related content

Kyndryl bets on partnerships, consulting arm to redeem itself, what are the main challenges cisos are facing in the middle east, american honda it to fuel innovation with generative ai, 8 revealing statistics about career challenges black it pros face, from our editors straight to your inbox, show me more, copilot: an indispensable tool for banking security teams.

Image

Google integrates Gemini AI into enterprise tools

Image

ESG software: 6 tips for selecting the best fit for your business

Image

CIO Leadership Live India with Sankaranarayanan Raghavan, Chief Technology and Data Officer, IndiaFirst Life

Image

CIO Leadership Live Canada with Parm Sandhu, CIO at Immigrant Services Society of BC

Image

AMB Sports and Entertainment CTO on digitally engaging Atlanta Falcons fans

Image

Building a Foundation for Future GenAI Jobs

Image

Sponsored Links

  • Read this IDC spotlight to learn what commonly prevents value realization – and how to solve it
  • Experience the comprehensive solution that provides end-to-end visibility across applications, infrastructure, and network layers. Plus improve your IT operations and enhance overall business performance. Sign up for a Free Trial and explore the benefits
  • Want to justify your IT investments faster? IDC reports on how to measure business impact.
  • Developing Your MVP
  • Incident Management
  • Needs Assessment Process
  • Product Development From Ideation to Launch
  • Visualizing Competitive Landscape
  • Communication Plan
  • Graphic Organizer Creator
  • Fault Tree Software
  • Bowman's Strategy Clock Template
  • Decision Matrix Template
  • Communities of Practice
  • Goal Setting for 2024
  • Meeting Templates
  • Meetings Participation
  • Microsoft Teams Brainstorming
  • Retrospective Guide
  • Skip Level Meetings
  • Visual Documentation Guide
  • Weekly Meetings
  • Affinity Diagrams
  • Business Plan Presentation
  • Post-Mortem Meetings
  • Team Building Activities
  • WBS Templates
  • Online Whiteboard Tool
  • Communications Plan Template
  • Idea Board Online
  • Meeting Minutes Template
  • Genograms in Social Work Practice
  • How to Conduct a Genogram Interview
  • How to Make a Genogram
  • Genogram Questions
  • Genograms in Client Counseling
  • Understanding Ecomaps
  • Visual Research Data Analysis Methods
  • House of Quality Template
  • Customer Problem Statement Template
  • Competitive Analysis Template
  • Creating Operations Manual
  • Knowledge Base
  • Folder Structure Diagram
  • Online Checklist Maker
  • Lean Canvas Template
  • Instructional Design Examples
  • Genogram Maker
  • Work From Home Guide
  • Strategic Planning
  • Employee Engagement Action Plan
  • Huddle Board
  • One-on-One Meeting Template
  • Story Map Graphic Organizers
  • Introduction to Your Workspace
  • Managing Workspaces and Folders
  • Adding Text
  • Collaborative Content Management
  • Creating and Editing Tables
  • Adding Notes
  • Introduction to Diagramming
  • Using Shapes
  • Using Freehand Tool
  • Adding Images to the Canvas
  • Accessing the Contextual Toolbar
  • Using Connectors
  • Working with Tables
  • Working with Templates
  • Working with Frames
  • Using Notes
  • Access Controls
  • Exporting a Workspace
  • Real-Time Collaboration
  • Notifications
  • Meet Creately VIZ
  • Unleashing the Power of Collaborative Brainstorming
  • Uncovering the potential of Retros for all teams
  • Collaborative Apps in Microsoft Teams
  • Hiring a Great Fit for Your Team
  • Project Management Made Easy
  • Cross-Corporate Information Radiators
  • Creately 4.0 - Product Walkthrough
  • What's New

Understanding the Essentials of a Business Continuity Plan

hero-img

In the face of unforeseen disruptions, a robust business continuity plan (BCP) is essential to preserve the trust of stakeholders. If you are able to seamlessly continue operations even in the face of sudden challenges, stakeholders are reassured of the company’s resilience and commitment to their interests.

In this blog post, we offer a comprehensive guide to business continuity planning, how it can benefit organizations and share key insights into Developing and Maintaining an Effective business continuity plan.

What is a Business Continuity Plan?

A business continuity plan (BCP) is an essential blueprint that outlines how a company will continue operating during an unplanned disruption in service. It’s more than just a reactive strategy; it’s a proactive measure to ensure that critical business functions can continue during and after a crisis. The purpose of a BCP is to provide a systematic approach to mitigate the potential impact of disruptions and maintain business operations at an acceptable predefined level.

The role of a BCP is crucial in maintaining operations during unforeseen events such as natural disasters, cyber-attacks, or any other incident that could interrupt business processes. By having a well-structured business continuity plan, organizations can:

  • Minimize downtime and ensure that essential functions remain operational
  • Protect the integrity of data and IT infrastructure
  • Maintain customer service and preserve stakeholder trust

Why is a Business Continuity Plan Important

Immediate Response : A BCP ensures that there is a predefined action plan, minimizing downtime and demonstrating control over the situation.

Transparent Communication : Keeping stakeholders informed during a crisis promotes transparency and maintains confidence in the company’s management.

Inclusive Planning : Involve stakeholders in the business continuity plan development process. Their insights can enhance the plan’s effectiveness and ensure their needs are addressed.

Consistency in Service : By prioritizing critical operations, a BCP helps maintain the quality and consistency of services or products, which is important for customer retention.

The absence of a business continuity plan can lead to a domino effect of negative outcomes, including a tarnished reputation and the potential loss of future business. Stakeholders remember how a company responds in a crisis, and a well-executed BCP can be the difference between a temporary setback and a long-term impact on the company’s image and relationships.

Elements of a Business Continuity Plan

When exploring various business continuity plan examples, certain common elements emerge as critical for their effectiveness. These elements serve as the backbone for a robust BCP plan, ensuring that businesses can maintain operations and protect their reputation during unforeseen events. Here are some of the key components found in successful BCP examples:

Risk Assessment and Business Impact Analysis : Identifying potential threats and assessing their impact on business operations is a foundational step in any BCP plan.

Crisis Communication Plan : A clear communication strategy is essential to manage stakeholder expectations and maintain trust.

Recovery Strategies : Detailed procedures for restoring business functions and services post-disruption are indispensable.

Employee Training and Awareness : Ensuring staff are well-prepared and knowledgeable about the BCP plan is crucial for its successful implementation.

Case studies of successful BCP implementations often highlight how these elements are tailored to fit specific business models and industries. For instance, a financial institution may focus heavily on data security and regulatory compliance within their BCP, while a manufacturing business might prioritize supply chain alternatives and on-site safety protocols. Regular testing and adjustment of these plans are also a common thread, underscoring the importance of adaptability and continuous improvement in business continuity planning.

Business Continuity Plan Toolkit

exit full-screen

Business Continuity vs. Disaster Recovery

It’s important to distinguish between a business continuity plan and a disaster recovery plan. While both are vital, a BCP is broader and focuses on the continuity of the entire business, whereas a disaster recovery plan is more technical and concentrates on the recovery of specific operations, such as IT services. Understanding these differences helps organizations allocate resources effectively and ensures comprehensive preparedness for any type of disruption. Understanding when to activate a business continuity plan (BCP) versus a disaster recovery plan is crucial for maintaining operational resilience.

To ensure a comprehensive crisis management strategy, consider the following integration points:

Pre-emptive Planning : Establish clear triggers for when each plan is activated. For instance, a BCP might be initiated in the face of a supply chain disruption, while disaster recovery would come into play during a data breach or server failure.

Unified Communication : Both plans should have a coordinated communication strategy to inform stakeholders and employees about the status and steps being taken.

Regular Testing : Conduct joint drills that test both the BCP and disaster recovery plans to identify any gaps or overlaps in procedures.

Continuous Improvement : Use insights from drills and actual incidents to refine both plans, ensuring they evolve with the changing business landscape and technological advancements.

By integrating both plans, organizations can navigate crises with agility and confidence, minimizing downtime and protecting their reputation. Tools like Creately, with features such as real-time collaboration and visual project management, can help create and maintain these critical plans, ensuring that all stakeholders are on the same page and ready to act when necessary.

Crisis Communication Strategies within Business Continuity Planning

A business continuity plan (BCP) is not just about responding to the crisis at hand, but also about how you communicate during the disruptions and the decisions you make. Here are some best practices to ensure your crisis communication and decision-making processes effective:

Clear Communication Channels : Establish predefined channels for internal and external communication. This ensures that messages are consistent and reach all stakeholders promptly.

Designated Spokespersons : Identify individuals who are authorized to speak on behalf of the company during a crisis. This helps maintain a unified voice and message.

Factual Updates : Provide regular, factual updates to keep stakeholders informed. Avoid speculation and commit to transparency.

Decision-Making Protocols : Implement decision-making protocols that are clear and allow for swift action. This includes having a chain of command and predefined criteria for making critical decisions.

Training and Simulations : Regularly train your crisis management team and conduct simulations to prepare for potential scenarios. This ensures that when a crisis does occur, your team is ready to act effectively.

By integrating these best practices into your BCP plan, you can maintain control during a crisis, make informed decisions, and communicate effectively with all parties involved. Remember, the goal is to protect your company’s operations, reputation, and stakeholder relationships during unexpected events.

Utilizing Business Continuity Plan Templates and Tools

When it comes to developing a robust business continuity plan (BCP), leveraging templates can offer a significant head start. These templates serve as a foundational framework that can be customized to align with the specific requirements of your business. Here’s why using BCP templates is advantageous:

Efficiency in Development : BCP templates provide a structured approach, ensuring that all critical elements are considered without starting from scratch. This saves valuable time and resources.

Consistency Across the Organization : Templates help maintain a uniform response strategy, which is crucial for coherent and coordinated action during a crisis.

Ease of Customization : While templates offer a general outline, they are designed to be adaptable. This means you can tailor them to reflect your business’s unique operational processes, risk profile, and recovery objectives.

Incorporating features like crisis response directions into your BCP template is essential. With Creately you can,

  • Visualize these procedures on an infinite canvas, ensuring clarity and accessibility for all team members.
  • Easily modify the plan as your business evolves, with the drag-and-drop functionality, making regular testing and adjustment a seamless process.
  • Create a central repository of information by having docs, links and attachments in the notes panel of any shape in your diagram.

Key Insights for Developing and Maintaining an Effective Business Continuity Plan

A robust business continuity plan (BCP) is not a ‘set it and forget it’ document; it requires ongoing attention and refinement. Here’s why regular testing, updates, and staff training are non-negotiables in business continuity:

Financial Protection : By regularly testing your BCP, you can identify and rectify gaps that could otherwise lead to significant financial losses during a crisis. It’s not just about having a plan, but ensuring it works effectively when you need it most.

Reputational Safeguarding : Your company’s reputation is on the line when disaster strikes. A well-rehearsed BCP means your team can respond swiftly and competently, preserving stakeholder trust and customer loyalty.

Customization for Evolving Threats : The threat landscape is constantly changing. Regular BCP reviews allow you to tailor your plan to new types of risks, ensuring your business remains resilient against the unforeseen.

Empowered Employees : Training staff on the BCP turns theory into practice. When every team member knows their role in a crisis, response times improve, and confusion is minimized.

Remember, a BCP is a living document. It thrives on the feedback loop created by regular drills and updates, ensuring that when a crisis does occur, your business is prepared not just to survive, but to continue operations with minimal disruption.

Join over thousands of organizations that use Creately to brainstorm, plan, analyze, and execute their projects successfully.

More Related Articles

AI SWOT Analysis: How to Leverage Artificial Intelligence for Business Insights

Hansani has a background in journalism and marketing communications. She loves reading and writing about tech innovations. She enjoys writing poetry, travelling and photography.

  • Advisera Home
  • ISO in General

Partner Panel

ISO 22301 Documentation Toolkits

Iso 22301 training.

  • Documentation Toolkits
  • White Papers
  • Templates & Tools

Where to Start

New ai tool.

  • Live Consultations
  • Consultant Directory
  • For Consultants

Dejan Kosutic

Dejan Kosutic

  • Get Started

Business continuity plan: How to structure it according to ISO 22301

Advisera Dejan Kosutic

In my experience, companies usually find two things in their business continuity or information security management to be the most difficult: risk assessment, and business continuity planning. Here I’ll give you some tips on business continuity plans (BCP).

ISO 22301 business continuity plan should include Purpose, scope and users, Reference documents, Assumptions, Roles and responsibilities, Key contacts, Plan activation and deactivation, Communication, Incident response, Physical sites and transportation, Order of recovery for activities, Recovery plans for activities, Disaster recovery plan, Required resources, and Restoring and resuming activities from temporary measures.

What is a business continuity plan?

According to ISO 22301 , business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.” (clause 3.5)

This basically means that BCP focuses on developing plans/procedures, but it doesn’t include the analysis that forms the basis of such planning, nor the means of maintaining such plans – all these are required elements of business continuity management that are necessary for enabling successful contingency planning.

To read more about analysis, see Five Tips for Successful Business Impact Analysis , and to find out how to interpret the analysis, read Can business continuity strategy save your money? .

Business continuity plan example

Here’s what I found to be the optimal structure for the business continuity plan for smaller and midsize companies, and what each section should include:

Purpose, scope and users – why this plan is developed, its objectives, which parts of the organization it covers, and who should read it.

Reference documents – to which documents does this plan relate? Normally, these are Business Continuity Policy, Business Impact Analysis, Business Continuity Strategy, etc.

Assumptions – the prerequisites that need to exist in order for this plan to be effective.

Roles and responsibilities – who will be responsible for managing the disruptive incident, and who is authorized to perform certain activities in case of a disruptive incident – e.g. activation of the plans, urgent purchases, communication with media, etc.

Key contacts – contact details for persons who will participate in the execution of the business continuity plan – this is usually one of the annexes of the plan.

Business Continuity Plan (BCP) Structure According to ISO 22301

Plan activation and deactivation – in which cases can the plan be activated, and the method of activation; which conditions need to exist to deactivate the plan. Communication – which communication means will be used between different teams and with other interested parties during the disruptive incident. Who is in charge of communicating with each interested party, and the special rules of communication with media and government agencies.

Incident response – how to react initially to an incident in order to reduce the damage – this is very often an annex to the main plan.

Physical sites and transportation – which are the primary and alternative sites, where the assembly points are, and how to get from primary to alternative sites.

Order of recovery for activities – list of all the activities, with precise Recovery Time Objective (RTO) for each.

Recovery plans for activities – description of step-by-step actions and responsibilities for recovering manpower, facilities, infrastructure, software, information, and processes, including interdependencies and interactions with other activities and external interested parties – these are very often annexes to the main plan. To read more about them, see How to write business continuity plans?

Disaster recovery plan – this is normally a type of recovery plan that focuses on recovering the information and communication technology infrastructure. To read more about the relationship between disaster recovery and business continuity, see Disaster recovery vs business continuity .

Required resources – a list of all the employees, third-party services, facilities, infrastructure, information, equipment, etc. that are necessary to perform the recovery, and who is responsible to provide each of them.

Restoring and resuming activities from temporary measures – how to restore business activities back to business-as-usual once the disruptive incident has been resolved.

What I like about ISO 22301 is that it requires all the elements that are necessary for this plan to be useful in case of a disaster (or any other disruption in a company’s activities). However, no standard can help you unless you understand this task seriously – a properly written and comprehensive plan can save your company in tough times, while a superficially written plan will only make things worse.

Click here to see a sample  Business Continuity Plan .

Banner image

Writing a business continuity plan according to ISO 22301

Free webinar explains the basics about business continuity plans and how to structure them

Banner image

Related Products

strategy for business continuity plan

ISO 27001 Premium Documentation Toolkit

strategy for business continuity plan

ISO 27001 Lead Auditor Course

Upcoming free webinar, related articles.

You may unsubscribe at any time. For more information, please see our privacy notice .

Home  >  Learning Center  >  Business continuity planning (BCP)  

Article's content

Business continuity planning (bcp), what is business continuity.

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following element

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and substitute plan to deal with absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so as to be able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

  • Methods of communication (e.g., phone, email, text messages)
  • Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
  • Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

  • Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
  • Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
  • Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing  maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and  disaster recovery  (described below) load balancing is a preventative measure.  Health monitoring  tracks server availability, ensuring accurate load distribution at all times—including during disruptive events.

Disaster recovery plan (DCP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DCP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and  RPO .

disaster recovery plan

  • Recovery time objective (RTO)  – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
  • Recovery point objective (RPO)  – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.

See how Imperva Load Balancer can help you with business continuity planning.

Choosing the right failover solutions

Failover  is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

  • Hardware solutions  – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
  • DNS services  – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes  TTL-related delays  that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
  • On-edge services  – On-edge failover is a managed solution operating from off-prem (e.g., from the  CDN  layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.

Latest Blogs

Connected World

Lynne Murray

, Shiri Margel

Dec 1, 2023 5 min read

Mobile phone with a stock exchange app displayed and a finger perusing the trend line

Oct 9, 2023 4 min read

sc

Aug 28, 2023 3 min read

Latest Articles

  • Regulation & Compliance

606.8k Views

191.1k Views

41.7k Views

39.1k Views

37.7k Views

35.5k Views

29.3k Views

25.2k Views

Protect Against Business Logic Abuse

Identify key capabilities to prevent attacks targeting your business logic

The 10th Annual Bad Bot Report

The evolution of malicious automation over the last decade

The State of Security Within eCommerce in 2022

Learn how automated threats and API attacks on retailers are increasing

Prevoty is now part of the Imperva Runtime Protection

Protection against zero-day attacks

No tuning, highly-accurate out-of-the-box

Effective against OWASP top 10 vulnerabilities

An Imperva security specialist will contact you shortly.

Top 3 US Retailer

  • Skip to content
  • Skip to search
  • Skip to footer

What Is Business Continuity?

What is business continuity

Business continuity is an organization's ability to maintain or quickly resume acceptable levels of product or service delivery following a short-term event that disrupts normal operations. Examples of disruptions range from natural disasters to power outages.

  • Watch video (1:14)
  • Business continuity

Contact Cisco

  • Get a call from Sales

Call Sales:

  • 1-800-553-6387
  • US/CAN | 5am-5pm PT
  • Product / Technical Support
  • Training & Certification

Is business continuity the same as business resilience or disaster recovery?

Business continuity, disaster recovery, and business resilience are not the same, but they are related.

  • Business continuity is a process-driven approach to maintaining operations in the event of an unplanned disruption such as a cyber attack or natural disaster. Business continuity planning covers the entire business—processes, assets, workers, and more. It isn't focused solely on IT infrastructure and business systems.
  • Business resilience encompasses crisis management and business continuity. It requires a response to all types of risk that an organization may face. An organization that is business resilient is essentially in a constant state of "expecting the unexpected." It means continuously preparing to meet disruptions head-on, including events of extended duration that may affect more than one facility or region.
  • Disaster recovery focuses specifically on how to restore an enterprise's IT infrastructure and business systems following a disruption. It is considered an element of business continuity. A business continuity plan (BCP) might contain several disaster recovery plans, for example.

What is a business continuity strategy?

A business continuity strategy is a summary of the mitigation, crisis, and recovery plans to be implemented after a disruption to resume normal operations. "Business continuity strategy" is often used interchangeably with "business continuity plan." Both consider the broader goals, legal and regulatory requirements, personnel, and even the business's clients and partners.

What does a business continuity plan mitigate?

A relevant and well-tested BCP can help ease the negative impacts of an unexpected business disruption in many ways.

  • Financial impact: Disruptions to product supply chains and critical services to customers can directly affect sales and revenue. Downtime caused by unplanned disruptions can also result in higher costs for a business as it looks to repair operations and mitigate previously unidentified threats.
  • Reputation and brand impact: Failure to resume operations quickly and supply customers with the products or services they expect can prompt customer defections and tarnish the brand. Damage to reputation can in turn cause investors and capital sources to pull back funding, exacerbating the financial impact of a business disruption.
  • Regulatory impact: Customers and vendors are likely to complain when businesses fail to respond appropriately to disruptions, which may result in regulatory scrutiny or even censure. In highly-regulated industries, such as energy and financial services, business continuity planning is mandatory to ensure regulatory compliance.

Business continuity planning activities

A well-crafted and tested BCP can go a long way toward helping a business recover swiftly from a disruption. These are key steps a business may want to take.

Identifying critical business areas and functions

Business continuity planning begins with identifying an organization's key business areas and the critical functions within those areas. A business needs to determine and document the acceptable downtime for each area and function considered vital to operations. Then a plan to restore operations can be established, documented, and communicated.

Analyzing risks, threats, and potential impacts

Creating appropriate response scenarios requires knowing what disruptions the business could experience. An upfront analysis of risks and threats is necessary in order to prepare contingency responses to events. Organizations can also conduct a back-end analysis after an event to gather metrics and assess lessons learned. This information can drive improvements in how the business responds to disruptions.

Outlining and assigning responsibilities

A BCP details which personnel will be responsible for implementing specific aspects of the plan. It also identifies key decision-makers and a chain of command. The plan should include alternative options in case primary personnel are incapacitated or unavailable to respond to the disruption.

Defining and documenting alternatives

A business continuity plan should define and document alternative communication strategies in case telephone services or the internet are down. Enterprises should also have alternatives for mission-critical spaces such as data centers or manufacturing facilities in case buildings are damaged.

Assessing the need for critical backups

Essential equipment may be damaged or unavailable during a disruptive event. A business should consider whether it has access to backup equipment and uninterruptible power supplies (UPS) during extended power outages. Business-critical data needs to be backed up regularly, and is mandatory in many regulated industries.

Testing, training, and communication

Business continuity plans need to be tested to ensure they will be effective. (Disaster recovery plans should be tested as well.) A best practice is to conduct a plan review at least quarterly with leadership and key team members who are responsible for executing the plan.

Many companies use role-playing sessions, simulations, and other types of exercises several times per year to test their BCPs. This approach helps to identify gaps, develop strategies for improvement, and determine if more resources are needed. Targeted staff training and communicating to the whole workforce the benefits of having a business continuity plan are also vital to its success.

Related products and solutions

  • Cisco Webex Contact Center
  • Virtual Desktop Infrastructure (VDI)
  • Cisco Intersight Workload Optimizer
  • AppDynamics Application Performance Management
  • ThousandEyes End User Monitoring
  • ThousandEyes Endpoint Agents

You may also like…

  • Cisco’s Business Resiliency Strategy
  • Business Continuity Blogs
  • Business Continuity Planning

strategy for business continuity plan

BCMIWhiteLogo.png

  • ISO22301 BCMS Audit
  • Business Continuity Management
  • Crisis Management
  • Crisis Communication
  • IT Disaster Recovery
  • Operational Resilience

Blog_Jan_Ban.jpg

What Are the Types of Business Continuity Strategy?

This is a continuation of the previous article  Formulating Your Business Continuity Strategy .  This  second part of the BC Strategy phase of the "New BCM Manager" series provides the detailed elaboration of the three strategies for business continuity (BC) implementation.

Output of BC Strategy

The output of the business continuity (BC) strategy phase would generally include a strategy for mitigation, (crisis) response, and recovery.

(a) Mitigation Strategy

BCM Series Recovery Strategy Book

  • Are the implemented controls ineffective, or are there other causes that drive likelihood and/or impact variables up, in spite of these controls?
  • Are there multiple causes of a risk, and have we addressed all or only some of them? Obviously high-risk threats cannot be ignored and must be mitigated to the best of our ability.

These threats must be identified and further attempts to lower the risk posed by them must be implemented with the objective to preventing any potential disruption. In addition, a mechanism must be in place to detect and sound the alarm should an threat materialize. These detection mechanisms could take the form of monitoring tools that captures and records abnormal changes in the environment or process.   

While it is always better to prevent a disaster from happening, it is impossible to say with one hundred percent certainty that one will never occur. In the unfortunate event that a disaster causes business operations to be disrupted, a strategy is required to ensure effective and timely recovery and resumption.

(b) Recovery Strategy

The recovery strategy should focus on re-gaining or re-establishing what has been lost in the disaster.

  • Think people, facilities, systems, records, equipment and the like.
  • What has the disaster deprived the organisation of, and what resource needs to be recovered to allow the organisation to carry out its critical business functions and meet its minimum committed service levels?
  • How quickly must these resources be made available? Then brainstorm on how to acquire these resources within the acceptable time frame, guided by the associated business function recovery time objective (RTO) .
  • What resources could be built or acquired by the organisation in anticipation of a disaster. This model gives the highest level of recovery assurance as the critical resource is guaranteed. For example, facilities, like a hot site, could be purpose-built so that in the event of a disaster, a critical function can be immediately up and running.

Alternatively, an organisation that does not or chooses not to own spare resource, could lease the resource. An example of leasing is to subscribe to a shared recovery space with a reputable service provider.  There is some minimal assurance that recovery seats are available; however, as with such a model, there is no guarantee - the seats are shared and the first caller activating the recovery seats will be given priority. Yet other organisations may choose to procure resources only when a disaster occurs. This model gives the least recovery assurance as the required resources may not be available when needed most.

In developing the recovery strategy, not only must one think about getting back resources needed to continue critical business operations, one must also keep in mind that the recovery must be done within the prescribed RTOs for these critical operations. If a resource cannot be recovered in this time, an alternative means or interim method of carrying on the critical operation must be found. These interim measures are often called Temporary Operating Procedures (TOP).

(c) Crisis Response Strategy

Where an organisation does not already have an incident management or response plan, the strategy might also include a response component that spells out the prioritized activities that the organisation would undertake in a disaster. These activities include emergency responses, like evacuation, situational assessment and modes of communication.

Typically the business continuity strategy outlines the structure of how to prevent, respond and recover from a disaster.

strategy for business continuity plan

It approaches recovery at a macro level and does not dwell on details. This is often useful in providing an overview to management and allows them to see the “big picture” for organisational recovery. It is important to gain their approval before we proceed to decompose the strategy into detailed actionable steps in the plan development phase of the project.

Learn More About Business Continuity Management (BC-CM-CC-ITDR)

You may want to know more about business continuity management courses.

CTA KMA Know More About BCM

      

singapore_flag

For our Singapore colleagues, funding are available under the  CITREP+ and WSQ program.

New call-to-action

hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '0ab1a8b7-14ce-444a-a632-b58a1e494344', {"useNewLoader":"true","region":"na1"}); hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, 'dc3955a2-1ceb-4902-9559-49f94948fc8a', {"useNewLoader":"true","region":"na1"}); hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '6cd9625e-8a55-4266-88bb-49ecc436d642', {"useNewLoader":"true","region":"na1"});

New Call-to-action

  • Australasia
  • Asia Pacific
  • Middle East
  • North America

Continuity Central

The latest business continuity news from around the world

A methodology for developing a business continuity strategy.

By Alberto G. Alexander, Ph.D, MBCI

Once an organization has developed its business impact analysis (BIA) and its risk assessment, it has, according to ISO 22301:2012, to determine an appropriate business continuity strategy (BCS) to be able to resume and recover prioritized activities, at a specified minimum acceptable level. This has to be done taking into consideration the time within which the impacts of not resuming the activities would become unacceptable. The development of a BCS is probably one of the most complicated steps in building a business continuity management system (BCMS). An appropriate BCS demands the usage of a methodological approach and creative thinking. In this article the author presents a methodology for developing an effective BCS and the managerial aspects which need to be considered to stimulate a creative thinking environment.

Introduction

The objective of this stage of the BCMS process is to develop a business continuity strategy that satisfies the business recovery requirements identified in the BIA stage. The BCS is composed of a set of recovery options to be utilized as alternatives in the event that existing critical resources become unavailable. The business recovery requirements can generally be grouped into four recovery areas (Hiles, 2011):

  • IT systems and infrastructure
  • Manufacturing and production
  • Data and critical/vital records.

Some illustrations of recovery requirements for these areas could be the following:

Work areas: Arrange an alternate work area for the crisis management team Arrange an alternate office work area for staff

IT systems and infrastructure: Arrange an alternate facility for recovering IT systems Recover damaged systems

Manufacturing and production: Recover damaged manufacturing equipment

Data and critical/vital records: Restore damaged critical records Restore lost data.

This article will describe a framework for developing the BCS. The approach begins by identifying business recovery requirements and ends with a set of recovery options for the BCS. Within the framework, several recovery options are considered as possible solutions to address the recovery requirements. For example, in the area of IT systems and infrastructure, potential recovery options include a hot site, cold site, or warm site. These options generally have different recovery times, costs, and capabilities associated with them.

Only those options that meet the recovery time requirements are selected for further assessment. The framework compares costs and capabilities of the selected options and determines the most appropriate and viable alternative. The final assessment consists of deciding which is the most appropriate recovery strategy. A formal, structured approach should be used for evaluating the pros and cons of the various potential strategies. A strategy selection scorecard is presented which can be used to help ensure a balanced evaluation.

An approach for business continuity development

The BCS development framework consists of four phases:

  • Phase A: Recovery requirements identification
  • Phase B: Recovery options identification
  • Phase C: Availability time assessment
  • Phase D: Cost-capability assessment.

Phase A of the framework determines the recovery requirements to be addressed by the BCS. Phase B identifies possible options as solutions to the recovery requirements. Phase C eliminates those options that do not meet the recovery time requirements. With the remaining options, Phase D assesses their cost and capability trade-offs to select the most viable and effective option.

Figure one, below, illustrates the four phases of the BCS development framework.

strategy for business continuity plan

Figure one: continuity strategy development framework 

Phase A: recovery requirements identification

This phase identifies the recovery requirements to be addressed by the BCS. Phase A consists of five steps as shown in figure one. Step 1 produces a list of recovery requirements to be addressed by the BCS. These requirements, which are primarily derived from the BIA, identify:

  • Critical business processes and resources that should be the focus of the recovery strategy, and
  • Time requirements: maximum tolerable period of disruption (MTPD), work recovery time (WRT), recovery time objective (RTO) and recovery point objective (RPO), for recovering these processes and resources.

Step 1 can also produce additional recovery requirements not included in the BIA. Examples of such additional requirements are the resources needed to support the crisis management center  / centre (a facility from which the crisis management team directs recovery efforts). It can be located in an office work area or a hotel conference room.

Steps 2 to 5 of this phase group the recovery requirements, identified in step 1, into different recovery areas. The most typical four common recovery areas are:

  • IT systems an infrastructure

The recovery requirements for each category area are further divided into different categories. Steps 2 to 5 produce detailed requirements for each category corresponding to their recovery area. The list below shows the recovery areas and requirement categories for steps 2 to 5.

Recovery area: work areas Recovery requirement categories:

  • Alternate office work areas for staff to perform work.
  • Crisis management center, for crisis management team to conduct recovery efforts.

Recovery area: IT systems and infrastructure Recovery requirement categories:

  • Critical IT systems and infrastructure
  • Alternate IT recovery facilities

Recovery area: Manufacturing and production Recovery requirement categories:

  • Critical equipment and resources
  • Critical products
  • Alternate manufacturing and production facilities

Recovery area: data and critical/vital records. Recovery requirement categories :

  • Critical data and off site data storage facilities
  • Critical records and off site record storage facilities.

Phase B: recovery options identification

The objective of phase B is to identify available recovery options for the recovery requirements produced in phase A. As depicted in figure one this phase is divided into several steps, each assigned to a specific recovery area. These steps identify recovery options available for the requirements related to their recovery areas. For example, step 1 identifies three options available for recovering the IT systems and infrastructure recovery area:

  • Pre – established : this is where systems are acquired and installed prior to a disruptive event and are used only for recovery purposes.
  • Pre – arranged (quick ship) : this is where an agreement is made with a vendor that guarantees the delivery of the required systems within an agreed time following a disruptive event.
  • Acquire: as needed this is where the required systems are ordered from a supplier following a disruptive event.

Phase C: availability time assessment

The purpose of this phase is to determine the availability of the recovery options of phase B through an assessment of expected availability time (EAT) of resources specified in the options. For each option, this assessment involves three main steps:

  • Step 1: Evaluate the EAT of the resources
  • Step 2: Compare the EAT with the recovery time requirements-maximum tolerable period of disruption (MTPD), recovery time objectives (RTO), and work recovery time objective (WRT).
  • Step 3: Select the recovery option as viable if its EAT satisfies the recovery time requirements.

 As an illustration of this assessment, assume a pre-arranged (quick-ship) acquisition of IT systems is selected as a recovery option by phase A. Also let us assume that the MTPD, RTO and WRT are less than ten days. The first step evaluates the EAT for IT systems and determines its value as seven days which allows four days of delivery time of the IT systems (based on the pre-arranged acquisition option) and three days of system recovery time. The second step compares the EAT of seven days with the IT system recovery requirements of ten days. Step three selects this option as viable because the EAT of seven days satisfies the ten day recovery requirements.

The options that are not selected by step three are eliminated while the remaining (selected) options are used as input for the next phase.

Step one of the assessment requires a detailed evaluation of various concerns that can adversely impact the EAT of resources.

Phase D: cost capability assessment

The recovery options that satisfy the recovery time requirements in phase C are further analyzed and compared in phase D. The purpose of this analysis and comparison is to select the options which best satisfy the recovery cost and capability requirements. The selected options become part of the business continuity strategy.

As a simple example of this phase, assume that phase B identified the following two systems acquisition options for the recovery of critical IT systems and infrastructure:

  • Pre – established
  • Pre- arranged (quick- ship).

These two options require a further analysis and comparison of their costs and capabilities. Compared to the pre-arranged (quick-ship) option, the cost of pre – established acquisition of systems is generally higher. The recovery effort with a pre-arranged (quick-ship) option, however, is more difficult because the option often requires additional installation and configuration steps compared to the pre-established options. In the pre-established option, such installation and configuration steps occur prior to a disruptive event. Based on this simple comparison, phase D may select the pre–established system acquisition option if the cost is less of a concern compared with the recovery effort.

There are three main steps in phase D. Step 1 defines a list of capability attributes to measure capabilities of recovery options. The capability attributes, which represent specific recovery requirements and preferences of an organization, can include the following:

  • Effort - measures how much effort is needed to implement an option
  • Quality - measures the quality of products, data and service associated with an option
  • Safety - measures how well an option satisfies safety requirements
  • Control - measures how much control organizations have over the use and implementation of an option.
  • Security - measures physical and information security aspects of an option.

Step 2 of phase D evaluates each option in order to determine its cost and assign values to its capability attributes. Qualitative metrics such as low, medium, or high can be assigned to both cost and capability attributes. A low value indicates that an option has high cost or less capability, while a high value represents a low cost or high capability.

Figure two shows an example assignment of values (ratings) to cost and capability attributes of the following recovery options for the IT systems and infrastructure recovery area:

IT system and infrastructure acquisition options

  • Pre – arranged (quick – ship).

Alternate IT recovery facility options

  • Company owned cold site
  • Commercial hot site.

The final step in phase D, selects the most appropriate option by comparing their relative costs and capabilities. The discussion below explains the selection process for the example options in figure two.

Compared with the prearranged (quick – ship) option, the pre-established systems acquisition option requires less recovery effort; results in a higher quality of system recovery; and provides more control over the recovery process. The cost of this type of option, however, is generally much higher than the pre-arranged (quick – ship) option.

Compared to the company owned cold site, the commercial hot site option requires less recovery effort; results in a higher quality of system recovery; offers better safety compliance; and provides better security controls. This is because the hot site is always equipped and ready for use, whereas, a cold site needs additional effort to setup, configure, and test systems and equipment. The safety and security controls are typically provided as part of the services by the hot site vendor. The cost of the hot site option, however, is significantly higher than the cold site option.

strategy for business continuity plan

If the cost is not a primary concern, an organization may select the following options to be included as part of the continuity strategy based on the above comparison:

  • IT system and infrastructure acquisition option-pre-established
  • Alternative it recovery facility option-commercial hot site

General recovery strategy considerations

The key to a successful business continuity strategy is to select recovery options based on an evaluation which considers their characteristics and capabilities. For instance, a hot site option requires a careful consideration of: the distance between the recovery site and the primary site, to ensure it is less likely to be affected by the same disaster; the extent of technical support available during recovery; and the response time to have the hot site available once the disaster is declared.

Illustration of general considerations for evaluating recovery options

Alternate IT recovery facility considerations:

  • Consider a location that would not be affected by the same disaster.
  • Consider the time it would take for the recovery team to arrive at the location.
  • For the most time critical systems, consider the use of commercial hot sites with dedicated mirrored systems capabilities.
  • To reduce the cost, initially use a hot site to recover critical systems then move to a cold site until the original or a new site becomes available.
  • Avoid reciprocal agreements if the system and equipment compatibility is difficult to achieve or maintain.
  • Ensure that the IT recovery facility has adequate power redundancy, fire protection controls, and physical security access controls.
  • Ensure that the IT recovery facility vendor provides adequate technical support.
  • Select an IT recovery facility vendor with a long history of supporting IT recovery facilities.

Alternate work area considerations:

  • Consider a work area, which is at a location not expected to be affected by the same disaster.
  • Consider a contract with a work area vendor for fixed or mobile office work areas.
  • Consider ‘work from home’ as an option.
  • Consider the use of existing remote company locations and spaces.
  • Ensure that the alternate work area is equipped with adequate data and voice communications lines and equipment, and amenities such as bathrooms and shower facilities.
  • Ensure both remote and local personnel can access the alternate office work area.
  • Consider the use of hotel conference rooms for the crisis management center.
  • Ensure the alternate work area is equipped with office resources such as fax, copiers, white boards, and stationary.

Off –site storage facility considerations:

  • Consider a storage location which is at a safe distance away from the primary site, and where it is unlikely to be affected by the same disaster.
  • Ensure that the hours of operation of the storage vendor meet the storage and retrieval requirements.
  • Ensure that the storage facility can adequately protect the storage media from moisture and temperature damages.
  • Ensure that the storage facility has adequate security and safety controls.
  • Ensure that the storage facility vendor has proper storage media handling procedures.
  • Select a storage vendor with a long history of supporting storage facilities.

IT systems and infrastructure acquisitions considerations:

  • For systems with recovery time objectives of less than eight hours, use a pre-established system acquisition strategy where alternate systems are acquired prior to the disaster event.
  • For systems with a recovery time objective of less than 72 hours but greater than eight hours, use a pre-arranged (quick-ship) strategy where alternate systems are delivered after a disaster within an agreed time period.
  • For systems with a recovery time objective greater than 72 hours, use an acquire-as-needed acquisition strategy where the alternate systems are acquired after the disaster event.
  • Use identical replacement systems where possible.
  • Ensure replacement systems are fully tested for recovery prior to a disaster.
  • Frequently test each system separately and together with other systems.
  • Ensure voice and data network systems and equipment have sufficient capacity for recovery.

Manufacturing and production recovery considerations:

  • For critical equipment with a short recovery time objective, use a pre-established system acquisition strategy where the replacement equipment is acquired prior to the disaster event.
  • Where possible, replace older model equipment with newer models, which are easier to repair and replace in the event of a disaster.
  • Harden the alternate manufacturing and production facility with measures such as redundant heating, ventilation, and air conditioning ( HVAC) equipment or back up power generators.
  • Ensure that the alternate manufacturing and production facility complies with safety and environment regulations.
  • Consider maintaining a backup of critical parts at an off-site facility.
  • Consider stocking a surplus of raw material/product inventory needed during recovery time at a remote warehouse.
  • Establish reciprocal arrangements with other similar organizations for recovery assistance.
  • Consider establishing an agreement with a vendor to salvage and restore any damaged equipment and resources in the event of a disaster.

Recovery contracts and service level agreements

Recovery contracts and service level agreements (SLAs) are a means for ensuring proper implementation of the selected recovery options. Written contracts and agreements must be comprehensive and should account for any conditions that can hinder or prevent successful recovery. As a simple example, consider a hot site as an option for an alternate IT recovery facility for highly time-critical systems.

Even though this option satisfies the recovery requirements, the recovery may be hindered if the recovery contract allows the vendor to use untested compatible equipment instead of identical replacement equipment. An effective contract will either restrict the recovery to identical replacement equipment or allow an exception for the use of compatible equipment only if it has been pretested and validated for recovery, prior to a disaster.

Commercial contracts and agreements for work areas, IT systems and infrastructure, and manufacturing and production recovery areas, should clearly ensure the following:

  • Availability of the facility, with the required setup and configurations, within the acceptable time period for recovery.
  • Adequate frequency and time for testing the facility for recovery.
  • Adequate work areas for staff.
  • Sufficient recovery time.
  • Access to technical support.
  • Adequate capacity for voice and telecommunication links.
  • Availability of identical replacement equipment.
  • Guaranteed access to a recovery facility through alternate arrangements in the event that the facility is being used by any other organization.
  • Clearly stated roles and responsibilities for both vendors’ support personnel and the organization’s recovery team.
  • Secure and easy access to the facility.
  • Process for controlling changes to systems, equipment, facilities and resources.
  • Procedures to renew the contract.

While many of the above concerns also apply to reciprocal agreements, there are certain aspects of reciprocal agreements that are unique. Organizations should ensure that reciprocal agreements could accommodate the following:

  • Sufficient additional capacity to recover the partner’s systems, equipment, work areas, communication links, etc.
  • Security controls to protect sensitive data and information while allowing the other organization to conduct disaster recovery efforts.
  • The time required to setup the facility as an alternate recovery facility once the disaster is declared by the other organization.
  • Safety conditions stated in the recovery requirements.
  • Environmental safety requirements (such as lead free, dust free, chemical free, etc.)
  • Sufficient testing time required to validate the recovery process-
  • Alternate arrangements in the event that the existing facility or equipment is unavailable.
  • Procedures to notify the other party of changes to the facility, systems, and equipment.

The terms and conditions in any of the recovery related contracts and agreements must be carefully reviewed by the organizations´ legal departments. It is also important to investigate the short term and long-term financial and operational status of potential recovery vendors and the organization to support the recovery requirements.

Selecting the right strategies

When selecting the right BCS there are some aspects that need to be considered, such as:

  • Selecting the right continuity strategies usually involves several trade-offs that management has to consider.
  • Typically, the most effective strategies are also the most expensive.
  • Conversely, the least expensive strategies are often impractical, risky, or fail to meet operational requirements.
  • The challenge is to identify those strategies, or mix of strategies, that are affordable but will provide an appropriate level of risk management.
  • A formal, structured approach should be used for evaluating the pros and cons of the various potential strategies.
  • The evaluation should be performed by a cross-functional disciplinary group, not by one or two specialists who may have preconceived biases.
  • Failing to do so can result in selection of shortsighted strategies that provide a completely false sense of security.
  • The use of a ‘strategy selection scorecard’ can be an effective technique for ensuring a balanced evaluation

Strategy selection scorecard

Once recovery options have been chosen, they need to be evaluated according to certain criteria and presented to top management for deciding which will be the strategy to choose. There are many issues involved for deciding which strategy is the most appropriate.

In figure three a strategy selection scorecard is presented to be used to evaluate the strategies that have been selected as the most feasible ones. On the left side of the scorecard are the evaluation criteria that will be used to evaluate the strategies. These are just an illustration of the type of criteria that could be utilized. Each organization will actually decide the criteria’s that are more appropriate to its industry and organizational culture. Each criterion is assigned a weighting factor, an assessment of how well the strategy satisfies the criteria is estimated (scale from 0 to 5). Then a target score is calculated. This score reflects how well the strategy accomplishes the criteria.

This is estimated considering the weight score x the highest satisfaction rating. Next step is to estimate a general satisfaction percentage score, which is calculated dividing the score into target, x 100%. Finally, an overall satisfaction is calculated for the strategy that was evaluated. Each strategy will have an overall satisfaction percentage, which allows making comparisons between different strategies.

“It is very important to take into account when using any kind of scoring technique, that it is not really the final score that matters, but the process that the organization goes through to come up with the score” (Hiles, 2011). Using a scorecard allows the participants to focus on the pros and cons of each strategy in a structured fashion, without letting their personal biases distort the selection process.

strategy for business continuity plan

Figure three: strategy selection scorecard

Stimulating creative thinking

In the continuity strategy development framework presented in figure one, the most complicated is Phase B ‘recovery options identification’. Here, for each recovery requirements identified in phase A, new ways of doing things have to be identified. For this phase to be successful, creative supporting techniques have to be used effectively to enhance the creative thinking of the individuals working on the development of the business continuity strategy. To put into action the framework for developing the BCS, a group needs to be chosen and workshops should be facilitated to develop the BCS framework. A very important concern is the group composition. “Heterogeneous groups are more creative than homogenous groups.” (Prince, Krug: 2012) The number of people is also very important. “Groups of three to five people perform better than individuals when solving complex problems”. (Franz,2012))

Here it is important to be clear that two ingredients are necessary; one is to understand the steps in the framework for developing the BCS, and the other one is to facilitate the environment for creative thinking to flourish. Creativity “involves the generation of new ideas or the recombination of known elements into something new, providing valuable solutions to a problem,” (Cyzewski, 2012). The person acting as a facilitator plays a very important role, he or she needs not only to be knowledgeable of the technical concerns with the BCS framework, but also needs to manage different creativity supporting techniques. The main objectives of a “creative thinking process is to think beyond existing boundaries, to awake curiosity, to break away from rational, conventional ideas and formalized procedures, to rely on the imagination, the divergent, the random and to consider multiple solutions and alternatives,” (Michalko, 2011). Some of the creativity supporting techniques that could be used with the BCS groups to foster the creative thinking process are:

  • Brainstorming: this is one of the best known and most used group based creativity processes for problem solving. It is a method of getting a large number of ideas from a group of people in a short time.
  • Story boarding: this is a creativity technique for strategic and scenario planning based on brainstorming and used mainly by groups.
  • Lotus blossom: this technique can also be used in scenario planning and is very useful for forecasting strategic scenarios. It is designed for groups and is used to provide a more in depth look at various solutions to problems.
  • Mapping process: the use of maps is particularly useful in strategic management thinking in organizations, helping to organize discontinuities, contradictions or differences, and bring pattern, order and sense to a confusing situation, acting as a spatial representation of a perspective.
  • The excursion technique: a very useful technique for forcing a group to have new thought patterns to formulate strategies.
  • Nominal group technique: a structured method of group decision-making, which allows a rich generation of original ideas, balanced participation of all members of the group, and a rank-ordered set of decisions based on a mathematical voting method. It is an excellent technique for enhancing group creativity. 

There are many supporting techniques to help teams develop creative thinking. The recovery options in Phase B need a very creative environment. The main issue is not to replicate the process, but to be creative enough to identify alternative ways to deliver the process output. Here, an eclectic approach to creativity is recommended.

Conclusions

The development of a business continuity strategy needs a methodological framework to guide its steps. In this article the BCS framework has been presented. The sequential of steps need to be followed. No step can be skipped.

It is very important to use the workshop style for putting into action all the steps of the BCS framework. The composition of the group is important. The team that is going to create the recovery options is made of individuals that are knowledgeable regarding the recovery requirements and is familiar to the threat scenario.

The team should not be too numerous, five people is good enough.

 The management of the steps involved in the BCS framework is very structure and mechanical. The most difficult part is the ‘identification of the recovery options’, this is a very dynamic and an unstructured approach is needed to be able to foster creative thinking in the team. Here the role of the facilitator and the correct management of support creativity techniques are fundamental.

Alberto G. Alexander, Ph.D, MBCI International Consultant Dr. Alexander holds a Ph.D from The University of Kansas and a MA from Northern Michigan University. He is the Managing Director of the international consulting and training firm “Eficiencia Gerencial y Productividad”, located in Lima, Perú. He is a member of the Business Continuity Institute.

Bibliographical references

  • Hiles, Andrew. The definitive Handbook of Business Continuity Management. Third Edition. Wiley, 2011, London.
  • Prince, George, Krug, Steve. The Practice of Creativity: A Manual for Dynamic Group Problem Solving , 2012. Mc Graw N.Y.
  • Franz, Timothy. Group Dynamics and Team Interventions: Understanding and Improving Team Performance , 2012, Free Press, N.Y.
  • Cyzewski, Ed. Creating Space: The Case for Everyday Creativity. Penguin 2012, San Francisco
  • Michalko, Michael. Creative Thinking: Putting your Imagination to Work, 2011. Mc Graw, N.Y.

strategy for business continuity plan

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Root Cause Analysis

Additional Resources

  • Business continuity resources
  • 2023 predictions
  • Operational resilience
  • Cyber resilience
  • Business resilience
  • DR and ICT continuity information
  • Business continuity standards

A website you can trust

Business continuity, get the latest news and information sent to you by email.

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.

The Backbone of Resilient Organizations: Demystifying Business Continuity

What is business continuity.

No matter what business you’re in, unexpected disruptions can happen. Outages, natural disasters, supply chain failures, cyber incidents, equipment failures, and other physical and technical issues can all disrupt your ability to function and thrive.

To ensure your business is ready for unexpected events, you need to know what to do when things go wrong—and this is where business continuity comes in. Read on to learn more about business continuity, including disaster recovery, and what to include in your business continuity plan. Also, find out about business continuity management and business continuity solutions.

What is business continuity and why is it important?

Business continuity is an organization’s readiness to continue functioning during times of disruption. Business continuity is important because it reduces the potential impact of a disruption on customers, employees, and partners.

Having a business continuity plan (BCP)—which includes the analysis, technology, documentation, training, key team members, and procedures involved in resolving potential crisis situations—is vital for ensuring business continuity. A BCP includes goals focused on minimizing the potential impact of a crisis on a company’s financials and reputation—and maintaining industry, regional, and global compliance standards and regulations.

What’s the difference between business continuity and disaster recovery?

While business continuity and disaster recovery are often used interchangeably, they’re not the same thing.

Disaster recovery is a key part of a business continuity plan and is focused specifically on systems, data, and IT infrastructures. It includes technology, strategies, and processes for saving, restoring, and recovering data and protecting against cyber threats.

For a BCP to be successful in reducing downtime, mitigating risks, and remediating issues like data loss and corruption, disaster recovery measures are crucial. While both involve processes, people, and technology, business continuity offers a much wider scope to encompass the steps necessary for maintaining operations across every part of a business.

What should be included in a business continuity plan?

There are three components of a business continuity plan to consider:

  • Resilience—developing business functions and infrastructures to be prepared for an unexpected situation.
  • Recovery—setting up backup and recovery solutions for your applications, systems, and networks; determining what systems should be prioritized in the event of a disaster; and choosing a third-party vendor for additional help and resources if necessary.
  • Contingency—creating steps for what to do if a disruption occurs. This includes setting up a chain of command with key people and defining their responsibilities when it comes to communication, technology, third-party contracting, and coordinating temporary spaces. Keep these in mind at every step in the planning process to help ensure your BCP covers the full scope of your business.

With these three key components in mind, take the following steps to start building your business continuity plan:

  • Run a business impact analysis (BIA), which examines your current business functions, processes, and technology. An analysis will uncover potential vulnerabilities, risks, and threats you might encounter. Doing so helps identify areas of improvement and what to prioritize. After an analysis, you may consider making additional technology investments as well.
  • Outline and assign responsibilities for who will delegate, act, and support in the event of a crisis. These individuals will execute any necessary steps, be points of contact, gather resources, and guide efforts to minimize downtime for affected business functions.
  • Determine alternative forms of communication in case your standard means of communication are impacted by an outage or downtime.
  • Prepare backup equipment in case of damage or outages to prevent business-critical functions from stopping.
  • Understand and follow business continuity standards, which are legal and regulatory requirements determined for an industry. These are helpful when determining what steps you need to take in scenarios such as a breach or data loss. Creating a plan isn’t the last step—to make business continuity an important part of your organization, you also need business continuity management.

What is business continuity management?

Business continuity management includes the processes you put in place to set up and maintain your business continuity plan. It should include the following:

  • Creating policies that define the scope, objectives, and principles of business continuity. These should always keep the customer in mind to ensure you’ve documented what business-critical functions may impact customers and who is involved in customer service communication in the event of an outage or disruption.
  • Assembling business continuity teams throughout your organization who can communicate and enforce policies and procedures that are put in place. These employees will take part in ongoing reviews and tests to make sure everything and everyone is properly prepared for an incident.
  • Supporting a culture of business continuity by educating your entire organization about risks, policies, and documentation available. Offering ongoing training is an important way to increase awareness and gather data to see if there are any gaps or areas in need of improvement.
  • Maintaining up-to-date compliance standards and best practices to make sure your processes, workflows, and employees all work within the correct industry standards as they relate to data. If a business doesn’t keep up and an unexpected disruption occurs, there’s the risk of increased financial damages, legal costs, and fines.

Keeping track of all the continuously developing parts of a business continuity plan can be daunting for a growing organization. To reduce the time and effort involved, many businesses invest in business continuity solutions.

What kind of business continuity solutions should I consider?

The business continuity solutions you choose should be based on your organization’s needs. Depending on the industry you’re in, the size of your company, and your business-critical functions, you’ll find a range of software and resources available. These options include:

  • Cloud-based storage solutions, which provide a secure, remote location to back up and run workflows and applications, as well as store data. If there’s a breach or error causing data loss, you can access what you need from the cloud.
  • Backup and recovery tools for making copies of the data, applications, and systems within your IT infrastructure. If anything is deleted, corrupted, or shut down during a disruption, you can restore them and minimize downtime. These solutions offer different options for running backups, including automatically on a schedule, instantly, or as needed.
  • Virtualization tools that replicate environments and workspaces. If there’s an outage or device issues, employees can still access their applications and run processes as normal, reducing downtime that may affect services.
  • Contracts with third-party providers, such as disaster-recovery-as-a-service (DRaaS) and backup-as-a-service. Based on your agreement, a provider can run data backups, host your IT infrastructure, and offer support in the event of a disaster. These services are typically offered with a subscription or a pay-as-you-use model and include support from IT and cybersecurity experts.
  • Unified communication tools to support collaboration across your entire organization. With one platform for connecting frontline workers, customer service agents, and other key members of your continuity teams, it’s easier to keep everyone up to date on disruptions and manage shifts and schedules to make sure the right people are available.

Business continuity should be a priority for any growing business looking to ensure the safety and security of their employees, technology, and data. To support the planning process, there are several solutions available to make business continuity planning easier. Though you can’t predict or prevent every disruption, with the right tools, a solid plan, and an educated team, business continuity can save you time, money, and resources across your organization.

Learn more • Developing your business continuity plan • Business continuity and disaster recovery

About the author

Microsoft logo

Get started with Microsoft 365

It’s the Office you know, plus the tools to help you work better together, so you can get more done—anytime, anywhere.

Business Insights and Ideas does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation..

Cart

  • SUGGESTED TOPICS
  • The Magazine
  • Newsletters
  • Managing Yourself
  • Managing Teams
  • Work-life Balance
  • The Big Idea
  • Data & Visuals
  • Reading Lists
  • Case Selections
  • HBR Learning
  • Topic Feeds
  • Account Settings
  • Email Preferences

Rethink Your Business Continuity Strategy

  • Ndubuisi Ekekwe

Amadeo Giannini, the founder of Bank of America, rescued all funds from his bank after the 1906 San Francisco earthquake. He used that to lend to customers few days after the disaster. Other banks were in smoldering ruins and unable to operate. Having a plan to get all the funds out, shortly after an earthquake, […]

Amadeo Giannini , the founder of Bank of America, rescued all funds from his bank after the 1906 San Francisco earthquake . He used that to lend to customers few days after the disaster. Other banks were in smoldering ruins and unable to operate. Having a plan to get all the funds out, shortly after an earthquake, was a good continuity strategy.

  • Ndubuisi Ekekwe  is a founder of the non-profit  African Institution of Technology  and Chairman of Fasmicro Group with interests in technology, finance, and real estate.

Partner Center

Steps in Building a Business Continuity Strategy in Facility Management

Put on your risk goggles, crunch the numbers and reveal the true impact of disruptions, perfect your evacuation skills, identify your key allies, restore critical functions to bounce back, don’t leave any vulnerabilities unchecked, train like there's no tomorrow, spot threats before they strike, keep your plan supercharged, promote a culture of preparedness.

Bhupendra Choudhary

Ever had that sinking feeling when you realize your facility’s critical systems can fail, leaving you in a state of panic? Or that knot of anxiety that tightens when you discover a major equipment malfunction that brings operations to a grinding halt?

It’s like being in a high-speed car chase, but you’re driving with a blindfold on. You’re determined to keep your facility running smoothly, but all the while, you anticipate the looming disaster around the next corner.

But it doesn’t have to be that way. That’s where a business continuity strategy comes into play.

It’s your lifeline during times of crisis, outlining the procedures and guidelines you need to follow to keep your organization afloat.

But here’s the thing: many facility managers underestimate the importance of having a solid strategy in place.

You might think, “I can handle it when the time comes. I’ll deal with it on the fly.”

But that’s a risky mindset. Without a well-thought-out facilities business continuity plan, you’re putting your staff, resources, and even profitability at stake.

In this article, we’ll delve into the next-gen steps in building a business continuity strategy in facility management, exploring best practices, key considerations, and real-world examples.

Imagine you’re managing a corporate office building. You need to consider various risks such as fire hazards, power outages, natural disasters, or even cybersecurity threats.

Each of these risks has the potential to disrupt your facility and affect business operations. By conducting a comprehensive risk assessment, you can identify these potential risks and their potential impact on facility management.

Once you’ve identified the risks, it’s time to put on your detective hat and uncover the critical functions that are essential for your facility’s smooth operation. These critical functions can vary depending on the nature of your facility, but they often include security, HVAC systems, electrical infrastructure, and communication networks.

Prioritizing the continuity of these functions ensures that even in the face of disruptions, your facility can continue to operate efficiently.

For example, if a power outage occurs, identifying the critical function of electrical infrastructure will prompt you to have backup generators or alternative power sources in place to keep the lights on and essential systems running. Similarly, understanding the potential impact of a cybersecurity threat will lead you to prioritize the continuity of your facility’s data security measures.

Understanding the potential impact of disruptions is crucial for building a robust business continuity strategy.

That’s where the Business Impact Analysis (BIA) swoops in to save the day.

Think of it as your trusty sidekick, helping you crunch the numbers and reveal the true impact of disruptions.

First, you embark on a thorough analysis of your facility’s operations and processes. You leave no stone unturned, examining every nook and cranny to identify the critical functions that keep your facility running smoothly.

Whether it’s HVAC systems, security protocols, or maintenance procedures, you assess their significance and prioritize their continuity.

But it doesn’t stop there. The BIA dives into the financial and operational implications of potential disruptions. You put on your detective hat, investigating the potential consequences of a power outage, a cyber attack, or even a natural disaster. By quantifying the impact in terms of downtime, revenue loss, and customer satisfaction, you gain a clear understanding of the risks at hand.

Furthermore, the BIA uncovers the intricate web of dependencies and interdependencies within your facility. It reveals the domino effect that disruptions can trigger, highlighting the interconnectivity between various systems, departments, and stakeholders. For example, a failure in the electrical infrastructure can disrupt not only lighting and equipment but also impact security systems and employee productivity.

When unforeseen disasters hit, you want to be the expert who swiftly guides everyone to safety, creating a sense of security and preparedness.

Your emergency response plan is the ultimate playbook for handling various situations, from evacuation to sheltering and even lockdown scenarios. It’s like having a superhero team ready to leap into action, ensuring the safety and well-being of everyone within your facility.

For example, imagine a facility manager responsible for a large office building. He creates a comprehensive Emergency Response Plan that outlines the evacuation routes, designated assembly points, and roles for each team member during emergencies. They also set up communication channels, ensuring quick and efficient dissemination of critical information.

When an unexpected fire breaks out on one of the floors, His well-prepared response plan springs into action. Employees follow the clear evacuation procedures, emergency response teams act promptly, and communication channels keep everyone informed about the situation. Thanks to the well-rehearsed plan, everyone safely evacuates the building, and the fire is quickly brought under control.

By developing a top-notch emergency response plan, facility managers like you can instill confidence, protect lives, and safeguard the continuity of business operations, making them the real heroes in the world of Facility Management.

Key allies could include facility staff, tenants, vendors, local authorities, and emergency services. By involving them in the crisis communication plan, you create a united front to tackle any emergency head-on.

For instance, imagine a scenario where a major water pipe bursts in a commercial building, flooding several floors.

In this case, your key allies might include facility staff to coordinate immediate evacuations and shut off water supplies, tenants to inform them about the situation and safety measures, vendors to assist with repairs, and local authorities or emergency services to manage the overall response.

By integrating digital platforms for real-time communication, like mobile apps or group messaging systems, you ensure rapid dissemination of critical information during the crisis.

This approach enhances the facility’s responsiveness, minimizes disruptions, and showcases a coordinated effort that builds trust among stakeholders.

When the unexpected strikes and disrupts critical functions in facility management, it’s time to put our recovery strategies into action.

The goal? To bounce back stronger than ever and restore normal operations swiftly. Developing these strategies is a crucial step in building a robust business continuity plan for facility management.

First and foremost, we analyze the impact of the disruption and identify the critical functions that need immediate attention. With a clear understanding of what needs to be restored, we devise comprehensive strategies to get things back on track.

For example, if a facility is damaged due to a natural disaster, we might establish alternate facilities or activate remote work capabilities to ensure uninterrupted service delivery.

Collaboration is key in the recovery process. We work closely with our trusted vendors and suppliers, leveraging their expertise and resources to expedite the recovery. By forging strong partnerships, we can access necessary equipment, materials, and services promptly, minimizing downtime and ensuring a timely recovery.

When it comes to building a business continuity strategy in facility management, one crucial step is implementing preventive measures to ensure vulnerabilities are not left unchecked. This proactive approach helps safeguard critical systems and functions from potential disruptions.

To begin, it is essential to establish preventive maintenance programs for critical systems. Regular maintenance and servicing can prevent unexpected breakdowns and identify any underlying issues before they escalate. By staying ahead of maintenance needs, facility managers can minimize the risk of system failures and ensure smooth operations.

Another vital aspect is integrating redundancy and backup systems for key functions. Having backup systems in place provides an additional layer of protection against potential failures. Redundancy ensures that if one system fails, there is a backup ready to take over, minimizing downtime and maintaining continuity.

Conducting regular inspections and audits plays a significant role in identifying potential vulnerabilities. By regularly assessing the facility’s infrastructure, equipment, and processes, facility managers can detect any weak points or areas that require improvement. This proactive approach allows for timely corrective actions and mitigates the risk of unexpected disruptions.

Train Like There’s No Tomorrow

When it comes to building a solid business continuity strategy in facility management, one crucial step stands out: training and testing the plan. In this stage, we embrace the motto “train like there’s no tomorrow” to ensure our emergency response teams are prepared for any situation.

Regular training sessions are the backbone of our preparedness efforts. We gather our teams, share knowledge, and sharpen their skills in handling emergencies. Through interactive sessions, we empower our team members with the confidence and expertise to navigate challenging scenarios.

But training alone is not enough. We go a step further by organizing drills and simulations that put our plan to the test. These real-life scenarios allow us to assess the effectiveness of our strategies, identify areas for improvement, and fine-tune our response procedures. It’s like a dress rehearsal, preparing us to perform flawlessly when the spotlight is on.

Training and testing the plan are not just checkboxes to tick off. They are ongoing processes that ensure our facility management team is always prepared and ready to handle any disruption that comes our way. With each training session and simulation, we become stronger, more resilient, and better equipped to safeguard our operations.

By exploring technology solutions like facility management system software , organizations can gain a competitive edge in maintaining business continuity in facility management.

Automation and monitoring systems take center stage, allowing for early detection of potential issues. These systems can monitor critical functions, equipment, and infrastructure, providing real-time insights and alerts.

They act as a watchful eye, ensuring that any deviations or anomalies are promptly identified and addressed before they escalate into major disruptions.

Moreover, leveraging data analytics becomes a game-changer in proactive risk management. By collecting and analyzing vast amounts of data, facility managers can uncover patterns, identify trends, and predict potential risks.

This data-driven approach enables them to make informed decisions, implement preventive measures, and allocate resources effectively.

Integrating technology solutions not only enhances operational efficiency but also empowers facility managers to take a proactive stance in managing risks.

You’ve created a business continuity plan that’s your trusted companion in times of crisis. But here’s the secret to staying ahead of the game – keeping that plan supercharged through regular reviews and updates.

In the world of facility management, change is the only constant. That’s why maintaining business continuity in facilities management requires establishing a regular review process for your business continuity strategy.

Take a step back, gather your team, and evaluate the effectiveness of your plan based on real-life scenarios.

Did it hold up when faced with challenges? Were there any gaps or areas for improvement?

But don’t stop there. Embrace feedback from your team, stakeholders, and even external experts. They bring fresh perspectives and insights, helping you address emerging risks that might have flown under the radar. Their input can be invaluable in making updates and enhancements to your plan.

Let’s say your facility experienced a recent power outage that lasted longer than anticipated. During the review process, you realized that your plan lacked sufficient measures to handle extended power disruptions.

With this feedback, you can update your plan to include backup power solutions or alternative work arrangements to keep operations running smoothly.

Remember, a supercharged plan is a living document – one that evolves and adapts to the ever-changing landscape of facility management.

When it comes to building a business continuity strategy in facility management, engaging stakeholders and promoting a culture of preparedness is essential. It’s not just about having a plan on paper; it’s about fostering a mindset of resilience within the organization. This involves engaging facility management staff in the planning and implementation process.

By involving your team in the development of the business continuity plan for facility management, you create a sense of ownership and responsibility. Their input and expertise can uncover valuable insights and ensure that the plan reflects the unique needs of the facility. Through training sessions, drills, and regular communication, you can empower your staff to become active participants in building resilience.

But it doesn’t stop there. Collaboration with external stakeholders is equally crucial. This includes partnering with local authorities and emergency services. By establishing relationships and open lines of communication, you can tap into additional resources and expertise in times of crisis. They can provide guidance, support, and coordination during emergency situations, enhancing the effectiveness of your business continuity efforts.

Overall, engaging stakeholders and building resilience is about creating a shared commitment to preparedness. It instills a sense of confidence and readiness within the organization, ensuring that everyone is prepared to respond effectively to any disruption that may come their way.

As facility managers, it’s crucial to recognize the importance of building a solid business continuity strategy. By taking proactive steps such as implementing preventive maintenance programs, integrating redundancy systems, and conducting regular inspections, you can ensure smooth operations and minimize disruptions.

With FieldCircle , you can streamline preventive maintenance tasks, automate inspection processes, and stay ahead of potential risks. By embracing a proactive approach and leveraging technology, you can effectively manage your facility’s maintenance needs, identify vulnerabilities, and address them before they escalate into major issues.

These measures not only protect your business from unexpected downtime but also contribute to long-term cost savings and increased productivity. So, whether you’re a startup founder or a seasoned facility manager, understanding the difference these strategies can make is key.

Embrace a proactive approach, invest in preventive measures, and stay ahead of potential risks. By doing so, you’ll build a resilient facility management system that can weather any storm and keep your operations running smoothly.

Related Posts

space management strategy

Managing your facility space has to be no more difficult. But all you need is…

advantages of facility management software in building ops

As an organizational function, facility management integrates processes, people, and places. Enhancing building operations and…

Book a Personalized Demo

Learn how your businesses can use FieldCircle to achieve more efficient, transparent, and profitable service operations.

By submitting your details, you agree that we may contact you by call, email, and SMS and that you have read our terms of use and privacy policy .

Got questions?

Give us a call on.

+1 512.601.5091

+91 120.796.1096

Or email us at:

[email protected]

Schedule a Demo

Everything that you need to know to start your own business. From business ideas to researching the competition.

Practical and real-world advice on how to run your business — from managing employees to keeping the books.

Our best expert advice on how to grow your business — from attracting new customers to keeping existing customers happy and having the capital to do it.

Entrepreneurs and industry leaders share their best advice on how to take your company to the next level.

  • Business Ideas
  • Human Resources
  • Business Financing
  • Growth Studio
  • Ask the Board

Looking for your local chamber?

Interested in partnering with us?

Start » strategy, business continuity : how to make your small business more resilient by planning ahead.

Can your company operate under challenging circumstances? Establish a business continuity plan, so you know the answer is yes.

 Five employees stand in a group in a high-end restaurant. The group's focus is on the woman in the middle of the photo; she holds an electronic tablet and wears a white blouse and dark blue pants. The other employees are dressed in button-up shirts under either aprons or vests. In the background is a set of shelves filled with various wine bottles and a large indoor plant, the leaves of which reach the ceiling.

Business disruption costs your company money. It can result in lost revenues and extra expenses. The worst part is that potential threats can come anytime and anywhere. A natural disaster or sudden illness can leave your company without a leader, supplier, or office space. A business continuity plan (BCP) ensures your organization can function during a crisis.

In 2020, more than 50% of companies worldwide didn’t have a business continuity plan. While many have since implemented one, others lag behind. Learn what a BCP is, how it benefits your company, and how to start.

What is a business continuity plan, and who needs one?

A business continuity plan is a written document that outlines the steps your organization takes during an emergency. On a basic level, your BCP explains who handles essential business operations and highlights time-sensitive tasks. You assign each person a role and describe operational processes so that you can fill empty positions with another team member or new employee as needed. It should be updated regularly and accessible to all staff in digital and paper forms.

All companies benefit from having a business continuity plan, even solo entities. After all, if you are a solopreneur, who will communicate with your clients if you can’t? Also, corporations in some industries must create a BCP. For instance, the Financial Industry Regulatory Authority (FINRA) requires member firms to keep plans according to Rule 4370 .

[ Read more: 5 Types of Organizational Structures for Small Business ]

Core components of business continuity plans

Although business continuity plans vary according to industry and company size, most include similar sections. A solopreneur without employees will have a less extensive guide than an entrepreneur with multiple locations and a large staff.

Your business continuity plan may include the following:

  • A list of roles and responsibilities.
  • Communication protocols for staff, vendors, and customers.
  • An outline of critical functions like payroll and revenue operations.
  • Your strategy for assessing risks, testing your plan, and updating it.

Assessing threats and having an actionable plan gives your company a competitive edge.

Business continuity vs. disaster recovery

A disaster recovery plan (DRP) helps your company move forward after an incident. It’s focused on returning to business as normal. In contrast, a business continuity plan prioritizes keeping your store open and running regardless of the circumstances. A DRP is often part of a more extensive business continuity plan; alternatively, it can be a stand-alone document. The key to creating a resilient business is having both strategies in place.

[ Read more: How to Write an Emergency Preparedness Plan ]

How small businesses benefit from having a BCP

Assessing threats and having an actionable plan gives your company a competitive edge. It ensures that you’re prepared to handle anything that comes your way while reassuring your customers, employees, and suppliers that your business will remain open during trying times.

Here are a few ways business continuity planning benefits your company:

  • Increases organizational awareness: Going through the planning process can alert you to insurance issues, unknown risks, or supply chain concerns . It also encourages your staff to take their roles seriously and understand what’s expected of them.
  • Reduces financial risks: Having strategies to resolve employee, supply chain, or location problems can decrease downtime, allowing you to continue to generate revenue during an emergency.
  • Prevents customer dissatisfaction: Communication issues and business disruption can lead to clients turning to your competitors. Remaining operational means you can fully support customers in their time of need.
  • Improves employee relations: Instability can lower worker retention rates. A BCP shows your staff how and when you will communicate during a crisis. Also, you can engage them during the process to demonstrate their importance to your small business.

Getting started: BCP tips and resources

Ready.gov provides top-notch resources to help you throughout the business continuity planning process. Along with guides and templates, you can view training and testing information or learn how to complete a risk assessment.

Check out free business continuity plan templates from the following agencies:

  • Federal Emergency Management Agency (FEMA).
  • Department of Homeland Security (DHS).

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here .

Next Event: Tax Filing Tips!

Join us on Thursday, February 22, at 12 pm ET for the first episode of our expert series, Ready. Set. Scale.: Smart Tax Tips for a Stress-Free Filing. We will have seasoned leaders offering actionable tips to help minimize the stressors of tax time for small businesses.

Subscribe to our newsletter, Midnight Oil

Expert business advice, news, and trends, delivered weekly

By signing up you agree to the CO— Privacy Policy. You can opt out anytime.

For more business strategies

9 steps to creating a procurement process for your small business, how to file a beneficial ownership information report for your business, 22 resources for black-owned businesses.

By continuing on our website, you agree to our use of cookies for statistical and personalisation purposes. Know More

Welcome to CO—

Designed for business owners, CO— is a site that connects like minds and delivers actionable insights for next-level growth.

U.S. Chamber of Commerce 1615 H Street, NW Washington, DC 20062

Social links

Looking for local chamber, stay in touch.

  • HousingWire
  • Altos Research
  • Reverse Mortgage Daily
  • Newsletters
  • HousingWire Annual
  • Gathering of Eagles
  • Virtual Events

Popular Links

  • Mortgage Rates Center
  • Whitepapers
  • Marketing Solutions
  • We’re Hiring

vpjoebiden_hud2015

Reduce title, real estate and mortgage risk with a cyber response plan

It's time to build a cyber response plan for your business

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to email a link to a friend (Opens in new window)
  • Click to share on SMS (Opens in new window)
  • Click to copy link (Opens in new window)

In today’s rapidly changing technology landscape, businesses in the title insurance , mortgage and real estate industries must prioritize cybersecurity response planning and business continuity. The second in our “ Reducing Risk ” series, this month’s article provides practical strategies for safeguarding your enterprise to ensure its resilience against cyber threats.

By breaking down complex concepts into bite-sized pieces, we’ll equip you with the information you need to protect your digital assets. Read on to learn how to create a strong shield against risk through the development of an effective cyber response plan and solid business continuity measures. 

Understanding cybersecurity response planning and business continuity

Cybersecurity response planning involves creating a plan that outlines how your business will respond to cyber incidents. It’s like having a superhero team ready to jump into action whenever trouble strikes. 

On the other hand, business continuity planning focuses on preparing for potential disruptions to your business operations. It’s like having a backup generator to ensure the lights stay on even during a power outage.

The importance of response plans and business continuity

Now that we know what response plans and business continuity are and how they differ, let’s talk about why they matter for your business:

  • Minimizing Downtime: By having a response plan in place, you can quickly recover from cyber incidents and get back to business as usual. It’s like having a spare key to your office when you accidentally lock yourself out.
  • Protecting Your Reputation: A well-prepared response plan helps you maintain customer trust and protect your brand. It’s like being known as the go-to real estate agent who consistently delivers results and closes deals on time, ensuring your clients have unwavering faith in your abilities.
  • Reducing Financial Loss: In the realm of cyber resilience, crafting a response strategy and maintaining business continuity measures is like building a financial fortress. This proactive defense serves as a vigilant sentinel, defending against cyber threats and safeguarding your company’s treasury. It’s the difference between just weathering a storm and strengthening your position, ensuring financial security and operational continuity.

Creating your cybersecurity response plan

Now that we understand the benefits of having a response plan, let’s talk about how to create one that’s tailored to your unique business:

  • Identify Potential Risks: Start by identifying the cybersecurity risks that could affect your operations. These could include data breaches, phishing attacks , ransomware threats, and more. In much the same way that a seasoned mariner watches the sky to foresee an impending storm, preparing your cyber defenses requires a perceptive eye to detect the subtle signs of digital tempests. Failing to identify and prepare for cybersecurity risks is like ignoring darkening clouds on the horizon. By keeping a vigilant watch and using sophisticated forecasting tools, just as a meteorologist uses radar, we can navigate safely through the turbulent waters of cyber risk.
  • Establish Roles and Responsibilities: Clearly define roles and responsibilities for your team members so they know how and when to respond in the event of a cyber incident . It’s critical to have a game plan in place in which everyone on your team knows their position and play. Like a well-coordinated football team, in which each player has a specific role that is crucial for the team’s defensive and offensive strategies, clearly defining roles and responsibilities enables your team members to execute a seamless response during a cyber incident. 
  • Document Incident Response Procedures: Create step-by-step guidelines for responding to different types of incidents. These procedures may involve isolating affected systems, contacting law enforcement if necessary, and notifying affected parties. It’s like having a well-drawn map guiding you through a labyrinth. With a clear roadmap in place, you can effectively navigate the complexities of incident response, ensuring a swift and effective resolution. 

Building business continuity measures

Creating a response plan is just the first step. Let’s also discuss business continuity measures to ensure your operations stay up and running:

  • Identify Critical Systems: Determine which systems and services are critical for your business operations. Like a bustling metropolis, where data flows like traffic through its streets, your customer database, transactional infrastructure, and communication platforms serve as critical arteries that keep your business traffic flowing smoothly. By identifying these critical systems, you can put safeguards in place to ensure that information flows freely and that your operations remain uninterrupted.
  • Develop Backup Strategies: Implement robust backup solutions to ensure the availability and integrity of your important data. Robust backup strategies are analogous to an impenetrable digital safe protecting your most valuable documents. Crafting a multi-faceted backup plan is crucial, as it ensures that in the event of a digital disaster, your critical data is retrievable and safe. 
  • Test and Conduct Regular Reviews: Regularly test your response plan and business continuity measures to ensure they’re effective and up to date. Like a top-ranking sports team, success hinges on both strategy and practice. Frequently running through your emergency protocols is similar to holding scrimmages before the championship. It enables your team to address weaknesses and enhance performance prior to an actual cyber threat. 

Final Thoughts on Creating Cyber Resilience

Congratulations on reaching the end of our cyber resilience journey! By creating response plans for cyber incidents and implementing business continuity measures, you can reduce risk and protect your title insurance, mortgage or real estate business. Remember to identify potential risks, establish clear roles and responsibilities, and document incident response procedures. And don’t forget to develop backup strategies, test them regularly, and keep everything up to date. With these steps in place, you’re ready to face any cyber challenges that come your way. Stay cyber-resilient, my friends, and protect your digital kingdom!

Bruce Phillips is Senior Vice President and Chief Information Security Officer for MyHome , a Williston Financial Group Company .

  • Cybersecurity

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Most Popular Articles

Latest articles.

Balance

Mortgage rates have risen recently but they could be much worse than they are today.

Boston is the nation’s hottest housing market 

Hud issues $3.8 million in funding opportunities to research ways to boost inventory , gap between black and white renters who were mortgage ready narrowed during the pandemic , rocket lost money last year, so why are its shares up , texas capital bank shoots back at ginnie mae over dismissal motion .

3d rendering of a row of luxury townhouses along a street

Remember me

Don't have an account? Please Sign Up

strategy for business continuity plan

COMMENTS

  1. 11 Critical Aspects Of An Effective Business Continuity Strategy

    No matter its industry or size, every company should have a solid business continuity plan in place to ensure that it can remain operational in the event of any disaster, disruption or...

  2. Business continuity strategy: Options, best practice approaches and

    What should the recovery strategies look like within your business continuity plan? When it comes to business strategy, preparing for the unexpected is a necessary step, but can be a neglected element of strategic planning. Business continuity strategies ' sometimes referred to as disaster recovery planning ' can be one of the tricky jobs we ...

  3. What Is a Business Continuity Plan (BCP), and How Does It Work?

    BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural...

  4. Business continuity plan (BCP) in 8 steps, with templates

    Step 1: Establish an emergency preparedness team Assign a team the responsibility for emergency preparedness. Select a few managers or an existing committee to take charge of the project. It's advisable to assign one person to lead the planning process. You should also ensure that this "emergency manager" has the authority to get things done.

  5. Business Continuity Plan: Example & How to Write

    A Business Continuity Plan should include: 1. BCP Team In the midst of a disaster or emergency, having a team or point person to go to will be essential. The BCP team will be responsible for planning and testing business continuity strategies.

  6. Business Continuity Planning

    Business Continuity Training Part 3: Planning Process Step 1 The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should "prepare" to create a business continuity plan. View on YouTube

  7. What Is A Business Continuity Plan? [+ Template & Examples]

    Published: December 30, 2022 When a business crisis occurs, the last thing you want to do is panic. The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

  8. Business continuity: PwC

    A fully integrated business continuity strategy helps to build an overall culture of resilience. 67% of organisations applied a business continuity plan as part of their response to the COVID-19 pandemic. Source: PwC's Global Crisis Survey 2021 Business continuity and a culture of resilience

  9. How to create an effective business continuity plan

    A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is...

  10. How To Write & Implement a Business Continuity Plan

    A business continuity plan is the outline of procedures to prevent damage, maintain productivity and recover in the event of a national emergency or disaster. When you create such a plan, identify possible threats like fires, utility disruptions or social engineering attacks. Then proactively determine what employees can do to get the business ...

  11. Understanding the Essentials of a Business Continuity Plan

    Here are some of the key components found in successful BCP examples: Risk Assessment and Business Impact Analysis: Identifying potential threats and assessing their impact on business operations is a foundational step in any BCP plan.

  12. Business Continuity Plan (BCP) Structure According to ISO 22301

    According to ISO 22301, business continuity plan is defined as "documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption." (clause 3.5) This basically means that BCP focuses on developing plans/procedures, but it doesn't include the analysis that forms ...

  13. What is a Business Continuity Plan (BCP)?

    Business continuity planning is a proactive business process that lets a company understand potential threats, vulnerabilities and weaknesses to its organization in times of crisis. The creation of a business continuity program ensures company leaders can react quickly and efficiently to business interruption.

  14. Business Continuity & Disaster Recovery Planning (BCP & DRP ...

    The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability. Start with a business continuity plan

  15. What Is Business Continuity?

    A business continuity strategy is a summary of the mitigation, crisis, and recovery plans to be implemented after a disruption to resume normal operations. "Business continuity strategy" is often used interchangeably with "business continuity plan."

  16. PDF Crisis management and business continuity guide

    KPMG to hold a pilot implementation of the strategy, upskill relevant stakeholders and prepare them for further employment of the project plan. Phase 4: Implementation Project Plan Develop a prioritized implementation project plan to achieve the desired target state for Business Continuity. Phase 5: Debrief & Review

  17. What Are the Types of Business Continuity Strategy?

    What Are the Types of Business Continuity Strategy? This "New BCM Manager" series examines the detailed breakdown of each strategy within the Business Continuity Strategy (BCS) phase. Typically, BCS outlines the structure of how to prevent (mitigate), respond and recover from a disaster. Moh Heng Goh Apr 13, 2019

  18. A methodology for developing a business continuity strategy

    The key to a successful business continuity strategy is to select recovery options based on an evaluation which considers their characteristics and capabilities. For instance, a hot site option requires a careful consideration of: the distance between the recovery site and the primary site, to ensure it is less likely to be affected by the same ...

  19. What is Business Continuity?

    A BCP includes goals focused on minimizing the potential impact of a crisis on a company's financials and reputation—and maintaining industry, regional, and global compliance standards and regulations. What's the difference between business continuity and disaster recovery?

  20. PDF Creating a Business Continuity Plan

    CREATING THE BUSINESS CONTINUITY PLAN The business continuity plan (BCP) is intended to be a dynamic plan and can be used in emergencies, disasters, and other catastrophic events where the technology, facility, or a department is severely impacted. BCPs are critical in keeping the facility open and providing care to the community.

  21. Rethink Your Business Continuity Strategy

    Having a plan to get all the funds out, shortly after an earthquake, was a good continuity strategy. Ndubuisi Ekekwe is a founder of the non-profit African Institution of Technology and Chairman ...

  22. Steps in Building a Business Continuity Strategy in Facility

    Train Like There's No Tomorrow. When it comes to building a solid business continuity strategy in facility management, one crucial step stands out: training and testing the plan. In this stage, we embrace the motto "train like there's no tomorrow" to ensure our emergency response teams are prepared for any situation.

  23. Business Continuity: Small Business Planning and Considerations

    Your business continuity plan may include the following: A list of roles and responsibilities. Communication protocols for staff, vendors, and customers. An outline of critical functions like payroll and revenue operations. Your strategy for assessing risks, testing your plan, and updating it.

  24. How To Ensure Business Continuity In The Face Of Internet ...

    Artificial intelligence (AI) can be further leveraged for business continuity, with a 2022 Deloitte survey revealing that 76% of respondents plan to increase investments in AI to gain more ...

  25. 30 Emerging Technologies That Will Guide Your Business Decisions

    This theme focuses on making the right business and ethical choices in the adoption of AI and using AI design principles that will benefit people and society.. Human-centered AI (HCAI) is a common AI design principle that calls for AI to continuously benefit from human input. Behavioral analytics refers to session-tracking capabilities that monitor user interactions with a protected service to ...

  26. Reduce title, real estate and mortgage risk with a cyber response plan

    Reducing Financial Loss: In the realm of cyber resilience, crafting a response strategy and maintaining business continuity measures is like building a financial fortress. This proactive defense ...