Business Continuity Simplified

In business continuity management (BCM), a company identifies potential threats to its activities and the threat impact. The company then develops plans to respond to those threats and continue activities through any crisis.

A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.

To learn more about writing a plan, see our how-to guide to writing a business continuity plan.

Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.

Business continuity planning ensures that the company deals with disruptions quickly, and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA).

The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.   

A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:

• Recognize potential threats to a company.
• Assess potential impacts on the company’s daily activities.
• Provide a way to reduce these potential problems, and establish a structure that allows key company functions to continue throughout and after the event.
• Identify the resources the organization needs to continue operating, such as staffing, equipment, and alternative locations.

A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan. 

The basic steps for writing a business continuity plan are as follows:

1. Create a governance team.
2. Complete your business impact analysis (BIA) and risk assessment documents.
3. Document your plan. Remember to include detailed guidelines and procedures that cover key processes and facilities.
4. Test and update the plan regularly.

Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both in regular business times and crises, as you take the right steps to keep activities always running.

The BCM lifecycle includes the following points:

1. Mitigate Risk: Proactively identify business continuity risks to your company, and plan how your company will respond.
2. Prepare: Train staff on your business continuity plan and ensure they understand what they need to do to help the business respond.
3. Respond: Ensure that your company and all employees respond appropriately to a crisis. Be prepared to adapt in the moment.
4. Resolve: Ensure that the company plans how to communicate effectively with staff and that it does so appropriately during the crisis.
5. Recover: Inform employees, customers, and other important people about the status of the crisis and your company’s response.
6. Resume: Communicate with employees and others after the crisis ends.

Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.

Such events might include the following:

• Severe weather
• Natural disasters (tornadoes, floods, blizzards, earthquakes, fire, etc.)
• A physical security threat
• A recall of a company’s product
• Supply chain problems
• Threats to staffing and employee safety
• Accidents at an organization’s facilities
• Destruction to a company’s facilities or property
• Power disruptions
• Server crashes
• Failures in public and private services (communications, transportation, safety, etc.)
• Environmental disasters, including hazardous materials spills
• Network disruptions
• Human error/human-made hazards
• Stock market crashes
• Cyber attacks and hacker activity

Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.

A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.

Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.

There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:

• Build Company Resiliency: Doing so means that your company’s tools, buildings, and operations are resistant to — and not greatly affected by — most disruptions.
• Create a Plan for Recovery (with Contingencies that Aid in That Recovery): If a major event does cause problems, you should have a plan for how to recover quickly. That plan will include contingencies. For example, you should plan for how key operations will resume if there is a widespread power outage.

Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:

• Disaster Recovery: Disaster recovery involves recovering technology after a disruptive event. You can learn more about disaster recovery and download free templates in our comprehensive article.
• Emergency Management: Emergency management focuses on avoiding and mitigating catastrophic risks to staff and communities.
• Business Recovery: Considered part of business continuity, business recovery centers on short-term activities after a disruptive incident. The short-term is sometimes defined as less than 60 days.
• Business Resumption: This describes the longterm phase of recovery (60 or more days after an even), wherein the company returns to near-normal conditions.
• Crisis Management: Crisis management focuses on communicating with stakeholders during and after a crisis, and controlling damage during the event. To learn more, read our comprehensive guide to crisis management.
• Incident Management: Incident management is an ITIL (previously known as Information Technology Infrastructure Library) framework for reducing or eliminating downtime after an incident.
• Contingency Planning: This covers outlier risks that are unlikely to occur but which could have disastrous results.

“A well managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity, a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”

Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:

Consultant Services

There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:

• How experienced are they? How long have they been around?
• What’s their reputation as a company? What do their clients say about them?
• Are they focused on a specific industry or area of business continuity, or do they have experience with a range of industries and a broad spectrum of business continuity?
• How do they think about business continuity (as a somewhat separate practice or something that needs to be ingrained within your organization)?
• How aligned is their advice with standards in your industry?

Business Continuity Software

There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:

• Are you looking for software that will automate the development of plan components, or software that offers more in-depth help during the planning phase?
• What is the history of the software and the company behind it? How long has this particular software been on the market and what is the history and the reputation of the company behind it?
• Is the software being continually updated and improved?

Below are some specifics to consider as you test drive the software:

• Does it have an easy-to-use interface?
• Does it cover all aspects and components of business continuity, including business impact analysis and risk assessment?
• Does it include sufficient storage for your company’s supporting documents?
• Does it provide secure portable access via mobile or other technologies, if a crisis interrupts your information technology systems?
• Does it provide strong data analytics?
• Is it secure and private?

The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.

A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.

It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events. 

Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.

You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.

Business Continuity Plan Template

This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.

Download Business Continuity Plan Template

Word | PowerPoint | PDF

You’ll find other most useful free, downloadable business continuity plan (BCP) templates, in Microsoft Word, PowerPoint, and PDF formats in this article. 

A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.

The business impact analysis will include details on the following:

• Recovery time objectives that outline the organization’s goals relating to how quickly various services and processes will resume after an event
• Financial impact of an incident
• Impact on customers
• Other possible impacts of an incident
• How the organization will prioritize recovery steps
• How the organization will prioritize critical services or products
• Identification of potential revenue loss
• Identification of additional expenses the organization will incur because of the event
• Identification of insurance an organization has or needs to have
• Identification of an organization’s dependencies on other agencies, companies, and providers

See our business impact analysis toolkit to find guidelines and templates to get started.

Risk assessment is one of the first steps in preparing your business continuity plan. 

Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks. 

To learn more about risk management, read our comprehensive guide.

Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.

Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”

Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”

You can do some testing through simpler table top exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.

“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”

The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.

Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts is vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.  

The committee is often responsible for the following duties:

• Approving the governance structure of the committee
• Clarifying the roles of committee members and others working on the plan
• Overseeing the creation of working groups to develop and implement the plan
• Providing overall direction and communicate important information to employees
• Approving the continuity plan and essential specifics within it
• Setting priorities within the plan

The committee often includes the following members:

• A senior leader from the business, often the sponsor
• A business continuity manager and assistant manager
• The company employee, or outside consultant, who will serve as overall coordinator of the business continuity plan
• The company’s security officer
• The company’s chief information officer, or information technology leader
• Representatives from the company’s business department, to help with the business impact analysis
• An administrative representative

A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.  

Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.

The following are among the lessons learned:

• Business continuity plans must be tested frequently, and updated where needed.
• The plans must assume a wide range of threats.
• The plans must take into account how much companies, agencies, and other entities depend on each other.
• Key people from any organization must be available and reachable when an incident happens.
• The ability to communicate, especially through landline phones, cell phones, and the internet, is vital.
• Sites that organizations use for backup of their digital information should be located at a distance from their primary information technology site.
• Employee support and counseling may be important during and after a crisis.
• An organization should store copies of its business continuity plan at a location apart from its primary location.
• Security perimeters around the scene of an incident may be large, which may affect employees’ access to organization facilities for long periods.

The United Kingdom did approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.

Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC), also require continuity plans.

Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning

Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:

• ISO 22301: Developed by the International Organization for Standardization (ISO), a standard-setting body, this group of standards sets out appropriate business continuity management practices. Learn more about how this standard can help businesses of all sizes in our guide to ISO 22301. 
• NFPA 1600: Developed by the National Fire Protection Association, the standard is one of the most widely recognized in the U.S. on emergency preparedness and business continuity.
• National Institute of Standards and Technology SP 800-34: Sets contingency planning standards for federal information systems in the U.S.
• SPC-2009 — Organizational Resilience: Security, Preparedness and Continuity Management Systems provides critical business and infrastructure security standards developed by the American Society for Industrial Security.
• ISO 27000: Standards for security in information technology systems, which include standards for business continuity in information technology. Learn more about ISO 27000 and find free checklists and templates. 
• DRI International: Professional Practices for Business Continuity Management
• Federal Emergency Management Agency (FEMA): Continuity Guidance Circular: Continuity Guidance for Non-Federal Entities: An 86-page formal document, the circular presents FEMA’s perspective on how businesses can prepare for disasters.
• Insurance Institute for Business & Home Safety: Open for Business Continuity Toolkit: This site offers a video, FAQ, and downloadable continuity planning tools.

The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.