What Is Business Continuity Management?
In business continuity management (BCM), a company identifies potential threats to its activities and the threat impact. The company then develops plans to respond to those threats and continue activities through any crisis.
What Is a Business Continuity Plan?
A business continuity plan (BCP) describes how a business will continue to run during and after a crisis event. The BCP details guidelines, procedures, and work instructions to aid continuity.
To learn more about writing a plan, see our how-to guide to writing a business continuity plan.
What Is Business Continuity Planning?
Business continuity planning (BCP) refers to the work a company does to create a plan and system to deal with risks. Thorough planning seeks to prevent problems and ensure business processes continue during and after a crisis.
Business continuity planning ensures that the company deals with disruptions quickly, and minimizes the impact on operations. Business continuity planning is also called business resumption planning and continuous service delivery assurance (CSDA).
What Is the Primary Goal of Business Continuity Planning?
The main goal of business continuity planning is to support key company activities during a crisis. Planning ensures a company can run with limited resources or restricted access to buildings. Continuity planning also aims to minimize revenue or reputation losses.
A business continuity plan should outline several key things that an organization needs to do to prepare for potential disruptions to its activities, including the following:
- Recognize potential threats to a company.
- Assess potential impacts on the company’s daily activities.
- Provide a way to reduce these potential problems, and establish a structure that allows key company functions to continue throughout and after the event.
- Identify the resources the organization needs to continue operating, such as staffing, equipment, and alternative locations.
Business Continuity Planning Steps
A business continuity plan includes guidelines and procedures to guide a business through disruption. The efforts to create a plan are the same for large or small organizations. A simple plan is better than no plan.
The basic steps for writing a business continuity plan are as follows:
- Create a governance team.
- Complete your business impact analysis (BIA) and risk assessment documents.
- Document your plan. Remember to include detailed guidelines and procedures that cover key processes and facilities.
- Test and update the plan regularly.
You can learn more about writing business continuity plans in our comprehensive guide.
The Business Continuity Management Lifecycle
Business continuity management includes preparing for and handling unexpected events. BCM has a six-step lifecycle. This cycle repeats during both regular business times and crises, as you take the right steps to keep activities always running.
The BCM lifecycle includes the following points:
- Mitigate Risk: Proactively identify business continuity risks to your company, and plan how your company will respond.
- Prepare: Train staff on your business continuity plan and ensure they understand what they need to do to help the business respond.
- Respond: Ensure that your company and all employees respond appropriately to a crisis. Be prepared to adapt in the moment.
- Resolve: Ensure that the company plans how to communicate effectively with staff and that it does so appropriately during the crisis.
- Recover: Inform employees, customers, and other important people about the status of the crisis and your company’s response.
- Resume: Communicate with employees and others after the crisis ends.
What Are Business Continuity Risks or Events?
Also called business continuity events, business continuity risks are the most common events that can disrupt a company’s regular operations — these can be natural and human-made crises. Defining these risks is a vital part of business continuity planning.
Such events might include the following:
- Severe weather
- Natural disasters (tornadoes, floods, blizzards, earthquakes, fire, etc.)
- A physical security threat
- A recall of a company’s product
- Supply chain problems
- Threats to staffing and employee safety
- Accidents at an organization’s facilities
- Destruction to a company’s facilities or property
- Power disruptions
- Server crashes
- Failures in public and private services (communications, transportation, safety, etc.)
- Environmental disasters, including hazardous materials spills
- Network disruptions
- Human error/human-made hazards
- Stock market crashes
- Cyber attacks and hacker activity
Any of these triggers can result in broader problems for a company, such as danger or injury to staff and others, equipment damages, brand injury, and loss of income and net worth. Business continuity management and planning address and mitigate these contingencies.
What Is a Business Continuity Strategy?
A business continuity strategy is more often called a business continuity plan. The strategy includes the processes and structure a company uses to manage an unexpected event.
Some people consider business continuity strategy to be a step in the planning process. In the strategy phase, business continuity planners describe the overall approach a company should take to prevent, manage, and recover from a crisis.
An Overview of Business Continuity Management and Planning
There are several goals, key elements, and benefits to business continuity management and planning. The primary goals of management and planning are as follows:
- Build Company Resiliency: Doing so means that your company’s tools, buildings, and operations are resistant to — and not greatly affected by — most disruptions.
- Create a Plan for Recovery (with Contingencies that Aid in That Recovery): If a major event does cause problems, you should have a plan for how to recover quickly. That plan will include contingencies. For example, you should plan for how key operations will resume if there is a widespread power outage.
Business continuity management and planning generally cover the following areas, with differences depending on the organization and industry:
- Disaster Recovery: Disaster recovery involves recovering technology after a disruptive event. You can learn more about disaster recovery and download free templates in our comprehensive article.
- Emergency Management: Emergency management focuses on avoiding and mitigating catastrophic risks to staff and communities.
- Business Recovery: Considered part of business continuity, business recovery centers on short-term activities after a disruptive incident. The short-term is sometimes defined as less than 60 days.
- Business Resumption: This describes the long-term phase of recovery (60 or more days after an event), wherein the company returns to near-normal conditions.
- Crisis Management: Crisis management focuses on communicating with stakeholders during and after a crisis, and controlling damage during the event. To learn more, read our comprehensive guide to crisis management.
- Incident Management: Incident management is an ITIL (previously known as Information Technology Infrastructure Library) framework for reducing or eliminating downtime after an incident.
- Contingency Planning: This covers outlier risks that are unlikely to occur but which could have disastrous results.
“A well managed business continuity management program will help protect people, assets, and business processes,” says Scott Owens, founder and managing director of BluTinuity, a business continuity firm based in New Berlin, Wisconsin. “It may not be able to prevent all incidents. But it can reduce the likelihood of incidents, decrease response time, and lower the cost and impact of an incident.”
Key Elements of Business Continuity Management
All business continuity management programs should include a number of key elements, which serve to ensure that your plan is positioned for success and that you regularly update and improve it.
These important elements include the following:
- Governance: This is the structure and team your business sets up to create and monitor the program.
- Business Alignment: This section details how your company’s current business continuity management and planning processes compare to expert approaches and industry standards.
- Continuity Strategy and Recovery Strategies: Include a detailed plan that assesses risks to your organization and how you can recover, should those risks become reality.
- Plan Documentation: Provide details on the plan that everyone in your company can access. To get started, see our roundup of free business continuity plan templates.
- Tactical Implementation: This section includes details on the specific ways your company plans to recover from certain types of incidents.
- Training: In this section, detail how you will train your staff to understand the business continuity plan and their role in it.
- Testing: Include real-world simulations of a crisis event, and test how your company and its employees respond and the effectiveness of your business continuity plans.
- Maintenance: Make changes to the plan where necessary to increase its effectiveness.
- Monitoring: This section details how you will continue to compare industry standards and expert advice to how your plan is working.
To learn about formal requirements for business continuity planning and management, see our comprehensive article on the ISO 22301 standard.
The Costs of Business Continuity Management
The costs to do an appropriate job of business continuity management can be significant. However, some reports say that the cost of unforeseen downtime may be as much as $2.5 billion a year for Fortune 1000 companies.
Kurt Engemann, Ph.D., is Director of the Center for Business Continuity and Risk Management at Iona College in New York, Editor-in-Chief of the International Journal of Business Continuity and Risk Management and author of Business Continuity and Risk Management: Essentials of Organizational Resilience. In the book, he says that costs for business continuity preparation do not only include the groundwork to assess a company’s risks and plans to manage those risks. Rather, they also cover the needed backup facilities and equipment and company assets for emergency response. In addition, costs must cover resources for training employees and testing the plan.
Some experts have estimated that business continuity management and planning within only the crucial information technology aspects of companies can cost two to four percent of the information technology budget. But the costs are necessary, and worth it in the long run, according to business continuity experts.
“There is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis,” Engemann writes in his book. “Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term prospective.”
When an organization’s top executives complain about the costs, Owens says, “Ask them what it would cost their organization for an hour of downtime. Or eight hours. Or 24 hours. Chances are the cost — financial, operational, and to brand and reputation — of having key business functions unavailable for an extended period are significant. They will most likely find business continuity management to be worth the investment.”
Benefits of Business Continuity Management
Like Engemann, Owens points out that there are significant benefits to the investment organizations make in business continuity management, including the following:
- Mission Critical Processes: If you understand your key processes, you can plan to protect them and prioritize their recovery.
- Legal and Regulatory Compliance: Laws or regulations require companies in some industries to implement a formal business continuity management system.
- Satisfying Demands from Other Organizations: Some groups and companies may require that your company sets up BCM before they do business with you.
- Insurance Payments: To get the maximum payments from an insurance policy after an event, a company must have suitable business continuity management policies in place.
- Reputation Management: Your business’s brand will be greatly helped or hurt, depending on how an unforeseen event affects its operations.
- Competitive Advantage: A strong business continuity plan can offer your company the advantage over peers who are not as well prepared.
- Seamless Recovery: Cloud-based technologies make data backup, remote work, and business recovery affordable and accessible. Groups and businesses of all sizes can benefit from such tools. See our article on cloud computing for business continuity to learn more.
- Time Savings: Planning prevents teams from scrambling at the last minute to cobble together a recovery effort. Strong planning helps you get back online — and back on track — faster.
Michael Herrera, CEO of MHA Consulting, a business continuity and disaster recovery firm, cites two other significant benefits:
- Keeping Customers and Avoiding Major Financial Losses: Getting operations back to normal quickly after an event means your company loses less money.
“Your customers aren’t as patient as you think they are,” Herrera explains. “They expect you to have a business continuity system and they expect you to be up and running. Their patience does run out.”
- Improving Day-to-Day Operations: Herrera says his firm’s clients often discover how business continuity planning gives them insights into the day-to-day operations of their company. “It really can help you with process improvement and getting a good understanding of what your business does every day.”
Additionally, strong business continuity planning will enable you to do the following:
- Officially declare a disaster and alert senior management.
- Assist in the development of an official public statement regarding a disaster and its effects on a business.
- Monitor your business’s progress and present the recovery status.
- Provide ongoing support and guidance to teams with pre-planned operations.
- Review critical processing, schedules, and backlogs to keep everyone up to date on status.
- Ensure businesses have both the resources and the information to deal with an unforeseen emergency.
- Reduce the risk that an emergency might pose to employees, clients, and vendors, etc.
- Provide a response for both man-made and environmental disasters.
- Improve overall business communication and response plans.
- Summarize both the operational and the financial impacts resulting from the loss of critical business functions.
- Allow businesses to plan for a loss of function that has potentially larger, more severe consequences.
See our article on the importance and benefits of business continuity planning to read more expert examples of how business continuity can bolster your company.
Key Business Continuity Management and Planning Considerations
Companies don’t have to face business continuity planning alone. There are a variety of tools and services that can help, including the following:
There are hundreds, if not thousands, of consultants and companies that can provide help with developing your business continuity plan. Below are a few things to think about in choosing one:
- How experienced are they? How long have they been around?
- What’s their reputation as a company? What do their clients say about them?
- Are they focused on a specific industry or area of business continuity, or do they have experience with a range of industries and a broad spectrum of business continuity?
- How do they think about business continuity (as a somewhat separate practice or something that needs to be ingrained within your organization)?
- How aligned is their advice with standards in your industry?
Business Continuity Software
There are also hundreds of pieces of business continuity software on the market. Here are some things to consider:
- Are you looking for software that will automate the development of plan components, or software that offers more in-depth help during the planning phase?
- What is the history of the software and the company behind it? How long has this particular software been on the market and what is the history and the reputation of the company behind it?
- Is the software being continually updated and improved?
Below are some specifics to consider as you test drive the software:
- Does it have an easy-to-use interface?
- Does it cover all aspects and components of business continuity, including business impact analysis and risk assessment?
- Does it include sufficient storage for your company’s supporting documents?
- Does it provide secure portable access via mobile or other technologies, if a crisis interrupts your information technology systems?
- Does it provide strong data analytics?
- Is it secure and private?
Primary Things Your Organization’s Business Continuity Management System Should Accomplish
While your business continuity management system will have various elements and details, there are some primary things it should do for your organization. They correspond to the key elements listed earlier in this article.
For example, a BCM system should help do the following:
- Understand your company’s needs for business continuity and disaster preparedness. A BCM system should be able to assist company leaders in understanding the need for a business continuity management policy.
- Understand which processes should be recovered and in what order.
- Establish business continuity metrics to gauge success.
- Plan for communicating with customers, staff, and other stakeholders.
- Determine what tools, technology, and staffing are required to restore activities and support customers.
- Establish remote-work support or relocation plans for staff and activities.
- Implement ways to continually assess and manage continuity risks.
- Monitor and review how your business continuity management system is working.
- Continually improve the system.
- Respond effectively in a real-world crisis, and allow the business’s critical operations to continue and all operations to resume quickly.
Although nobody wants to think about disasters or the effort needed to prepare to meet and mitigate crises, the alternative is the potential loss of reputation, income, or the entire business. In sum, planning translates to determining your key processes, equipment, and tools, and applying basic recovery strategies.
The Importance of Senior Organizational Leaders Strongly Supporting Your Business Continuity Management and Planning
Your senior leaders must strongly support your company’s business continuity management plan for it to succeed. Such leadership is key as storms, floods, pandemics, and data breaches increase in force and frequency.
“Make sure senior management is committed to the planning, development, execution, and implementation of a business continuity/disaster recovery program,” says Paul Kirvan, a business continuity consultant and a fellow of the Business Continuity Institute with 25 years of experience in business continuity work. “Otherwise, it simply won’t happen. Such programs work best if they have top-down support and funding, as opposed to being developed from the ground up.”
Business Continuity Plan Test Types
Testing verifies the effectiveness of your plan and provides training for participants. To ensure better communication, include suppliers, vendors, and other stakeholders in exercises. If appropriate, also consider including local emergency preparedness officials.
There are four types of testing, and each requires increasing levels of planning, resources, and focus. You should try to run each type of drill regularly.
- Plan Review: Plan reviews are often the first test applied to a new plan. In this test, top management and some key BCP personnel review the relevance and completeness of a plan. Such a review can verify risk and BIA results, and help you check for gaps and inconsistencies among continuity documents.
- Tabletop or Structured Walkthrough: A tabletop test requires more preparation and time. It provides a role-playing exercise for recovery teams.
- Simulation or Walkthrough Drill: In a walkthrough drill, your continuity team physically completes the type of tasks they'd find in a crisis. They may practice evacuating a building during a fire, restoring a backup, or switching to another communication frequency.
- Functional or Live Scenario: Functional tests include a complete physical drill of continuity plans. Live tests may focus on one aspect of the plan or include the complete plan. They may include one part of the company or all team members.
Be sure to document what happened in the test so everyone involved in the exercise — and especially those who created the plan — can understand what did and didn’t go well, and can revise as necessary.
Business Continuity Management Policy Statement
A business continuity policy statement is a written document that outlines a company’s business continuity management program. It is important to share the policy statement with all staff. The company's senior management should sign and endorse it.
Our business continuity policy article offers examples of policy statements and expert insights into writing policies.
Cultivating Awareness of Business Continuity Plans
The best business continuity system is useless if no one knows about it. Find ways to promote your plans in daily company activities, and discuss business continuity regularly in company and team meetings. Also, be sure to include the business continuity manager in cross-functional planning meetings so they can represent the business continuity perspective. Above all, exercise your plan, test your plan, and then test again.
What Is the Importance of a Business Continuity Plan?
A business continuity plan is vital to ensure that your company mitigates downtime during a crisis. Resuming activities quickly after an event also helps ensure your company’s financial health.
How to Write a Business Continuity Plan
It is crucial that your company set up a group of people to help create your business continuity plan. The group should include senior leadership, experts, and staff. A simple, practical plan is the best plan. At a minimum, include continuity team roles and duties, and team member contact information. You should also add guidelines and checklists for dealing with unforeseen events.
Daily business functions rely on many resources — human, utilities, machines, and even paper, pens, and pencils. Business recovery after a disruptive event is no different. See our in-depth article on writing a business continuity plan for a complete list of resource types you may want to include in a plan.
You can ask certain questions as you form your strategy, and a business continuity plan usually includes common resources and elements. See our article on how to write a business continuity plan to learn more.
Business Continuity Plan Template
This template can help you document and track business operations in the event of a disruption/disaster to maintain critical processes. The plan includes space to record business function recovery priorities, recovery plans, and alternate site locations. Plan efficiently for disruption and minimize downtime, so your business maintains optimal efficiency.
What Is a Business Impact Analysis and Why Is It an Important Part of a Business Continuity Plan?
A business impact analysis (BIA) is one of the most important parts of business continuity planning. The analysis considers how an unforeseen disruption could affect a company. BIA results also suggest how a business can recover from a crisis.
The business impact analysis will include details on the following:
- Recovery time objectives that outline the organization’s goals relating to how quickly various services and processes will resume after an event
- Financial impact of an incident
- Impact on customers
- Other possible impacts of an incident
- How the organization will prioritize recovery steps
- How the organization will prioritize critical services or products
- Identification of potential revenue loss
- Identification of additional expenses the organization will incur because of the event
- Identification of insurance an organization has or needs to have
- Identification of an organization’s dependencies on other agencies, companies, and providers
See our business impact analysis toolkit to find guidelines and templates to get started.
Risk Mitigation for Business Continuity
Risk assessment is one of the first steps in preparing your business continuity plan.
Risk management includes identifying and ranking risks, and risk control includes identifying policies and procedures to avoid and contain risks.
To learn more about risk management, read our comprehensive guide.
The Importance of Periodically Testing an Organization’s Business Continuity Plan
Even the best business continuity plans are useless if you do not continually test them in real-world mockups. Testing helps you continuously improve procedures, and also keeps plans synched with current business context.
Robert Sollars, a security trainer and consultant from Mesa, Arizona, says, “You must exercise your plan and train your employees in it. This can be costly and unwieldy at times, but it is an absolute must. I liken this to buying a Lamborghini and letting it sit in the garage, never starting it up, never driving it, never doing anything but admiring it. Your plan must be taken out and test driven at least two to three times per year. If you don’t test it, then when the real thing pops you will realize what the books, consultants, and experts have told you is useless for your organization. Testing it allows you to figure out the bugs and tweak the necessary items to make it more efficient and effective.”
Owens adds, “If you haven’t tested your plans, you aren’t ready for a disaster.”
You can do some testing through simpler tabletop exercises — for example, by talking through hypothetical incidents with your team. But Owens and other business continuity experts say organizations should also periodically do exercises that more closely mimic a real-world event.
“Organizations need to move … to progressively more complex scenarios, involving cross-functional teams and interdependent systems and processes,” he writes in a blog post about business continuity. “This is the only way that a company can get outside its comfort zone to truly understand if what they have designed will really work. My preference is to involve role-playing, actors, and include participation from vendors, business partners, and local law enforcement when appropriate. This will almost always result in lessons learned and opportunities to improve the plan, which is another great outcome.”
The most important result from testing your plan is an understanding of where theoretical solutions won’t work in real events. This understanding will then allow your organization to amend the plan to be more effective.
What Is a Business Continuity Plan Governance Committee?
Many companies set up a business continuity plan governance committee, which consists of staff members and senior leaders (their continuity efforts are vital). Governance tasks include writing the business continuity plan and supervising ongoing plan maintenance.
The committee is often responsible for the following duties:
- Approving the governance structure of the committee
- Clarifying the roles of committee members and others working on the plan
- Overseeing the creation of working groups to develop and implement the plan
- Providing overall direction and communicating important information to employees
- Approving the continuity plan and essential specifics within it
- Setting priorities within the plan
The committee often includes the following members:
- A senior leader from the business, often the sponsor
- A business continuity manager and assistant manager
- The company employee, or outside consultant, who will serve as overall coordinator of the business continuity plan
- The company’s security officer
- The company’s chief information officer, or information technology leader
- Representatives from the company’s business department, to help with the business impact analysis
- An administrative representative
How to Cultivate Resilience in Your Organization
A resilient organization has the tools and abilities to survive a disruptive event, and also regularly looks for new threats and adapts to changes in the organizational and industry landscape. Resilience experts recognize two types of resilience: reactive resilience uses a company’s existing processes to meet and overcome a crisis; proactive resilience anticipates disruptions and considers methods to prevent problems.
Real World Example: Lessons Learned About Business Continuity from the Terrorist Attacks of Sept. 11, 2001
Organizational leaders and business continuity experts learned a lot from the terrorist attacks of September 11, 2001. Worst of all, the attacks killed thousands of people. But they also severely disrupted communications, financial transactions, and some commerce in New York City and throughout the world.
The following are among the lessons learned:
- Business continuity plans must be tested frequently, and updated where needed.
- The plans must assume a wide range of threats.
- The plans must take into account how much companies, agencies, and other entities depend on each other.
- Key people from any organization must be available and reachable when an incident happens.
- The ability to communicate, especially through landline phones, cell phones, and the internet, is vital.
- Sites that organizations use for backup of their digital information should be located at a distance from their primary information technology site.
- Employee support and counseling may be important during and after a crisis.
- An organization should store copies of its business continuity plan at a location apart from its primary location.
- Security perimeters around the scene of an incident may be large, which may affect employees’ access to organization facilities for long periods.
Legislation Governing Some Business Continuity Management and Planning
The United Kingdom approved the Civil Contingencies Act in 2004, which requires businesses to have business continuity plans in place.
Some industries do have regulatory bodies that may impose business continuity requirements within those industries. For instance, the Financial Industry Regulatory Authority (FINRA) is a private self-regulatory organization overseeing the U.S. financial securities industry. FINRA established FINRA Rule 4370. This rule requires securities firms to create and maintain written business continuity plans. Utility bodies, such as North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC), also require continuity plans.
Guidelines, Standards, and Resources Providing Guidance on Business Continuity Management and Planning
Organizational leaders can use a number of standards set by industry and other groups to guide their business continuity planning and management programs. Below are some commonly used standards:
- ISO 22301: Developed by the International Organization for Standardization (ISO), a standard-setting body, this group of standards sets out appropriate business continuity management practices. Learn more about how this standard can help businesses of all sizes in our guide to ISO 22301.
- NFPA 1600: Developed by the National Fire Protection Association, the standard is one of the most widely recognized in the U.S. on emergency preparedness and business continuity.
- National Institute of Standards and Technology SP 800-34: Sets contingency planning standards for federal information systems in the U.S.
- SPC-2009 — Organizational Resilience: Security, Preparedness and Continuity Management Systems provides critical business and infrastructure security standards developed by the American Society for Industrial Security.
- ISO 27000: Standards for security in information technology systems, which include standards for business continuity in information technology. Learn more about ISO 27000 and find free checklists and templates.
- DRI International: Professional Practices for Business Continuity Management
- Federal Emergency Management Agency (FEMA): Continuity Guidance Circular: Continuity Guidance for Non-Federal Entities: An 86-page formal document, the circular presents FEMA’s perspective on how businesses can prepare for disasters.
- Insurance Institute for Business & Home Safety: Open for Business Continuity Toolkit: This site offers a video, FAQ, and downloadable continuity planning tools.
What Is the Business Continuity Institute?
The Business Continuity Institute (BCI), based in the United Kingdom, is a non-profit professional organization providing education, certification, and leadership on business continuity management. The Institute has more than 8,000 members in more than 100 countries.