procedure for business continuity plan

• Artificial Intelligence
• Generative AI
• Business Operations
• Cloud Computing
• Data Center
• Data Management
• Emerging Technology
• Enterprise Applications
• IT Leadership
• Digital Transformation
• IT Strategy
• IT Management
• Diversity and Inclusion
• IT Operations
• Project Management
• Software Development
• Vendors and Providers
• United States
• Middle East
• Italia (Italy)
• Netherlands
• United Kingdom
• New Zealand
• Data Analytics & AI
• Newsletters
• Foundry Careers
• Privacy Policy
• Cookie Policy
• Member Preferences
• About AdChoices
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

How to create an effective business continuity plan

A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, or cyberattack. Here’s how to create a plan that gives your business the best chance of surviving such an event.

The tumultuous events of the past several years have impacted practically every business. And with the number of extreme weather events, cyberattacks, and geopolitical conflicts continuing to rise, business leaders are bracing for the possibility of increasingly more frequent impactful incidents their organizations will need to respond to.

According to PwC’s 2023 Global Crisis and Resilience Survey , 96% of 1,812 business leaders said their organizations had experienced disruption in the past two years and 76% said their most serious disruption had a medium to high impact on operations.

It’s little wonder then that 89% of executives list resilience as one of their most important strategic priorities.

Yet at the same time, only 70% of respondents said they were confident in their organization’s ability to respond to disruptions, with PwC noting that its research shows that too many organizations “are lacking the foundational elements of resilience they need to be successful.”

A solid business continuity plan is one of those foundational elements.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, head of compliance at Advance.AI and a member of the Emerging Trends Working Group at the professional governance association ISACA.

A business continuity plan gives the organization the best shot at successfully navigating a disaster by providing ready-made directions on who should do what tasks in what order to keep the business viable.

Without such as a plan, the organization will take longer than necessary to recover from an event or incident — or may never recover at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

A business continuity plan outlines the procedures and instructions that the organization must follow during such an event to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan , which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they often are considered together and abbreviated as BCDR.

Why business continuity planning matters

Whether you operate a small business or a large corporation, it’s vital to retain and increase your customer base. There’s no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.

Moreover, there are increasing consumer and regulatory expectations for both enterprise security and continuity today. Consequently, organizations must prioritize continuity planning to prevent not only business losses, but financial, legal, reputational, and regulatory consequences.

For example, the risk of having an organization’s “license to operate” withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional services firm.

So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, or a week.

“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.

This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.

Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.

This is essentially a business impact analysis.

Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.

Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.

“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.

Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.

“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.

“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.

The importance of testing the business continuity plan

Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.

Renner says testing and practicing offer a few important benefits.

First, they show whether or how well a plan will work.

Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.

They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”

Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises , structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts also advise a full emergency evacuation drill at least once a year.

Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.

“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.

Otherwise, plans go stale and are of no use when needed.

Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

How to ensure business continuity plan support, awareness

One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.

Related content

When your ai chatbots mess up, new research: how it leaders drive business benefits by accelerating device refresh strategies, toyota transforms it service desk with gen ai, csm certification: costs, requirements, and all you need to know, from our editors straight to your inbox, show me more, when natural disasters strike japan, ōita university’s edison is ready to act.

BMC on BMC: How the company enables IT observability with BMC Helix and AIOps

The data deluge: The need for IT Operations observability and strategies for achieving it

CIO Leadership Live Middle East with Amna Al-Balushi, Chief Information Security Officer, Bank Nizwa

Salesforce CIO Juan Perez on transforming logistics with genAI

CIO Leadership Live Canada with Adam Ennamli, Chief Risk Officer, General Bank of Canada

Sponsored Links

• Automation: So you got a bot…Cue the sentimental tunes. We love bots, and their progeny are not evil overlords but business’s productive new friends.
• Leverage 25 years of AWS developing AI to advance your team’s knowledge.
• 81% of IT leaders are planning to use AI in cybersecurity—Get the Report
• Organizations are accelerating AI initiatives to optimize digital experience—Watch Now

• Español (LATAM)
• Português (LATAM)
• English (APAC)

6 Steps for Developing a Business Continuity Plan

Every minute that your business is offline is expensive. While every business differs, you'll find some guidelines for projecting your downtime costs  in this post . But there are other costs beyond dollars. Your reputation, for example, is hard to repair if you're unavailable when your customers need you and your company name is front-page news. No company wants to be responsible for delivering a lesson in security to the rest of its industry, as noted in the headline of a Forbes article  about the Colonial Pipeline  hack.

The best way to avoid these costs is through business continuity planning, including data backup and disaster recovery plans.  That way, if any disaster strikes—from a ransomware attack to a hurricane—you know what to do and have the tools to keep your business running . With that in mind, let's look at the specific areas you need to address as you develop your plan—and how you can ensure it will be effective if and when it is required.

1.    Assess Your Risks

Regardless of your company's size or structure,  you must understand where your risks lie to reduce or eliminate them . You'll want to list every potential threat to your business operations so you can consider how to mitigate those risks most effectively.  Risk assessment should be a team effort, addressing every aspect of your operations and every kind of threat , including:

• Natural disasters
• Cyberattacks
• Human error
• Unplanned downtime
• Power outages
• Data corruption
• System failures
• Hardware failures

2.    Perform a Business Impact Analysis

As noted on Ready.gov, the business continuity planning process should include a  business impact analysis  that addresses lost revenues, increased expenses, regulatory impacts, and other factors. You'll also  find a helpful  business impact analysis worksheet  on the Ready.gov site . As part of this analysis,  you need to establish or update your  recovery time objective  (RTO)—the amount of downtime your business can tolerate—and your  recovery point objective  (RPO) —the amount of data your business can afford to lose before the impacts are just too significant.

3.    Identify Critical Systems

With a clear understanding of your risks and the potential impacts on your business,  the next step is identifying mission-critical systems and functions . This list will help you prioritize these systems for protection and recovery. As you build out your business continuity plan,  mapping your network, hardware, and software topology and dependencies can be invaluable for locating and troubleshooting issues , thus accelerating recovery.

4.    Back Up Your Data

While you are likely already backing up your data in some form,  your risk assessment and business impact analysis should give you a solid foundation for choosing the most effective backup strategy and solution for your needs . At a minimum,  your data backup solutions should adhere to Arcserve's recommended  3-2-1-1 backup rule : Keep three copies of your data in two media types, with at least one copy offsite in the cloud or secure storage and one copy in immutable storage. 

5.    Plan for Recovery

Every IT business continuity plan should include a disaster recovery (DR) plan . Your plan should account for procuring the technologies you need to meet your RPOs and RTOs. It should also designate your recovery strategy—from file-based recovery to virtual machine (VM) and cloud-based recovery, as Arcserve offers with our business continuity cloud. Cloud-based backup services and disaster recovery, such as  Arcserve Cloud Services and Arcserve Cloud Hybrid, ensure business continuity, no matter what.

6.    Test Your Plan (Regularly)

If you need to implement your business continuity and disaster recovery plans, there's no time to waste. It is essential to test your IT business continuity plan to perform as expected if disaster strikes .  Arcserve Cloud Services allows you to  test (or start) a site-wide failover process by pressing a single button.

There's a lot to consider when developing your business continuity plan. And when it comes to business continuity technologies like backup and disaster recovery, it's worth talking to an expert.  Choose an Arcserve technology partner  and get the product information you need to make an informed decision.

You May Also Like

Why management buy-in to cybersecurity solutions and strategies is essential, how all-in-one appliances deliver cyberattack protection and data loss prevention, 7 crucial questions to ask your disaster recovery as a service provider: business continuity matters most.

Ecommerce Business Continuity Planning: 7 Steps to Assess Risk and Plan for the Unexpected

Victoria Fryer

Get The Print Version

Tired of scrolling? Download a PDF version for easier offline reading and sharing with coworkers.

A link to download the PDF will arrive in your inbox shortly.

In 2018, a ransomware attack  hobbled the City of Atlanta. The disruption to their computer systems impacted city services including police and court records, parking, and utilities. Workers were forced to complete paperwork by hand.

In the end, the cyberattack cost the City of Atlanta $17 million — even though the ransom was only $52,000.

The City of Atlanta was caught off guard, with out-of-date software and a number of other IT vulnerabilities.

A story about a German telecom business , however, shows what happens when a plan goes right. When workers discovered a fire inching closer to one of their crucial facilities, they engaged their incident management system to notify and mobilize employees and emergency responders.

The German company’s fast reaction time — facilitated in part by a solid business continuity plan — along with a redundant network design had the facility back in service in just hours.

A solid business continuity plan (BCP) left the German company with better emergency management and the ability to bounce back quickly.

What is a Business Continuity Plan?

A business continuity plan details processes and procedures that will help keep operations up and running — or restore them as quickly as possible — in the event of a major disaster, whether it be a physical disaster (e.g., extreme weather event) or a technological one (e.g., cyberattack).

Whether you’re a small business owner or work for a large enterprise, business continuity planning will help you respond faster when disruption strikes and minimize the negative impact on your business.

Without a plan in place, you run the risk of being unable to continue selling  and shipping products during unplanned disruptions. Your ability to recover from these unplanned disruptions will be much slower and less effective — potentially impacting both your revenue and your brand reputation.

A business continuity plan is not a disaster recovery plan. Disaster recovery planning is part of a business continuity program, but the latter has a much broader scope.

Top Threats to Business Continuity

Depending on your particular business and level of risk, every brand will have different primary threats to business as usual. That’s why risk assessments prior to assembling a business continuity plan can be so helpful.

While you’ll need to have a plan in place for every possible outcome, the following threats are the most common business disruptors to watch.

1. Global pandemics.

Pandemics can throw a wrench in your business plans from all angles and directions. With citizens forced to stay home and do as much work from there as possible, to increased demand for certain items, and decreased supply due to  manufacturer shut-downs or disruptions across the supply chain.

One of the most important plans to put in place if you fear a global pandemic is how your people will communicate with each other and conduct necessary business offsite. It’s also important to have options when it comes to supply in case your supply chain  is disrupted.

2. Natural disasters.

A natural disaster refers to anything weather related — tornados, hurricanes, tsunamis, etc. — or other natural phenomena like earthquakes, wildfires, and volcanic eruptions. Some of these types of disasters are difficult to predict and can onset in seconds. They could cause grave damage to physical structures and anything inside, as well as disrupt supply chains through affected areas.

3. Utility outages.

A loss of power generation, communication lines, or water shutoffs can cause severe disruption to day-to-day operations, potentially damaging physical assets, and losing productivity and service.

4. Cybersecurity.

A cyberattack is any computer-based attack on a technical asset. Examples of cyberattacks include ransomware attacks, data theft , SQL injections, and distributed denial of service ( DDoS ) attacks. At best, your technical infrastructure will be at limited functionality until the issue is resolved. At worst, if you don’t have a data backup , you could potentially lose access to all your business data.

4 Characteristics Guiding Your Continuity Planning

You may be able to avoid some major disruptions, but there’s always room for the unexpected. That’s why you need a solid plan to restore your business after disaster strikes.

1. Comprehensive.

You may never be able to plan for every single possible disruption — or the combinations thereof — but it is worth trying. Don’t assume your first plan is going to work. You’ll need to make sure you have backup plans, and backup plans for your backup plans. Consider every single factor that could play a role, and assume that everything will go wrong at some point.

2. Realistic.

You don’t want to get into a disaster situation and find that your best laid plans actually cannot be carried out as planned. Be realistic about the plan you’ve laid out and make sure that it has as many contingency plans built in as possible.

3. Efficient.

Business is complex, so we won’t sit here and say your business continuity plan needs to be simple. But it needs to be able to be executed efficiently and with the resources you have at hand. The extra stress and expectations in a time of disaster or disruption can make even regular tasks more difficult to accomplish. Make sure this is accounted for in your plan.

4. Adaptable.

Nothing on paper could ever compare to the curveballs that nature or other unexpected forces may throw at us. Leave lots of room in your plan to adapt to the moment, as circumstances change — sometimes minute to minute. The plan should account for constant monitoring of the situation and provide a good foundation from which to pivot to addressing the issue at hand.

Benefits of Business Continuity Planning

Business continuity planning isn’t just a nice-to-have; it’s essential to every business, and disruptions can be costly. We’re talking anything from a DDoS attack taking your site offline for an afternoon, to a warehouse fire resulting in mass loss of product, to a supply chain disruption that keeps your products from making their way to you in a timely manner.

Lacking a plan for initiating emergency response can lead to financial loss, loss of consumer (and team member) confidence, and impact your brand reputation. Here are some of the primary benefits of having a continuity plan in place.

1. Maintain business operations.

If you can keep your business operations running through a crisis, you can mitigate financial loss and send a message of stability to your team members and your customers. Having a strong partnership with your human resources function will be important here.  

2. Build customer confidence.

Your customers want to know that you can respond to anything, so they can keep expecting the service from your brand that they’re accustomed to. In disaster situations, consumers often look to their favorite brands to see how they’re reacting on the public stage and how they’re able to weather the internal storm.

3. Preserve your brand and reputation.

Large-scale disasters and disruptions are likely going to be media fodder, so it’s unlikely you’ll get a chance to follow your plan quietly. The world will be watching. Brands that seem prepared and able to rise to the occasion with strength, consistency, and grace will prove their resiliency to their consumers.

4. Protect your supply chain.

Supply chain is a great example of the maxim, “Don’t put all your eggs in one basket.” Supply chain disruptions are common because there are so many ways they could happen. A pandemic could shutter manufacturing facilities, for example. Or a natural disaster could cripple transportation in an important geographic area. A good plan will set out already-vetted options for circumventing  supply chain  issues.

5. Gain a competitive edge.

In cases where many businesses are affected by a disruption, your ability to get business moving again will go a long way in showing consumers that your brand is among the best. In disaster times, too, consumers watch brands closely to see how they’ll react. Quick but poised action will build trust in your brand, giving you an edge on your competitors.

6. Mitigate financial risk.

Knowing what to do quickly in case of a business disruption is an important piece of risk management. The longer the downtime, the more potential for financial loss. But with the right plans to pick up quickly and restore functionality where you need it most, you can keep your loss as minimal as possible.  

Creating Your Ecommerce Business Continuity Plan

Creating a business continuity plan is, admittedly, probably not the most fun day you’ll have at work. But it is a critical piece of running a resilient business, and it’s important that you, your business continuity team, and the rest of your staff take this seriously.

1. Identify objectives and goals of the plan.

Business continuity management extends beyond your information technology department and related IT systems — it applies broadly to all critical business functions, including human resources, operations, public relations, and more. At the highest level, the objective of creating a business continuity plan is to keep essential business processes running or minimize disruption.

But every business is different — so you’ll need to identify the goals and objectives most important to the way you operate. Those goals will guide your risk assessment, the business continuity planning process, and potential recovery strategies.

2. Establish an emergency preparedness team.

Select a few cross-functional managers or leaders, and anyone else you identify who may bring something valuable to the table. Make sure someone is designated as the leader to keep things moving forward and make decisions when necessary.

3. Perform a risk assessment and business impact analysis (BIA).

Here’s where you’ll identify the biggest potential threats to your business, then research and analyze them thoroughly. Discuss with the team what would happen if you have to reduce, modify, or eliminate essential services or functions. Be sure to document all the identified issues and related business impact.

4. Identify essential ecommerce business functions.

You’ll have to determine how your organization will maintain essential services/functions in the event of an emergency. Here are some of the essential services and functions that you’ll need to have a plan for.

Inventory management and supply continuity.

Think about what happens when you encounter a product shortage. Supply chain issues are common in disasters like major weather events or pandemics. During a disaster, will you have enough inventory? Do you have an inventory management tool or system to help manage inventory? Do you have a plan for times with low or no inventory ?

Order fulfillment and shipping deadlines.

If a crisis hits, can you still fill orders and meet shipping deadlines? It may be helpful to diversify shipping providers. If you use a 3PL , ask them about the steps they take toward business continuity to gauge whether they’ll be able to fulfill and ship in disaster conditions.

Ecommerce platform functionality.

If a crisis were to happen, can you adjust your ecommerce platform  to show out-of-stock items? Can you handle an influx of customers in a situation where supply is greatly increased? Do you have strong cybersecurity and all of your data backed up?

Maintaining customer service.

During a crisis, customers need transparency and empathy. You’ll need to provide a communications plan for your marketing/communications teams and your customer support team. You may need to bring on more personnel to answer customer questions.

5. Prepare a plan for each essential function/service.

Your ecommerce engine runs as a combination of parts, including:

Team members.

Suppliers/ subcontractors.

Each of these parts has to have its own plan. How will you address the situation with your customers? Does that  communication plan  change when it’s the kind of disruption that may have also put their lives in danger? (E.g., as we deal with pandemic conditions, our customers are dealing with that too — and we have to be empathetic as well as informative in every interaction.)

Will you be prepared to switch to another supplier to make sure you don’t run out of inventory? Do you know what your options are if your shipping partner experiences a disruption?

6. Review and make sure every business function has been addressed.

Leave no business function out of your plan, but that doesn’t mean that one doesn’t become more important as you look for ways to operate during disruption. You’ll want to make sure you’ve documented the following:

Level of business risk.

Impact on employees and customers, and how you’ll communicate with them.

Emergency policy creation.

Financial resources that can be tapped into in the event of a disaster.

External organization or community partners who can work together with you to be mutually beneficial.

7. Train staff, test, revise, and update the plan.

Present the plan to all your stakeholders, and suggest being proactive by performing trial runs — for a gut check that each part of the plan works as it should. This will help you identify any missing aspects or weaknesses. Then, once you’ve made any updates based on the feedback, begin to train all staff accordingly.

Nothing is ever certain. Maybe you’ll never encounter a major disruption to your business. But the chances are just as good — if not better — that you’ll have your fair share of challenges.

Being fully aware of your level of risk and what needs to be done to keep the business moving is where you want to start. That alone will give you a competitive edge and help mitigate any financial risk involved.

Then, creating your whole plan will help you rest easier at night. Once everyone in your business is fully comfortable with and trained on implementing this plan, you will have the peace of mind to know that if disaster strikes, not all will be lost.

Victoria is a content marketing writer, researcher, and content project manager at BigCommerce. Specializing in writing and web content strategy, she previously spent eight years in public relations and marketing for Tier I research universities. She holds a B.A. in English Writing and Rhetoric from St. Edward’s University and a Master of Liberal Arts from Lock Haven University of Pennsylvania.

• Australasia
• Asia Pacific
• Middle East
• North America

The latest business continuity news from around the world

A step-by-step guide to writing a business continuity plan for your business.

In an article aimed at providing assistance to those starting out in business continuity, CMAC overviews the basics of business continuity and offers a useful framework for writing your first business continuity plan.

What is a business continuity plan?

A business continuity plan is a written document that describes the emergency procedures that should happen if a business-critical process fails.

Several sources can threaten businesses. Sometimes, disruption can take the form of  Force Majeure  circumstances, like extreme weather or political unrest. Other circumstances are less obvious, but just as disruptive: supply chain issues, web server downtime or power outages can leave permanent damage to a business’s finances after a certain amount of time.

Businesses must prevent unwanted downtime to ensure critical functions and services aren’t affected. The best way to ensure a consistent and effective response to potential issues is to implement a robust, documented business continuity plan.

What is the purpose of a business continuity plan?

A strategically structured and rehearsed business continuity plan provides a number of benefits to both employees and the company itself.

With improvements to communication, technology and resilience, here are a number of examples of the positives that you can expect from a business continuity plan:

Helps your business to survive a disruptive event  - Ensuring you have a robust plan in place will enable your business to recover in the shortest possible timeframe from an incident.

Protect your organization’s reputation and brand  - Whether it’s in the eyes of the public, suppliers and/or clients you work with, showing that you can respond well to the unexpected will instil confidence in your business and help to mitigate any negative feelings due to disruptions.

Strengthen your relationship with third parties and subsidiaries  - With an effective business continuity plan, you’ll demonstrate that your company is being run well from the top down. By showing that you’re a reliable partner that can be depended on, you’ll attract new business and solidify your relationship with current clients and service providers.

Ensure staff safety  - The well-being of your employees is a natural factor in a business continuity plan. By ensuring your team is looked after and knows what the procedure is during disruptions, you can establish clear roles and responsibilities to keep everyone under your care safe in an emergency.

Meet regulatory standards  - Globally, there are corporate governance regulations that require directors and key stakeholders to exercise reasonable care, skill and diligence to mitigate risks facing an organization. With an effective business continuity plan in place, you can ensure you’re meeting the requirements of a growing body of legislation.

What does a good business continuity plan look like?

The three key elements of a business continuity plan are resilience, recovery, and contingency:

1. Resilience

Businesses can increase their resilience by designing critical functions and infrastructures to protect against specific scenarios. Examples include; data redundancy, staffing rotations and maintaining a surplus of capacity. If implemented efficiently, resilience in business continuity can even keep essential services running on-site or remotely without interruption to daily operations.

2. Recovery

There’s no way an organization can prepare for every eventuality. But with rapid recovery, you can future-proof your business by ensuring you have strategies in place to restore business functions in an emergency. With recovery time objectives for different systems, you can analyse and prioritise which needs recovering first.

3. Contingency

A contingency plan ensures that an organization has procedures in place to distribute and delegate responsibilities for a range of external scenarios. These can include replacing hardware, sourcing an emergency workspace and contracting third-party vendors for assistance.

Who is responsible for a business continuity plan?

To ensure your organization’s readiness, it’s important to designate who will be responsible for implementing and managing your business continuity plan. For small businesses, a single individual could be tasked with writing a business continuity plan. Or for larger organizations, a whole team could be involved with developing a business continuity plan.

In such cases, business unit leaders - such as payroll, corporate travel, human resources and security - will be given the responsibility of creating their respective unit’s business continuity plan with a program manager overseeing the process.

It is essential to make sure each person understanding their responsibilities and that there are clear lines of communication between employees and external stakeholders, in order to keep everything as smooth as possible during an disruptive scenario.

What is the first step in writing a business continuity plan?

The first step you should take when preparing to write a business continuity plan is to conduct a full Business Impact Assessment (BIA).

A BIA predicts the consequences of a significant disruption to your business processes. It clarifies the potential losses that could be incurred in each circumstance.

A BIA should include the following:

Potential losses  - What would your lost sales and income look like for each hour of downtime, or each day?

Delayed sales  - Could disruption create cash flow issues for you by delaying your sales or income? If so, to what extent? What lines of credit would you have to rely on?

Increased expenses  - How much would you have to spend on resources to mitigate the issue? Think about things like overtime, outsourcing, and costs associated with expediting business-critical activities.

Regulatory fines  - How much could you be fined by regulators for breaches to things like data privacy or health and safety?

Contractual penalties  - Are there any charges you could incur for failing to meet SLAs with your business partners?

Customer satisfaction  -  How much damage to your public reputation could a disruption have? You can quantify by thinking of the number of additional negative reviews you could receive for each day of delays.

Delay of new business plans  - Would you need to push back any planned launches or new business agreements while you deal with disruptions?

Writing your plan: a step-by-step framework

Identify your business-critical processes  - Critical business processes are those necessary for the survival of the company in the case of loss of revenue, customer service interruption or reputation damage. E.g. Manufacturing - what you would need to keep your production line going. Finance — how to recover important documents that contain sensitive information. IT - is home working feasible for your business?

Specify the target recovery time for these processes  - How long would it take for the loss of a business-critical process to do irreparable damage to your business? Your target recovery time for each process you identified should be within this window. Determine how long you could tolerate a disruption: this is known as a recovery time objective (RTO). Your business continuity plan should enable you to mitigate disruptions within this time window.

Define the specific resources needed for each process  - Once you’ve identified how long you’ll need to restore a process, you’ll need to outline everything you’ll need to do so, and plan within that time frame. You could split this into internal resources (key people in your organization, passwords, office space, specialist equipment) and external resources (e.g. supplies, transportation). Along with identifying how readily available they can be, and for how long you’ll need them.

Describe the steps needed to restore each process  - If your business is disrupted by an IT failure, fire, flood or an extreme weather event, what is your plan to address this? Devise a backup plan for each key operation you have, detailing who to contact, what resources you’ll need, and how much you might need to spend in order to restore each process.

Decide on a schedule to update the information  - Once you’ve compiled the above four points, you’ll have a strong business continuity plan that you can action. But it won’t be bulletproof forever. As your business evolves, so will the technology it uses and the relationships it has. Therefore, you need to plan ways to keep the information up-to-date. It might be that you decide on a regular date that the whole plan needs to be revisited, whether that’s yearly, quarterly or even monthly. Alternatively, you might decide it’s better to update small elements of the plan as and when they change: e.g. if a password to a critical folder is changed, there’s someone in your organization who is responsible for updating your business continuity plan accordingly.

What are the four P’s of business continuity planning?

The four P’s of business continuity are people, processes, premises, and providers:

• People  - This covers your staff, customers and clients.
• Processes  - This includes the technology and strategies your business uses to keep everything running.
• Premises  - Covers the buildings and spaces from which your business operates.
• Providers  - This includes parties that your business relies on for getting resources, like your suppliers and partners.

You can use the four P’s when reviewing the initial draft of your business continuity plan to ensure you’ve considered the impact on each of them at every stage.

For example, how might your plan to recover important documents out of working hours impact your staff? How hard would it be to access the premises? When should you notify your clients and business partners?

What is the most important part of a business continuity plan?

Every element of your business continuity plan is important, but perhaps the most critical part to get right is how you plan to respond to potential issues. It’s advantageous to have precise calculations about potential losses and the impact of your business relationships, but without a clear and effective way of reacting to disruptions, your business will incur serious - and sometimes irreparable - financial damage.

Business continuity plan template

The following example business continuity plan template will help you get started:

1. Objective of the plan

Open with a short summary of the ‘why’ behind the how. Explain clearly and succinctly that the aim of your business continuity plan is to protect your business in the event of a disruption to business-critical processes.

2. Business-critical processes checklist

Your plan will need to contain a list of its most important processes. Below are a few examples:

3. Recovery plan

For each critical function you listed in step 2, you’ll need to specify a comprehensive, tailored recovery plan that should be followed in order to get the process back up and running within your RTO. For example:

4. Contact list

Create lists of staff, suppliers and insurers that should be contacted in case of an emergency.

List of key staff: example

Supplier list: example

List of insurers: example

About the author

CMAC specialises in providing emergency assistance to businesses experiencing transport disruptions to keep things running smoothly and minimise potential losses.  Learn more about CMAC’s full suite of industry-leading recovery solutions , from ground transport to emergency accommodation.

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Additional Resources

• Business continuity resources
• 2023 predictions
• Operational resilience
• Cyber resilience
• Business resilience
• DR and ICT continuity information
• Business continuity standards

A website you can trust

Business continuity, get the latest news and information sent to you by email.

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How to Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be identified and corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ," Pages 15 - 17. Accessed Sept. 5, 2021.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

For an optimal site experience, we recommend using a different browser. Using Internet Explorer may prevent you from accessing Chubb.com, and some site features may not function as expected.

• Chubb in Vietnam
• Corporate News
• Chubb General Insurance
• Chubb Life Insurance
• Chubb Life Offices
• Chubb Non Life Offices

5 Steps for Creating a Business Continuity Plan

Businesses can be impacted by a wide variety of disasters such as severe weather, burst pipes, server failures, fires, and pandemics. Chubb risk managers advise that one of the best ways to make sure your business is prepared for recovery after a disaster is to develop a business continuity plan.

What Is a Business Continuity Plan?

A business continuity plan provides a framework for returning to normalcy following a disaster. It is a key tool in protecting business revenues, your company's reputation, recovery costs and even people’s lives. It generally covers the following key areas:

• Disaster preparedness: A listing of the types of events that might hurt your business, how large a threat they pose, and how you can minimize their impact.
• Emergency response: The procedures you’ll follow when a disaster is headed your way or has occurred.
• Business recovery: A listing of your company’s critical business functions and the steps you’ll take to restore sales, production, and operations to pre-disaster levels.

How to Develop Your Business Continuity Plan

All successful business continuity plans begin with commitment and support from top management, and a designated person responsible for overseeing the process. Here are some tips for creating your plan and keeping it up to date:

• Build a team. Get support from top management and designate someone to be responsible for overseeing the process. Then assemble a core team, with representatives from each critical business department, such as production, human resources, quality, finance, and other critical business areas.
• Assess the risk. Identify and rank the events or hazards that are most likely to threaten your business, including elements like facility construction, technology resources, staffing, past events, supply chain issues, specialized equipment, climate, security, and utilities.
• Develop a business impact analysis. This will rank your business functions from most to least critical, so you know which ones to restore first after a disaster. Ask your business units to recommend recovery strategies that will enable key functions to be up and running within a specified time frame. Include information on how to recover your backup data files (which should be stored offsite) within a few hours, and which IT vendor you’ll contact for replacement equipment, if needed.
• Put it in writing. Document your plan and procedures step by step. Make sure to share it with staff, and assign clear responsibilities for carrying out the plan.
• Test and retest. Think of business continuity planning as a cycle – one that requires continual reviews, updates, and adjustments based on changes to your business operations. Offer training sessions so your employees are prepared to collaborate in the recovery of the business, and conduct regular drills to assess and improve response.

While the ideal time to put a business continuity plan in motion is before disaster strikes, even businesses that do not yet have a plan in place can invest time during the course of an event to protect their employees, assess the potential impact, and prepare for a smooth recovery.

Have a question or need more information?

Contact us to find out how we can help you get covered against potential risks