IT Governance Blog: how to write a business continuity plan

Earthquake. Virus. Cyber attack. The threat of disruption looms over organisations more than ever, thanks to the increasing use of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about when a disruption will occur, which is why you need a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.

What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow in the event of a disruption.

The plan must identify relevant risks that could cause issues, be they cyber attacks, internal vulnerabilities, weather events or technological problems.

Each identified risk should be accompanied with a set of temporary measures or quick fixes that ensure the most important business operations remain functional.

Organisations’ top priorities tend to be their technologies – and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t just about recovering IT functions. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services.

In that regard, business continuity considers IT one of several critical resources for preserving those activities.

However, restoring your IT may take some time, so you should have a plan on how to manage in the meantime. Such temporary solutions may well be lo-fi, such as completing processes with pen and paper.

Whatever methods you choose, they must be documented in a BCP so that employees know how to proceed.

Why is a business continuity plan important?

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption.

Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as delays continue.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches.

As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), as the delays could either be widespread or cause major headaches.

To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.

Benefits of a business continuity plan

Creating a BCP will make it easier for your organisation to cope in a crisis and minimise the disruption for you and your customers.

A BCP can also reduce or even avoid the risk of losing revenue if you are hit with a disruption. Returning to business as usual promptly minimises the time that your organisation is unable to operate and therefore unable to generate revenue.

But beyond these reasons, you should also consider the BCP’s ability to:

Protect your organisation’s reputation

In demonstrating a fast and efficient response to disruption, the public will be impressed by the way you operate. This will mitigate any negative sentiments that accompany the loss of productivity – and it might even improve your reputation.

Boost employees’ morale

No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong.

If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, proving to employees that management has considered their needs.

Build your relationship with third parties and subsidiaries

An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with.

It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and third parties.

Who should have a business continuity plan?

All organisations, no matter their size, should create a BCP. Consider it a small investment that will save you a fortune when you suffer a data breach – and it is a matter of when, rather than if.

In the past year alone, 32% of organisations in the UK were breached, according to ICAS’s 2019 UK Cyber Security Breaches Survey. That percentage has grown steadily in the past few years, as has the associated costs of a data breach.

Organisations spent £4,180 on average responding to security incidents in 2019, compared to £3,160 in 2018 and £2,450.

The larger your organisation, the higher these costs will be. The report found that medium-sized businesses spent £9,270 on data breach recovery, and large businesses spent £22,700.

Key features of an effective business continuity plan

1. Purpose and scope

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

2. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to grant financial costs outside of the normal department budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

3. Plan invocation

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond.

You don’t need to get into specifics here (that’s covered in step five), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

4. Developing the BCP

This is the meat of your plan, containing the actions you will take to recover from various incidents. It will be the result of two other processes – the risk assessment and BIA (business impact assessment) – in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, you should take each business disruption and outline the steps that must be taken to protect individuals (staff, customers and third parties) during the business disruption and actions that should be taken to contain the disruption and prevent further loss, disturbance or unavailability of prioritised activities.

You should also use this opportunity to create guidelines on record-keeping requirements during and after the incident (such as what needs to be recorded and where), document the prioritised recovery objectives and the actions and resources that are needed to achieve them, and your internal and external (inter)dependencies, and how these might affect one another during a disruptive incident.

5. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them of their wellbeing. This is both thoughtful and prevents your organisation’s phone lines being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding.

In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

6. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

7. Document owner, approver and change history

The business continuity manager is the owner of the BCP and is responsible for ensuring that the procedure is reviewed and tested regularly.

8. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.

The importance of testing your business continuity plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

The first are table-top exercises. This is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

Alternatively, you might choose to conduct a structured walkthrough. This is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions.

The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours.

As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

Finally, you might conduct a disaster simulation test, which is essentially a dress rehearsal. ou create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are.

Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.