How to Create a Business Continuity Plan in 5 Steps
Your business shouldn’t shut down when an emergency hits. But with a thorough business continuity plan template, you can keep your people safe and stay operational through whatever crisis you’re hit with.
Making sure you can protect your employees and operations is a complicated issue, especially the larger and more widespread your business is. Companies like Boeing, with locations in over 70 countries, know this firsthand. The only way to tackle complicated problems is with a plan.
“With such a broad geographic footprint, it really is challenging and difficult to prepare for every single type of outcome out there,” Keith Berthiaume told us on The Employee Safety Podcast. Keith is Enterprise Emergency Preparedness Program Manager at Boeing. “So having a plan that looks at what the impacts are and how we can prepare and respond to those, makes it a lot easier for us to have an enterprise-level response.”
During business-critical events, having a plan for business continuity is imperative to helping emergency response leaders and key stakeholders understand what to do, who to contact, how to respond, or the necessary steps to mitigate the impact. A business continuity plan also helps accelerate response times, bolstering employee safety and protecting the company’s infrastructure.
A well-developed business continuity plan serves as an emergency checklist for all emergency scenarios that might occur. In this post, we discuss what makes for a useful business continuity plan and how you can create your own business continuity plan checklist that fits your organization’s unique needs.
What Is Business Continuity?
Business continuity is your organization’s ability to maintain important business functions during emergencies or disruptions. The processes and procedures put in place through business continuity help to prevent, mitigate, and recover from threats to your operations. This way, you can maintain some level of function even when faced with potentially harmful events.
Often, larger businesses have entire business continuity management (BCM) teams or individuals whose responsibility is to develop processes and procedures. But smaller organizations tend to rely on HR to establish and communicate these protocols. No matter what your industry or size, every organization needs a business continuity plan (BCP) to document how they will protect their people and operations.
What is a business continuity plan (BCP)?
A business continuity plan outlines business processes that will take place before, during, and after an emergency to minimize interruptions and keep things as close as possible to “business as usual.” Business continuity management means spinning a lot of plates at once, and your business continuity plan will help you stay organized and prepared. A robust plan prepares you for all significant events that could endanger your people or interrupt business operations.
Emergencies often lead to interruptions in normal business operations, and these disruptions—large and small—can create long-term issues for human resources, information technology, and other business stakeholders when organizations’ emergency response plans—or those of their providers—are inadequate. They can take people and technologies offline for hours, even days or weeks, during and after an emergency.
“Regardless of the incident type, there are four ways we as a company could be impacted: the loss of our most important resource—which is our people—our buildings, our supply chain, or our IT applications. Most incidents have the potential to impact more than one of these areas, so it’s the protection of these four groups that forms the basis for how we perform business continuity.”
—Keith Berthiaume, Boeing
The nature and impact of interruptions will vary depending on your industry, business locations, number of employees, and exposure to various types of threats. Some of the most common interruptions may include
- Supply chains
- Distribution channels
- Technology operations like power or internet outages, cyberattacks, or data center failures
- Critical machinery or equipment operations
- Employee travel and accessibility to work locations
- Employee accessibility to work-related systems, applications, and data
- Customer accessibility to storefronts, websites, call centers, or customer-facing applications
A business continuity plan is an important component of risk management and emergency response. While the first objective during any crisis is to safeguard employees, the second is to safeguard the business. Planning for an unplanned emergency is critical if you’re going to stay up and running.
What to Include in Your Business Continuity Plan
Your business continuity plan should include all the information necessary to coordinate an effective response to any emergency or crisis event. Typically, a BCP will include each of the following:
- A comprehensive risk assessment
- A business impact analysis for each risk type
- A process for monitoring and detecting relevant threats
- Documented recovery time objectives
- Communication strategy and procedures
#1 Risk assessment
According to Bob Arnold, president of Disaster Recovery Journal, the key to developing a sound business continuity plan is understanding an organization’s potential risks. “Threats come at us more frequently and more violently today,” Bob told us. You may not be able to predict which risks will impact your locations and assets, but you can conduct a business threat assessment to ensure you will be prepared for threats when they inevitably arise.
- People impact: What are the situations that would impact your employees’ ability to work? Which job functions are most critical to your organization’s business continuity?
- Partner impact: Which partners and service providers are you most reliant on?
- Facility impact: What are the scenarios that could cause one or more of your worksites to become unavailable?
- Technology impact: Which systems or tools are used to deliver goods and services to customers? What systems are used to communicate and coordinate internally?
- Brand/reputation impact: What is the impact on your brand should your business no longer operate normally?
Specific threats will vary from organization to organization based on their geographical location and surroundings. However, most companies can perform a business continuity risk assessment for common scenarios such as
- Severe weather
- Workplace and structural fires
- Power and IT outages
- Pandemics and other health crises
- Physical threats from individuals
- Cybersecurity threats from inside and outside of the organization
- Natural disasters
By taking stock of historical events and most likely-to-occur scenarios, organizations can begin to develop an ongoing list of potential threats. This list will evolve as the company grows its employee base, the number and locations of additional sites, the locations where employees may travel for business, and its fleet/equipment/technology assets. Keeping this list fresh and adjusting the plan accordingly is a must.
#2. Business impact analysis
Once you complete the threat assessment, conduct a business impact analysis (BIA) to determine how each of these threats could influence the business. The goal of a BIA is to predict consequences of various types of disruptions and their impact on personnel and critical business functions. You can then use this information to develop effective recovery strategies to mitigate risks and improve outcomes.
Any business disruption can have a detrimental operational and financial impact. These may include lost and/or delayed sales and income, delays in manufacturing or development, an inability to deliver goods or meet contractual agreements, increased expenses, customer dissatisfaction, and even regulatory fines.
Of course, the impact will depend greatly on the duration and timing of the disruption. A two-hour power outage will have less impact than a two-day work stoppage resulting from a hurricane. A fire in a remote and partially empty warehouse will be less of an interruption than a fire in an active manufacturing facility. By analyzing different possible scenarios, an organization can be better prepared to handle the emergency and bring operations back online more rapidly. Reevaluate this analysis regularly as new threats arise.
#3. Threat monitoring and detection
Once you’ve identified potential threats, you need a way to effectively monitor and assess critical events near your people and assets so you can react immediately. Monitoring events before they strike is critical to protecting your people and brand. It allows you to recognize and to predict critical situations before they happen—giving you the benefit of alerting and organizing your audience in advance.
Companies like Whataburger use threat intelligence solutions to keep an eye on threats for their thousands of locations, a feat that would be next to impossible for their small team. Automatic threat monitoring allows business continuity teams to focus on response and mitigation while trusting that they will be notified immediately about any detected threats.
Learn more about how Whataburger protects its people and business during critical events with AlertMedia.
#4. Recovery time objective
Once your risks have been identified and you’ve established a process for both identification and monitoring, it’s time to set goals. Your recovery plan outlines how to get your business back to normal as quickly as possible, and a recovery timeline is a part of that plan.
Establishing a recovery time objective (RTO)—the maximum acceptable time until the business is up and running following a crisis event—is a critical component of any BCP to ensure your response plans sufficiently protect the organization against long-term damages, including data loss, financial penalties, and more. This information will also have a direct impact on crisis management, risk mitigation, and communication strategy and how you prioritize response efforts.
You can also include your assigned recovery team in your plan to clarify the responsibility and ownership of the RTO. This team will be made up of personnel responsible for coordinating, communicating, and managing employees and stakeholders during an emergency or business interruption.
#5. Communication strategy
A business continuity program should have at its foundation a solid emergency communication strategy. In times of crises and critical events, communication is a lifeline. Being able to relay information and instructions to employees and other business partners will help your people stay calm and guide them to the appropriate behavior. While some employees will only need to keep themselves safe, others may be designated as part of a skeleton crew who will be responsible for operating and/or maintaining the business and its vital functions.
Your emergency management and business continuity teams should designate specific individuals accountable for emergency communication, as well as at least one level of backup per function, and train them accordingly. These employees will become the most important contacts during and after an emergency and will require multiple channels for communication.
Additionally, the types of communication channels are equally as critical as the communications themselves. Using an emergency communication system will help ensure notifications and alerts are sent across multiple channels simultaneously so that every employee receives the message intended for them. Remember: During an emergency, IT infrastructure may be compromised, or computer systems may be inaccessible, so you should plan on using all available channels to communicate with critical personnel. Your system should also enable two-way communication so you can confirm whether messages were received while allowing employees to confirm their safety and contribute valuable information to help reduce downtime.
These channels may include
- Text message
- Mobile app push notification
- Phone call
- Social media posts
- Slack/Team message
- Intranet site alert
- Desktop alert
In today’s mobile culture, this multi-modal approach is the only way to ensure the affected employees receive the messages quickly, in real-time, and on the devices they are most likely to have with them. It would be completely ineffective, for instance, to send an emergency email to every employee when a portion of employees are field workers with no access to email. According to Michelle Schutte, Managing Director of Business Continuity and Incident Management at Charles Schwab, you also need to have a method of communication that is based on urgency. “You need something that really captures someone’s attention and makes them click it to go away,” said Schutte. Urgent communications shouldn’t be sent via regular, day-to-day methods such as email.
What to Expect from a Business Continuity Template
You can use our business continuity plan template to streamline your planning. Here are some of the helpful elements you can line up to ensure a fast and effective response.
Roles and responsibilities — Establish a chain of command so everyone knows who to turn to when a critical decision needs to be made. Be sure to include departments beyond the crisis team members, including internal communications, IT, and any executives who may need to communicate important information to employees and other stakeholders. Don’t forget to outline secondary contacts as well in case primary stakeholders become unavailable.
Emergency contact information — Make sure to have phone numbers readily available for staff as well as local police and fire departments, utility companies, and any other external organizations that may be able to help in the event of a threat. An emergency communication system capable of integrating with your HRIS can also help ensure this information is regularly updated and reflects employees’ current information.
Backup plan — Nearly all businesses today use computers to complete daily tasks, so a loss of those systems could mean devastation. For that reason, perform regular backups of all your computer systems and make copies of critical information either to a remote location or server. Once you back it up, make sure you also record details of how to access it. Other considerations for contingency planning include
- Backup power: Consider keeping backup generators on hand in the event of a power outage so you can get your electrical systems or computers back up and running quickly.
- Alternate operations site: Set up a second physical location where business operations can still be conducted if you lose access to your headquarters. This alternate site should include all the same tools and systems needed to continue work as planned, as well as equipment to recover the primary site.
- Essential equipment and services: Essentials include access to email, web servers, data backup sites, and any other tools your day-to-day operations require. Consider the applications and vendors you depend on, and make sure you’ll still be able to use them should an incident occur.
5 Steps to Creating a Business Continuity Plan
JetBlue Airways’ 22,000 employees serve millions of customers across 26 countries. The company’s business continuity plans include dozens of possible threat scenarios, ranging from severe weather to fleets getting grounded to acts of terrorism.
Not every organization will face the same threats as JetBlue, but Penny Neferis, Director of Business Continuity and Disaster Response at the airline, takes an approach to business continuity that offers a good example for how every organization should handle a crisis.
Here are the steps she laid out for building your business continuity plan. You can follow these steps on your own or make it a little easier on yourself by using a business continuity plan template and looking through examples to base your plan off of.
Step #1: Create your team
The first step to developing a business continuity plan involves determining who will be responsible for updating and executing the plan. Business continuity and disaster recovery warrants its own team; however, the team should consider which other departments will be vital to recovery.
According to Penny, “Our small-but-mighty disaster response team [can] only work so long, and we had to learn to count on other groups to step in and help. Our teams are robust, but we felt ownership to take all emergency responses on our shoulders in the past.”
Assign one person the sole responsibility for taking charge, but assign additional recovery tasks to a variety of people across each unit of the business to guarantee no department gets left behind. True resilience management integrates various teams’ experience and awareness to ensure each strategy is as strong as it can be.
Step #2: Conduct your business impact analysis
According to Ready.gov, a business impact analysis “predicts the consequences of disruption of a business function and process, and gathers information needed to develop recovery strategies.” While similar to the threat analysis mentioned above, a BIA views threats from a cost perspective and outlines the total time it would take to recover an organization’s most important functions—including dependencies, such as people and communities. Emergencies often extend beyond the borders of an organization.
“When a crisis does happen, we look at it from three different lenses,” said Penny. “What impact does this have on our staff and crew members? What impact does this have on our customers, and what impact does this have on our community?”
Step #3: Map out your plan
Now that you have your team and you understand each threat’s impact to your business, you need to actually map out a strategy for how to keep your business running—easily the most important component of a business continuity plan. Make a list of the most critical functions to your organization as well as the disruptions that could hinder them, and develop practical recovery strategies for each scenario. Consider various “what ifs” to instill confidence among your team that they’ll be able to respond no matter the situation.
Step #4: Train and educate
You’ve completed your plan, and now you need to train your staff on it. Conduct tabletop exercises and emergency drills so everyone knows the role they will play should a disaster occur. The more “real” the event feels, the better prepared employees will be. Include key personnel and first responders, and use these training sessions to identify missing aspects or weaknesses in your plan. Keep reading for some additional tips on practice and implantation of your business continuity plan.
Step #5: Analyze and update as new threats are identified
The threat landscape evolves constantly, with new risks to business operations occurring every year. Before 2020, few organizations probably expected they would be dealing with an ongoing global pandemic, but they quickly learned to adapt. Business continuity requires both immediate and ongoing attention, and plans should be frequently analyzed and updated based on recent events and predictions.
For instance, we know severe weather and the effects of climate change will continue to be an ongoing threat to businesses across the globe, but we are seeing significant changes in how weather threats crop up. Our 2023 Threat Outlook Report breaks down changes in where weather events occur and longer seasons that may require shifts in your business continuity plan around weather threats.
Maintaining a Living Document
Your business continuity plan and BCP checklist shouldn’t be a single line-item task that you mark off and never look at again. These documents work best if they are integrated consistently through your yearly safety planning, so you can keep them updated with any necessary changes, and so your team keeps the processes top of mind. Here are a few tips for keeping your BCP a central piece of your broader safety culture.
Practice makes perfect
No emergency plan is complete without practice. This philosophy holds true for the business continuity plan. Every person in the company should have a solid understanding of business processes and what they are to do in case of specific incidents (such as a cyberattack) or general emergencies (such as fires, severe weather, workplace injuries, etc.). The designated skeleton crew needs to be clear on their roles and responsibilities, and exactly what, when, and how the business continuity plans will be triggered.
There are three basic steps in implementing both a disaster recovery plan and BCP. Not all employees will be involved in both, but all should have at least a general understanding of what will happen when the emergency plan is activated and which critical business functions will be prioritized. All employees should also have a current contact list of all of those who will be in authority during an emergency.
Before a company initiates a drill, it is a good idea to gather key stakeholders and decision-makers together to carefully and methodically evaluate the emergency and business continuity plans. Review each step with a critical eye to ensure nothing was missed and every area of the business is represented.
Once the plans are considered complete, it’s time to educate employees. Depending on how dispersed your employees are, you may choose to conduct on-site training sessions, tabletop exercises, or develop an on-demand training curriculum that employees can watch on their own time. Because the goal is to obtain 100% participation, design a measurement tool that can provide a current list of employees who have and have not watched the webinar.
The next step is to practice what was learned. Scheduling regular full emergency evacuation drills is recommended. The more “real” the event appears, meaning key personnel and first responders participate, the better-prepared employees will be should an actual critical event occur.
Those responsible for triggering the emergency plan and those involved in the skeleton crew should walk through their respective roles during a critical event. Role-playing is a successful tool that first responders often use themselves to ensure no step is missed. This role-playing will also give the organization valuable insight into how the plan actually works in a “real-life” scenario. Often, a plan will look comprehensive on paper but when it is practiced, weaknesses appear.
If possible, ask partners, vendors, and anyone who may be impacted by your company’s potential business interruption to be a part of the drill. They may be able to identify gaps in planning and provide additional “what if” scenarios.
Assess the success
Practicing the plan is not the end of the process. In fact, it simply provides a lens into how well (or not) the plan performed. You can gather valuable intelligence from each practiced drill and from the people involved. From the business leaders and skeleton crew to the employees who were impacted, it is important to gather feedback from every angle.
Questions to Ask
- Did every employee in every location know what to do?
- Was there any confusion, chaos, or panic during the drill?
- Were the emergency communications delivered across multiple channels simultaneously?
- What were the open rates for each mode of communication?
- Did the message communicated provide the proper level of information with instructions on where to find additional information?
- Were employees able to respond with two-way communication?
- How long did it take to trigger the business continuity plan?
- Was the designated skeleton crew able to keep operations going?
Of course, there could be any number of additional questions; These are just a guide, but be sure to include the opinions and experiences of employees. Their perception of how well the drill was orchestrated is as important as the actual results. The goal is not only to protect the employees but also to give them peace of mind that in virtually any situation, their company has their backs. Their perception is their reality and should be taken seriously.
All the information you gathered in your questions can be used on its own or through an after-action report to make improvements to your plan and your process, so that the next drill, and the real response, are as effective and smooth as possible. By bringing people together at least annually to review the current plan, evaluate alternative available technologies, and assess potential new threats, your organization will be better prepared for any situation. Planning is never a one-time event. It is ongoing and always has room for improvement. Be sure you have business continuity management processes in place to keep it at the forefront of your annual planning.
At the end of the day, an effective business continuity plan must be fluid. But perhaps more importantly, it must also be consistent. Events will never happen exactly as you plan, but by remaining vigilant, you’ll steer clear of “deer in the headlights” syndrome and be prepared for any new challenges that may come your way.