How to write a business continuity plan

How to write a business continuity plan

Your business is maturing and the time has come to think more strategically about business continuity in the event of an emergency. But the question remains, how to write a business continuity plan? This quick guide will take you through the steps one by one to creating business continuity plans for your organisation.

What is a business continuity plan?

A business continuity plan or contingency plan is a strategy that sets out a course of action to follow in the event of a crisis or emergency. 

The purpose of the plan is to help your organisation mitigate the impact of the emergency, and return to normal business operations as quickly as possible.  A business continuity plan will consider all the different elements involved in returning to normal, including employees, media relations, emergency services, and more. A well thought out plan will ultimately save an organisation time, money, reputation, and even lives.

The four steps of how to write a business continuity plan

Before you start writing a business continuity plan, ensure that you have the right time in place to create it and champion it across your organisation. Your business continuity plan should have sponsorship and support from the very top. The team creating the business continuity plan should also include key operations managers who know what is needed for their functions, and can advise the tasks and responsible staff for each element of the plan.

Now, let’s look at how to write a business continuity plan:

Step 1: Define your organisation’s risks and carry out analysis of their impact

Every organisation faces their own unique set of risks. These risks can be related to IT requirements, local weather conditions, supply chain reliance, cyber attack, staff sickness (or a global pandemic, who knew?), and much much more.

Carry out a business impact analysis on each risk to identify the impact that each risk would have on your organisation. The business impact analysis should balance the likelihood of an event taking place against its overall severity, enabling you to begin to understand what your response plan should contain, and to prioritise some risks over others.

At this stage you should also look at the scenarios that an emergency could create for your organisation. If the emergency hit, what would fail? How could this emergency affect operations? Which critical functions will be affected by the crisis? How much work will it take to return to normal operations, and how long will that take?

Step 2: Create business continuity plans

Pull the scenarios identified in the risk analysis into actionable tasks and timelines, and assign the relevant teams for dealing with each one. It should also contain the people, places, and technologies required to carry out each task in the plan.

Your business continuity plan should contain all the information you need to respond effectively to a crisis, but it should also be accessible and readable. Consider what information is essential  for a crisis situation, and ensure it is easy to find. Just some of the information in your contingency plan includes:

Emergency contact information: Include contact information for all key stakeholders. This includes your own emergency response teams, emergency services, regulators, insurance companies, and more. Make sure they are clearly marked, or even set up groups with pre-prepared messages so you can get the message out quickly during the crisis.

Critical functions list and action plan: Create lists of the functions that are critical to your operations, for example IT, operations teams, and more. Include assessments of what it will take to keep them running, or get them back to operation, and assign responsible staff for each one, and the tasks they need to carry out to ensure critical functions are operational. These tasks may include manual workarounds, and back up plans should the original plan be unavailable for any reason.

Triggers and alerts: Define the systems that can trigger alerts for different crises. For example, if you have IT perimeter alerts set up, integrate them with an alerting system to ensure that the right people are notified of a cyber attack as soon as possible.

Succession plan: Identify alternate team members who can cover if a member of your key response team is unavailable during the emergency.

Operations plan: Define the actions and tasks required to return to normal operations. Include information about backups, key employees, suppliers, and equipment requirements. Store this plan in an accessible, centrally managed location.

Crisis communication strategy: Create a strategy for informing employees, key stakeholders such as suppliers or customers, or even the general public of events, and keep them up to date with follow up messages. The crisis communication strategy should consider communications if IT or cell networks are down, security of messaging, reliability, and more.

Step 3: Test the business continuity plan

Simply creating a business continuity plan and filing it away isn’t enough. Testing your business continuity plan or plans is vital to ensuring they make a difference on the day. It is recommended to test business continuity plans once a quarter, and testing can be carried out as a tabletop exercise reviewing the plan for accuracy, structured walkthrough (for example a fire alarm drill), or a full on disaster simulation.

Testing the plan provides several important functions:

  • It helps familiarise key responders with the tasks that they need to carry out on the day. This in turn will make them more confident in a crisis, and improve their response.
  • Testing enables you to check that the plan works, refine any actions or processes, and identify any gaps that need to be added to the plan, for example technology that may be needed, or additional tasks or resources that were missing the first time round.

Step 4: Share, maintain, and store the business continuity plan

Now that the business continuity plan has been created, it should be shared with all members of staff so that they understand what is in it. The plan itself should also be stored somewhere central that is easily accessible during an emergency.

When it comes to storing the business continuity plan, consider how it will be accessed in an emergency. Will responders need access from a mobile device? What happens if the organisation’s IT goes down, so you can’t access it from within the network? Is it stored as a massive document, or in easy to use tasks or block of actions? Does it tie in automatically to your incident management platform?

Start creating your business continuity plans

There is no definitive answer to how to write a business continuity plan, however every contingency plan should contain the actions and resources needed to return to operations as quickly as possible. What these are will depend on both your particular organisation and the crisis you face.

The Crises Control Incident Plan Builder provides step by step support on how to write a business continuity plan that works for your organisation. Templates for different crises help you consider the different requirements for each one. All plans can then be stored in the Incident Manager, which enables you to bring them to life when an emergency hits.

Contact us for more information on how we can help you learn how to write a business continuity plan and build resilience in your organisation.