When a business crisis occurs, the last thing you want to do is panic.
The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.
A business crisis can cost your company a lot of money and ruin your reputation if you aren't proactively prepared to handle one. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with a plan to uphold its essential functions.
In this post, we'll explain what business continuity is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.
Business continuity is the idea that your business should maintain or be able to work to recover regular business operations in response to crises. This mentality translates into an actionable business continuity plan that is used to handle minor disruptions and bull-blown threats.
If you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions. Below we’ll go over different types of business continuity.
Business Continuity Types
Operational continuity means that the systems and processes your business relies on are able to continue functioning without disruption. As these processes are critical to business operations, it’s important to have a plan in place in case disruption occurs so you can minimize loss of revenue.
Organizations that rely on technology to run want to ensure the integrity and continuity of those systems. For example, while the functionality of Google Drive is not within your realm of control, there are many internal systems that you’ll want to maintain and mitigate, like maybe having an off-line file storage system to access important documents.
Economic continuity means that your business is still able to continue being profitable during possible disruptions. Every business has its ups and downs, so one thing you'll want to do is future-proof your organization for negative scenarios that can hit the bottom line.
Workforce continuity means that you’ll always have enough staff, and the right staff, to handle the work that comes through your doors, especially during times of crisis.
Workforce continuity goes beyond planning the right roles and staffing the right people to fill them. In order for them to show up every day and perform well, they must feel safe to do so. This involves creating a comfortable work environment, and ensuring that, even during crisis, people have the tools they need to succeed and feel supported in the workplace.
Environmental continuity means that your team is able to operate effectively and safely in their work environment. This can mean considering possible threats to your physical office or headquarters, and coming up with plans of action if these issues occur.
You want your employees to be safe. You also want your employees and business assets to be secure as well. Security breaches can cause major harm to your operations, safety, and reputation. Continuity in this realm means prioritizing employee security and safety of important business information, and plans of action if information were to become compromised.
Customer satisfaction and a good reputation can fuel your flywheel and result in increased revenue. The flip side of this coin, however, is that a tarnished reputation can cause great harm.
Reputation continuity means continuously monitoring conversations about your brand or business, prioritizing customer satisfaction, and coming up with action plans for rectifying situations if your reputation is called into question.
Business Continuity vs. Disaster Recovery
Disaster recovery plans are created as part of an overarching business continuity plan. The difference lies in that disaster recovery plans are technical plans focused specifically on recovering from failures, while business continuity plans manage relationships during a crisis.
For instance, in a larger crisis — like a building being flooded — you may have lost some of your IT services. Thus, included in the larger business continuity plan would be one or more disaster recovery instructions that would focus specifically on recovering those IT services.
Business Continuity Planning
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it’s important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.
How often should a business continuity plan be tested?
It's simple — the more time you put into your business continuity plan, the better it's going to be.
You should constantly be looking over the plan to make sure it's up-to-date with your current business processes. The larger your organization is, the more complex your systems are going to be, meaning you'll want to review your business continuity plan more frequently to ensure there aren't any overlooked gaps.
The following schedule is recommended to maximize the reliability and validity of your plan, while also minimizing the amount of time you're putting into plan review.
1. Review your checklist twice a year.
Your teams should review the elements of your business continuity plan bi-annually to make sure all the responses still apply to your current status. In addition, you'll use this opportunity to ensure that each response aligns with your desired business goals.
2. Conduct emergency drills once a year.
Just like schools have fire drills, your organization should have emergency drills to prepare your staff for the steps that are laid out in your business continuity plan. This will also help when a real crisis occurs because they will have practiced the steps before.
3. Hold tabletop reviews every other year.
All stakeholders that are involved in your business continuity plan should meet every other year to discuss it. The review doesn’t need to take too much time and doesn’t require physically running through the steps, but it can help you uncover red flags that may otherwise go unnoticed without testing.
4. Conduct a comprehensive review every other year.
Unlike the tabletop review, the comprehensive review takes a deep dive into the plan. It should look closely at cost-benefit analyses as well as recovery procedures to ensure everything is up-to-date with current business operations.
5. Mock Recovery Test, every two to three years
This is an in-depth test in which your continuity plan is put into motion to test for any weaknesses or mishaps. Since this test is time-consuming, it shouldn't occur frequently, but it will ensure all internal stakeholders are confident in the plan.
No matter what type of business you are operating, you need to be constantly considering the possible threat of a crisis. If you want to be able to effectively manage them, then it's essential that you have a business continuity plan in place to tackle difficult or unexpected situations.
Business Continuity Plan
A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders.
For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.
Below we’ll go over the process of writing a business continuity plan.
How to Write a Business Continuity Plan
- Select a business continuity team.
- Define plan objectives.
- Schedule interviews with key players in your departments.
- Identify critical functions and types of threats.
- Conduct risk assessments across each area identified.
- Conduct a Business Impact Analysis.
- Draft the plan.
- Test the plan for gaps.
- Revise based on your findings.
1. Select a business continuity team.
Before you begin strategizing, assemble a management team to be in charge. The job of crafting a business continuity plan isn't a light one, so this group should include people who are detail-oriented and organized. Some of the roles on the team are:
- Executive manager: This is the person who leads the writing process and is the link between company executives and the rest of the business continuity team.
- Program coordinator: This is the team leader who coordinates all activities related to the plan, such as budgeting and development of recovery procedures.
- Information officer: This person is responsible for accessing and sharing data related to the business continuity plan.
2. Define plan objectives.
What are you trying to achieve with this plan? It's important to know the end goal, whether it be resuming business processes as normal or improving the organization's reputation. When laying out the objectives, you should also consider your budget to get a sense of the resources that you're going to be working with.
3. Schedule interviews with key players in your departments.
Executives and upper management have a great bird's eye view of an organization, but business continuity issues happen at all levels of an organization. For an analysis that's truly comprehensive (and, in effect, valuable), you'll want to interview key team members in various departments of your organization.
Choose individuals who know the ins and outs of their department's operations and understand the importance of its functionality within the grander scheme of the organization. You can ask questions such as:
- What are your top 5 most important processes?
- What systems or applications are needed to support your operations?
- How does [X department] depend on your work in this area?
- In your opinion, what's our biggest blind spot?
- What were to happen if [worst case scenario]?
- Who would be impacted if [worst case scenario] and how?
4. Identify critical functions and types of threats.
The above questions are a guide to help give you insight into the areas of your business that require the greatest degree of business continuity. Prioritize the business functions and threats that are the most critical according to:
- The likelihood of it happening,
- The extent of the loss based on impact.
5. Conduct risk assessments across each area identified.
The idea here is to quantify the information you received during the interviews:
- How long would it take to recover from a critical situation in this area?
- How much revenue would be lost during that time?
- How much productivity would be lost during that time within that department?
- How much productivity would be lost for other departments as a result?
- How much customer and/or stakeholder confidence will be lost?
- Will there be additional cost to get it resolved?
- Will there be additional liability cost?
- How much does it cost to implement prevention measures?
6. Conduct a Business Impact Analysis.
Once you've gathered information across disparate processes, it's time to compile that information into a format that reflects the broader business.
A Business Impact Analysis (BIA) analyzes the main operations of an organization, the major resources it uses, how its operations relate to one another — a.k.a. when one function goes down, how does it affect other operations — and how long each function generally takes to complete.
A BIA is a key part of the final business continuity plan. This is where you summarize your findings regarding costs against benefits to further underscore what gets prioritized.
7. Draft out the plan.
Now that you have a good idea of what to include in your plan, start by composing a first draft that can serve as a baseline. The draft should include the following aspects to ensure a well-rounded, actionable plan:
- The purpose, objectives, budget, and timeline of the plan.
- The members of the business continuity team and their roles.
- All of the important stakeholders that are involved in the business continuity plan.
- The Business Impact Analysis.
- Proactive strategies that will be put into place to prevent crises.
- Reactive strategies that will immediately respond to crises.
- Long-term recovery efforts.
- Training and testing schedules for proactive preparation.
8. Test the plan for gaps.
Of course, you should immediately test your plan.
Start with communicating with those that play a critical role in your continuity plan. After they know what their involvement is in the plan, conduct a mock recovery test and put the plan into action. Make note of any gaps that arise during this process.
9. Revise based on your findings.
After testing is complete, correct any flaws you've uncovered throughout the process.
Continue testing and implementing changes until you're satisfied with the outcomes.However, it is important to be aware that business changes will likely require updating the plans you have. Given this, it’s important to keep testing your plan to ensure it’s up to date with your business needs, and you’re properly prepared for any type of crisis.
Now that you've learned everything there is to know about business continuity plans, use the following template to start creating one for your organization.
Business Continuity Plan Template
Name of Organization
I. Program Administration
1. [Purpose of the plan]
2. [Objectives of the plan]
The gathering process for this section could take anywhere from 1-2 weeks, as you’ll want to take enough time to uncover all the necessary information that helps you understand why the plan is necessary for your business. It is essentially the background information for your plan.
1. [Members of the business continuity team with their roles and contact information]
2. [Other stakeholders with their contact information]
III. Business Impact Analysis
1. [Business Impact Analysis]
This section of your plan will take the most amount of time to complete. As it is a full assessment of how a crisis will affect your business, you’ll need to analyze multiple different types of scenarios that you may encounter and analyze how each one will affect your business, and the specific areas of your business that will be affected.
Aim to spend a week or so drafting the analysis and collaborating with the relevant teams and stakeholders that will be involved in enacting your plan when a crisis does occur. To conduct the actual analysis, give yourself 1-2 weeks, or enough time to accurately assess the possible scenarios and impacts they will have on your business if they occur.
IV. Strategies and Requirements
1. [Proactive strategies to prevent crises]
2. [Reactive strategies to immediately respond to crises]
3. [Reactive strategies for long-term recovery from the crises]
After conducting your business impact analysis, you should have an understanding of how your business will need to respond to crises when they arise in order to come out on top. Spend a week or so crafting the strategies that will make up your continuity plan, and collaborate with relevant stakeholders.
V. Training and Testing
1. [Training schedule for employees]
2. [Testing schedule]
It’s best to test and iterate on your plan multiple times a year to ensure that it’s up-to-date with your business needs. Maybe you run-through the plan once a quarter to ensure that everyone is on the same page and new hires have the chance to learn along with their experienced peers, or maybe you do scenario run thoughts twice a year.
Let's go over some examples of scenarios that would require a business continuity plan that will help you understand why your business needs one.
Business Continuity Examples
- External product outage.
- Unplanned internet or telecom outages.
- Revenue loss.
- Turnover of critical employees.
- Workplace emergencies.
- Property hazards.
- Negative publicity.
1. External product outage.
Let's say that your entire workforce accesses, creates, and manages necessary files in Google Drive throughout the day. What happens if Google Drive has an unplanned product outage? Do you have a backup plan in place for your team to access files, or will there be a major loss of productivity until the issue is resolved?
Identifying your essential operational functions can help you identify and mitigate risk. This is where your interviews will come into play the most.
Examples of operational failure may include:
- Product failure,
- Outages with essential suppliers or services,
- Disruptions in your supply chain,
- Departmental bottlenecks and human error.
2. Unplanned internet or telecom outages.
Say your network goes down in the middle of the day and employees are unable to access the internet or dial out with their phones.
Do you have an information technology department who can quickly diagnose the issue? If you don't, do you know the numbers to your ISP provider so that you can quickly get them on the phone and resolve the issue?
You can't always anticipate unexpected errors, but you can put a process in place to handle them swiftly and effectively.
Here are some examples of tech-related business continuity issues:
- Data loss,
- Unplanned internet or telecom outages,
- Hardware/software failures.
3. Revenue loss.
Your biggest client goes out of business, slashing your annual recurring revenue by hundreds of thousands of dollars. Did this client make up the majority of your revenue and you counted them as a sure thing, or did you insulate yourself against this loss with other sources of income? How will you adjust to the revenue loss, where will you cut budget, and do have a concrete plan to protect against workforce layoffs?
Markets change, client attrition happens, economies ebb and flow. The important part is to understand how your organization can weather these events.
Here are some examples:
- Financial loss,
- Market changes or disruption.
4. Turnover of critical employees.
Let's say that you have a rockstar on your leadership team. With extreme performance comes opportunity, and that rockstar may decide to leave your organization to pursue employment elsewhere.
Are there critical business functions that only this employee knows how to do, or do you have a cross-functional team who can take on the work should they decide to leave? How does this impact the workflow of the company, especially if it takes time to fill the role with someone else?
It all comes down to resource management and making sure that you can adapt to workforce changes in an agile way.
However, this is often easier said than done, and here are some examples of threats to your workforce continuity:
- Staffing issues,
- The turnover of a critical employee,
- Work stoppages and/or strikes,
- Interpersonal conflict,
- Not scaling and formalizing your systems and processes.
5. Workplace emergencies.
A fire broke out in the break room. Do you have a fire alarm that alerts employees it's time to vacate? Do your employees know where the fire extinguishers are located in the building? Do they know where to evacuate to? What plans do you have in place post-fire in case the worst is realized for your physical office?
Ultimately, you have to protect your staff and create an environment where they can do their best work instead of worrying about threats to their person.
Here are examples of safety risks your business continuity plan should account for:
- Occupational hazards, injury, and death,
- Workplace emergencies such as gas leaks or fire,
- Health hazards such as a pandemic,
- Incidents of violence.
6. Property hazards.
Let's say that a pipe burst in your bathroom and flooded out the building. What kind of threat does water damage pose to your office or workplace? Is your technical equipment safe? Your employees? Your files? Will you lose anything irreplaceable? Do you know who to call for water damage and restoration? Do you have funds set aside for emergencies like this?
Your office space is a business asset, but it can quickly become a liability if you're unprepared.
- Property hazards such as plumbing issues or gas leaks,
- Severe weather such as flooding or snow,
- Natural disasters such as earthquakes or tornadoes.
A phishing company chooses to target your employees' emails to gain access into your sensitive data.
Do you have a strong spam filter that can reduce the number of emails employees receive? Are employees trained on email security, and will they recognize phishing attempts? If someone does accidentally buy into the scam, what protocols do you have in place to mitigate the damage from a breach?
A feeling of safety can come from having security procedures in place to mitigate risk as well as deal with issues as they arise.
Here are some example of security risks to plan for and mitigate (both technological and physical):
- Cyberattacks and network breaches,
- Malware and viruses,
- Theft and vandalism,
- Phishing emails.
8. Negative publicity.
Do you have a plan in place to manage your reputation, and do you know the biggest risks for negative publicity in your space?
Once you create a business continuity plan, your work isn't over. Continue to iterate on the plan and identify new risks that become possible over time and/or with increased experience.
Business continuity planning isn't a one-time feat. Your plans need to be constantly reassessed if you want to adequately prepare for every situation. Consider adopting a business continuity management team to oversee your continuity plans and keep them up-to-date.
Here are examples of reputation issues that can affect business continuity:
- Negative publicity,
- Company layoffs,
- Negative reviews.
Business Continuity Management
Business continuity management oversees a business's continuity plan and makes necessary changes to it when needed. This type of management determines the potential threats to a company and how each of these threats might impact business functions. Based on these findings, business continuity management is able to tweak the company's continuity plan to address any new potential hazards.
One responsibility that business continuity management teams have is planning for disaster recovery. Disaster recovery is a component of the business continuity plan that specifically focuses on product issues.
As mentioned above, the more time you put into your business continuity plan, the better it’s going to be. The more often you test, the stronger your plan will be, as you’ll be able to quickly identify problem areas and correct them before you’re forced to deal with them during a crisis.
Editor's note: This post was originally published in March 2019 and has been updated for comprehensiveness.
Originally published Apr 26, 2021 5:00:00 PM, updated April 27 2021