When a business crisis occurs, the last thing you want to do is panic. The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.
A business crisis can cost your company a lot of money and ruin your reputation if you aren't proactively prepared to handle one. Customers aren't very forgiving especially when a crisis was caused by accidents within the company or from other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with a plan to uphold its basic functions.
Business continuity is the idea that your business should maintain or work to recover business functions in response to crises. This mentality translates into an actionable plan that is used to handle both minor disruptions and full-blown threats.
Business Continuity Planning
Business continuity planning is the proactive process by which a business creates a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.
Business Continuity vs. Disaster Recovery
Disaster recovery plans are often created as part of an overarching business continuity plan. The difference is that disaster recovery plans are technical plans focused specifically on recovering from product failures, while business continuity plans manage stakeholder relationship during a crisis.
For instance, in a larger crisis — like a building being flooded — you may have lost some of your IT services. Thus, included in the larger business continuity plan would be one or more disaster recovery instructions that would focus specifically on recovering those IT services.
Business Continuity Plan
A business continuity plan outlines directions and procedures that a company will follow when faced with a crisis. They're laid out on a case-by-case basis and assist with a variety of crises ranging from natural disasters to human error. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain the brand's relationships with its stakeholders.
For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.
How often should a business continuity plan be tested?
It's simple — the more time you put into your business continuity plan, the better it's going to be. You should constantly be looking over the plan to make sure it's up-to-date with your current business processes. The larger your organization is, the more complex your systems are going to be, meaning you'll want to review your business continuity plan more frequently to ensure there aren't any overlooked gaps.
The following schedule is recommended to maximize the reliability and validity of your plan, while also minimizing the amount of time you're putting into plan review.
1. Review your checklist twice a year.
Your team will review the elements of your business continuity plan bi-annually to make sure all the responses still apply to your current status. In addition, you'll use this opportunity to ensure that each response aligns with your desired business goals.
2. Conduct emergency drills once a year.
Just like schools have fire drills, your organization should have emergency drills to prepare your staff for the steps that are laid out in your business continuity plan. This will also help when a real crisis occurs because they will have practiced the steps before.
3. Hold tabletop reviews every other year.
All stakeholders involved with the business continuity plan should meet every other year to discuss it. This review doesn't take too much time and doesn't require physically running through the steps, but it can reveal red flags that would otherwise go unnoticed.
4. Conduct a comprehensive review every other year.
Unlike the tabletop review, the comprehensive review takes a deep dive into the plan. It should look closely at cost-benefit analyses as well as recovery procedures to ensure everything is up-to-date with current business operations.
5. Mock Recovery Test: Every two to three years
This is an in-depth test in which the business continuity plan is put fully into motion to test for any weaknesses or mishaps. Since this test is time-consuming, it shouldn't occur frequently, but it will ensure all internal stakeholders are confident in the plan.
No matter what type of business you are operating, you need to be constantly considering the possible threat of a crisis. If you want to be able to effectively manage them, then it's essential that you have a business continuity plan in place to tackle difficult or unexpected situations.
Now that we understand business continuity and its vocabulary, the next step is to learn the process of writing a business continuity plan.
How to Write a Business Continuity Plan
- Select a business continuity team.
- Define the objectives of the plan.
- Schedule interviews with major players in your departments.
- Identify critical functions and types of threats.
- Conduct risk assessments across each area identified.
- Conduct a Business Impact Analysis.
- Draft the plan.
- Test the plan for gaps.
- Revise based on your findings.
1. Select a business continuity team.
Before you begin strategizing, assemble a management team to be in charge. The job of crafting a business continuity plan isn't a light one, so this group should include people who are detail-oriented and organized. Some of the roles on the team are:
- Executive manager: This is the person who leads the writing process and is the link between company executives and the rest of the business continuity team.
- Program coordinator: This is the team leader who coordinates all activities related to the plan, such as budgeting, development of recovery procedures, and more.
- Information officer: This person is responsible for accessing and sharing data related to the business continuity plan.
2. Define the objectives of the plan.
What are you trying to achieve with this plan? It's important to know the end goal for your business continuity plan, whether it be resuming business processes as normal or improving the organization's reputation. When laying out the objectives, you should also consider your budget to get a sense of the resources that you're going to be working with.
3. Schedule interviews with major players in your departments.
Executives and upper management have a great bird's eye view of an organization, but business continuity issues happen at all levels of an organization. For an analysis that's truly comprehensive (and, in effective, valuable), you'll want to interview key team members in various "departments" of the organization.
Choose individuals who know the ins and outs of their department's operations and understand the importance of its functionality within the grander scheme of the organization. From there, you can ask questions such as:
- What are your top 5 most important processes?
- What systems or applications are needed to support your operations?
- How does [X department] depend on your work in this area?
- In your opinion, what's our biggest blind spot?
- What were to happen if [worst case scenario]?
- Who would be impacted if [worst case scenario] and how?
4. Identify critical functions and types of threats.
The above questions are a guide to help give you insight into the areas of your business that require the greatest degree of business continuity. Prioritize the business functions and threats that are the most critical according to:
- The likelihood of it happening
- The extent of the loss based on impact
5. Conduct risk assessments across each area identified.
The idea here is to quantify the information you received during the interviews:
- How long would it take to recover from a critical situation in this area?
- How much revenue would be lost during that time?
- How much productivity would be lost during that time within that department?
- How much productivity would be lost for other departments as a result?
- How much customer and/or stakeholder confidence will be lost?
- Will there be additional cost to get it resolved?
- Will there be additional liability cost?
- How much does it cost to implement prevention measures?
6. Conduct a Business Impact Analysis.
Once you've gathered information across disparate processes, it's time to compile that information into a format that reflects the broader business.
A Business Impact Analysis (BIA) analyzes the main operations of an organization, the major resources it uses, how its operations relate to one another — a.k.a. when one function goes down, how does it affect other operations — and how long each function generally takes to complete.
A BIA is a key part of the final business continuity plan. This is where you summarize your findings regarding costs against benefits to further underscore what gets prioritized.
7. Draft out the plan.
Now that you have a good idea of what to include in your plan, start by composing a first draft that can serve as a baseline. The draft should include the following aspects to ensure a well-rounded, actionable plan:
- The purpose, objectives, budget, and timeline of the plan
- The members of the business continuity team and their roles
- All of the important stakeholders that are involved in the business continuity plan
- The Business Impact Analysis
- Proactive strategies that will be put into place to prevent crises
- Reactive strategies that will immediately respond to crises
- Long-term recovery efforts
- Training and testing schedules for proactive preparation
8. Test the plan for gaps.
Of course, you should immediately test your plan. Start with communicating with each member of the organization who would play a role in the business continuity plan. After a brief training in the steps they must take, conduct a mock recovery test that can put the plan into action. Make note of any gaps in the plan.
9. Revise based on your findings.
After testing is complete, correct any flaws you find in your plan. Keep testing and implementing changes until you're satisfied with the final result. This completed plan, however, isn't permanent as it will likely undergo changes in the future as your organization adapts and grows. Thus, it's important to keep testing your plan if you want to be properly prepared for a crisis.
Business Continuity Examples
If you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions. Here are some examples of areas that necessitate business continuity:
Operational continuity means that the systems and processes your business relies on are functioning without disruption. With that in mind, you'll want to have a plan in place in case such disruption occurs so that you can minimize loss of revenue.
Examples of operational failure may include:
- Outages with essential suppliers or services
- Disruptions in your supply chain
- Departmental bottlenecks and human error
For example, let's say that your entire workforce accesses, creates, and manages necessary files in Google Drive throughout the day. What happens if Google Drive has an unplanned product outage? Do you have a backup plan in place for your team to access files, or will there be a major loss of productivity until Google is able to resolve the issue?
Identifying your essential operational functions can help you identify and mitigate risk. This is where your interviews will come into play the most.
Speaking of operations and outages, organizations that rely on technology to run may also want to ensure the integrity and continuity of those systems. While the functionality of Google Drive is not within your realm of control, there are many internal systems that you'll want to maintain and mitigate.
Here are some examples of tech-related business continuity issues:
- Data loss
- Unplanned internet or telecom outages
- Hardware/software failures
For example, let's say your network goes down in the middle of the day and employees are unable to access the internet or dial out with their phones. Do you have an information technology department who can quickly diagnose the issue? If you don't, do you know the numbers to your ISP provider so that you can quickly get them on the phone and resolve the issue?
You can't always anticipate unexpected errors, but you can put a process in place to handle them swiftly and effectively.
Every business has its ups and downs, so one thing you'll want to do is future-proof your organization for negative scenarios that can hit the bottom line. Here are some examples:
- Financial loss
- Market changes or disruption
For example, let's say your biggest client goes out of business, slashing your annual recurring revenue by hundreds of thousands of dollars. Did this client make up the majority of your revenue and you counted them as a sure thing, or did you insulate yourself against this loss with other sources of income? How will you adjust to the revenue loss, where will you cut budget, and do have a concrete plan to protect against workforce layoffs?
Markets change, client attrition happens, economies ebb and flow. The important part is to understand how your organization can weather these events.
Workforce continuity comes down to the idea that you always have enough (and the right) staff to handle the work that comes in through your doors.
However, this is often easier said than done, and here are some examples of threats to your workforce continuity:
- Staffing issues
- The turnover of a critical employee
- Work stoppages and/or strikes
- Interpersonal conflict
For example, let's say that you have a rockstar on your leadership team. With extreme performance comes opportunity, and that rockstar may decide to leave your organization to pursue employment elsewhere. Are there critical business functions that only this employee knows how to do, or do you have a cross-functional team who can take on the work should they decide to leave? How does this impact the workflow of the company, especially if it takes time to fill the role with someone else?
It all comes down to resource management and making sure that you can adapt to workforce changes in an agile way.
Workforce continuity goes beyond planning the right roles and staffing the right people to fill them. In order for them to show up every day and perform well, they must feel safe to do so.
Here are examples of safety risks your business continuity plan should account for:
- Occupational hazards, injury, and death
- Workplace emergencies such as gas leaks or fire
- Health hazards such as a pandemic
- Incidents of violence
For example, let's say that a fire broke out in the break room. Do you have a fire alarm that alerts employees it's time to vacate? Do your employees know where the fire extinguishers are located in the building? Do they know where to evacuate to? What plans do you have in place post-fire in case the worst is realized for your physical office?
Ultimately, you have to protect your staff and create an environment where they can do their best work instead of worrying about threats to their person.
Speaking of creating an environment, environmental continuity means that your team is able to operate effectively and safely in their work environment. This often means considering threats to your physical office or headquarters such as:
- Property hazards such as plumbing issues or gas leaks
- Severe weather such as flooding or snow
- Natural disasters such as earthquakes or tornadoes
For example, let's say that a pipe burst in your bathroom and flooded out the building. What kind of threat does water damage pose to your office or workplace? Is your technical equipment safe? Your employees? Your files? Will you lose anything irreplaceable? Do you know who to call for water damage and restoration? Do you have funds set aside for emergencies like this?
Your office space is a business asset, but it can quickly become a liability if you're unprepared.
You want your employees to be safe. You also want your employees and business assets to be secure as well. Security breaches can cause major harm to your operations, safety, and reputation.
Here are some example of security risks to plan for and mitigate (both technological and physical):
- Cyberattacks and network breaches
- Malware and viruses
- Theft and vandalism
For example, let's say a phishing company chooses to target your employees' emails to gain access into your sensitive data. Do you have a strong spam filter that can reduce the number of emails employees receive? Are employees trained on email security, and will they recognize phishing attempts? If someone does accidentally buy into the scam, what protocols do you have in place to mitigate the damage from a breach?
A feeling of safety can come from having security procedures in place to mitigate risk as well as deal with issues as they arise.
Customer satisfaction and a good reputation can fuel your flywheel and result in increased revenue. The flip side of this coin, however, is that a tarnished reputation can cause great harm.
Here are examples of reputation issues that can affect business continuity:
- Negative publicity
- Company layoffs
Do you have a plan in place to manage your reputation, and do you know the biggest risks for negative publicity in your space?
Once you create a business continuity plan, your work isn't over. Continue to iterate on the plan and identify new risks that become possible over time and/or with increased experience.
Business continuity planning isn't a one-time feat. Your plans need to be constantly reassessed if you want to adequately prepare for every situation. Consider adopting a business continuity management team to oversee your continuity plans and keep them up-to-date.
Business Continuity Management
Business continuity management oversees a business's continuity plan and makes necessary changes to it when needed. This type of management determines the potential threats to a company and how each of these threats might impact business functions. Based on these findings, business continuity management is able to tweak the company's continuity plan to address any new potential hazards.
One responsibility that business continuity management teams have is planning for disaster recovery. Disaster recovery is a component of the business continuity plan that specifically focuses on product issues.
Now that you've learned everything there is to know about business continuity plans, use the following template to start creating one for your organization.
Business Continuity Plan Template
Name of Organization
I. Program Administration
1. [Purpose of the plan]
2. [Objectives of the plan]
1. [Members of the business continuity team with their roles and contact information]
2. [Other stakeholders with their contact information]
III. Business Impact Analysis
1. [Business Impact Analysis]
IV. Strategies and Requirements
1. [Proactive strategies to prevent crises]
2. [Reactive strategies to immediately respond to crises]
3. [Reactive strategies for long-term recovery from the crises]
V. Training and Testing
1. [Training schedule for employees]
2. [Testing schedule]
Part of your business continuity plan should also include how you intend to communicate to internal and external stakeholders should the worst case scenario become reality, how you plan to pivot from a crisis, and how to reflect and learn from it once it's over. Our Crisis Management Kit can help with that.
Editor's note: This post was originally published in March 2019 and has been updated for comprehensiveness.
Originally published Oct 14, 2020 8:00:00 AM, updated October 14 2020