The goal of risk management is not to eliminate all risks but to effectively reduce their likelihood and impact. One way to do that is through business continuity planning. 

Having a business continuity plan in place can help your organization keep operating at some capacity in the event of a disaster. 

Below, get straightforward answers to what a business continuity plan includes, why it’s important, and how to write one. You’ll also find a business continuity template to simplify the process.

What is a business continuity plan?

A business continuity plan is a document containing a predetermined set of procedures that describe how an organization will sustain its business operations during and after a significant disruption.

This disruption may be caused by a broad range of potential threats, including natural disasters, power outages, supply chain failures, technical failures, and cyberattacks.

What is business continuity management?

A business continuity plan is one part of business continuity management (BCM). BCM includes risk assessment, response planning, recovery, and long-term maintenance of the policies and procedures developed, tested, and used for crisis management.

What is the primary goal of business continuity planning?

The primary goal of business continuity planning is to identify preparations and recovery actions that can assist an organization in resuming operations and services as quickly as possible during and after a crisis.

For example, most business operations depend heavily on technology and automated systems, and the disruption of these IT systems for even a few hours may cause severe problems. Consider a Zoom outage. It may disrupt meetings with colleagues, customers, and prospects, and as a result delay important projects and deals. A company whose business continuity plan has already identified a substitute tool for video meetings will recover faster than a company without one.

To keep your business running as smoothly as possible through system failures, cyber attacks, natural disasters, and other major disruptions, you need two things: an awareness of the potential crises that could impact your organization's critical systems, tools, and skills, and a plan to deal with them.

Business continuity planning is also important for getting and staying compliant with some privacy and cybersecurity standards, including SOC 2®. Let’s take a look at this other reason for creating a BCP and keeping it up to date.

Who is responsible for business continuity planning?

Business continuity planning must be a top-down effort, meaning it must have the support and willing participation of a director or senior manager at the company. While that person acts as the executive sponsor, another individual should be appointed as the BCP coordinator. Depending on the size of the organization, a planning team representing all major areas of operations may also need to be appointed to assist the BCP coordinator.

This coordinator and/or business continuity team should be appropriately announced and empowered to execute on a range of responsibilities, including uncovering your business’s weaknesses and making plans to mitigate them, testing those plans to make sure they’re effective for different types of crises, and updating them as new threats emerge.

What’s the difference between business continuity, disaster recovery, and incident response plans?

There are several contingency plans and business continuity strategies that can help minimize the impact of catastrophic events. Let’s take a look at the three most common plans and how they differ from each other below.

Business continuity plan vs disaster recovery plan

The key difference between a business continuity plan and a disaster recovery plan is that a BCP provides procedures for sustaining business operations while recovering from a significant disruption, whereas a DRP provides procedures for recovering information systems operations after a significant system disruption, such as a major software failure or a natural disaster, typically by relocating them to an alternate location.

Many organizations choose to combine their business continuity and disaster recovery plans into a single document. However, some choose to create them as standalone documents.

Business continuity plan vs incident response

The key difference between a business continuity plan and incident response plan is that a BCP provides procedures for sustaining business operations while recovering from a significant disruption, whereas an IRP provides procedures for mitigating and correcting a system after a security incident, like a virus or Trojan horse.

An IRP should detail a recovery process for when security incidents do happen.

This is another crucial document that a SOC 2 auditor will likely review to determine your level of compliance with the Trust Services Criteria (TSC) you've selected.

Disaster recovery plan template

A disaster recovery plan outlines the procedures an organization will follow to recover and restore its critical systems, operations, and data after a disaster. Use this template to kick off your disaster recovery planning and customize it based on your organization's specific risks and objectives.

What does a business continuity plan typically include?

A business continuity plan typically includes the following:

  • Mission critical services, processes, and resources: Every BCP should include a list of mission critical services, processes, and resources. These need to be recovered first when a BCP event occurs to minimize downtime.
  • Alternative location considerations: During a significant BCP event, an organization may need to use back-up data centers, back-up sites for operations, remote locations, or other alternative locations. These are typically documented in the BCP along with considerations like the accessibility of these alternative sites, transportation alternatives to these sites, the number of staff necessary to perform critical activities at these sites, and other resources that will be required. 
  • Vendor relationships: Organizations may categorize vendors into risk levels and evaluate the risk in their BCPs.
  • Telecommunications services and technology considerations: Organizations typically detail strategies for maintaining operations during communications disruptions in their BCP. This may include using multiple telecommunication providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers.
  • Communication plans: Organizations typically establish contact information and communications plans with staff, customers, and other external third parties, including regulators, exchanges, and emergency officials, in their BCP as well. 
  • Regulatory and compliance considerations: Organizations typically include regulatory requirements in their BCPs and should regularly update them to include any new requirements. 
  • Review and testing methods: Organizations should include how their BCP is reviewed and tested and how often. For example, they may conduct full BCP tests at least annually or sooner if significant changes are made. They may also conduct employee training or require employees to review their BCP annually to ensure all personnel are familiar with the plan and their responsibilities. 
  • Recovery objectives: A BCP will typically include key recovery objectives that help organizations plan how quickly they need to recover data and systems in order to minimize disruptions and maintain smooth operations during unexpected events. These are defined below: 
    - RPO (Recovery Point Objective): RPO sets the limit for how much data loss a business can tolerate after a disruption. It defines the point in time to which data must be recoverable, i.e., the maximum interval between the last usable backup and the disruption.
    - RTO (Recovery Time Objective): RTO is the maximum acceptable amount of time for systems or processes to be down. It indicates how quickly a business needs to recover and resume normal operations after a disruption.
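RPO and RTO are only useful if you can measure against them. The script below, an added example rather than anything from the original article, parses a constructed backup-job log, finds the last successful backup before a disruption (a failed job does not advance the recovery point, which is the usual way an RPO is silently missed), and compares the resulting data loss and downtime with the RPO and RTO. It also reports the largest gap between successful backups, which is the worst-case data loss the schedule can produce. All timestamps, system names, objectives, and function names are constructed for the example.

```python
"""Check backup history and restore timing against RPO/RTO targets.

Added example, not from the original article: the log lines, system name,
objectives and function names below are all constructed.
"""
from datetime import datetime, timedelta

# Constructed backup log: one line per backup job, ISO-8601 UTC timestamps.
BACKUP_LOG = """\
2024-03-10T00:05:00Z db-prod full SUCCESS
2024-03-10T06:05:00Z db-prod incremental SUCCESS
2024-03-10T12:05:00Z db-prod incremental FAILED checksum mismatch
2024-03-10T18:05:00Z db-prod incremental SUCCESS
2024-03-11T00:05:00Z db-prod full SUCCESS
"""


def parse_ts(text):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into a naive UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_backup_log(text):
    """Return a list of (timestamp, system, status) tuples, one per log line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, _kind, status, *_ = line.split()
        records.append((parse_ts(ts), system, status))
    return records


def last_good_backup(records, system, disruption):
    """Most recent SUCCESSful backup of `system` completed at or before `disruption`.

    Failed jobs are skipped: they do not advance the recovery point.
    """
    candidates = [ts for ts, s, status in records
                  if s == system and status == "SUCCESS" and ts <= disruption]
    return max(candidates) if candidates else None


def evaluate_objectives(records, system, disruption, restore_done, rpo_hours, rto_hours):
    """Compare measured data loss and downtime against the RPO and RTO (in hours)."""
    recovery_point = last_good_backup(records, system, disruption)
    if recovery_point is None:
        raise ValueError(f"no successful backup of {system} before the disruption")
    data_loss = disruption - recovery_point      # work that cannot be restored
    downtime = restore_done - disruption         # how long the system was unavailable
    return {
        "recovery_point": recovery_point,
        "data_loss": data_loss,
        "rpo_met": data_loss <= timedelta(hours=rpo_hours),
        "downtime": downtime,
        "rto_met": downtime <= timedelta(hours=rto_hours),
    }


def max_backup_gap(records, system):
    """Largest interval between consecutive successful backups.

    This is the worst-case data loss the schedule can produce and must stay
    at or below the RPO, independent of any single incident.
    """
    good = sorted(ts for ts, s, status in records
                  if s == system and status == "SUCCESS")
    return max((b - a for a, b in zip(good, good[1:])), default=timedelta(0))


if __name__ == "__main__":
    recs = parse_backup_log(BACKUP_LOG)
    result = evaluate_objectives(
        recs, "db-prod",
        disruption=parse_ts("2024-03-10T15:00:00Z"),
        restore_done=parse_ts("2024-03-10T17:30:00Z"),
        rpo_hours=6, rto_hours=4,
    )
    for key, value in result.items():
        print(f"{key}: {value}")
    print("worst-case gap between good backups:", max_backup_gap(recs, "db-prod"))
```

With the constructed log, the 12:05 job failed, so the recovery point falls back to 06:05 and the data loss is 8 h 55 min against a 6-hour RPO: the RPO is missed even though a backup was scheduled inside the window, while the 2.5-hour restore still meets the 4-hour RTO. Running `max_backup_gap` over the schedule itself (12 hours here) is the check to put in the review and testing section of the plan, since it flags the problem before any disruption occurs.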

Business continuity plan example

This business continuity plan example from Santa Cruz Health is designed for different facilities to customize. Its purpose is to ensure that measures are taken to prepare and pre-position resources so that mission critical business functions and processes continue during an event that disrupts normal operations and impacts the essential functions of the facility. It is broken down into several sections, including:

  1. General: Describes the purpose of the BCP, as stated above.
  2. Activation: Briefly describes when the plan should be activated. 
  3. Overview: Briefly describes what the plan is, how it was developed, what steps need to be taken to ensure it’s effective, and what’s included. 
  4. Continuity requirements: Lists the facility’s mission critical services, processes, equipment and supplies, information technology applications, records, and business continuity personnel.
  5. Continuity and recovery actions: Lists procedures following the occurrence of different BCP events, including loss of power, loss of HVAC, and relocation of departmental services to an alternate location.  

How to write a business continuity plan

Now it’s time to start formulating and building out your business continuity program. To guide you through the business continuity planning process, we’ve broken it down into six key steps. We’ve also provided a template below to help get you started.

1. Conduct a business impact analysis

The first major task of writing a BCP is conducting a Business Impact Analysis (BIA) to identify critical IT infrastructure and functions and the impact that a disruption—such as a natural disaster, pandemic outbreak, cyberattack, or system failure—could have on those functions. For example, some environmental threats may be likely to cause physical damage to your building. Other types of threats may have an impact on your staff and their families. 

Consult with department heads and conduct interviews or surveys to gather information about the resources required to maintain key operations (personnel, technology, facilities); the time-sensitive nature of each function or process (i.e., how long the organization can operate without it before experiencing serious consequences); dependencies between functions, departments, and external partners; and the financial, operational, and reputational impact of a disruption.

The risks that are most threatening to your operations should be prioritized. 

2. Identify critical elements of your organization

The next major task is identifying the tools, systems, and skills that are essential to your operations and how critical each one is to recover. You can kick off brainstorming by posing the question, "How do we achieve our goals?"

For example, let’s say one of your mission critical services is fundraising. In that case, a critical asset might be pledge cards. The vendor that prints your pledge cards would also be considered critical. 

When identifying these systems, tools, and skills, you’ll also want to determine what resources would be required to restore them and therefore resume the mission critical services and business processes they are part of. Examples of resource requirements are facilities, personnel, equipment, software, data files, system components, and vital records.

This will help determine priority levels for sequencing recovery activities. In other words, what needs to be restored first in order to get back to work as quickly as possible during and after a crisis?
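Sequencing recovery is a dependency problem: a service cannot be restored before the things it depends on, and among the elements that are ready to restore, the one with the tightest RTO should go first. The script below is an added example, not part of the original article or the Santa Cruz Health plan; the inventory of elements, their dependencies, restore durations and RTOs are constructed, and the function names are assumptions. It derives a recovery order from the dependency graph, refuses a plan whose dependencies form a cycle, and then checks whether restoring serially in that order still meets each element's RTO, which is the question step 2 is really asking.

```python
"""Sequence recovery of critical elements from dependencies and RTOs.

Added example, not from the original article: the inventory, durations
and function names are constructed for illustration.
"""
import heapq

# Constructed inventory: name -> (dependencies, restore_hours, rto_hours)
INVENTORY = {
    "network":        ((),                        1, 2),
    "identity":       (("network",),             1, 4),
    "database":       (("network",),             8, 8),
    "crm":            (("identity", "database"), 2, 12),
    "video-meetings": (("identity",),            1, 24),
    "fundraising":    (("crm",),                 1, 24),
}


def recovery_order(inventory):
    """Return a restore order that respects dependencies.

    Among elements whose dependencies are already restored, the one with the
    tightest RTO is restored first (ties broken by name for determinism).
    Raises ValueError if a dependency is unlisted or the graph has a cycle,
    because such a plan cannot be executed.
    """
    remaining = {name: set(deps) for name, (deps, _, _) in inventory.items()}
    for name, deps in remaining.items():
        unknown = deps - set(inventory)
        if unknown:
            raise ValueError(f"{name} depends on unlisted element(s): {sorted(unknown)}")

    # Reverse edges so a restored element can release the things that need it.
    dependents = {name: [] for name in inventory}
    for name, deps in remaining.items():
        for dep in deps:
            dependents[dep].append(name)

    ready = [(inventory[n][2], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (inventory[child][2], child))

    if len(order) != len(inventory):
        stuck = sorted(set(inventory) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def schedule(inventory, order):
    """Simulate restoring elements one after another in the given order.

    Returns {name: (finish_hour, rto_met)} so the plan owner can see which
    RTOs are unachievable with a purely serial recovery.
    """
    clock = 0
    result = {}
    for name in order:
        _, hours, rto = inventory[name]
        clock += hours
        result[name] = (clock, clock <= rto)
    return result


if __name__ == "__main__":
    order = recovery_order(INVENTORY)
    print("recovery order:", " -> ".join(order))
    for name, (finish, ok) in schedule(INVENTORY, order).items():
        print(f"{name:15s} restored at hour {finish:2d}  RTO {'met' if ok else 'MISSED'}")
```

With the constructed inventory the order is network, identity, database, crm, fundraising, video-meetings. The database finishes at hour 10 against an 8-hour RTO, so its RTO is missed even though nothing was sequenced wrongly: the fix has to come from the plan (a faster restore method, a warm standby, or a relaxed objective), which is exactly the kind of finding the review and testing stage should surface.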

3. Identify ways to mitigate risks

Now that you understand your organization’s unique risks and critical elements, you’re ready to create a plan of action. 

Start by identifying strategies that will eliminate the risks you identified in step 1 entirely. If that's not possible, identify strategies that will lessen their impact. For example, it's impossible to eliminate environmental threats like snowstorms entirely. Instead, you can create a procedure for your employees and contractors to work remotely if a snowstorm makes it impossible or difficult to get to the office. This will require that all employees and contractors have the appropriate supplies and equipment and receive the same communications.

These mitigation strategies are designed to eliminate or lessen the impact of a threat before a crisis and should therefore be implemented as quickly as possible. 

4. Identify ways to prepare for and recover from the loss of any critical elements

Since it is impossible to eliminate all threats facing your organization, your next step is to identify as many strategies as possible for dealing with the loss of each critical element identified in step 2.  

For example, installing protective systems like a security system, fire alarm system, regular data backups, and antivirus software can all be considered strategies to prepare for and recover from the loss of critical elements caused by theft, vandalism, environmental hazards, cyber attacks, and other threats.

The goal is to come up with as many preparedness strategies as possible in order to best prepare and recover from the loss of mission critical assets during and after a crisis.

During the review or testing stage, you can remove any strategies that are too time-consuming or expensive.

5. Prepare for how you will respond after a crisis

Now that plans and strategies are in place, you can take steps to improve the efficiency and quality of your organization’s response to a crisis to help you get back to work as quickly as possible if a disaster strikes. 

Consider creating a recovery team that can assess your losses and initiate recovery actions after a crisis. The roles and responsibilities of this team can be documented in your BCP. 

6. Update and test your business continuity plan

Your business continuity plan is a living document. It should be updated to reflect the evolving risks and needs of your business. Whether you’re integrating new software that suddenly crashes or bringing on a new management team member, your BCP should reflect these changes.

Even if there are no major changes impacting your business, you should still test your business continuity plan at least once a year. This is both a best practice and a compliance requirement. You can use a variety of testing methods, including tabletop exercises and simulation tests.

Testing and keeping documentation like this up to date is an important part of continuous compliance.

Business continuity plan template

Use this template to begin identifying the risks, critical elements, mitigation actions, and preparedness strategies that will make up the basic components of your business continuity plan.

FAQs

What are the benefits of a business continuity plan?

Implementing and maintaining an effective business continuity plan offers a range of emergency management benefits, including:

  • reduced costs and impact on business performance when a disruption occurs
  • a consistent, organization-wide approach to responding to and recovering from a significant disruption
  • assurance for clients, suppliers, regulators, and other stakeholders that the organization has systems and processes in place for business continuity
  • improved business performance and organizational resilience
  • a better understanding of the business, its critical issues, and areas of vulnerability

What are the 5 components of a business continuity plan?

While every business continuity plan is unique, five key components are: 

  • Risks and their potential business impact and likelihood of occurrence
  • Mission critical services, processes, and resources
  • Risk mitigation actions
  • Preparedness strategies to prepare for and recover from the loss of any critical elements
  • Training, testing, and plan maintenance

What are the 4 P’s of business continuity?

The four P's of business continuity are people, processes, premises, and providers. Below are definitions of each:

  • People: This includes your employees and customers.
  • Processes: This includes the technology and processes your business uses to keep everything running.
  • Premises: This includes the buildings and spaces from which your business operates.
  • Providers: This includes partners, vendors, and suppliers that your business relies on for resources. 

What is a real-life example of business continuity?

A real-life example of business continuity is the response to the Cape Town water crisis, which began in 2015. During a period of severe drought, Cape Town implemented several response and recovery strategies that averted the catastrophe of running out of water, a point referred to as "Day Zero." These strategies included innovative pressure reduction methodologies to curb water losses, a sustained reduction in water use, and effective public communication and awareness programs.

How do I write a BCM plan?

Below is a step-by-step process for writing a BCM plan:

  1. Identify and assess risks (the 4 P's can be used as a framework)
  2. Identify mission critical products, services, or functions
  3. Evaluate the potential impact of risks and disruptions to critical elements
  4. List actions to mitigate these risks
  5. List strategies to prepare for and recover from the loss of any critical elements 
  6. Maintain, review, and continuously update the business continuity plan

Why do business continuity plans fail?

Business continuity plans fail for a variety of reasons, with the most common being a lack of buy-in from top management. Other reasons are that no one is appointed to take ownership of business continuity planning, or the plan isn’t tested and updated regularly to keep up with changes affecting the business.


SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.