Business Continuity Plans 101
In previous articles, Castellan has espoused the value of using a management systems approach to business continuity and articulated the notion that business continuity is more than just a collection of plan documentation. This approach is reflected in many different standards, including ISO 22301.
Even though business continuity plans are only one component of a larger business continuity planning effort, they are what guide the organization through every phase of response and recovery following a disruptive incident, from the initial response and assessment to the eventual return to normal operations. Effective planning ensures that response and recovery efforts align with the expectations of all interested parties and provides a repeatable approach to minimizing downtime.
This perspective explores the different types of business continuity plans that Castellan finds to be the most effective for organizations and examines their purpose within a wider business continuity strategy.
The Crisis Management Plan
The crisis management plan has many different names depending on the organization using it. For example, the term “incident management plan” is also commonly used. In reality, the name does not matter; what matters is the function that the plan serves. Crisis management plans provide a structured response to a disruptive incident that could threaten the survivability of an organization. An effective crisis management plan will typically represent high-level tasks that members of an organization will undertake to respond to and recover from an incident. In order to facilitate this response, effective crisis management plans:
- Introduce a structure to convene the right people to assess the situation and understand the impact – or potential impact – associated with the disruptive incident
- Use an organization’s risk appetite to define when the plan will be activated
- Summarize the priority of the activities and resources that need to be recovered within the organization
- Define the roles and responsibilities of those that will execute crisis management activities
- Document where the crisis management team will meet
- Provide recommended courses of action and direction that will allow participants to work through a disruptive incident
Crisis management plans are designed with higher-level managers in mind and reflect the coordination of response and recovery tasks throughout the organization. Crisis management plans typically do not focus on the recovery activities that enable a single business process or activity. Rather, they provide the resources and guidance that allow the organization as a whole, or perhaps a location or major business unit, to recover, and they allow the organization’s resources to be redistributed, as needed, to execute a prioritized response and recovery. There is no rule on who should participate in a crisis team or who will lead the organization’s response, but in general it should be composed of individuals who can make decisions on behalf of the organization.
The Crisis Communications Plan
A crisis communications plan serves to supplement crisis management activities by coordinating two-way communications with key internal and external interested parties. Many different entities may be affected by, or could contribute to the recovery, including employees, customers, business partners, regulators, and suppliers. A crisis communications plan helps to minimize the communications burden and increase the timeliness of messaging and feedback by providing a framework that defines who (to communicate with), how (to deliver the message or receive information), and what (to say). In order to facilitate effective communications, crisis communications plans should:
- Identify those individuals that will serve on a communications team and have the responsibility for communicating with internal and external stakeholders
- Identify those different stakeholder groups that will need to receive communications, such as customers, business partners, regulators, suppliers, etc.
- Determine the primary and secondary methods of communicating with the identified stakeholders
- Develop the type of content that needs to be distributed to each of these different stakeholders (Note: this may result in the development of pre-written holding statements relevant for each group)
- Determine when and how often different stakeholder groups will need to be contacted
- Contain general guidance for employees, and media-handling reminders for those involved in the organization’s response
Those serving in communications roles need to be familiar with the organization’s communications capabilities, any legal implications associated with public communications, and key sources of information that could affect response and recovery. Ideally, organizations will have representatives from a communications, public affairs, and/or human resources department who are natural participants for this role. In some cases, organizations may employ third parties or public relations firms to assist with message development and delivery, but organizations should always remember that they remain ultimately responsible for the success or failure of any communications activities.
Crisis communications plans often contain communications reminders, as well as reference materials such as pre-defined audiences and holding statements. The type of situation will dictate those groups and requirements to be considered, but having an idea of possible audiences that would likely be affected and providing guidance on what to communicate can minimize reputational damage resulting from poor communication.
The Business Continuity Plan
Business continuity plans focus on the recovery of business activities and resources that support the creation and delivery of products and services, or as ISO 22301 notes: “[business continuity plans] typically cover resources, services and activities required to ensure the continuity of critical business functions.” The orientation of a business continuity plan is also similar to a crisis management plan in some ways; however, the scope is the primary differentiator. While a crisis management plan seeks to recover an organizational entity by coordinating recovery activities, a business continuity plan works to restore a subset of related activities and resources. Effective business continuity plans often have the following characteristics:
- A well-defined scope based on the activities that need to be resumed to support the organization’s products and services
- Department or plan-specific assumptions concerning resource availability or prioritization following the onset of a disruptive incident
- Defined roles, responsibilities, and contact information of those that will be executing recovery procedures
- Alternate work locations
- Methods of communication with team members
- Recommended courses of action and tasks that will allow participants to recover and operate in “recovery mode”
- Return to normal procedures
- Provisions for communicating progress and resource requests with the crisis management team, other departments, and third-parties, if appropriate
The key to any successful business continuity plan is its focus on the resumption of business activities. A successful organizational recovery may resemble a series of business continuity plans being activated, working to recover business activities in a prioritized fashion, reporting progress and issues to the crisis management team, and allocating resources in accordance with the organization’s priorities. To support this process, the phased or structured recovery activities in a business continuity plan should mirror those in the crisis management plan; put simply, the two plans should share a similar structure.
In some situations business continuity plans may be activated without the activation of a crisis management plan, and vice versa. Flexible, mature business continuity programs may allow for this type of activation, and successful execution depends on the maturity of the business continuity plans and the experience of the plan owner. While these plan owners are responsible for the business activities they oversee, they may be subject to the higher-level decision-making authority exercised by the crisis management team. This relationship between the department-level recovery team and the crisis management team is critical to maintaining an effective recovery during and following an interruption.
The IT Disaster Recovery Plan
A simple search on the internet for business continuity will typically yield two types of results. The first type of result is the more standard approach for business continuity as the discipline to continue operations and product and service delivery. The second type of result refers to business continuity as a very IT-centric system where plans do not necessarily recover departments and their activities but the IT systems, data, and communications assets that help enable these areas. These technology-centric plans are often known as IT disaster recovery plans.
IT disaster recovery plans are distinguishable from business continuity plans in a few key ways: 1) they tend to be very focused on the technical details required to restore a technology asset, and 2) recovery steps in an IT disaster recovery plan are often much more prescriptive than those in crisis management and business continuity plans. IT disaster recovery plans are also typically designed to be executed by IT practitioners, not participants in general business or operational areas. It is worth noting, though, that end users of a given system or application may be involved in validation and testing.
Effective IT disaster recovery plans generally:
- Align to business expectations through defined and approved recovery objectives, in terms of both recovery time (the recovery time objective, or RTO) and data loss tolerance (the recovery point objective, or RPO)
- Are able to define what functionality the application will serve once recovered, based on approved end-user requirements
- Contain technical specifications for infrastructure required to restore the system or application (e.g. hardware, software, and bandwidth requirements, etc.)
- Detail any specific recovery considerations, such as timing, security considerations, licensing information, catch-up considerations, access methods, and upstream and downstream dependencies
- Detail who will manage the recovery, execute recovery tasks, and validate and test the recovered technology asset
- Detail step-by-step procedures to recover the technology, and also return the technology asset to normal following the conclusion of the incident
- Document contact information for IT’s customers and the technology asset’s end users, so IT recovery participants can notify stakeholders after the restoration completes (or in the event a technology asset cannot be recovered)
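Two of the items above, approved recovery objectives and upstream/downstream dependencies, are where a disaster recovery plan is most often found to be unachievable only during an exercise. The following Python is an added illustration, not code from the original article or from Castellan, of how a plan owner can check those items on paper before the exercise: it orders the restores so that every upstream dependency comes first, accumulates the resulting recovery times, and compares them against each asset’s RTO, while also comparing the backup cadence against the RPO. The asset names, figures and dependency edges are constructed sample data, and the timing model (an asset starts restoring only once all of its upstream dependencies are recovered, and independent restores run in parallel) is an assumption of the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One technology asset as it would appear in an IT disaster recovery plan.
    All times are in minutes. The figures used below are illustrative assumptions."""
    name: str
    rto_min: int                 # approved recovery time objective
    rpo_min: int                 # approved data-loss tolerance (recovery point objective)
    restore_min: int             # estimated time to execute the restore procedure
    backup_interval_min: int     # how often the asset's data is actually backed up
    depends_on: list = field(default_factory=list)  # upstream assets that must be up first


def recovery_order(assets):
    """Return asset names in an order that respects upstream dependencies
    (Kahn's topological sort). Raises ValueError on unknown or circular dependencies,
    both of which mean the plan cannot be executed as written."""
    by_name = {a.name: a for a in assets}
    indegree = {a.name: 0 for a in assets}
    downstream = {a.name: [] for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown asset {dep!r}")
            indegree[a.name] += 1
            downstream[dep].append(a.name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for d in downstream[name]:
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if len(order) != len(assets):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def validate_plan(assets):
    """Map each asset name to a list of findings; an empty list means both the RTO
    and the RPO are achievable. Assumes an asset can only start restoring once
    every upstream dependency is recovered, and that restores of independent
    assets run in parallel."""
    by_name = {a.name: a for a in assets}
    recovered_at = {}
    findings = {}
    for name in recovery_order(assets):
        a = by_name[name]
        # Earliest start is when the slowest upstream dependency is back.
        start = max((recovered_at[d] for d in a.depends_on), default=0)
        recovered_at[name] = start + a.restore_min
        problems = []
        if recovered_at[name] > a.rto_min:
            problems.append(
                f"RTO miss: recovered at T+{recovered_at[name]} min, RTO is {a.rto_min} min")
        if a.backup_interval_min > a.rpo_min:
            problems.append(
                f"RPO miss: backups every {a.backup_interval_min} min, RPO is {a.rpo_min} min")
        findings[name] = problems
    return findings


# Constructed sample plan (illustrative names and figures, not real systems).
SAMPLE_ASSETS = [
    Asset("identity", rto_min=60, rpo_min=60, restore_min=30, backup_interval_min=60),
    Asset("database", rto_min=240, rpo_min=15, restore_min=90, backup_interval_min=60,
          depends_on=["identity"]),
    Asset("erp-app", rto_min=120, rpo_min=60, restore_min=45, backup_interval_min=60,
          depends_on=["database", "identity"]),
    Asset("file-share", rto_min=480, rpo_min=1440, restore_min=20, backup_interval_min=1440,
          depends_on=["identity"]),
]


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_ASSETS)))
    for asset, problems in validate_plan(SAMPLE_ASSETS).items():
        print(f"{asset}: {'OK' if not problems else '; '.join(problems)}")
```

On the sample data the check surfaces the two findings a plan review typically misses: the ERP application cannot meet its 120-minute RTO because it has to wait for both identity and the database to be restored first (it comes back at T+165), and the database’s hourly backups cannot satisfy a 15-minute RPO no matter how fast the restore runs. Either finding means the approved objectives and the plan need to be reconciled before the plan is exercised.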
IT disaster recovery plans are very important when one considers how intertwined organizations are with technology, but it is important to note that IT disaster recovery plans are not, by themselves, a complete business continuity strategy.
The four types of business continuity plans presented in this article represent only a sampling of the plans available to organizations. In addition to emergency response plans that address health and safety issues (e.g., evacuation or shelter-in-place), organizations may choose to create IT-specific crisis management plans or even plans based on different threat scenarios. Planning documentation is important to business continuity strategy development, but plans should serve as tools that facilitate a response; they should never inhibit the decision-making of experienced personnel or override common sense.
In the meantime, don’t hesitate to reach out to us for more information or assistance in developing business continuity plans and strategies for your organization. We look forward to hearing from you!