What is Business Continuity?
Business continuity is the process of minimizing the risk of disruption. More specifically, business continuity means working to decrease the likelihood of a disruptive incident and preparing your organization to continue delivering its most essential products and services if a disruption were to occur.
A business continuity process should result in two things:
- An understanding of the disruption-related risks that the business faces.
- Confidence from executives in the organization’s ability to respond and recover.
We call this the right level of resiliency. Business continuity is also known as continuity planning, organizational resilience, or business continuity management.
This is how business continuity works:
- First, identify the critical products or services that need to be protected.
- Next, identify risks to those products or services; these most often concern the resources needed for delivery, specifically people, technology, facilities, equipment, and third parties.
- Once resources are identified, implement strategies that protect key resources (such as remote work, manual processes, or alternate facilities).
- From there, you can document business continuity plans that outline how to implement recovery strategies.
- Finally, perform exercises to confirm that the plans and strategies work as expected.
There is a range of disciplines related to business continuity, including:
- Emergency Management: Emergency management is a discipline focused on facility-specific issues involving life-safety and property protection.
- Disaster Recovery: Also known as IT disaster recovery, this is a discipline focused on protecting and recovering technology and data.
- Risk Management: Business continuity is a special type of risk management process. Other risk management processes include compliance and information security.
- Crisis Management: This effort is focused on the executive response to disruption and is a key part of business continuity.
- Crisis Communications: This effort is focused on the communications aspect of responding to a disaster. It goes hand in hand with Crisis Management.
Why Do I Need Business Continuity?
Business continuity helps protect an organization regardless of what disaster may occur. And, that’s important in today’s increasingly unpredictable world! Whether it’s unscheduled technology downtime, a supply chain disruption, a natural disaster, or a man-made event, organizations of all sizes recognize that they need to be ready for just about anything.
Most organizations build a BC program for one of three reasons:
- Customers Demand It (most common in B2B)
- Regulators Demand It (most common in banking and energy)
- Board or Senior Executives Demand It (recognizing their fiduciary responsibility)
All these groups are demanding business continuity as a way to protect the organization over the long-term.
Who is Responsible for Business Continuity?
It varies. Every organization is unique; however, a good rule of thumb is that the program should be placed with an executive who has the respect of others and good visibility into the rest of the organization.
Common owners of business continuity include:
- Chief Financial Officer (CFO): This is a recommended location for a business continuity program since the CFO has great visibility into the rest of the organization and is focused on protecting revenue.
- Chief Operations Officer (COO): This is a recommended location for a business continuity program since the COO understands the processes needed to deliver key products and services.
- Chief Information Officer (CIO): We recommend that you avoid assigning the CIO as the program sponsor for business continuity because it often creates the belief this is a technology-focused effort (it’s not!).
- Audit Director: We also recommend that you avoid assigning the Audit Director as the program sponsor since their role is focused on oversight, not execution.
Regardless of who owns the program, cross-functional input throughout the process is essential to select solutions that fit the organization. Most business continuity standards also require senior executive involvement.
How To Build a Business Continuity Program?
Business continuity planning is an ongoing process, not a one-time project. There are six main, recurring planning phases, or activities, that enable an organization to develop an effective program aligned to the strategy of the organization. Let’s take a closer look at each.
During the Startup phase, the organization determines why business continuity is important, who should be involved in the program, and what the scope of the program should include. To do this, Castellan completes a Frame meeting with the Business Continuity Steering Committee. When determining the scope of the program, Castellan recommends identifying which departments contribute to the production and delivery of the organization’s key products and services. We’ve included more on this topic below.
The Analysis phase is used to document the business activities, or processes, of in-scope departments, along with their dependencies (applications, people, suppliers, facilities, and equipment) for completing the identified activities. These activities and dependencies are captured during the business impact analysis. As part of this process, an organization should identify its overall risks and determine whether to accept or address each one. For more information on this topic, check out our ultimate guide to the business impact analysis.
The Strategy phase is when an organization determines the strategies it will use to recover different dependencies during a disruption in order to continue the delivery of the organization’s key products and services. A few quick examples of strategies include:
- Loss of Facility: Secondary locations, work from home capabilities
- Loss of Applications: Manual workarounds, alternate data sources
- Loss of Suppliers: Alternate vendors, in-sourcing activities, safety stock of supplies
- Loss of People: Cross-functional employees, third-party contractors
Business continuity plans are used to help an organization respond to and recover from a disruptive incident. Plans should focus on the people that need to be involved and the procedures that need to be activated to return to normal (based on the determined strategies) following an incident. At Castellan, we create resource loss-based plans rather than threat-based plans, and we recommend that you do the same! This approach allows you to be prepared for a countless number of threats.
The Exercise phase is where business continuity plans are tested and validated. During this phase, plan participants are asked to demonstrate how they would respond to an incident. There are a variety of exercise types that can be completed based on your specific goals. That said, the most important part of exercising is that participants become familiar with their recovery responsibilities, the plan is validated, and improvement opportunities are identified and addressed.
Documenting a BC program and “leaving it on the shelf” negates all of the hard work you put into the program. Organizations change and evolve, and your business continuity program needs to do the same as personnel change, new suppliers and applications come into use, and the critical products and services that affect your organization’s bottom line evolve. The Improve phase ensures that a program continues to evolve alongside the business. After completing a business continuity program, it is important to continue to refresh and develop the program, track the program’s success, and determine short- and long-term action items in order to help it grow.
How To Scope Your Business Continuity Program
Properly determining the scope of your program is the difference between a successful business continuity program and one that stalls with endless analysis. Here are three steps to properly scope your program:
Understand Stakeholder Requirements
Stakeholders include customers, regulators, management, and other interested parties. Examples of these requirements include:
- Contractual Obligations (service level agreements)
- Regulatory Requirements
- Customer Promises
- Employee Commitments
- Health/Safety Requirements
Documenting stakeholder requirements allows the steering committee to effectively set the scope of the program using products and services.
Define Products and Services
Defining products and services is an effective way to manage the scoping effort at a strategic level because management, employees, regulators, and customers easily understand them. They create value! The program scope should include those products and services that, if interrupted, would result in missed obligations or unacceptable consequences.
Map Products and Services to Departments
Once the organization defines a list of “in-scope” products and services, it can map departments or business units back to these products and services (remembering that not every department will be included). This exercise:
- Provides clarity on the departments that must be addressed by business continuity; and
- Provides insight into the time and resources required to implement business continuity.
To take your scoping effort even further, download our free guide to building executive support for business continuity.
Types of Business Continuity Plans
There are four main types of business continuity plans – Crisis Management, Crisis Communications, Business Recovery, and IT Disaster Recovery – that all work together to create a seamless response to a disruption. Let’s take a closer look at each.
Crisis Management Plan
Crisis management plans supply a structured response to a disruption that could threaten the survivability of an organization. An effective crisis management plan includes high-level tasks for executives to respond to an incident.
Effective crisis management plans:
- Introduce a structure to gather the right people to assess the situation and understand the impact – or potential impact – associated with the disruption
- Define when to activate the Crisis Management Team
- Summarize the desired timing of activity and resource recovery
- Define the roles and responsibilities of those that will lead the response
- Document where the Crisis Management Team will meet
- Provide procedures to work through an incident
- Address roadblocks getting in the way of a successful recovery
Crisis management plans typically do not focus on recovering activities. Rather, crisis management supplies the resources and guidance to allow the organization to recover in a timely manner by eliminating issues impacting a successful recovery. There is no rule on who should take part in a Crisis Management Team, but in general, it should include individuals that can make decisions on behalf of the organization.
Crisis Communications Plan
A crisis communications plan serves as a supplement to a crisis management plan by coordinating two-way communications with key internal and external interested parties. Many different entities may be affected by, or could contribute to, the recovery effort, including employees, customers, partners, regulators, and suppliers. A crisis communications plan helps to minimize the communications burden and increase the timeliness of messaging and feedback by providing a framework that defines who (to communicate with), how (to deliver the message or receive information), and what (to say). To enable effective communications, crisis communications plans should:
- Include people with responsibility for communicating with internal and external stakeholders
- Document the stakeholder groups that will receive communications, such as customers, partners, regulators, suppliers, etc.
- Determine the primary and secondary methods of communicating with the identified stakeholders
- Include default content that will be distributed to each of these different stakeholders
- Determine when and how often different stakeholder groups will be contacted
- Have general guidance for employees and media reminders for those involved with the organization’s response
Ideally, organizations have representatives from Communications, Public Affairs, and/or Human Resources who participate in this plan. Organizations may also employ third parties or public relations firms to aid with message development and delivery.
Business Continuity Plan
Business continuity plans focus on the recovery of activities and resources that support the creation and delivery of products and services, or as ISO 22301 notes: “[business continuity plans] typically cover resources, services and activities required to ensure the continuity of critical business functions.” The orientation of a BC plan is similar to that of a crisis management plan in some ways; however, the scope is the primary differentiator. While a crisis management plan looks to respond in a timely manner to enable the recovery of an organizational entity, a business continuity plan works to restore a subset of related activities and resources. Effective business continuity plans often have the following characteristics:
- Clear scope based on the activities that support the organization’s products and services
- Documented assumptions concerning resource availability or prioritization following the onset of a disruptive incident
- Defined roles, responsibilities, and contact information of those involved
- Alternate work locations
- Methods of communication with team members
- Recommended courses of action and tasks that will allow participants to recover and run in “recovery mode”
- Return to normal procedures
- Provisions for communicating progress and resource requests with the crisis management team, other departments, and third parties, if appropriate
In some situations, business continuity plans may be activated without the activation of a crisis management plan, and vice versa. Flexible, mature business continuity programs allow for this type of decentralized or isolated activation. The relationship between the department-level recovery team and the crisis management team is critical in supporting an effective recovery during and following a business disruption.
IT Disaster Recovery Plan
IT disaster recovery plans are focused on the technical details required to restore a technology asset. IT disaster recovery plans are also typically designed to be executed by IT practitioners.
Effective IT disaster recovery plans:
- Align to organizational expectations through defined and approved recovery objectives (in terms of both recovery time and data loss tolerance)
- Can define what functionality the application will serve once recovered, based on approved end-user requirements
- Have technical specifications for infrastructure required to restore the system or application (e.g. hardware, software, bandwidth requirements)
- Detail any specific recovery considerations, such as timing, security considerations, licensing information, catch-up considerations, access methods, and upstream and downstream dependencies
- Detail who will manage the recovery, execute recovery tasks, and confirm and test the recovered technology asset
- Detail step-by-step procedures to recover the technology, as well as how to return the technology asset to normal following the conclusion of the incident
- Document contact information for IT’s customers and the technology asset’s end-users, so IT recovery participants can notify stakeholders after the restore process completes (or in the event a technology asset cannot be recovered)
IT disaster recovery plans are important when one considers how intertwined organizations are with technology, but it is important to note that IT disaster recovery plans are not, by themselves, a complete business continuity strategy.