The Only Guide You Will Need
From the definition of business continuity and its related plans, to the description of the planning involved in establishing the business continuity plan, right down to its management, we cover everything in this ultimate Business Continuity guide.
20 min Read
What Is Business Continuity?
High-profile events and disasters such as terrorist attacks, natural disasters, and data breaches have increased global awareness of the need for robust business continuity practices and strategies.
Business continuity encompasses the people. processes, technologies, and frameworks needed for an organization to ensure the continuous delivery of critical business functions when a disaster occurs. The business continuity definition also includes the prevention and mitigation of such disruptions from happening in the first place.
Company leaders have a crucial role to play in ensuring the resilience and continuity of business operations during crisis events.
Business continuity does not have an end date or state. It is a continuous process that keeps on evolving to adapt to never-ending business transformations and changes in the business environment.
Business Resilience vs. Business Continuity: What’s the Difference?
Although both terms are sometimes used interchangeably within business circles, there are several subtle differences.
Business resilience describes the ability to return to a state of functionality that may either be the same as prior to a disruptive event, or a new state that enables operations in a new reality. It includes disaster response, incidence response, and business continuity management. A truly resilient organization is impervious to the effect and fallout of various kinds of disasters or disruptions.
On the other hand, business continuity assists companies to return to functional status by addressing the consequences of outages and disruptions to business operations. The goal of business continuity is to return the business to a state of operation/functionality prior to a disruptive event, in the shortest amount of time and with the least amount of disruption. It does this by reducing and preventing data loss and the risk of reputational harm by mitigating the consequences of disastrous events.
Essentially, business continuity is concerned with helping a company resume operations immediately when a disaster occurs while business resilience is the company’s ability to resist and adapt to disruptive events or trends.
The Plans in Business Continuity
Multiple plans result from the business continuity planning process. They are all considered part of the business continuity plan (BCP).
Business Continuity Plan (BCP): business continuity initiatives, strategy, policies, standards, and planning activities produce this plan. It is all encompassing and includes the other plans below, or at least references to them.
Disaster Recovery Plan (DRP): this plan will focus on business continuity from an IT / technology infrastructure standpoint.
Crisis Management Plan (CMP): this identifies the chain-of-command and provides criteria to determine if a crisis has occurred —and therefore the activation of the BCP and related emergency response— the reporting and response management of the crisis, along with a communication plan.
Emergency Response Plan (ERP): also called Incident Response Plan, this details the actions that need to take place to mitigate the immediate effects or consequences of an event responsible for business disruption. The priority of this plan is the safety of people directly or indirectly involved in the business. Then comes the protection of the business infrastructure (IT, building, equipment). Once the response phase is completed, it is possible to move to the Restore, Recover and Resume phases.
What Does Business Continuity Mean in a Business Emergency?
It means that the organization has made adequate preparations and has the ability to execute a business continuity plan that addresses customers, people, processes and technology.
Ensuring Services or Products Are Delivered (Customers)
At its core, business continuity proactively ensures that organizations can still execute mission-critical operations and deliver products or services to customers during a disruption.
Proper business continuity mandates different responses to different levels of threats and disruptions. This is done for one major reason – to ensure that the products and services that are most vital to customers aren’t disrupted.
Supporting Employees (People)
The scope of business continuity covers the safety and security of human resources – from executive and middle management down to frontline workers – along with organizational assets and systems.
Since disasters and business emergencies can be confusing, business continuity planning takes cognizance of how, when, and what kind of information is delivered to employees…once disaster strikes.
To help support company staff during operational disruptions and emergencies, business continuity ensures that employees have key information on how the organization plans to respond. Everyone needs to know what to expect from the BCM team as it implements strategies to navigate the company back to a state of normalcy.
Knowing Which Steps and Actions to Take (Process)
Company management and key personnel need to know what steps to take when faced with incidents that result in a business emergency.
A business continuity plan typically includes the contact information of relevant personnel, a guide on how to use the BCP document as well as clear guidelines on what to do to maintain critical operations. The plan should be honest about service level agreements (SLA), recovery point and recovery time objectives (RPO and RTO) and identify what employees should or should not do to assist processes, facilities, and team members stay operational and productive.
The Crisis Management and Emergency Response plans would actually provide detailed step-by-step procedures to follow to address particular situations addressed in the BCP.
Having the Right Disaster Recovery Solution in Place (Technology)
It’s imperative for organizations going through the business continuity planning process to leverage the right technologies.
In recent years, there has been a significant increase in the number of disaster recovery (DR) solutions, due to the prevalence of cloud computing applications and the aftermath of the COVID-19 pandemic.
Depending on their DR needs, enterprises can build or rent off-site disaster recovery facilities or leverage a variety of cloud-based options such as disaster recovery as a service (DRaaS). These offerings come with a range of tools and services that offer incident response capabilities such as DR, backup, and restore to prevent data loss and ensure the high availability of IT systems and databases. It is all about having the right solution to execute the DR plan.
Managing Business Continuity: The BC Management Team
While business continuity processes and strategies are designed to help organizations stay on track during unexpected disruptions, the success of these strategies depends largely on how well they are executed.
Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. They provide the insight, focus, and leadership that keeps a business on its feet when disaster strikes. As such, deciding who is responsible for business continuity planning, and collating the resources and technologies needed to help them operate effectively are indispensable parts of business continuity initiatives.
Putting together a strong BCM team is challenging. A world-class business continuity team is cross-functional and includes personnel drawn from pockets of expertise across the entire organization, from executives to team members drawn from legal, facilities, finance/accounting, IT, HR, etc. The roles and responsibilities of individual BCM team members are outlined in the business continuity policy.
Regardless of company size, industry vertical, or business objectives, the BCM team should comprise the following:
Every BCM team must be headed by a company leader with the skill and experience to oversee business continuity efforts and make high-level decisions on the focus of the BCM team. The sponsor is usually drawn from the ranks of senior management.
For large enterprises, the Risk Management Officer may lead the BCM team assisted by someone from the IT department. In smaller organizations, the CTO or CFO may be picked to head the BCM team.
The Business Continuity Steering Committee or Office
This is an interdisciplinary team at the C-suite level usually made of people overseeing key functions in the organization (COO, CIO, CSO, CISO, CPO, Legal Counsel, etc.). Their role is to ensure the BC program stays in lock-step with the corporate strategy, that proper resources are allocated and that goals are established and met within set timeframes.
In most instances, the BC Sponsor is also the chair of the Steering Committee when it exists.
The Business Continuity Plan Owners
In larger organizations, the Business Unit or group leaders are accountable for the creation and maintenance of their own BCP, under the established policies, standards and processes set at the BC program level.
Business Continuity Planners and Managers
The BC planners are the people in charge of developing the actual business continuity plan for their business unit or group. In larger enterprise, they will report to a BCP owner. In smaller organizations, they may just be reporting to the BC Program manager, and help to develop the BCP for various functions of the business.
The BC manager role is to ensure the BCP readiness by coordinating and organizing simulation exercises, training of the resources that would be involved in any BC activation plan. He also ensure a feedback loop into the process by bringing up any challenges that may arise during exercises testing the BCP.
BC planner and manager functions can be fulfilled by the same person. Again the size and global footprint of an organization will impact how these roles are set up.
Crisis Management Team (CMT) and Emergency Response Team (ERT)
These are the people who are responsible for executing the BCP when it gets activated and they :
1) Ensure all the activities get triggered and implemented,
2) Make sure the proper resources get allocated,
3) Make decisions to adjust the course of operations as needed,
4) Execute the workflows and steps of the BCP ,
5) Provide updates/reporting on the situation and its evolution on the ground .
In some organizations this might be two teams, working closely together outside of a crisis, and obviously during one. In that scenario, the CMT would mainly cover areas 1) to 3) while the ERT would take care of 3) and 4). The overlap over decision-making (3) considers that adjustments can be made on the ground but also at higher level.
Crisis Communication Management Team (CCMT)
Some organizations may also have a dedicated Crisis Communication Team that manages communication with the media and all key stakeholders of the organization (employees, customers, partners, etc.) during a crisis.
The Map to Recovery: The Business Continuity Plan (BCP)
Business continuity planning culminates in the production of a business continuity plan that usually becomes a living document, constantly evolving.
The BCP is the tangible asset an organization produces to translate its strategy and approach to deal with disruptions and ensure its business can continue to operate. Because it is the result of a cyclical process —business continuity planning— it will evolve over time. Regular testing of the BCP usually brings its own set changes and adjustments too, making the BCP an actual living document.
Developed by the business continuity managers and planners, it will become the recovery map the crisis and emergency teams will rely on when disaster strikes.
What Is a Business Continuity Plan?
The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters.
According to ISO 22301¹, a business continuity plan is defined as “documented procedures that guide organizations to complete the four R’s: Respond, Recover, Resume, and Restore to a pre-defined level of operations following disruption.”
The business continuity plan aims at meeting the four R’s against defined types of risks that can affect the organization’s operations —such as floods, fires, disease outbreaks, weather-related events, cyber-attacks, and other external threats— for specified sites or geographical areas.
Key Elements of a Business Continuity Plan
There is unfortunately no one-size-fits-all template that can be applied but at least the elements listed should be considered as minimum requirements.
The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. The BCP should at a minimum contain the following elements:
- Contact information of the key individuals in charge of the BCP
- A revision log with reference to documentation that describes change management procedures – This is key for audit purposes and to ensure that only the latest versions of a BCP are available. It also enables to connect changes and BCP testing, by highlighting what elements of a test drove changes in the BCP.
- Information about and/or references to BC governance, policies and standards
- The purpose and scope of the BCP – As seen later there will most likely be multiple BCPs developed for a single organization, to address specific types of disruptions over specific entities or locations. So, it is key to know what is the intended application of a particular BCP.
- Instructions about how to use the plan end-to-end, from activation to de-activation phases
- Service Level Agreements (SLAs) over key business processes, defining the amount of time within which these processes must be restored.
- References to Disaster Recovery, Crisis Management and Emergency Response plans and procedures along with the identification of key roles and individuals.
- References to Runbooks detailing all applicable procedures step-by-step, with checklists and flow diagrams.
- A glossary of terms used in the plan
- A schedule showing dates for reviewing, testing and updating the plan, along with a record of past test dates and references to the results of these tests.
Each organization will have other items deemed important that will make it to their BCP. There is unfortunately no one-size-fits-all template that can be applied to meet every business needs.
The Lifecycle of an Active BCP
Great, you have a solid BCP. And now what? What happens when a crisis hits?
A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is how a business is best protected as it enables speed over its BCP activation when required. Obviously, this will vary with the type of disruption as not all disruptions are equal.
The response to a pandemic such as COVID-19 would provide more time to plan and decide what parts of a BC plan to activate. In this case, it is most likely that the activation decision would be taken at the highest level of the chain.
In contrast, the event of a shooting in a building office would most likely trigger the activation of that local BCP by the members of the teams located there. The activation would put in motion various elements of the BCP, including the reporting and potential further activations up the chain of command. The situation may end up being managed at a different level later for various reasons.
The BCP should ensure that many members of the BC team, at various level of the organization, 授权作为领导人和激活BCP吗, in order to enable a swift response when needed. Proper availability and coverage of these individuals is essential (designated backups in case of absence, redundancy in locations, shifts, etc.).
Systems and procedures should also be in place to record events as they take place, or soon after (time stamps for events or decisions, people or agencies involved, etc).
It is the responsibility of the Crisis Management Team to decide when the BCP needs or can be de-activated. The highest “ranked” individual in the activated crisis management cell is the one to make the call.
The BCP should incorporate the criteria to be met to start the deactivation process, and during the step-down process itself (validate at each step that the situation meets set criteria and conditions). At this stage, it is usually easier to properly document all these steps, and record time stamps, decision-makers names, and any other pieces of information that may be valuable for a later review of the response to a disruption.
Other Consideration: BCP Accessibility
While it is impossible to list all the considerations that could apply to an organization’s BCP, there is one that is essential: the accessibility to the BCP, and any runbooks describing the applicable procedures step-by-step.
Training is of course important to make a lot of the activities and tasks feel like second nature for the individuals involved in executing the BCP, however it is still highly probable that during a crisis there will be a need to check some elements of the BCP.
However old-fashion this might feel, having print versions of the BCP available in designated locations is important, since some disruptions may bring down the IT infrastructure of an organization, or even the local grid, hence limiting or preventing any access to digital documents. Obviously, that adds another layer of management to ensure these documents are kept up-to-date. Other options can include having digital copies of a BCP hosted on other secured 3rd party systems or platforms.
The Journey to a BCP: Business Continuity Planning
Business continuity planning is a top priority for any organization looking to minimize downtime and maintain the high availability of systems, products, and services, regardless of disastrous occurrences.
Business continuity planning describes the process of establishing risk management procedures and protocols (that should be followed in the event of a disaster) to prevent interruptions to mission-critical services and help re-establish full operational functionality as quickly as possible. It culminates in the production of a business continuity plan (BCP).
The Key Parts to Business Continuity Planning
To ensure that the most likely scenarios are covered, the planning process involves identifying critical functions and the possible risks and disasters that would cause the failure/downtime of said functions.
The nature and severity of these threats will guide the rest of the planning process. The key parts of the business continuity planning process are:
- Identification of critical functions or business processes – Reveals what processes are critical to maintaining and running in the event of an unplanned disruption in order to prioritize and focus recovery there
- Business Impact Analysis (BIA) – A systematic process used first to evaluate the disruptive effects of disasters, accidents, or emergencies on critical business processes.
- Risk Assessment – Identifies all potential hazards to a company such as technology failures, cyberattacks, or natural disasters. It is also used to determine risk mitigation strategies and implementations.
- Establishment of Service Level Agreements (SLAs) – Based on the information collected from the previous stages, realistic and appropriate SLAs must be defined for specific services/teams supporting particular business functions or processes. This will drive technology solutions and processes used to deliver on these SLAs.
- Communications – Crisis communication management involves many parts and must be well planned in order to ensure clear and consistent information to many stakeholders during a crisis, which include: media, employees, customers, partners, agencies, etc.
- Testing and Maintenance – Testing the resulting BCP is essential to identify gaps and make improvements. Planning BCP testing should help determine test frequency, but also how to partially or fully test the BCP, i.e. what method to use.
The various analysis and planning processes highlighted above will lead to the creation of other plans —and their related procedures— that are part of the business continuity plan, such as:
- Disaster Recovery Plan
- Crisis Management Plan, which will include the communication aspect.
- Emergency Response Plan
While driven and led by the BCM team, a lot of cross-organizational and cross-functional work and teams are involved to feed into and receive information from the various activities taking place to establish the BCP. This is not an easy task that requires a lot of coordination and alignment, hence the necessity to have a dedicated team managing that planning process.
Establish Key Business Continuity Metrics: MTD and MTDL
Through the business impact analysis (BIA), an organization will estimate the downtime it can tolerate for a given process or function, and the maximum data loss it can handle. These limits are reflected in the SLAs.
Within the context of business continuity, an SLA represents a promise about how long a business process or function will remain unavailable in the event of a disruption. It assumes the commitment of every party involved.
Maximum tolerable downtime (MTD) and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function.
MTD, also referred to as maximum allowable downtime (MAD), is the longest downtime an organization can tolerate before facing serious repercussions. It is measured in units of time.
MTD is made of several components, including recovery time objective (RTO), meaning setting things up to stay below its defined value is more complex and involves several teams.
MTDL determines the most amount of data or transactions the business can afford to lose over a specific business process or function. This limit is measured in units of time. MTDL will directly inform the DR team about the recovery point objective (RPO) that needs to be achieved to meet the SLA of a specific business process.
Where To Begin Your Business Continuity Planning
Let’s take a look at the core steps company leaders must undertake when embarking on business continuity planning.
Start With A Thorough Prep-work and a Strong Disaster Recovery Plan
The key parts of the business continuity planning —risk assessment, BIA, identification of critical functions— contribute to determine the business requirements for the DR plan, mainly through the establishment of SLAs. There is no shortcut: that is the tedious prep-work that has to be done in order to deliver a strong disaster recovery plan.
A strong disaster recovery plan is a core part of your business continuity strategy and is integral to its success. The DRP focuses on the technology infrastructure required as well as the specific steps organizations must take to resume operations and access their data easily following a disaster. The DRP should include the following
- plan goals and objectives
- authentication tools
- incident response and recovery steps
- the DR policy statement
- key action steps and guidelines for when to use the plan
- responsibilities of individual DR team members
- contact information of personnel needed to enact critical recovery tasks.
Train a Strong BCM Team
Designating who will manage and implement your BCP, and all its related plans, is of paramount importance to the success of business continuity initiatives. As mentioned previously, the BCM team is broad, considering it goes from the sponsor, steering committee, program manager, plan owners and planners to the crisis and emergency response teams spanning across all the areas of the business. Therefore training and simulation exercises are critical to help prepare your BCM team for when an actual disruption occurs.
Since it’s difficult to know ahead of time how well your BCM team would perform during an actual crisis, continuous training will go a long way in ensuring they’re ready to oversee and execute the BCP when disaster strikes. Training also includes getting BCM team members up to speed on the latest BCM best practices. The team can also leverage cloud-based or on-premise business continuity management software to help pinpoint areas of risk, create and update plans and conduct BIAs.
Have Something Small In Place, Test It And Grow From There
Traditionally, business continuity planning was largely the province of big businesses and most plans seem to be designed with large enterprises in mind. However, anyone can undertake BCP without breaking the bank or straining already limited company resources. Savvy business leaders can begin their BCP journey with a small but easily scalable plan.
The plan could target one specific area at a time (such as IT assets and sensitive business data) and expand to include other business areas and processes. Such a plan should be rigorously tested to minimize loopholes and vulnerabilities. Over time, company leadership can expand the initial BCP to ensure 360-degree business continuity across the entire organization.
Business Continuity: How to Do It the Right Way
A solution that fits your BCDR strategy, and delivers on data protection and recovery.
BC planning takes inputs from the Risk Assessment, BIA, identification of critical functions and defined SLAs to establish the appropriate processes, procedures and technology solutions to be implemented and enabling the DR plan to achieve the defined SLAs.
To protect your data from disasters and instantly recover applications without data loss, companies need a reliable data protection mechanism and cost-effective BCDR solution in place. A lot of enterprise-grade applications and databases have the built-in capability to handle data replication synchronously and asynchronously.
However, this is not a viable option for business continuity purposes. Companies need a single data protection solution that supports their business continuity strategy and objectives, and that provides ransomware resilience, DR, restore and testing capabilities. This solution should be designed to work independently of any resource or host platform on a company’s IT estate and scalable enough to protect single applications as well as large clusters or multisite environments.
Introducing Zerto for Business Continuity
Zerto, built on a foundation of continuous data protection, enables continuous availability which is essential to achieve business continuity. Zerto’s solution provides everything you need for ransomware resilience, disaster recovery, and data mobility while delivering the very best recovery time objective (RTO) and recovery point objective (RPO) possible.
With easy implementation and deployment, the Zerto solution can scale with your organization to ensure continuous data protection for all of your business-critical and lower tier applications.
Business Continuity & Disaster Recovery in Healthcare
Business Continuity and Disaster Recovery in the Cloud Era
Learn the different types of Cloud BCDR solutions along with their pros and cons, and then see how Zerto addresses these challenges and improves upon many of the traditional solutions that leave gaps in cloud-based BCDR.