7 Things Every Business Continuity Plan Should

Contain

eBRP Thoughts

This is the first of a blog series reviewing form & content of typical Business
Continuity Plans from basics to testing. While not intended to define any
standard for BCPs, these articles should provide assistance for new Planners, and
provoke the thought processes of experienced Planners. We begin by examining
the basic content of a Business Continuity Plan.

Regardless of the type or

intent of a Business Continuity Plan (and there are many), the following seven
components should be incorporated in every Plan:
1. Initial Response
When something disrupts day-to-day operations, everyone should understand
what if anything they should do immediately. By planning for that and
exercising it no one will be running in circles muttering Whatll we do?
Whatll we do?
Whoever notices the event should know what to do (like calling 911, alerting
Security, pulling the fire alarm, etc.). Protocols for alerting the proper decision-
makers should be planned (along with contact information for those decisions-
makers).
The Initial Response should also include a clear plan for who will be in charge.
Whether thats locally, regionally, or corporately, making it clear to all
participants will understand and the chance of an Alexander Haig incident will be
alleviated.
2. Stabilization
Every disruption regardless of cause needs the same treatment:
Containment to prevent the situation from getting worse.
This involves understanding what happened, the cause of the event and
its potential impact if left unchecked. Like containing wildfires, containment
needs to be a simple procedure; theres no time to get caught up in
analysis/paralysis, or to delay decisions while awaiting more detailed
information.
Assess the impact, determine how to stop the bleeding and figure out what
short-term and medium-term goals are appropriate to the situation.
3. Activation
Once an Impact Assessment has been conducted, what services need to be
restored will become evident.
Linking the plan to the services/assets it is designed to recover (or continue)
enables the Incident Management Team (IMT) to determine which Plans to
activate.
Who is responsible for the Plan? Who will be contacted by the IMT? What will
they do, where will they do it, and with whom?
4. Communication
In response to an incident, multiple stakeholders might initiate various actions
to stabilize and or restore services. This could be a diverse group of
responders coordinating across multiple geographically dispersed locations.
Timely communication between the various respondents is critical to effective
incident response.
Communications during an incident response may be to

Alert potential stakeholders,

 Notify management,

Invoke responders,

Update current state of restoration activities,

Report to senior management

Facilitate collaboration among responders.

Every Plan should ensure that communication is emphasized and protocols are
defined as to when in the recovery process is it appropriate, who is
responsible for initiation and who is the target of the notification.
5. Planned Response
After the Initial Response activities and completion of initial Assessment,
Incident managers might declare a disaster and invoke Business Continuity
Plans The Planned Response. The scope of The Planned Response should
include:

What is the incident scenario or is it a combination of scenarios?

What are the true impacts and the causality / downstream impacts?

What are the available response strategies?

Are Resources (Work areas, people, technology, supplies ) available to

deliver the planned response.

Protocols to monitor, measure & manage the recovery efforts

6. Extended Response
While you may plan for a specific RTO, actual recovery may take longer;
perhaps days, perhaps weeks, or even months longer.
Be prepared for an extended response even though you dont expect it (after
all, isnt a Business Continuity Plan supposed to be about preparing for the
unexpected?).
What resources (facilities, people, supplies, suppliers, technology, equipment
) will you need to sustain a lengthy recovery? Also plan for rotating staff, roles
& responsibilities and task hand-offs for extended response.
Be prepared to work with or under the direction of others outside your
organization. In an event that impacts more than your organization, local,
regional or federal authorities may assume command of the response. A
simple acknowledgement of that possibility and how youll deal with it
should be included in your plan.
7. Return to Normal
When a disruptive event ends, its not like a football game. Theres no final
whistle and there are questions that will need to be answered:

Is the return to normal or a new normal?

How will back-logs of work be reduced?

How will work be divided between normal operations and post-event

catch-up tasks?

How will information for insurance and regulatory purposes be

collected?

No two Business Continuity Plans are alike, but all can benefit from
considering these seven components. In many cases, smaller plans
containing only some of these components may be rolled up into a larger
Plan that, with their inclusion, contains them all.
About the Author

eBRP Thoughts
eBRP Thoughts, eBRPs Blog voice, represents 50 + years of cumulative BCM
knowledge gained through experience in corporate BCM program
management, consulting & program implementations. We've worked hand-in-
hand with governments and private enterprises to develop viable BCM
programs. eBRP is an active participant on LinkedIn and Twitter. The opinions
expressed in our eBRP.net blog are ours and are intended to engage resiliency
planners in conversations about the BCM industry, its standards and its future.