The business continuity management process

Figure 1: The business continuity management process

There are four critical steps to business continuity management planning.

1. The first step is to identify what needs to be protected. The simplest way to do this is to conduct a Business Impact Analysis for each functional area of the organisation. This will collect detailed information about their business requirements, both during normal business operations and following a disaster. This is part of the risk assessment process. Your business impact analysis might answer questions like:

• What is the minimum number of staff needed to stay open?
• What machinery or other equipment is required to conduct business?
• What IT do we absolutely have to have? What supplies are essential?
• If the business should shut down, what is the impact over 24 hours, 48 hours, or longer? 

2. The second step is to determine how the elements should be protected. Developing recovery strategies helps to plan procedures by identifying a range of disasters and the corresponding responses. Internal and external communication strategies should then be created for each scenario. Any practical, step-by-step document for initiating recovery procedures following a crisis is likely to contain the following components:

•  Instructions for using the plan
• Emergency response guidelines that define when the plan will be used
• Instructions for recovering operations, relocating and other activities
• Contact information for key team members
• Policies or industry standards to serve as references
• Additional references, such as lists of alternate suppliers and workspaces, emergency service contacts, and more

3. The third step is to validate and test. For example, alternate site and remote access locations could be tested to ensure business operations can resume quickly and efficiently. BCP is not a one-off task, but rather a continuous process that your organisation must undertake. Regular testing enables your organisation to mitigate the potential damage from any unplanned downtime. In addition to risk reduction, testing drives improvements and enhances predictability.

4. The final step is to educate employees. Employee information sessions and table-top exercises can help cascade key messages and ensure everybody understands the policies and procedures. Documentation created as part of Step 2 covering BCM and disaster recovery can be quickly distributed, which may include emergency contact information for internal staff, critical service suppliers, and recovery locations.

What’s next?

During the process described above, you’ll often be tasked with working out the exact impact of a business disruption. This can be difficult to assess at first, however, in the next step, you’ll learn about some key concepts that enable you to measure the impact more accurately than perhaps you are currently.