Business Continuity Planning 101

Starting your BCP process? Here’s what you need to build into your plan

Business continuity plans have long been a staple of corporate America and the public sector. Simply stated, they enable an organization to recover from the adverse impacts of a disaster as quickly as practical. Without a sound business continuity plan, or BCP, chances are far greater that the business will suffer unnecessarily or possibly see its demise when a disaster occurs. In effect, the BCP is an instrument for increasing the chances of the business surviving and prospering over its natural life cycle.

Over the past few years we've been starkly reminded of the importance of BCPs by the wave of major disasters and the unprecedented damage to businesses they've caused. Accompanying this wake-up call is the powerful lesson that it's not sufficient to merely have a business continuity plan - rather, it's essential and compelling to have one that is well crafted, up to date, and fully embraced by the entire organization.

In this first of a series of articles we'll cover the basics of developing a business continuity plan. Whether your organization already has a BCP that's in need of some updating or if you are starting out on your first BCP, the steps and pointers below will be of interest. In a future article we'll cover some finer points by sharing lessons learned and best practices.

Building the Plan Foundation

As a first step, the planner must clearly define the objectives of the BCP. This entails two primary considerations: (1) the manner in which the organization wishes to recovery from a disaster and (2) the types of disasters that the BCP will apply to. In regard to the former, you should set objectives in operative terms. For instance, the Recovery Timeframe Objective (RTO) defines the target timeframe to recover mission critical operations after a disaster.

Choosing and setting the BCP objectives should be guided by potential business impacts and tolerable limits thereof. Quantifying the business impacts can be relatively straightforward, e.g., "Shutdown of a regional distribution center for four hours will cause a backlog of shipments worth $50,000 in revenue." Answering the question "Is a $50,000 backlog tolerable?" may not be as straightforward. To find a reasonable set of limits the planner will inevitably need to blend cost-benefit and sound management judgment.

The RTO and other targets may vary with the type and severity of the disaster. For example, "... in the event of a category-3 hurricane, the corporate headquarters facility should be fully operational within two days after the storm; whereas, the facility should remain fully operational throughout category 1 and 2 storms." It may also be appropriate to set the targets according to a timeline. "Return to 50% operating capacity within 12 hours after resumption of power following a major power outage, 75% within 18 hours and 95% within 36 hours" is an example of such a time-indexed scale.

Designating what types of events will be considered "disasters" is an important part of defining objectives. It's here that you'll need to put on your "imagination" cap and look not just to history but anticipate what could happen in the future. The obvious types of events that can cause a disaster may immediately come to mind: fires, hurricanes, terrorist attacks and other events having man-made and natural origins. Less obvious or smaller-scale events should not be overlooked: server crashes, denial of service attacks, security breaches, power outages, loss of telecom land-line service, and many others may fall within the BCP's scope. Generally stated, as the planner, you should design the BCP to take into account any event that could cause inaccessibility, inoperability or impairment of the business's facilities, technology, functions or processes for an unacceptable duration.

The BCP's scope should address the organization and its geography when applicable. Does your BCP apply to the entire company / enterprise, or just your building? Are you focusing on a particular location, e.g., a single distribution center, or multiple facilities in a metro area or other territory?

This content continues onto the next page...