From the beginning, BCP Business Continuity Planning can be overwhelming, especially if you're looking at it for the first time. There are subtle differences in terminology, lots of acronyms, and a number of different moving parts that can be difficult to keep track of. Let's look at the 5 Business Continuity Planning steps:
These phases can help you keep track of what needs to happen and when. Keep reading and we'll unpack each of these with respect to how to write a successful BCP.
Let's unpack Step 1 in BCP Business Continuity Planning - Threat Risk Assessment (TRA). The purpose of a TRA is to determine what threats could impact your business. We highlight "what" so you don't think too high-level and discount a threat. In SHIELD, we refer to "ice in shipping lanes" as a threat. If you are a florist in Phoenix, Arizona, however, that likely isn't thought of as a threat, right? But what if your supplier sends the roses you ordered through a frozen shipping lane? And what if this happens to be 4 days before Valentine's Day? What happens then? It becomes a threat you should consider.
WARNING - The TRA can take a looong time to finalize (due to back and forth discussion). Avoid letting the scenario grow with never-ending "what ifs"... that happens A LOT! For the most part, if you are considering adding a specific threat, you are going to have to agree on the impact of that threat to your business. When it comes to defining (serious) steps needed to address the threat if it occurs, then it becomes real. While it's fun to have something like a Zombie Apocalypse as a threat, remember that this is open to your customers, auditors, and Board of Governors.
You should conduct a TRA every time there is a major shift in personnel, location, technology, or anything else that would introduce new threats to your business.
Step 2 in BCP Business Continuity Planning is all about the Business Impact Analysis (BIA). In this phase, we are trying to measure the impacts of the threats identified in the TRA to our critical business processes. Remember the 80/20 rule? We are trying to protect 80% of the revenue by getting 20% of the products/services back in operation.
Senior Leadership doesn't complete the BIA (don't worry, we'll come back to Senior Leadership in a second). They (likely) don't focus on the daily process and will think too high level. Talk to the people that actually do the work; they know what is critical and why.
The frequency of your BIA should be reflective of your business. If people never change, their processes likely won't change much either. If the business processes don't change, don't feel the need to conduct a BIA every month. Best practices suggest every two years (at the most) due to the evolution of businesses/technology.
Step 3 of the 5-step BCP Business Continuity Planning life cycle is the whole reason we are here... planning! While Phases 1 & 2 lay the foundation by identifying potential threats and impacts, Phase 3 is for planning how to recover from them. During this phase, keep "Objective" from Recovery Time Objective (RTO) and "Maximum" from Maximum Tolerable Outage (MTO) front of mind. The reason we stress this when building to the RTO is that it's an "Objective"... so it's the goal, NOT an absolute. The same goes for the MTO, where "Maximum" has consequences; know those consequences.
Go back to your people who are responsible for the tasks. Ask them "if this resource (product/system/location/person) isn't available, how can you accomplish the task?" Don't put strict limitations on them; allow them to brainstorm and think outside of the box.
Remember pre-COVID when working from home was an absolute "no-no"? Well, when a sizeable impact (COVID) arrived and businesses realized they couldn't suspend critical processes for that duration, PRESTO! Everyone was banished from the office to work from home. This is a fantastic example of a BCP response (Phase 3) to an incident (Phase 2) as a result of a threat (Phase 1).
With the theoretical planning done to address any at-risk critical processes, it's now time to take the report to senior leadership for their blessing. At the end of the day, this is their "playbook" to recover the business and continue critical processes in the event of an incident. If they have any changes, it's back to the business units to confirm/deny the proposed changes from senior leadership.
You made it to Step 4! If you've been at this 100% of your time, it's probably 1 or 2 years after you started the TRA. The planning process is a marathon in itself, so why not add some (Plan) Exercising to the process?
"Plan Exercising" is a nicer way of saying "Plan Testing". People freak out about "tests" as they feel they could fail. So years ago, we changed it to "Plan Exercising". We even softened it further to lessen the terror in everyone's eyes. We stress "this isn't an exercise for you, it's an exercise of the plan and how well it prepares the business". This takes the responsibility COMPLETELY off the shoulders of the individual. Once they know they can't fail, you can see their buy-in and engagement go up.
To exercise your plan, try to select a threat based on something that has actually happened to the business in the past year. If nothing has threatened your business, select from your Phase 1 - TRA list. This makes it relatable, credible and your exercise will have a better reception. We normally build a full scenario slide-deck to take the teams through to stress the plan. Make sure you take a LOT of notes. The exercising will identify gaps in the plan, how to address them or who will ensure they are closed. Once the gaps are found and addressed, make sure the changes are reflected in your plan.
How often you exercise your plan really depends on two things: the variability in your workforce and the maturity of your plan. If you have a high turnover rate in your personnel, do the exercises frequently to train your people. If your plan is fresh, do the exercises every 6 months. Once it's matured, push that out to annually.
FINALLY Step 5 - the Plan Maintenance! This is the part of your Business Continuity Planning life cycle that is the most tedious and sometimes the most difficult. In order for your BCP to be effective, it needs to reflect the business, its resources, and its deliverables. So, keep an eye on the business and make changes to the BCP to reflect any/all changes in the business.
WARNING - Keep on top of your personnel! Get an extract from HR with updated phones, addresses, etc... Can you imagine if something happens and you need to initiate your BCP only to find the resource doesn't work at your company anymore?? All that work, all the exercises, go down the drain as ad-hoc recovery kicks in. Such a small detail, and so simple to keep on it, just don't let it slip.
Depending on your business, we've seen companies that tie annual employee evaluations to their maintenance of their team's BCP. THAT gets everyone onboard and the plan stays VERY current. Not all businesses do this because either they don't see the value in it, or their company culture wouldn't support it.
PHEW!! If you've made it to THIS point, you are well on your way to building a successful BCP. The BCP Business Continuity Planning life cycle can be a lot to digest! Hopefully breaking it into those 5 Business Continuity Planning steps makes it easier to differentiate. Each one of those phases can be expanded a lot, so don't think because it's two paragraphs it'll be quick. Keep up with your BCP and you'll never have to completely restart the process.