Developing an Effective Business Continuity Plan


Businesses can be impacted by a wide variety of disasters such as severe weather, burst pipes, server failures, fires, and pandemics. Many risk managers advise that one of the best ways to make sure your business is prepared for recovery after a disaster is to develop a business continuity plan.

What Is a Business Continuity Plan?

A business continuity plan provides a framework for returning to normalcy following a disaster. It is a key tool for protecting business revenues and your company's reputation, limiting recovery costs, and even protecting people’s lives. It generally covers the following key areas:

  • Disaster Preparedness: A listing of the types of events that might hurt your business, how large a threat they pose, and how you can minimize their impact.

  • Emergency Response: The procedures you’ll follow when a disaster is headed your way or has occurred.

  • Business Recovery: A listing of your company’s critical business functions and the steps you’ll take to restore sales, production, and operations to pre-disaster levels.

Four-Step Planning Process for Your Business Continuity Plan

Threat Assessment

Conduct a threat assessment. It can help identify the nature and likelihood of an event. According to Verizon’s annual Data Breach Investigations Report (DBIR), malware, phishing, and misuse of credentials are some of the major threats. Other events may involve unintentional actions such as an employee emailing the wrong file, sending a file to the wrong person, or misplacing a laptop or other electronic device that contains sensitive information.

Your plan should include ways to mitigate the impact of losses caused by these accidental or intentional acts or technological failures. It should also take into account weather-related or natural disasters, including tornados, hurricanes, or earthquakes. Power outages and power grid failures also should be considered. 

Business Critical Impact Analysis

Conduct a business impact analysis. It will help you identify and prioritize the business functions that are most critical to keeping your operations running. This analysis can help ensure your business can be restored quickly. Here are a few reasons:

  • Your data inventory and classification process can help identify the critical data that must be maintained to continue acceptable levels of operation.

  • Having a network inventory can help identify the critical hardware, software, and firmware needed to continue to provide goods and/or services.

  • Determining the maximum time frame before an interruption can cause a significant impact on your business can help you prioritize the areas that need to be addressed first.

Prevention and Mitigation Strategies

Include a comprehensive backup strategy for critical data, hardware, software, and firmware. Non-critical functions can generally be restored and returned to normal operations over time without interrupting your business.

Be sure to specify in your plan who is responsible for creating backups, where the backups are stored, and who has access to the backups. All backups should be stored at a remote location that cannot be impacted by the same event. The area should be secure with restricted access. You also can use third parties to store your backups. When you set up a contract with a third party, specify the level of security required, and the time frame they have to deliver your backups. You should fully document these procedures and keep them up to date.

Key backup considerations should include:

  • Electronic data should be automatically backed up on at least a weekly basis. Consider backing up data more frequently for systems storing critical information.

  • Back up proprietary or in-house built software and applications off-site so they can be readily reloaded into replacement equipment.

  • A protected authoritative copy of your organization’s web content should be maintained in a safe location.

Testing, Practice, and Continuous Improvement

Routinely test your plan so you can evaluate its effectiveness. Key employees and third parties should be familiar with the backup and restoration processes. They should periodically conduct sample tests of the system backups to verify that the operating system, applications, and data from the backup can be restored.