5 Phases of BCP

Can you break Business Continuity Planning (BCP) into phases?

Posted by: KingsBridge BCP on 21/03/2024

The Business Continuity Planning (BCP) process can be overwhelming, especially if you're looking at it for the first time. There are subtle differences in terminology, lots of acronyms, and a number of different moving parts that can be difficult to keep track of. Let's break BCP into 5 phases:

  1. Threat Risk Assessment (TRA) - What threats could impact your business?
  2. Business Impact Analysis (BIA) - What impacts would those threats have?
  3. Planning - How is your business going to handle those impacts?
  4. Exercising - Confirming the theoretical planning and awareness for your business.
  5. Maintenance - Keeping your plan as an accurate representation of your business.

These phases can help you keep track of what needs to happen and when. Keep reading and we'll unpack each of these with respect to how to write a successful BCP.

1 - Threat Risk Assessment (TRA)

Let's unpack Phase 1 - Threat Risk Assessment (TRA). The purpose of a TRA is to determine what threats could impact your business. We highlight "what" so you don't think too high-level and discount a threat. In SHIELD, we refer to "ice in shipping lanes" as a threat. If you are a florist in Phoenix, Arizona, however, that likely isn't thought of as a threat, right? But what if your supplier sends the roses you ordered through a frozen shipping lane? And what if this happens to be 4 days before Valentine's Day? What happens then? It becomes a threat you should consider.

WARNING - The TRA can take a looong time to finalize (due to back and forth discussion). Avoid letting the scenario grow with never-ending "what ifs"... that happens A LOT! For the most part, if you are considering adding a specific threat, you are going to have to agree on the impact of that threat to your business. When it comes to defining (serious) steps needed to address the threat if it occurs, then it becomes real. While it's fun to have something like a Zombie Apocalypse as a threat, remember that this is open to your customers, auditors, and Board of Governors.

Conduct a TRA every time there is a major shift in personnel, location, technology, or anything else that would introduce new threats to your business.

2 - Business Impact Analysis (BIA)

Phase 2 is all about the Business Impact Analysis (BIA). In this phase, we are trying to measure the impacts of the threats identified in the TRA to our critical business processes. Remember the 80/20 rule? We are trying to protect 80% of the revenue by getting 20% of the products/services back in operation.

Senior Leadership doesn't complete the BIA (don't worry, we'll come back to Senior Leadership in a second). They (likely) don't focus on the daily process and will think too high level. Talk to the people who actually do the work; they know what is critical and why.

WARNING - You're going to get a long laundry list of critical business processes and their recovery timeframes. The BIA helps define your Maximum Tolerable Outage (MTO) of a business process. NOW it's time to involve senior leadership. With the BIA complete, Senior Leadership confirms its results match their corporate vision. At this point, they get to decide which is (due to corporate direction, etc) and which is NOT (due to cost/supplies/etc) critical to the survival of the business. Senior Leadership decides how best to use the resources for the business' recovery. With endless resources (people/money/time) ANY Recovery Time Objective (RTO) is achievable. Business units (departments) will be clamouring for their process back first and there are only so many resources. Senior Leadership should have the final say on the recovery timelines due to the associated costs.

The frequency of your BIA should be reflective of your business. If people never change, their processes likely won't change much either. If the business processes don't change, don't feel the need to conduct a BIA every month. Best practices suggest every two years (at the most) due to the evolution of businesses/technology.

3 - Business Continuity Planning

Phase 3 is the whole reason we are here... planning! While Phases 1 & 2 lay the foundation by identifying potential threats and impacts, Phase 3 is for planning how to recover from them. During this phase, keep "Objective" from Recovery Time Objective (RTO) and "Maximum" from Maximum Tolerable Outage (MTO) front of mind. The reason we stress this when building to the RTO is that it's an "Objective"... So it's the goal, NOT an absolute. Same goes for the MTO, where "Maximum" has consequences; know those consequences.

Go back to your people who are responsible for the tasks. Ask them "if this resource (product/system/location/person) isn't available, how can you accomplish the task?". Don't put strict limitations on them; allow them to brainstorm and think outside of the box.

Remember pre-COVID when working from home was an absolute "no-no"? Well, when a sizeable impact (COVID) arrived and businesses realized they couldn't suspend critical processes for that duration, PRESTO! Everyone was banished from the office to work from home. This is a fantastic example of a BCP response (Phase 3) to an incident (Phase 2) as a result of a threat (Phase 1).

With the theoretical planning done to address any at-risk critical processes, it's now time to take the report to senior leadership for their blessing. At the end of the day, this is their "playbook" to recover the business and continue critical processes in the event of an incident. If they have any changes, it's back to the business units to confirm/deny the proposed changes from senior leadership.

4 - Exercising

You made it to Phase 4! If you've been at this 100% of your time, it's probably 1 or 2 years after you started the TRA. The planning process is a marathon in itself, so why not add some (Plan) Exercising to the process?

"Plan Exercising" is a nicer way of saying "Plan Testing". People freak out about "tests" as they feel they could fail. So years ago, we changed it to "Plan Exercising". We even softened it further to lessen the terror in everyone's eyes. We stress "this isn't an exercise for you, it's an exercise of the plan and how well it prepares the business". This takes the responsibility COMPLETELY off the shoulders of the individual. Once they know they can't fail, you can see their buy-in and engagement go up.

To exercise your plan, try to select a threat based on something that has actually happened to the business in the past year. If nothing has threatened your business, select from your Phase 1 - TRA list. This makes it relatable, credible and your exercise will have a better reception. We normally build a full scenario slide-deck to take the teams through to stress the plan. Make sure you take a LOT of notes. The exercising will identify gaps in the plan, how to address them or who will ensure they are closed. Once the gaps are found and addressed, make sure the changes are reflected in your plan.

NOTE: Plan Exercising is also an amazing way to socialize your plan. It makes everyone aware of the BCP, they'll know it's a resource for them, and they will know how to access it. If nobody knows it exists, or how to access it, ad-hoc recovery ensues, which throws the BCP out the window! Make sure EVERYONE knows about the BCP and its use.

How often you exercise your plan really depends on two things: the variability in your workforce and the maturity of your plan. If you have a high turnover rate in your personnel, do the exercises frequently to train your people. If your plan is fresh, do the exercises every 6 months. Once it's matured, push that out to annually.

5 - Maintenance

FINALLY Phase 5 - the Plan Maintenance! This is the part of your BCP that is the most tedious and sometimes the most difficult. In order for your BCP to be effective, it needs to reflect the business, its resources, and its deliverables. So, keep an eye on the business and make changes to the BCP to reflect any/all changes in the business.

WARNING - Keep on top of your personnel! Get an extract from HR with updated phones, addresses, etc... Can you imagine if something happens and you need to initiate your BCP only to find the resource doesn't work at your company anymore?? All that work, all the exercises, go down the drain as ad-hoc recovery kicks in. Such a small detail, and so simple to keep on it, just don't let it slip.

Depending on your business, we've seen companies that tie annual employee evaluations to their maintenance of their team's BCP. THAT gets everyone onboard and the plan stays VERY current. Not all businesses do this because either they don't see the value in it, or their company culture wouldn't support it.

PHEW!! If you've made it to THIS point, you are well on your way to building a successful BCP. Those are the 5 Phases of BCP. Each one of those phases can be expanded a lot, so don't think because it's two paragraphs it'll be quick. Keep up with your BCP and you'll never have to completely restart the process.

Do you think your business is too small for BCP? Check out our post on "BCP solutions for a small business" where we show you how to do BCP for $0!

About KingsBridge

KingsBridgeBCP offers businesses of all sizes BCP Software Solutions and industry know-how based on best practices. From our SHIELD - Free to our SHIELD - Platinum, there is a SHIELD for everyone. Our software packages meet the wide range of our customers’ needs, ensuring we deliver the best value in every project. Find out more about KingsBridge. BCP software isn't going to address your needs? Check out our BCP Services as we've got a service for almost every BCP need.
