A Business Continuity Plan (BCP) is an executive-sponsored, executive-approved document that provides a roadmap for how an organization will restart operations in the event of an unforeseen, natural or human-made disaster, such as a hurricane, fire, or data breach. If disaster strikes, your business can fail without a Business Continuity Plan.
What is a Business Continuity Plan (BCP Plan)?
Every organization, large or small, should have a tested business continuity plan (BCP) in place. Should disaster strike, lack of a plan causes chaos and can lead to employee injury and death, damage to the business’s reputation, fines for non-compliance, unproductive employees, lost revenues and financial losses. Having a plan versus not having a plan means the difference between getting back to business or going out of business. In fact, 75% of companies without a BCP fail within three years of a disaster. According to a report published by the Federal Emergency Management Agency (FEMA), 40% of small businesses do not reopen following a disaster and another 25% fail within one year.
What Happens Without a Business Continuity Plan (BCP Plan)?
As a business owner or business executive, you should understand how much it can cost your business if operations cease. For example, the International Data Corporation (IDC) reports these typical costs for a Fortune 1000 company:
- The average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year.
- The average hourly cost of an infrastructure failure is $100,000 per hour.
- The average cost of a critical application failure per hour is $500,000 to $1 million.
For small to medium-sized businesses (SMBs), the estimated cost of downtime ranges from several hundred to many thousands of dollars a minute. How much it might cost your company depends on the nature and size of your business. You need to factor in all the following to calculate how much it will cost you if your business ceases operations:
- Lost revenue
- Decreased employee productivity
- Stressed employees, especially IT staff
- Dissatisfied customers
- Brand damage
- Potential legal penalties of regulatory non-compliance
- Compromised service levels (both internal and external)
Who Should be Involved in Business Continuity Planning?
A Business Continuity Manager (BCM) is initially identified to assemble the team and lead the development of the plan. This individual must have support at the highest levels of the organization to be successful. This means that the program must have an executive sponsor and senior management involvement via a Steering Committee. Experience demonstrates that BCP programs with executive sponsorship are more likely to meet their recovery time objectives (RTOs) than those without it.
The BCM selects individuals from across the organization to join the team. Selections are based on an analysis of the types of unforeseen events that can occur: natural disasters or weather-related events, fires, threats to employees or the facilities’ perimeters, sabotage, employee strikes, IT events, equipment failures, malicious software attacks, data breaches, employee safety issues, supply chain interruptions, power outages, property damage, property theft, product safety issues, social unrest or terrorist attacks, management or company reputation-related scandals, and the death or unexpected departure of a top executive.
BCP team members typically include:
- Executive sponsor
- Business Continuity Manager
- Security Officer
- Chief Information Officer
- Key vendors and partners
- Department-specific leads, which include Finance, Risk Management/Compliance, Customer Service, Facilities Management, Public Relations and Employee Communications, Human Resources, Manufacturing/Distribution, Information Technology, Operations, and Logistics
What is the Difference Between Business Continuity and IT Disaster Recovery?
While most people talk about business continuity and disaster recovery planning in the same breath, they are different plans.
A Business Continuity Plan provides the direction to ensure the organization maintains or resumes business after a disaster, establishing recovery point objectives (RPOs) and RTOs for resuming company operations. It maps out the processes and procedures for activating emergency evacuation and the plan itself, and identifies roles, responsibilities, and contacts. It ensures employees have a safe, temporary place to work (if necessary) with access to the systems, applications, and phones they need to do their jobs. It ensures key business processes are up and running, internal and external communications are resumed, the website is up and running, and other crucial operations continue uninterrupted.
An IT Disaster Recovery Plan is a subset of the overall Business Continuity Plan. This plan is intended to recover technology services such as systems, networks, and data to the “employees’ desks.” The Business Continuity Plan then takes over to get employees back to work at their “desks” with all the other tools they need to resume normal business operations.
If you need assistance in developing an IT Disaster Recovery Plan, download “How to Effectively Budget for IT Disaster Recovery.” This document discusses IT risk preparedness and provides a straightforward budgeting approach for estimating the cost of effective disaster recovery and IT continuity for your unique infrastructure.
Mistakes When Making a Business Continuity Plan
There are several mistakes that can be made when creating a business continuity plan. Here are some of them:
IT and the business are not aligned
You are the owner of an SMB. Your organization developed a business continuity plan last year. Today, you asked for a copy of the plan to review. In reading the plan, you were surprised to see that the RTO for executive emails is 24 hours. You do not remember anyone on the team asking you about that. You and your managers thought that the email system would be available within four hours of a disaster. You wondered why you and other managers were not consulted and whether there are other parts of the business that have requirements that are not addressed in the scope of the business continuity plan.
First, for any business continuity planning initiative to be effective, the management team must be involved. In addition, the BCM team should include selected decision makers from other departments across the business, as well as financial associates, customer service representatives, key suppliers and IT personnel. These individuals must be actively engaged to ensure that the business continuity plan and activities are aligned with the organization’s goals. They should be able to make decisions regarding business continuity strategies for their department as well as for the business as a whole. Each member of the team must take the time to understand the operations of the organization, including its products and services and how they are delivered. With this knowledge, the team can better scope the program to ensure that the organization can recover in the event of a disaster.
The BCP is not tested
You asked your team for a copy of the business continuity plan test report. You discover that the plan has never been tested. An untested plan is almost as bad as having no plan at all. Without ongoing testing, there is no assurance that the plan will ensure your company recovers from a disaster.
In a recent article, Christopher Britton, Chief Operating Officer at RockDove Solutions, suggests that every plan be exercised as follows:
- A checklist review, which is a high-level check on each element of the plan, should be performed twice a year.
- An emergency drill, which requires all stakeholder participation, should be performed once a year. This reinforces each participant’s role in the event of a disaster and ensures the plan works.
- A tabletop review should be performed every other year. In this type of review, key personnel who are assigned emergency management roles and responsibilities are gathered to discuss simulated emergency situations.
- A comprehensive review should be performed every other year or when there are significant changes in the organization, such as a major IT infrastructure change, a merger, or other major change to business operations. This type of review provides the stakeholders with the opportunity to review the current plan to identify new risks and update the plan accordingly.
- A mock recovery test should be performed every two or three years. With this type of review, the plan is fully tested to identify any gaps, help employees perform their roles, and ensure that the organization can recover in accordance with planned RTOs and RPOs.
The BCP is out of date
Since your team developed the initial version of the business continuity plan, you realize that you have virtualized part of your IT environment and ask if the plan includes these IT infrastructure changes. You are told that the plan has not been updated.
A business continuity plan should be updated whenever the organization introduces a change to operations that introduces new categories of risks. Stakeholders should meet on a regular basis to discuss changes to the business that can affect the plan. For more information on this topic, refer to an Acronis article entitled “Are You Sure Your Business Continuity Plan Still Works?”
New threats are not considered in your BCP Solution
You always need to update your plan to address any new risk and cyberthreat, as a new threat can be just as destructive as the other disasters your plan already includes. During the first half of 2021, four out of five organizations experienced a cybersecurity breach that originated from a vulnerability in their third-party vendor ecosystems. While you may believe that your SMB is “too small to target,” you are at risk from ever-increasing automated and supply-chain attacks targeting your IT service providers.
SMBs are one of the most attractive targets for a cyberattack. Attackers know that SMBs are “in denial” when it comes to cyberthreats, and many do not take the appropriate actions to safeguard and secure their systems and data. This alone makes SMBs a prime target for an attack.
It is important that business continuity and disaster recovery plans have a strong focus on cybersecurity, so that the organization survives an attack and recovers from it quickly.
If You Don’t Have a Business Continuity Plan, Start Today
If you are not a company executive, your first action is to get executive sponsorship for a BCP. As a start, forward this article to all your executives to initiate discussion. Once there is executive sponsorship, consider hiring a consultant to assist in developing your plan, if your budget allows. Alternatively, search online for a downloadable plan template that can help guide you through the process.
Consider and prioritize the type of disasters that most commonly affect your type of business and formulate your plan to address those first. Most importantly, be sure to test the plan regularly to ensure you have working processes in place to mitigate potential disasters.
Once you’ve drafted your Business Continuity Plan, keep in mind that just as your business continually evolves, so must your plan. For more information about why your plan must always be updated, review “Are You Sure Your Business Continuity Plan Still Works?”
So Do You Need a Business Continuity Plan?
A Business Continuity Plan is vital to keep your business in business should disaster strike. And be forewarned, disaster will strike. If you haven’t had a plan in place and have not yet experienced any type of disaster, consider yourself lucky. No company is immune from natural disasters, such as a fire or extreme weather catastrophe. Perhaps more importantly, human-made disasters — ransomware, malware, and other such hacker attacks on business data — are on the rise at an alarming rate. Every company needs to take proactive steps to protect against potential disaster. Just as importantly, every company needs to prepare to get back in business when, not if, disaster strikes. To do this, you need a tested and updated BCP in place, including an effective and well-documented backup strategy.
If you don’t have a BCP, you need to get started putting one together today, if not sooner.
How Acronis can protect any business - A complete business continuity solution
Just as important as a business continuity and disaster recovery plan, every business must have the right cybersecurity solution to ensure business operations continue, even after a failure.
Acronis Cyber Protect provides SMBs and larger organizations with:
- Cybersecurity and endpoint protection management, vulnerability assessments and patch management, remote desktop, and drive health
- Full-stack, next-generation machine intelligence (MI)-based protection against malware, including URL filtering and automated backup scanning
- Fast and reliable recovery of your apps, systems, and data on any device, from any incident
Acronis Cyber Protect utilizes a revolutionary approach to cyber protection. By integrating data protection with cybersecurity, these solutions eliminate complexity, deliver better protection against today’s threats, and maximize efficiency by saving time and money.
Acronis Cyber Protect Cloud empowers MSPs with integrated backup, disaster recovery, next-generation anti-malware, email security, endpoint protection management, vulnerability assessment and patch management capabilities to detect and eliminate threats before they damage your clients’ environments. It is the only solution that natively integrates cybersecurity, data protection and endpoint protection management to protect your clients’ endpoints, systems and data. This synergy eliminates complexity, so MSPs can mitigate or eliminate risks for clients more effectively while keeping costs down. It provides:
- The industry’s best backup and recovery with full-image and file-level backup and recovery to safeguard the data across more than 20 workloads – with near-zero RPOs and RTOs.
- Essential cyber protection at no additional cost with a next-generation behavioral detection engine that stops malware, ransomware and zero-day attacks on your client’s endpoints and systems.
- Protection management that is built for MSPs to enable thorough post-incident investigations and proper remediation.
MSPs can also expand their services even further with advanced protection packs and unique cyber protection capabilities, allowing them to control their costs by paying only for the functionalities their clients need. Advanced packs include:
- Next-generation anti-malware, which uses machine intelligence (MI)-based technologies to prevent emerging/new malware along with a signature-based engine for fast detection of known malware
- Global threat monitoring and smart, actionable alerts from Acronis Cyber Protection Operation Centers (CPOC), so you stay well-informed about malware, vulnerabilities, natural disasters and other global events that may affect your clients’ data protection and can take the recommended actions to protect them. For example, this may result in more frequent backups, deeper scans or specific patch installations
- Forensic backup that allows you to collect digital evidence, include it in disk-level backups stored in a secure location to protect it from cyber threats, and use it for future investigations
- Patch management for Microsoft and 230+ third-party applications on Windows, allowing you to easily schedule or manually deploy patches to keep your clients’ data safe
- Drive (hard disk) Health using MI-based technology to predict disk issues and alert you to take precautionary measures to protect your clients’ data and improve uptime
- Software inventory collection with automatic or on-demand scans to provide deep visibility into your clients’ software inventory
- Hardware inventory collection so you know how many devices your client needs to protect
- Fail-safe patching by generating an image backup of your clients’ systems to enable easy recovery in case a patch renders your client’s system unstable
- Protection for more than 20 workload types from a single console, including Microsoft Exchange, Microsoft SQL Server, Oracle DBMS Real Application Clusters, and SAP HANA
- A data protection map that tracks data distribution across your clients’ machines, monitors the protection status of files, and uses the collected data as the basis for compliance reports
- Continuous Data Protection that ensures you will not lose your clients’ data changes made between scheduled backups
Advanced disaster recovery provides disaster recovery orchestration using runbooks – a set of instructions that define how to spin up your client’s production environment in the cloud and provide fast and reliable recovery of your clients’ applications, systems and data on any device, from any incident.
Advanced email security blocks email threats, including spam, phishing, business email compromise (BEC), malware, advanced persistent threats (APTs) and zero-day vulnerabilities before they reach end-users’ Microsoft 365, Google Workspace, Open-Xchange or on-premises mailboxes.