A business continuity plan (BCP) is an executive-sponsored, executive-approved document that provides a roadmap for how an organization will restart operations in the event of an unforeseen natural or human-made disaster, such as a hurricane, a fire or a data breach.
If disaster strikes, your business can fail without a business continuity plan.
What is a business continuity plan?
Business continuity planning can make or break your competitive advantage.
Every organization, large or small, should have a tested business continuity plan (BCP) in place. Should disaster strike, lack of a plan causes chaos and can lead to employee injury and death, damage to the business's reputation, fines for noncompliance, unproductive employees, lost revenues and financial losses.
75% of companies without business continuity plans fail within three years of a disaster. According to a report published by the Federal Emergency Management Agency (FEMA), 40% of small businesses do not reopen following a disaster, and another 25% fail within one year.
Why is a business continuity plan important?
As a business owner or executive, you should understand how much an unplanned emergency can cost your business. For example, the International Data Corporation (IDC) reports these typical costs for a Fortune 1000 company:
- The average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year.
- The average cost of an infrastructure failure is $100,000 per hour.
- The average cost of a critical application failure is $500,000 to $1 million per hour.
For small to medium-sized businesses (SMBs), the estimated cost of downtime ranges from several hundred to many thousands of dollars a minute. How much it might cost your company depends on the nature and size of your business.
You need to factor in all the following to calculate how much it will cost you if your business ceases operations:
- Lost revenue
- Decreased employee productivity
- Stressed employees, especially in the IT workforce
- Dissatisfied customers
- Brand damage
- Potential legal penalties for regulatory noncompliance
- Compromised service levels (both internal and external)
What are the three key elements of business continuity planning?
Business continuity plans aim to identify, counter and reduce risk from potential threats while ensuring the continuity of your business processes.
A comprehensive business continuity plan (BCP) consists of three primary elements. Let's explore them below.
An emergency response plan
Emergency management plans provide a comprehensive set of guidelines and protocols to minimize the negative impact on the health and safety of personnel and mitigate the overall disruptive effect of an emergency.
Here, it's imperative to train your entire workforce to enable your staff to quickly and efficiently respond to the threat.
Your emergency response plan should include the following:
- Specific goals for emergency responders
- Emergency contact information
- Design of evacuation routes and staging areas
- Evaluation and enhancement of emergency response communications
Once the plan is designed, it's vital to review and test it to ensure all critical functions operate as intended and will deliver results if disaster strikes.
Communication protocols and crisis management
When discussing business continuity plans, "crisis management" and "emergency management" aren't interchangeable. Crisis management is the connector between your emergency response and the operational recovery stage.
An effective business continuity plan relies on a thorough crisis management planning process. Every CM plan should:
- Verify the available resources to support the decision-making process and actions of the personnel responsible
- Identify critical functions to provide instructions for managing and recovering from the crisis
- Design and monitor a status dashboard to track key personnel activities and coordinate incident remediation
- Initiate contingency planning to outline the required communication protocols
Disasters strike unannounced. They can test even the most experienced people, so it's crucial to train employees, identify gaps in the anti-crisis plan and thoroughly prepare the responsible teams to ensure a successful business continuity plan.
Restoration of business operations
The third pillar of business continuity management is an operational recovery plan. Such a plan ensures that personnel and business assets are protected and essential functions are restored following a business disruption, emergency, crisis or targeted cyberattack.
Operational recovery plans should:
- Obtain risk assessments for key business areas
- Calculate a realistic recovery time objective (RTO)
- Assign controls and develop recovery strategies to ensure the business continuity team can manage security risks to your primary site, remote office space, data center environments and alternate site (or sites)
- Conduct a business impact analysis to determine the effect of significant threats on office productivity, logistics, supply chain and revenue streams
Your business continuity plan template may seem perfect on paper. However, threats and security issues often escalate following a business interruption. It's critical to identify all potential vulnerabilities to your business continuity program — caused by natural disasters, technological failure, or human error — and prepare for them accordingly.
Who should be involved in business continuity planning?
A business continuity manager (BCM) is initially identified to assemble the team and lead the plan's development. This individual must have the support at an organization's highest levels to succeed. This means the program must have an executive sponsor and senior management involvement via a steering committee.
Experience demonstrates that BCP programs with executive sponsorship are more likely to meet their recovery time objectives (RTOs) than those without executive sponsorship.
The BCM selects individuals from across the organization to join the team. Selections are based on an analysis of the types of unforeseen events that can occur: natural disasters or weather-related events, fires, threats to employees or the facilities' perimeters, sabotage, employee strikes, IT events, equipment failures, malicious software attacks, data breaches, employee safety issues, supply chain interruptions, power outages, property damage, property theft, product safety issues, social unrest or terrorist attacks, management or company reputation-related scandals, and the death or unexpected departure of a top executive.
BCP team members typically include:
- Executive sponsor
- Business continuity manager
- Security officer
- Chief information officer
- Key vendors and partners
- Department-specific leads, which include: finance, risk management/compliance, customer service, facilities management, public relations and employee communications, human resources, manufacturing/distribution, information technology, operations and logistics
What is the difference between business continuity and IT disaster recovery regarding critical business functions?
While most people perceive business continuity and disaster recovery planning as interchangeable, they are different plans.
A business continuity plan provides the direction to ensure the organization maintains or resumes business after a disaster, establishing recovery point objectives (RPOs) and RTOs to resume company operations. It maps out processes and procedures to activate emergency evacuation and aims to identify roles, responsibilities, and contacts.
It ensures employees have a safe, temporary workplace (if necessary) with access to the systems, applications, and phones required to do their jobs. It ensures key business processes are up and running, internal and external communications are resumed, the website is online and other crucial operations continue uninterrupted.
An IT disaster recovery plan is a subset of the business continuity plan. DR is intended to recover technology services such as systems, networks and data to the "employees' desks." The business continuity plan then takes over to get employees back to work at their "desks" with all the other tools they need to resume normal business operations.
If you need assistance developing an IT DR plan, download "How to Effectively Budget for IT Disaster Recovery." This document discusses IT risk preparedness and provides a straightforward budgeting approach for estimating the cost of effective disaster recovery and IT continuity for your unique infrastructure.
What should be included in a business continuity plan?
The business continuity planning process may seem challenging to many companies. Nonetheless, your business requires a comprehensive strategy to survive a disaster or a cyberattack.
Below are several common ingredients of almost every business continuity management plan.
It's essential to know how you will communicate with staff, clients, business partners and suppliers if business functions cease. It is best to establish a secondary communication channel so that critical messages can be delivered unhindered.
Your plan requires clear points of contact for all employees in a disaster event. You also need to appoint a responsible person (or team) to oversee the BCP and ensure every employee knows how to reach them.
Business impact analysis and threat assessment
Understanding the potential threats that can lead to downtime and revenue loss is crucial. As discussed above, an outage can have many causes; you need to categorize them and assign a risk level to each.
Answer the following questions to ease the process:
- How likely is the threat to occur?
- What impact would that threat have on business operations?
Also, consider how disruption of day-to-day processes will affect enterprise software and data backup costs, on-site computer systems, business function efficiency and customer satisfaction.
Estimating all of these will help you determine how much revenue will be lost due to the disaster event.
Merchants and suppliers
Your BCP relies on uninterrupted contact with merchants, suppliers, landlords, and IT and backup site providers. Knowing you can contact all of them will alleviate some of the stress associated with the disaster recovery process.
Your recovery strategy requires knowing all business-critical operations and prioritizing their recovery. Getting your systems up and running should be the first stage of your disaster recovery plan. It's recommended to restore them in phases, which reduces the risk of human error, system failure or miscommunication.
Disaster recovery plan
A robust BCP requires a dedicated plan to manage business functions following a natural disaster (flood, fire, hurricane, storms, etc.).
It's essential to calculate how likely it is for a natural disaster to affect your company processes. Then, you should design a plan to outline what to do in specific scenarios to protect your employees, minimize downtime and ensure steady revenue streams.
Common mistakes when creating a business continuity plan
Several mistakes can be made when creating a business continuity plan. Here are some:
IT and the business are not aligned
Suppose you're the owner of an SMB. Your organization developed a business continuity plan last year. Today, you asked for a copy of the plan to review. In reading it, you were surprised to see that the RTO for executive emails is 24 hours. You do not remember anyone on the team asking you about that. You and your managers thought the email system would be available within four hours of a disaster. You wondered why you and other managers were not consulted and whether other parts of the business have requirements not addressed in the scope of the business continuity plan.
First, for any business continuity planning initiative to be effective, the management team must be involved. In addition, the BCM team should include selected decision-makers from other departments across the business, as well as financial associates, key stakeholders, customer service representatives, reliable suppliers and IT personnel. These individuals must be actively engaged to ensure the business continuity plan and activities align with the organization's goals. They should be able to make decisions regarding business continuity strategies for their department and the business as a whole.
Each team member must take the time to understand the organization's operations, including its products and services and how they are delivered. With this knowledge, the team can better scope the program to ensure the organization can recover from a disaster.
The BCP is not tested
You asked your team for a copy of the business continuity plan test report. You discover that the plan has never been tested.
An untested plan is almost as bad as having no plan at all. Without ongoing testing, there is no assurance that the strategy will ensure your company recovers from a disaster.
In a recent article, Christopher Britton, Chief Operating Officer at RockDove Solutions, suggests that every plan be exercised as follows:
- A checklist review — a high-level check on each plan element — should be performed twice a year.
- An emergency drill, which requires all stakeholder participation, should be performed once a year. This reinforces each participant's role in the event of a disaster and ensures the plan works.
- A tabletop review should be performed every other year. In this review, key personnel assigned emergency management roles and responsibilities are gathered to discuss simulated emergency situations.
- A comprehensive review should be performed every other year or when there are significant changes in the organization, such as a major IT infrastructure change, a merger, or other major changes to business operations. This type of review allows the stakeholders to review the current plan to identify new risks and update the plan accordingly.
- A mock recovery test should be performed every two or three years. With this type of review, the plan is fully tested to identify gaps, help employees perform their roles, and ensure that the organization can recover according to planned RTOs and RPOs.
The BCP is out of date
Since your team developed the initial version of the business continuity plan, you realize that you have virtualized part of your IT environment and ask if the plan includes these IT infrastructure changes. You are told that the BCP has not been updated.
A business continuity plan should be updated whenever the organization implements a change to operations that introduces new risk categories. Stakeholders should meet regularly to discuss changes to the business that can affect the plan.
For more information on this topic, refer to an Acronis article entitled "Are You Sure Your Business Continuity Plan Still Works?"
New threats are not considered in your BCP solution
You must continuously update your plan to address any new risks and cyberthreats, as a new threat can be just as destructive as the other disasters your plan already includes.
During the first half of 2021, four out of five organizations experienced a cybersecurity breach that originated from a vulnerability in their third-party vendor ecosystems. While you may believe your SMB is "too small to be targeted," you are at risk from ever-increasing automated and supply-chain attacks targeting your IT service providers.
Many SMBs do not take the appropriate actions to safeguard and secure their systems and data. This alone makes them a prime target for an attack.
Business continuity and disaster recovery plans must focus on cybersecurity so the business can be sure it survives an attack and can do so quickly.
If you don't have a business continuity plan, start today
If you are not a company executive, your first goal should be to get executive sponsorship for a BCP. As a start, forward this article to all your executives to initiate discussion. Once there is executive sponsorship, consider hiring a consultant to assist in developing your plan if your budget allows it. Alternatively, search online for a downloadable plan template that can help guide you through the process. (However, keep in mind that a general template is not sufficient to cover all unique aspects of your company; the team responsible should tailor it to your company's specific needs and requirements.)
Consider and prioritize the type of disasters that most commonly affect your industry and formulate your plan to address those first. And most importantly, regularly test the plan to ensure you have working processes to mitigate potential disasters.
Remember that just as your business continually evolves, so must your plan. For more information about why your plan must constantly be updated, review "Are You Sure Your Business Continuity Plan Still Works."
Is business continuity planning right for your business?
A business continuity plan is vital to keep your business... in business should disaster strike.
No company is immune from natural disasters like fire or extreme weather catastrophes. Perhaps more importantly, human-made disasters — ransomware, malware, and other hacker attacks on business data — are on the rise at an alarming rate.
Every company needs to take proactive steps to protect against potential disasters. Most importantly, every company must prepare to resume business operations if (or when) disaster strikes. It would be best to have a tested and updated BCP, including a practical and well-documented backup strategy.
How Acronis can protect any business — A complete business continuity solution
As important as a business continuity and disaster recovery plan is, every business must also have the right cybersecurity solution to keep business operations running, even after a failure.
Acronis Cyber Protect provides SMBs and larger organizations with the following:
- Cybersecurity and endpoint protection management, vulnerability assessments and patch management, remote desktop and drive health
- Full-stack, next-generation machine intelligence (MI)-based protection against malware, including URL filtering and automated backup scanning
- Fast and reliable recovery of your apps, systems and data on any device from any incident
Acronis Cyber Protect utilizes a revolutionary approach to cyber protection. Integrating data protection with cybersecurity eliminates complexity, delivers better protection against today's threats, and maximizes efficiency by saving time and money.
Acronis Cyber Protect Cloud empowers MSPs with integrated backup, disaster recovery, next-generation anti-malware, email security, endpoint protection management, vulnerability assessment and patch management capabilities to detect and eliminate threats before they damage your clients' environments.
With Acronis, MSPs can better mitigate or eliminate risks for clients while keeping costs down. It is the only solution that natively integrates cybersecurity, data protection and endpoint protection management to safeguard your clients' endpoints, systems and data.
It also provides:
- The industry's best backup and recovery with full-image and file-level backup and recovery to safeguard the data across more than 20 workloads — with near-zero RPOs and RTOs.
- Essential cyber protection at no additional cost with a next-generation behavioral detection engine that stops malware, ransomware, and zero-day attacks on your client's endpoints and systems.
- Protection management built for MSPs to enable thorough post-incident investigations and proper remediation.
MSPs can expand their services even further with advanced protection packs and unique cyber protection capabilities, allowing them to control their costs by paying only for the functionalities their clients need. Advanced packs include:
- Next-generation anti-malware, which uses machine intelligence (MI)-based technologies to prevent emerging/new malware along with a signature-based engine for fast detection of known malware
- Global threat monitoring and smart, actionable alerts from Acronis Cyber Protection Operation Centers (CPOC), so you stay informed about malware, vulnerabilities, natural disasters and other global events that may affect your clients' data protection and can take the recommended actions to protect them, such as more frequent backups, deeper scans or specific patch installations
- Forensic backup, which lets you collect digital evidence and include it in disk-level backups stored in a secure location, protecting it from cyberthreats and preserving it for future investigations
- Patch management for Microsoft and 300+ third-party applications, allowing you to easily schedule or manually deploy patches to keep your clients' data safe
- Drive (hard disk) health monitoring using MI-based technology to predict disk issues and alert you to take precautionary measures to protect your clients' data and improve uptime
- Software inventory collection with automatic or on-demand scans to provide deep visibility into your clients' software inventory
- Hardware inventory collection, so you know how many devices your client needs to protect
- Fail-safe patching by generating an image backup of your clients' systems to enable easy recovery in case a patch renders your client's system unstable
- Protection for more than 20 workload types from a single console, including Microsoft Exchange, Microsoft SQL Server, Oracle DBMS Real Application Clusters and SAP HANA
- A data protection map that tracks data distribution across your clients' machines, monitors the protection status of files and uses the collected data as the basis for compliance reports
- Continuous data protection that ensures you will not lose your clients' data changes made between scheduled backups
Advanced Disaster Recovery provides disaster recovery orchestration using runbooks, sets of instructions that define how to spin up your client's production environment in the cloud, and provides fast and reliable recovery of their applications, systems and data on any device from any incident.
Advanced Email Security blocks email threats, including spam, phishing, business email compromise (BEC), malware, advanced persistent threats (APTs) and zero-day vulnerabilities before they reach end-users' Microsoft 365, Google Workspace, Open-Xchange or on-premises mailboxes.
Advanced Security and Endpoint Detection and Response (EDR) — MSP-class EDR solution designed to effectively and efficiently detect and respond to advanced attacks that sneak past other defenses. Empower your team with an unmatched array of responses: investigate and remediate the threat, recover data and minimize downtime, and close security gaps.
- Cut investigation and response times from days to minutes
- Detect advanced attacks that bypass preventive security layers
- Get a prioritized view of suspicious activities across endpoints
- Focus threat hunting using an emerging threat intelligence feed to search for IoCs
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.