Guide to Business Continuity Management Planning
About this guide
This guidebook gives an overview of Business Continuity Management (BCM) and outlines a step-by-step approach towards completing a BCM plan. We know that creating a BCM plan can be a daunting task and we will simplify things as best we can.
Through this guide, you’ll learn how to look at your venture from another perspective and see how it functions as a holistic system. You will have more insight regarding risk assessment and management.
If you run an organization, you would be aware of the fact that strategies are most effective only when they become a part of the culture. Hence, in the end, the guide also illustrates how to embed the initiatives into your organization’s culture and get the most out of it.
To make things much easier and simpler for you, we have attached a template for Business Continuity Planning. We believe you will find it helpful.
What is Business Continuity Management?
Business Continuity Management (BCM) is a risk management process. It ensures that the critical activities required for generating your company’s services and products are maintained and continued, especially at the time of an unfortunate event.
It is about the continuity and survival of your organization/business in times of crisis. A lack of planning can result in significant financial and reputational loss. In worst-case scenarios, it can force a company to wind up.
All of this might sound very daunting to you right now but it will get clearer as we go along. BCM is based on a number of very simple questions that you should ask yourself/organization. The answers to those are what BCM is founded upon. Those questions are:
- What are your business/organization’s essential services and products?
- What are the most crucial systems and resources that are required for their production?
- What are the potential risks that are associated with those systems/resources?
- How would you continue and maintain those critical systems/activities in the face of a crisis?
This guidebook is based upon these very questions. In the subsequent chapters, we will cover all of them in further detail.
Program management. Making it happen.
Give ownership
The keywords to making it all happen are “give ownership”. Appoint a capable leader to be the overall in-charge. This person will then appoint a committee to take this forward.
The committee can be made up of all the heads of departments who are responsible for completing BCM planning relating to their respective departments. They will go back to their individual teams to carry out discussions and to share what the company is trying to achieve and why the company is doing this.
During committee meetings, the department heads must sync up their plans to ensure that there are no clashes or competition for resources. No one should be planning in silos.
All parties should be in agreement on the final outcome and the BCM plan should be regularly reviewed and owned by the individual head of department.
It will be the responsibility of the heads of departments to implement this fully, right down to the last person in the organization. They can further allocate responsibilities to team leaders. Ultimately they would need to ensure that all employees within their department are aware of the program and have received the necessary briefing/training.
Understanding your business. Identify critical resources.
Your first step should be to identify the resources that keep your business afloat. These resources can be categorized under the 4Ps. With each P comes some questions relating to ensuring their availability during a crisis.
- People
- Processes
- Providers
- Premises
People
- Identify which employees are absolutely crucial to keep the crucial tasks going during a crisis. You need to assess the level of expertise that is required to carry out the key functions of your business. A high level of expertise means only a specific few are able to accomplish the task, and this increases the risk of the task not being carried out if those specific few employees do not turn up during an emergency, e.g. flood, pandemic, fire, etc.
- Can they be contacted after work hours (should an emergency arise)?
- Are they equipped enough to carry out the crucial processes during the time of a crisis? E.g. are they able to carry out the task remotely in the event of an emergency.
- What is the minimum amount of staff that would be required to carry out the tasks? How can you cope with a shortfall of staff during an emergency?
Process
- Is your work being documented? (Backups, logs, manual files). If an employee is unable to turn up for work, is there sufficient knowledge stored electronically for another employee to take over? Is the documentation safely secured against hacking during peace and emergency times? A robust Document Management System is a cornerstone to satisfy these requirements.
- What mediums of communication do you use and are they flexible enough to be changed in the time of a crisis? In most situations, communication is key for processes to take place smoothly or for the company to regroup itself during an unforeseen circumstance. What is its reliability? What mediums are crucial to carrying out your most important functions?
- Can you relocate your business processes if a crisis of some sort emerges? Could the processes take place remotely?
Premises
The space you occupy is as important as the people/staff that work for you. The site that you work from needs to be understood in relation to accessibility and utility. Assess the facilities and equipment used to run your business.
- Are there sufficient backups of your IT systems to continue supporting your company and to carry out the automated functions in the event that current systems and servers are damaged?
- Do you have a backup site so that these processes can continue to take place during a crisis?
- In the worst-case scenario of system failures, could manual labour replace your equipment somehow?
Providers
- Who are your most preferred suppliers and could they be depended on during an emergency? Can they continue to supply? Do you need backup suppliers?
- Evaluate the robustness of your suppliers’ BCM plans.
Determining strategy to secure your critical resources
For this step, you will have to plan to secure the resources, the 4Ps that are mentioned in the above chapter of this guide.
The following are some tactics that you could use to ensure the safety of your resources. Let us visit the 4Ps again:
People
- Allow staff to take up roles that are unfamiliar to them. Train your staff in more than one skill (multi-skill training), so that during a crisis they are able to stand in for roles usually done by their colleagues. Peacetime is a good time to do training.
- Ensure critical tasks can be handled by 2 or more staff.
- Equip your employees to work effectively from home (if the crisis makes travelling to work impossible). Equip them with crucial tools such as a secured Electronic Document Management System (EDMS) to access and share information with colleagues. Another important tool is a reliable teleconferencing platform to communicate and sync with colleagues if remote work is needed. Most importantly, train them to be familiar with these tools.
- Individuals or groups that possess the core skills should be geographically separated to reduce the possibility of losing all the staff who are capable of executing a specific role. In the same spirit, MNCs typically have practices that forbid entire teams from taking the same flight.
Processes
- The older equipment that you have can come in handy. You can use that as a replacement if your current equipment/technical systems are damaged.
- If budget allows, sustain the same technological systems and equipment at your backup site so employees are familiar with the equipment and processes.
- Backing up your system is crucial. All important documents should be securely stored and retrievable remotely or from the backup location. A reliable Electronic Document Management System (EDMS) is a cornerstone to this requirement.
- Some document management systems have workflow processes baked into them, e.g. digital forms that guide users on how to fill them in and are then routed through a pre-set process flow. Fully utilise these functions so that office processes/workflows continue automatically and do not depend on humans to enforce them during a chaotic situation.
Premises
- You need to identify a headquarters from which your BCM team would function to manage the incident.
- You would also need to provide a backup site for your employees to continue the critical processes. The backup site should be equipped with all the resources and technical support needed.
- Consider remote work. In this scenario, you or your staff could work from home or from another location.
Providers
- You would need to think about sourcing your supplies/materials from two or more sources.
- All your suppliers should be encouraged to have a BCM capability. Strict penalty clauses should be deployed while drafting contracts for suppliers.
- All the materials should be stored in more than one location.
- List down other suppliers as alternatives to your current ones.
Developing a BCM response. Putting it all in writing. Ready templates made for you.
Let us proceed to learn how to fill in the ready templates.
The most important thing to keep in mind is that these plans should be as holistic as possible, documenting all the necessary actions to take during a crisis. You should keep multiple copies of these plan(s) on and off the site.
Business Continuity Planning
<Insert Company Name> |
Objective | To ensure business revenue is not affected during an emergency. |
Steps | |
Version
In the event that this plan is updated, please fill in the version history according to the columns. Notify and forward a copy to the names listed on this distribution list.
Version | Compiled and uploaded by | Date & time | Changes made |
1 | |||
2 | |||
3 | |||
4 | |||
5 | |||
6 | |||
7 | |||
8 | |||
9 | |||
10 | |||
11 | |||
12 | |||
13 |
Distribution list
A collection of key personnel who hold a copy of this plan. In the event that this plan is updated, please notify and forward a copy to the names listed on this distribution list.
Name | Mobile Phone | Email Address | |
1 | |||
2 | |||
3 | |||
4 | |||
5 | |||
6 | |||
7 | |||
8 | |||
9 | |||
10 | |||
11 | |||
12 | |||
13 |
References and supplementary documents
In this table, include any external documentation or instructions that are needed during an emergency but not attached to this BCP.
If possible, do attach all relevant documents to this document so users do not need to spend time finding them during an emergency. It will also increase the chance of users actually reading the additional documents.
Name of the supplementary document | Who has it | Where to find it | Is a copy already attached to this document | |
1 | ||||
2 | ||||
3 | ||||
4 | ||||
5 | ||||
6 | ||||
7 | ||||
8 | ||||
9 | ||||
10 | ||||
11 | ||||
12 |
Business Impact Analysis
In this section,
- List down all the critical functions of the company as well as the consequence of each critical function being affected.
- Each critical function of a company is required to have its own Business Impact Analysis.
- See the example below of how to fill in this section.
SAMPLE
Example of critical functions for a company providing business software that enables employees to work from home.
List of critical functions | |
1 | Research and development team |
2 | Technical support team |
3 | IT |
4 | HR |
5 | Marketing |
6 | Customer billing and support team |
7 | Sales etc. |
Each critical function of a company is required to have its own Business Impact Analysis. Here is an example for the critical function of the Technical Support Team.
Critical Function: | Technical Support Team |
TIME | Effect of disruption |
Impact in the first 24 hours | |
24-48 Hours | |
Up to 1 week | |
Resource Requirements for Recovery:
Here identify what resources are needed at the different phases of the disaster.
Time | No. Staff | Is relocation needed | Resources needed | Information needed |
First 24 hours | 20 | work-from-home | 1. Document management system access 2. CRM access 3. Conferencing software | Information needed can be found in the Document Management System and CRM software |
24-48 hours | 25 | work-from-home | 1. Document management system access 2. CRM access 3. Conferencing software | Information needed can be found in the Document Management System and CRM software |
48 hours – up to 1 wk | 15 | work-from-home | 1. Document management system access 2. CRM access 3. Conferencing software | Information needed can be found in the Document Management System and CRM software |
1 wk – up to 2 wk | 15 | work-from-home | 1. Document management system access 2. CRM access 3. Conferencing software | Information needed can be found in the Document Management System and CRM software |
For the column “Number of staff”: using the example of the software company, they will probably need more staff to man the technical hotline as there may be a surge of users during a national crisis, with more users working from home. This surge will be especially pronounced during the first week.
For the column “Is relocation needed”: in our example of the technical support team, they can easily work from home with the proper tools and access. They do not need to work from a backup site.
END OF SAMPLE
Please fill in your Business Impact Analysis using the previous example as a reference.
Listing of all critical functions
List of critical functions | |
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 |
Critical Function 1
Each critical function of a company is required to have its own Business Impact Analysis.
Critical Function: |
TIME | Effect of disruption |
Impact in the first 24 hours | |
24-48 Hours | |
Up to 1 week |
Resource Requirements for Recovery:
Here identify what resources are needed at the different phases of the disaster.
Time | No. Staff | Is relocation needed | Resources needed | Information needed |
First 24 hours | ||||
24-48 hours | ||||
48 hours – up to 1 wk | ||||
1 wk – up to 2 wk |
Critical Function 2
Each critical function of a company is required to have its own Business Impact Analysis.
Critical Function: |
TIME | Effect of disruption |
Impact in the first 24 hours | |
24-48 Hours | |
Up to 1 week |
Resource Requirements for Recovery:
Here identify what resources are needed at the different phases of the disaster.
Time | No. Staff | Is relocation needed | Resources needed | Information needed |
First 24 hours | ||||
24-48 hours | ||||
48 hours – up to 1 wk | ||||
1 wk – up to 2 wk |
Critical Function 3
Each critical function of a company is required to have its own Business Impact Analysis.
Critical Function: |
TIME | Effect of disruption |
Impact in the first 24 hours | |
24-48 Hours | |
Up to 1 week |
Resource Requirements for Recovery:
Here identify what resources are needed at the different phases of the disaster.
Time | No. Staff | Is relocation needed | Resources needed | Information needed |
First 24 hours | ||||
24-48 hours | ||||
48 hours – up to 1 wk | ||||
1 wk – up to 2 wk |
Critical Function Priority List
Once the BCP committee weighs the consequence and impact, the committee can rank these functions. Priority will be given to the most critical functions. Resources will be channelled to recover these functions first within the Recovery Time Objective (RTO).
RTO is the targeted duration of time by which the critical functions of the business must be restored after the disruption, so as to avoid drastic losses.
Priority | Critical Functions |
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 |
Hazard Analysis Table
There are many circumstances that can disrupt your business. These are hazards to your business. Examples of hazards include earthquakes, fire, terrorist attacks, accidents, pandemics and much more.
Hazards will affect your business to different degrees. In the Hazard Analysis Table below, we will attempt to list down the possible hazards that threaten a business as well as how severe the potential damage is. We will also cover the possible ways to minimize or avoid the damage.
A little bit about Risk Matrix Score within the Hazard Analysis Table
You will need to fill in a Risk Matrix Score on the last column of the Hazard Analysis Table, where you rate the hazard as A, B, C or D.
Rows: impact to the business if the hazard happens (5 means the hazard has a catastrophic effect).
Columns: how likely this hazard is to happen (5 being a high chance of it happening).
Impact \ Likelihood | 1 | 2 | 3 | 4 | 5 |
5 | C | B | A | A | A |
4 | C | B | A | A | A |
3 | C | C | B | B | B |
2 | D | D | C | C | C |
1 | D | D | D | D | D |
The importance of an event considering its probability and impact
A: Hazard that has a HIGH Probability of happening; and when it happens it will come with an extremely high price to the organization. It may cause the loss of human lives.
B: LOW Probability & HIGH Effect
C: HIGH Probability & LOW Effect
D: LOW Probability & LOW Effect
The objective of the Hazard Analysis Table
When users have diligently completed the Hazard Analysis Table, it will become clear to the BCM committee which scenarios or hazards require immediate attention. These are the ones that come with the highest risk. The committee has two choices.
- To accept the risk: With this, the organization will not do anything about it. It is inevitable as the cost to avoid the risk and its consequences outweighs the impact of the hazard.
- To do something about it: Take actions to reduce the impact of the hazard. The price to pay when the disaster strikes is too high. The company cannot afford to sit and do nothing about it.
The columns of the Hazard Analysis Table are:
- List down all possible hazards
- Impact: List all the possible disruptions to business, as well as possible losses, including human lives, reputation, financial and more. Think through from the perspective of all stakeholders: people who are strongly impacted by the success or failure of your organization, e.g. staff, contractors, customers, suppliers.
- Mitigation in Place: List down all the possible measures to reduce the occurrence of the disaster or to reduce the impact of the disaster when it happens. Separate them into the measures that have already been carried out and the measures that should be implemented.
- Risk Matrix Score: A, B, C or D
- Actions to take
List down all possible hazards | Impact | Mitigation in Place | Risk Matrix Score | Actions to take |
Fire | | | A | |
Power failure | | | | |
Flooding | | | | |
Loss of staff | | | | |
Theft | | | | |
Cyber hacking | | | | |
Response during an emergency. Checklist of things to do when disaster strikes
No. | To-dos | Remarks |
1 | Ensure that the BCM committee is activated | |
2 | Ensure the appointed liaison officer is activated. A person to synchronise between external emergency services, e.g. police and firefighters, and the company’s internal BCM committee. This person should be pre-appointed during peacetime and a backup has to be appointed also. A well-synchronised recovery operation will help to minimise loss to human lives and properties. | |
3 | Recap & keep a chronological time log of actions taken. This log is essential to defend the company in the unfortunate occurrence of lawsuits post-disaster, where the company or personnel in-charge has to justify the decisions and courses of action taken. | |
4 | Assess the damage | |
5 | Assess the disruption to critical functions | |
6 | Keep your employees informed. This is the time where an updated contact list comes into use. Keep your employees informed via real-time broadcasts such as WhatsApp groups and email groups. If necessary, individual department heads should at this point check in on all the staff via a contact tree and report back to the BCM committee on the safety and status of the employees. Give clear information to the employees. | |
7 | Restore critical functions progressively based on the Critical Function Priority List | |
8 | Keep the public informed to avoid reputational loss and false rumours. The media representative should be activated at this point in time. Depending on the scale of the disaster, typically this person holds the role of head of corporate communications. He/she should be a part of the BCM committee and should have a good grasp of the situation, the recovery plans and status. | |
9 | Keep an eye on the Recovery Time Objective (RTO). It is the targeted duration of time by which the critical functions of the business must be restored after the disruption, so as to avoid drastic losses. | |
10 | Debrief and evaluation of the Business Continuity plan. Are there changes to the predetermined course of action, or shall we stay the course? | |
Contact Sheet
Name | Office Number | Mobile Number | Useful Information |
A chronological log of action taken
This log is essential to defend the company in the unfortunate occurrence of lawsuits post-disaster, where the company or personnel in-charge has to justify the decisions and courses of action taken.
Date | Time | Information/Decisions/Actions | Initials |
Emergency Toolkit
Now that you know how the BCP works, what it entails and how you yourself can come up with it, we have devised a list. We call it the ‘emergency toolkit’. This is the culmination of everything that we have talked about in the book so far. Every item present on this list goes back to one of the steps mentioned earlier. We wanted to produce a holistic yet practical guide to Business Continuity Management, and here is the final step to it. This is going to be a lifesaver for your organization in times of crisis.
An emergency toolkit is an effective way to organize and prioritize the most critical items and things that you need during a crisis. You can treat this as a checklist as well, or a reminder of all the things that you need. This could also be an indicator of anything that might not have crossed your mind. Below are things to include in this toolkit.
Documents
- BCP – You need a copy of your business continuity plan
- List of all the employees and their contacts, that would be associated with the BCP or have taken some sort of risk management responsibility in it. You would need their mobile numbers, home addresses and emails
- A list that details your customers
- A list that details your suppliers
- Site plan of the building of your organization
- Site plan of the backup site
- Details of the insurance companies and all your banking and financial information
- Contact details of your local authorities
- All important legal documentation and confidential trade information
Equipment
- Spare keys to all the locks
- Dust and anti-fume masks
- A camera for recording evidence when need be
- Stationery (pens, charts etc.)
- A phone that could make calls with a phone charger
Please keep in mind that this list is not final. You could add things to the list depending on your venture/organization. You may also need some cash or credit in order to spend when any risk surfaces.
All the items mentioned above should be regularly checked and updated. Make sure that this ‘pack’ is stored off-site, safe and secured.
Exercising and reviewing your BCP
You cannot be a hundred per cent sure about your arrangements but you can increase the probability of them working.
The frequency with which you do these exercises depends on the nature of your organization. They should take into account the change in your organization or its risk profile and consider the previous exercises (if any) and their outcomes.
At the very least, we suggest that you exercise and test your plans on an annual basis.
Exercising
There are four ways to exercise your plan, depending on your organization’s scale and its needs. Each aims to reproduce a time of crisis in order to test out all the activities and tactics mentioned in your business continuity plan.
Testing
Not all details of your plan can be tested, but some important elements can be. You can test out the contact list of your staff and the way they would be activated once an incident occurs. You can also test the backup data files, backup power and all the equipment.
Discussion
Set up a meeting that brings together all the people involved in the BCM plan. This is a cheap and quick way of testing and validating things. Bring people together and discuss your plan. They can also come up with their solutions. You could also use this step while drafting the first of your BCM plans to get it validated.
Table-Top
This is all about imagination. Usually held around a table and lasting from 2 hours to half a day, this is a scenario-based activity. You would imagine an incident unfolding as it would in real life and then engage the responsible staff and management to propose solutions. This method is much livelier and more effective.
Live Exercise
This ranges from testing one component to testing all the components full scale. This exercise is deployed to those components and tasks that could not be effectively tested in any other way.
Reviewing
This could be achieved either through an external auditor or through self-assessment. The reviewing process should make sure that all the resources and activities are well identified and the plan is an accurate reflection of what your organization stands for.
All the staff should be effectively engaged and stakeholders kept in the loop. Make sure that any changes that occur after testing and exercising are thoroughly documented and implemented. Questions that you could ask at this stage are:
- Are all the aims and objectives of the plan being met?
- Are all the arrangements in place and sufficient to carry out the BCM plan effectively?
- Is the staff being trained regularly about the BCM plan?
Immersing BCM in the Culture of your Workplace/Organization
The BCM should be a part of your organization and workplace if you want it to run effectively. You need to communicate your tactics to your stakeholders and hold awareness meetings and memos for the staff.
Most importantly employees need to know why BCM is important. They need to know that it is necessary to ensure the continued survival of the company and their livelihood as disaster can strike anytime.
Training
The four methods of
- Testing
- Discussion
- Live exercise
- Table-top
that are mentioned in the previous chapter should be implemented regularly, involving employees so that they familiarise themselves with the BCP. Employees will then know exactly what to do when disaster strikes and how to handle any incident that would lead to the discontinuity of the crucial activities.
Regular desk exercises should be held to achieve maximum clarity and practice.
Awareness
Raising awareness and maintaining it would mean that your entire staff knows the working of BCM in your organization. It also makes sure that your staff knows why BCM is important for the organization. You can achieve that by
- Having discussions over the exercises and working of the BCM. This could involve the entire staff population of your organization, carried out in their respective teams or workgroups.
- Sending written memos or doing oral briefings about BCM.
- Use internal and external incidents that happened in the past to bring into light the importance of BCM.
- Distribute multiple copies of this guidebook and give it to personnel in key positions.
- Involving the staff while drafting out the strategy of your BCM. It would also be wise to get every step mentioned in this guidebook reviewed and discussed by the members of the senior management and the staff responsible for it.
This concludes all the steps and their workings that are required to develop and execute an effective Business Continuity Management Plan.
None of the steps mentioned in the guide should be missed out, because each step feeds into the next one. This is all a loop, and that is why Business Continuity Management is more like a system, a machine that needs to get integrated with the multiple and complex systems of your organization.