CIO

How to Create an Effective Business Continuity Plan

Natural and manmade disasters underscore the challenges of seamless disaster recovery in the real world. Having a comprehensive business continuity plan isn't just an IT concern, though. Nothing less than the survival of your company is at stake.

We rarely get a heads-up that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.

This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.

How Business Continuity, Disaster Recovery Plans Differ

Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood, epidemic illness or a malicious attack across the Internet. A BC plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.

Many people think a disaster recovery plan is the same as a business continuity plan, but a DR plan focuses mainly on restoring IT infrastructure and operations after a crisis. It's actually just one part of a complete business continuity plan, as a BC plan looks at the continuity of the entire organization. Do you have a way to get HR, manufacturing, and sales and support functionally up and running so the company can continue to make money right after a disaster?

For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? Companies such as SunGard sell access to cubicles that include a desk, phone and computer in their recovery centers, along with server- and device-based DR services.

Note that a business impact analysis (BIA) is another part of a BC plan. A BIA identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your BCP, which can come with its own risks. The BIA essentially helps you look at your entire organization's processes and determine which are most important.

Why Business Continuity Planning Matters

Whether you operate a small business or a large corporation, you strive to remain competitive. It's vital to retain current customers while increasing your customer base - and there's no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company's future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company's reputation and market value, and it can increase customer confidence.

First, Create a Business Continuity Plan

If your organization doesn't have a BC plan in place, start by assessing your business processes, determining which areas are vulnerable, and estimating the potential losses if those processes go down for a day, a few days or a week. This is essentially a BIA.

Next, develop a plan. You can use any number of free templates available online or find an actual plan published by an organization similar to yours and modify it as needed.

There are six general steps involved in creating a business continuity plan:

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.

Remember that the disaster recovery plan is part of the business continuity plan, so check with your IT department to ensure it has or is actively developing a DR plan.

As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share "war stories" and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid business continuity plan.

Then, Test Your Business Continuity Plan

You have to rigorously test a plan to know if it's complete and will fulfill its intended purpose. Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.

Common tests include table-top exercises, structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A table-top exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

It's also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.

Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies, and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.

During each phase of business continuity plan testing, include some new employees on the test team. "Fresh eyes" might detect gaps or lapses of information that experienced team members could overlook.

Finally, Review and Improve Your Business Continuity Plan

Much effort goes into creating and initially testing a BC plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.

Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you've had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.

How to Ensure Business Continuity Plan Support, Awareness

One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don't know about the plan, how will they be able to react appropriately when every minute counts? Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It'll have a greater impact on all employees, giving the plan more credibility and urgency.

Kim Lindros is a full-time content, online curricula and classroom training developer with a background in project management. She has also contributed to several books on Windows technologies and applications and IT certification. Ed Tittel is a full-time freelance writer and consultant who specializes in Web markup languages, information security and Windows OSes. Together, Minnick and Tittel are the authors of the forthcoming book Beginning Programming with HTML5 and CSS3 For Dummies as well as numerous other books.
