The Importance Of Business Continuity Planning

madunixExecutive IT Director
I know some stuff, and I do some things.
Edited by: Andrew Leniart
Business continuity is an important component of an organization’s risk management program.

1. Objectives of the Business Continuity Plan

The BCP must ensure that in the event of disruption of work activities due to unforeseen events, business operations can continue in a normal manner or with as little interruption as possible, and risks and damages can be mitigated.  

The objective of a BCP is to document the solutions that provide Business Continuity for one or more activities. At the same time, the BCP provides guidelines for crisis management relating to various kinds of key crises identified. 

This document attempts to make a preventive, proactive, and reactive plan to help the organization avoid crisis and disasters should they occur, and therefore be able to return to 'business as usual quickly' should such crisis occur. The documents within the BCP must allow the intended users to quickly identify the solutions to be activated according to the nature of the incident (extent of consequences, resource categories affected).

Several events can occur that may disrupt business operations. Organizations must have robust Internal Control and Operational Risk Control measures in place to mitigate the risk. Disasters can result from three types of factors (or combinations of these), including Human behaviors, Natural disasters, Technological breakdowns.

Failure to resolve problems associated with such occurrences swiftly can lead to customer and client dissatisfaction, loss of profits, negatively affect organization reputation, and means that normal functions or services cannot be performed. 

This Business Continuity aims to establish sound practices for business continuity and disaster recovery. It attempts to ensure that business can continue smoothly in the event of any disruption(s) and that critical operations are prioritized as much as possible.

The benefits of the BCP are:

  • Identify the impacts of an operational disruption proactively;
  • Has in place an effective response to disruptions which minimizes the impact on the organization;
  • Maintains an ability to manage uninsurable risks;
  • Encourages cross-team working;
  • Can demonstrate a credible response through a process of exercising;
  • Could enhance the organization reputation; 
  • Might gain a competitive advantage for the organization

What is often underestimated is the value of the process of establishing the BCP for the following two reasons: 


  • Not all negative incidents can be foreseen and planned for, each disaster event has its specifics, and for each disaster event, a BCP has to be designed by the Crisis Management Team (CMT). If the CMT is routinized in developing such plans and familiar with the available tools, valuable time can be saved during a disaster event. 
  • BCP designers identify and value risks and work on mitigations mechanisms before incidents happen and, thus, ensure that organization is well prepared for many incidents.

2. Definitions, Tools, and Concepts

This section introduces the main definitions, tools, and concepts used in business continuity planning. 

Business continuity planning refers to the planning and preparations which are necessary to identify the impact of potential losses arising from an emergency; to formulate and implement viable recovery strategies, to develop recovery plans which ensure continuity of organization services in that relation, and to administer a comprehensive testing and maintenance program. Business Continuity Planning is a methodology for everyone in the organization to ensure normal operations.

Business Continuity Plan (BCP) focuses on preventing and sustaining an organization's business processes during and after a disruption. A BCP involves costs, and it may not be cost-effective to have a fully developed and implemented plan for all scenarios. 

The BCP development process consists of the following steps:

  • Develop a BCP policy statement.
  • Conduct a Business impact analysis.
  • Identify preventive controls.
  • Develop recovery strategies.
  • Develop an IT contingency plan.
  • Perform BCP training and testing.
  • Perform BCP maintenance.

Disaster Recovery Planning (DRP) refers to a policy that defines how people and resources will be protected in a disaster, and how the organization will recover from the disaster. DRP is just a subset of BCP. However, IT DRP is a  detailed information system procedures to facilitate the recovery of capacity on an IT DR site following an incident. For example, the IT DRP contains all information necessary to switch the IT production site over to a DR site (IT backup).

Business impact analysis (BIA) refers to a document that identifies present organizational risks and determines the impact of ongoing, business-critical operations if such risks actualize. The BIA tries to measure the potential loss and escalating losses over time to provide Management, Board Directors, and Shareholders with reliable data for the identification of critical services and sufficient data for decision making.

Recovery Time Objective (RTO)  is the amount of time allowed for the recovery of a business function or resource after a disaster occurs.

Recovery Point Objective (RPO)  is the acceptable amount of data loss measured in time. The RPO is the point in time to which the organization must recover its data as defined by this Policy. 

Emergency Operation Center (EOC) is a location where an organization can quickly relocate following a disaster, such as fire, flood, terrorist threat, or other disruptive events. 

Crisis management team (CMT) refers to a group of Managers who direct recovery operations and are responsible for the organization's survival.

Crisis management refers to the oversight of the process designed to support the CMT. 

Recovery strategy refers to a process to resume the minimum set of critical services identified in the BIA (e.g., use of another delivery channel to provide the same service).

3. Governance

The BCP governance structure is made up of a BCP Committee that ensures senior management commitment and defines senior management roles and responsibilities.

The BCP management committee is responsible for oversight, initiation, planning, approval, testing, and BCP auditing. 

The BCP Committee meets annually. Besides, the Chairman and Committee Secretary can arrange for extraordinary meetings as deemed necessary. The responsibilities of the committee include:  

  • Approve the governance structure; 
  • Clarify the roles of individuals; 
  • Oversee the creation of  working groups, and teams to develop and execute the plan; 
  • Provide strategic direction and communicate essential messages; 
  • Approve the results of the Business Impact Analysis; 
  • Review critical services and products that have been identified; 
  • Approve the continuity plans and arrangement; 
  • Monitor quality assurance activities; 
  • Resolve conflicting interests and priorities;
  • Ensure that the BCP is implemented and that all persons are aware of their roles if a disaster occurs.

4. Communication Channels

In case of a disaster event, rumors can spread quickly, and the ordinary communication channels might be interrupted. All staff must receive the same information from management. This is typically done by email. In the case email of services being interrupted, bulk SMS communication from management to staff is used. The organization should ensure the availability of contact information to bulk SMS providers. In a few severe cases, the organization may need to establish a hotline for staff and their relatives. However, the communication from staff to organization should be routed through the normal hierarchical structures. 

5. Business Continuity Plan for Selected Scenarios

5.1-Selection of scenarios

It is impossible and inefficient to foresee and address each possible scenario that could interrupt normal business operations. For example:

  • Loss of Head Office 
  • Loss of Branch
  • Breakdown of Core Business Systems
  • Cyber Attacks
  • Natural Disasters
  • Power Outages
  • Computer Virus Outbreak
  • Human Error
  • Pandemic

Each of these scenarios is assessed using several criteria, including:

  • Likely causes for the scenario
  • Likelihood of occurrence
  • Impact of disruption (BIA) Business Impact Analysis
  • Preventive measures
  • Mitigation measures
  • Recovery Time Objective (RTO) 
  • Recovery Point Objective (RPO) 
  • Crisis Management Team composition
  • Crisis Management Team member tasks and basic recovery processes

5.2-Likely causes for the scenario

Among likely reasons for events that lead to businesses' disruption are fire, earthquake, flood, storm, terrorism, riot, political unrest, robberies, sabotage, virus attacks, and hardware failures, technical failures at the grid, or communication systems. 

5.3-Likelihood of occurrence

For example, the likelihood that a particular event occurs is assessed in three categories, including:

  • High likelihood – expected to happen up to once per year;
  • Medium likelihood – expected to happen once in 5 years;
  • Low likelihood – expected to happen less than once in 5 years

5.4-Impact of disruption

Business impact analysis (BIA) is one component of the BCP. BIA is an analytical process used to assess the consequences of an incident and the change over time of the quantitative (financial) impact and the qualitative (non-financial) impact resulting from the interruption of an activity. The results of the BIA are necessary to define the Business Continuity Strategy. It is essential to consider interdependencies between systems, business processes, and departments.

Impact of any business disruption may include:

  • Financial Loss
  • Customers and suppliers
  • Employees and staff
  • Public relations and credibility
  • Regulatory requirements 
  • Social and corporate image

For example, in BCP, the business impact is categorized as follows:

  • High business impact:
  1. A severe business interruption that affects the entire organization and cannot be resolved within 24 hours
  2. A severe business interruption that affects branches in more than one region and cannot be resolved within 24 hours
  • Medium business impact:
  1. A business interruption that affects the entire organization, but can be resolved within 24 hours
  2. A business interruption that affects multiple branches in the same region and cannot be resolved within 24 hours
  3. A business interruption that affects several non-operational head office or branch functions and cannot be resolved within 24 hours
  • Low business impact: 
  1. A Business interruption that affects multiple branches in the same region, but can be resolved within 24 hours
  2. A Business interruption that that affects non-operational functions and can be resolved within 24 hours
  3. A business interruption that affects one branch or department only

5.5-Preventive measures

As much as possible, and to the extent that it is efficient, events that interrupt business should be prevented. For example, the availability of well-maintained fire extinguishers can prevent serious damages by fire; or the availability of a well-maintained backup generator will prevent business disturbance due to loss of power. For each of the scenarios, preventive measures should be assessed. 

5.6-Mitigation measures

In case an event cannot be prevented, its impact should be mitigated as much as efficiently possible. For example, the availability of fire insurance will limit the financial damage of fire, and the availability of backup systems will prevent the permanent loss of data. For each of the scenarios, mitigation measures should be outlined. 

5.7-Recovery Point Objective and Recovery Time Objective

Recovery Time Objective (RTO) is the (worst case and achievable) length of time it should take to recover an application back to full service. The shorter the activity's RTO (the period between the incident and resumption, or possibly even no Interruption), the higher the level of requirement in terms of Business Continuity. Recovery Point Objective (RPO) is the (worst case and achievable) duration of processing that can be lost as a result of a disaster. 

Applicable rules and principles for choosing Business Continuity solutions:

• Each organization must, for activities whose continuity or recovery must be ensured, choose business continuity solutions while taking into account: (1) the ability of the solutions to achieve the Business Continuity Objectives set in the strategy RTO/RPO, (2) the power of the solutions to cover (partially or totally) all of the reference scenarios, and (3) the impact at the envisaged solutions on the level of operational risk to which the activity will be exposed when these solutions are executed according to the predefined Business Continuity mode.

• When choices are made between different solutions, the assessment leading to these choices must be documented.

• All organizations must ensure that their chosen solutions allow interdependent entities (internal or external) to continue their activities (e.g., postal mail forwarded to the recovery site).

• The finalized choice of solutions must be articulated and documented. 

5.8-Crisis Management Team composition

In case of a crisis, a Crisis Management Team (CMT) needs to be composed to implement the actions of  BCP. The composition of  CMT can be slightly different from the Composition of the BCP Committee as the latter is more general, and the Crisis Management Team is staffed such that the optimum response to the particular event is ensured. Approval and decision rights remain unaffected. 

5.9-Crisis Management Team member tasks and basic recovery processes

As soon as the Senior Management has declared the state of a BCP event, the Crisis Management Team comes together. After ensuring that emergency issues are solved, and further damage is avoided/controlled, it is the first task to create a detailed recovery plan that can cope with the specific event. BCP outlines the respective steps that need to be taken in selected scenarios and includes various tools (such as contact lists) to ensure they can be followed. However, a more detailed and specific plan will be needed as soon as the particular event and situation can be described. BCPs naturally cannot consider each possible event in all detail. It is the responsibility of the (RM) Risk Management functionality to facilitate the process of creating such a response plan. 

6. Business Continuity Plan Awareness and Training

Business continuity is an important component of the organization's risk management program. Many occurrences highlighted in the BCP are highly unlikely to happen (or are perceived as highly unlikely to happen). For that reason, experience has shown that many employees might not be aware of their role within the BCP, or even its existence. Therefore, it is crucial for the organization to invest resources in training to ensure relevant staff is familiar with the BCP. Raising employee awareness is a must.

Business Continuity Plan looks at an entire organization, not only for requirements but also for dependencies. A formal training and awareness component is necessary for a successful Business Continuity Planning so that the tests and exercises contribute to the ongoing improvement of the program.

7. Testing

The BCP should be tested once per year. The BCP Committee might decide on additional tests if deemed necessary to cope with significant changes in business processes, business technology, facilities, BCP Committee Membership, Executive Management, or anticipated events that might cause a business interruption. It is vital to review BCP and test it regularly.

The goal of BCP testing is to ensure the BCP process is:

  • Accurate
  • Relevant
  • Viable under adverse conditions
8. Protecting Information in the BCP

The availability of the information contained in the BCP must be guaranteed. It is integrity must be preserved, and care must be taken to define an appropriate level of confidentiality. Points to be noted:

• A distribution list must be established as soon as each document is created. Each document must only be distributed to those who are implicated. The level of information must correspond to their responsibilities during the activation and operation of Business Continuity solutions as well as the return to normal. The recipients and end users of these documents must be able to find the information that they are looking for quickly, as they may be under unprecedented pressure due to the urgency of the situation. 

• The documents' format must ensure that the BCP is accessible under all circumstances: in production, in backup, and remotely. 

• It is, therefore, advisable to use different storage media, whether that BCP is in paper or electronic format. A copy of all of the documents for the BCP must be available at the production or usual sites, in backup, in the crisis management room, and remotely. 

• The physical protection (paper version) and logical protection (electronic version) of the information contained in the BCP must be in line with the requirements of their classification level, and their integrity must be maintained (e.g., paper BCP stored in a fireproof safe).

• BCP documents must be updated on an ongoing basis and at least once per year.


madunixExecutive IT Director
I know some stuff, and I do some things.

Comments (2)

Muneeb Imran ShaikhInformation Security Strategy, Governance & Risk Consultant

Well written and crisp ! Easy to read,understand and absorb !
Ronnie TolentinoPrincipal Cybersecurity & Network

Very well said, the translator of CISSP!  

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community