Business continuity plan example

This business continuity plan example from Santa Cruz Health is designed for
different facilities to customize to ensure measures are taken to prepare and pre-
position resources to ensure continuity of mission critical services and processes in
an event that disrupts normal operations and impacts essential operations of the
facility. It is broken down into several sections, including:

1. General: Describes the purpose of the BCP, as stated above.

2. Activation: Briefly describes when the plan should be activated.
 3. Overview: Briefly describes what the plan is, how it was developed, what steps need
to be taken to ensure it’s effective, and what’s included.
4. Continuity requirements: Lists the facility’s mission critical services, processes,
equipment and supplies, IT applications, records, and business continuity personnel.
5. Continuity and recovery actions: Lists procedures following the occurrence of
different BCP events, including loss of power, loss of HVAC, and relocation of
departmental services to an alternate location.

How to write a business continuity plan

Now it’s time to start formulating and building out your business continuity plan. To
guide you through the process, we’ve broken the process down into six key steps.
We’ve also provided a template below to help get you started.

1. Identify and assess your risks.

The first major task of writing a BCP is identifying the risks or threats in your
environment and determining how they might impact your operations. For example,
some environmental threats may be likely to cause physical damage to your building.
Other types of threats may have an impact on your staff and their families.

The risks that are most threatening to your operations should be prioritized.

2. Identify critical elements of your organization.

The next major task is identifying the tools, systems, and skills that are essential to
your operations and how critical they are to recover. You can kick off brainstorming
by posing the question, how do we achieve our goals?

For example, let’s say one of your mission critical services is fundraising. In that
case, a critical asset might be pledge cards. The vendor that prints your pledge
cards would also be considered critical.

When identifying these systems, tools, and skills, you’ll also want to determine what
resources would be required to restore them and therefore resume the mission
critical services and processes they are part of. Examples of resource requirements
are facilities, personnel, equipment, software, data files, system components, and
vital records.

This will help determine priority levels for sequencing recovery activities. In other
words, what needs to be restored first in order to get back to work as quickly as
possible during and after a crisis?

3. Identify ways to mitigate risks.

Now that you understand your organization’s unique risks and critical elements,
you’re ready to create a plan of action.

Start by identifying strategies that will eliminate the risks you identified in step 1
entirely. If that’s not possible, identify strategies that will lessen their impact. For
example, it’s impossible to eliminate the threat of environmental threats like
snowstorms entirely. Instead, you can create a procedure to have your employees
and contractors work remotely if a snowstorm makes it impossible or difficult to get to
the office. This will require that all employees and contractors have the appropriate
supplies and equipment and receive the same communications.

These mitigation strategies are designed to eliminate or lessen the impact of a threat
before a crisis and should therefore be implemented as quickly as possible.

4. Identify ways to prepare for and recover from the loss of any critical
elements.

Since it is impossible to eliminate all threats facing your organization, your next step
is to identify as many strategies as possible for dealing with the loss of each critical
element identified in step 2.

For example, installing protective systems like a security system, fire alarm system,
and antivirus software can all be considered strategies to prepare for and recover
from the loss of critical elements caused by theft, vandalism, environmental hazards,
cyber attacks, and other threats.

The goal is to come up with as many preparedness strategies as possible in order to

best prepare and recover from the loss of mission critical assets during and after a
crisis.

During the review or testing stage, you can remove any strategies that are too time-
consuming or expensive.

5. Prepare for how you will respond after a crisis.

Now that plans and strategies are in place, you can take steps to improve the
efficiency and quality of your organization’s response to a crisis to help you get back
to work as quickly as possible.

Consider creating a recovery team that can assess your losses and initiate recovery
actions after a crisis. The roles and responsibilities of this team can be documented
in your BCP.

6. Update and test your business continuity plan.

Your business continuity plan is a living document. It should be updated to reflect the
evolving risks and needs of your business. Whether you’re integrating new software
that suddenly crashes or bringing on a new management team member, your BCP
should reflect these changes.

If there are no major changes impacting your business, you should still test your
business continuity plan once a year at a minimum. This is a best practice and
compliance requirement. You can use a variety of testing methods, including
tabletop exercises and simulation tests.
Testing and keeping documentation like this up to date is an important part
of continuous compliance.

Business continuity plan template

Use this template to begin identifying the risks, critical elements, mitigation actions,
and preparedness strategies that will make up the basic components of your
business continuity plan.

FAQs

What are the benefits of a business continuity plan?

Implementing and maintaining an effective business continuity plan offers a range of

benefits, including:

 reduced costs and impact on business performance when a disruption occurs

 a consistent, organization-wide approach to respond and recover from a significant
disruption
 assurance for clients, suppliers, regulators, and other stakeholders that the organization has
systems and processes in place for business continuity
 improved business performance and organizational resilience
 a better understanding of the business, its critical issues, and areas of vulnerability

What are the 5 components of a business continuity plan?

While every business continuity plan is unique, five key components are:

 Risks and their potential business impact and likelihood of occurrence

 Mission critical services, processes, and resources
 Risk mitigation actions
 Preparedness strategies to prepare for and recover from the loss of any critical elements
 Training, testing, and plan maintenance

What are the 4 P’s of business continuity?

The four P's of business continuity are people, processes, premises, and providers. Below are
definitions of each:

 People: This includes your employees and customers.

 Processes: This includes the technology and processes your business uses to keep
everything running.
 Premises: This includes the buildings and spaces from which your business operates.
 Providers: This includes partners, vendors, and suppliers that your business relies on for
resources.

What is a real-life example of business continuity?

A real-life example of business continuity is the response to the Cape Town water crisis,
which began in 2015. During a period of severe drought, Cape Town implemented several
response and recovery strategies which averted the catastrophe of running out of water
— also known as “Day Zero.” This included the introduction of innovative pressure reduction
methodologies to curb water losses, sustained reduction in water use, and effective public
communication and awareness programs to avoid “Day Zero.”
How do I write a BCM plan?

Below is a step-by-step process for writing a BCM plan:

1. Identify and assess risks (can use the 4 P’s)

2. Identify mission critical products, services, or functions
3. Evaluate the potential impact of risks and disruptions to critical elements
4. List actions to mitigate these risks
5. List strategies to prepare for and recover from the loss of any critical elements
6. Maintain, review, and continuously update the business continuity plan

Why do business continuity plans fail?

Business continuity plans fail for a variety of reasons, with the most common being a lack of
buy-in from top management. Other reasons are that no one is appointed to take ownership of
business continuity planning, or the plan isn’t tested and updated regularly to keep up with
changes affecting the business.