Professional Documents
Culture Documents
This business continuity plan example from Santa Cruz Health is designed for
different facilities to customize to ensure measures are taken to prepare and pre-
position resources to ensure continuity of mission critical services and processes in
an event that disrupts normal operations and impacts essential operations of the
facility. It is broken down into several sections, including:
The first major task of writing a BCP is identifying the risks or threats in your
environment and determining how they might impact your operations. For example,
some environmental threats may be likely to cause physical damage to your building.
Other types of threats may have an impact on your staff and their families.
The risks that are most threatening to your operations should be prioritized.
The next major task is identifying the tools, systems, and skills that are essential to
your operations and how critical they are to recover. You can kick off brainstorming
by posing the question, how do we achieve our goals?
For example, let’s say one of your mission critical services is fundraising. In that
case, a critical asset might be pledge cards. The vendor that prints your pledge
cards would also be considered critical.
When identifying these systems, tools, and skills, you’ll also want to determine what
resources would be required to restore them and therefore resume the mission
critical services and processes they are part of. Examples of resource requirements
are facilities, personnel, equipment, software, data files, system components, and
vital records.
This will help determine priority levels for sequencing recovery activities. In other
words, what needs to be restored first in order to get back to work as quickly as
possible during and after a crisis?
Now that you understand your organization’s unique risks and critical elements,
you’re ready to create a plan of action.
Start by identifying strategies that will eliminate the risks you identified in step 1
entirely. If that’s not possible, identify strategies that will lessen their impact. For
example, it’s impossible to eliminate the threat of environmental threats like
snowstorms entirely. Instead, you can create a procedure to have your employees
and contractors work remotely if a snowstorm makes it impossible or difficult to get to
the office. This will require that all employees and contractors have the appropriate
supplies and equipment and receive the same communications.
These mitigation strategies are designed to eliminate or lessen the impact of a threat
before a crisis and should therefore be implemented as quickly as possible.
4. Identify ways to prepare for and recover from the loss of any critical
elements.
Since it is impossible to eliminate all threats facing your organization, your next step
is to identify as many strategies as possible for dealing with the loss of each critical
element identified in step 2.
For example, installing protective systems like a security system, fire alarm system,
and antivirus software can all be considered strategies to prepare for and recover
from the loss of critical elements caused by theft, vandalism, environmental hazards,
cyber attacks, and other threats.
During the review or testing stage, you can remove any strategies that are too time-
consuming or expensive.
Now that plans and strategies are in place, you can take steps to improve the
efficiency and quality of your organization’s response to a crisis to help you get back
to work as quickly as possible.
Consider creating a recovery team that can assess your losses and initiate recovery
actions after a crisis. The roles and responsibilities of this team can be documented
in your BCP.
Your business continuity plan is a living document. It should be updated to reflect the
evolving risks and needs of your business. Whether you’re integrating new software
that suddenly crashes or bringing on a new management team member, your BCP
should reflect these changes.
If there are no major changes impacting your business, you should still test your
business continuity plan once a year at a minimum. This is a best practice and
compliance requirement. You can use a variety of testing methods, including
tabletop exercises and simulation tests.
Testing and keeping documentation like this up to date is an important part
of continuous compliance.
FAQs
While every business continuity plan is unique, five key components are:
The four P's of business continuity are people, processes, premises, and providers. Below are
definitions of each:
A real-life example of business continuity is the response to the Cape Town water crisis,
which began in 2015. During a period of severe drought, Cape Town implemented several
response and recovery strategies which averted the catastrophe of running out of water
— also known as “Day Zero.” This included the introduction of innovative pressure reduction
methodologies to curb water losses, sustained reduction in water use, and effective public
communication and awareness programs to avoid “Day Zero.”
How do I write a BCM plan?
Business continuity plans fail for a variety of reasons, with the most common being a lack of
buy-in from top management. Other reasons are that no one is appointed to take ownership of
business continuity planning, or the plan isn’t tested and updated regularly to keep up with
changes affecting the business.