How do you write a continuity plan?

Writing a continuity plan is an action that does not stand alone in isolation. It is embedded in a BCM process. The most necessary step that is necessary for this is the preparation of a business impact analysis. A step that can also be useful, but is less necessary according to some schools, is the risk analysis. They help with the preparation of the risk register.Author: Manu Steens     In this post I write my own opinion, not that of any organization.  

What do you need and how do you create a BCP (Business continuity plan)?

Based on the above, and on the existing processes, you then shape a business continuity plan after drawing up action plans.

These action plans give the BCP a fighting chance. If the measures are not taken, or if they are poorly designed, the BCP cannot have much effect.

The BCP then consists of contact lists, a ‘reasonable worst case scenario’ or crisis files, and recovery plans.

What do those documents look like?

The BCP itself:

According to Wikipedia, a BCP is “A set of documents that are developed preventively to allow an organization to continue to provide its critical services at a predetermined acceptable level within a certain time.”

A possible content of the BCP is as follows:

  • Management Overview
    • Objective and scope of the BCP
    • Critical Processes
    • Types of situations for the plan with a redirect to the crisis files
    • Reference to other documents
  • Roles and responsibilities
  • Activation Schedule
  • Communication processes with the call tree and reporting lines
  • Lists of supplies and contacts
  • Emergency scenarios
    • For each of the critical processes, the following information is provided:
      • the processes on which the critical process depends and the necessary data;
      • the processes that depend on the critical process and the necessary data;
      • the resources necessary for the proper conduct of the critical process;
      • the people who are necessary for the proper running of the critical process.
    • As soon as a critical process fails, the following steps must be taken:
      • notify process owners of dependent users;
      • contact process owners on the supplier side;
      • identify the resources available;
      • Find out which people are available.
  • Schedule of ending the crisis
  • Document management information
  • Attachments
    • Crisis Files
    • Recovery plans
    • Pandemic plan
    • Occupational safety plan
    • Crisis management plan

The crisis cards:

A crisis file is a concise document that recommends a possible handling of a singular type of crisis. It always includes a single cause that can cause numerous consequences for the organization. Causes can be of natural, human, or natech origin.

A possible table of contents for crisis files might be:

  • Description of the type of event
  • Crisis steps to be taken, in a proposal of a possible order.
  • List of people with a possible key role, both internal and external to the organization
  • A list of suggested questions that the CMT (Crisis Management Team) can ask to inform itself in depth about the situation at different times during the crisis handling.

The recovery plans:

A recovery plan contains measures that can be activated in a crisis, allowing the entity to return to normal.

The plan describes repressive and protective measures to be taken, so that after a crisis the damage remains within the specified limits.

The basic approach comes from the business impact analysis with a picture of: 

  • The most important processes;
  • The damage caused by process failure;
  • The limit of the damage one can handle.

 More information about recovery strategies can be found on https://emannuel.eu/what-are-recovery-strategies-for-a-business-continuity-plan/

Made a BCP, then what?

A BCP is therefore not a single document that can disappear into the cupboard once drafted. It must be reviewed every time the BIA is done, or the risk analysis indicates a different situation, either internally in the organization, or externally in the environment. A BCP is a document that must earn its value during crisis situations. That is why it is not written to end up on the scaffold, but to be practiced at least annually. Normally, a lot of inspiration can be drawn from the crisis cards, from which one can deviate by making the situation slightly different from the pure single crisis. A combination of crisis events, or a cascade of events, can provide a very original approach to the needs in the BCP.

The best way to make good and up-to-date changes to the BCP is to look at the production and delivery options in the current (geo)political context and legislation. This can provide input for the BIAs of some (production) processes, so that there are new topics for all kinds of topics in the BCP, with possibly one or more new crisis files and/or recovery plans as a product within the set of documents.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields. Since 2012, he has been working at the Crisis Centre of the Flemish Government (CCVO), where he has progressed in BCM, risk management, and crisis management. Since August 2021, he has been a knowledge worker for the CCVO. As of January 2024, he works at the Department of Chancellery and Foreign Affairs of the Flemish Government. Here, he combines BCM, risk management, and crisis management to create a tailored form of resilience management to meet the needs of the Flemish Government.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts