4 Steps for Creating a Business Continuity Plan

by | Mar 12, 2018 | "Talking IT" BLOG

4 Steps for Creating a Business Continuity Plan

Surviving disasters is all about planning. Find out how to prepare your business for a crisis.

Developing strategies for business growth is a cornerstone of the modern organization. Developing strategies to help avoid business loss is just as important, which means business continuity plans are critical. These documents provide detailed plans on how to keep essential operations running during an emergency in order to minimize losses.

Some organizations call these documents “disaster recovery plans.” Others use this term to refer to department-level recovery plans and use the term “business continuity plan” when discussing organization-wide plans. These organizations will have one business continuity plan and several disaster recovery plans. Regardless of the terminology that your company uses, you need a system in place for getting through a crisis.

Here are four steps for creating a business continuity plan:

1. Perform a Business Impact Analysis

The first step in creating a business continuity plan is to perform a business impact analysis. To begin, list the processes that you use to deliver your products and services to customers. Then, catalog the resources needed to power those processes. The resources often include employees, business partners, office buildings, IT infrastructure and other technology assets, and office supplies.

After completing this inventorying process, ask yourself how a crisis would impact your business. If a critical disk failure causes you to lose a week’s worth of work, would you still be able to deliver your products and services? If a fire destroys your building or your computer system fails, how long would you be able to function without it?

To answer questions like these, you need to find out how long you would be able to operate in an emergency if you were cut off from your resources. This timeframe is known as the maximum tolerable period of disruption (MTPOD). It represents how much time you have to either fix a problem or find an alternative solution. If you are unable to recover in time, you could be held liable for failing to give your customers the service or product that you agreed to provide them. For this reason, you should address legal liabilities and similar issues in your business impact analysis.

2. Prepare Specific Recovery Plans for Employees and Departments

Now that you know your MTPOD, you can set a goal for how long it will take you to recover. This is known as the recovery time objective (RTO). With the RTO in mind, you can start writing recovery plans for each department, team, and senior manager in your organization.

These plans must list all the tasks that need to get done in a crisis and assign each task to a specific person. For example, in a plan that relates to a power failure, one employee might have the task of contacting the power company. Another employee might be in charge of checking the backup generator. A third might be responsible for maintaining the lines of communication between team leaders. After they have carried out these tasks, they can move on to the second job on their lists.

If your departments contain many employees or intradepartmental groups, make sure that your plans explain the departmental chain of command in an emergency. It is also a good idea to cross-train employees in the emergency tasks. That way, if one person is absent, busy, or incapacitated, a second staff member will be able to take that person’s place.

Unfortunately, you might not be able to carry out your primary recovery plan because of some unforeseen detail or series of events. This is why you need to create a set of backup recovery plans as well. These secondary plans might assign the tasks to different people or carry out the tasks in a different order. The secondary plans might even have employees perform the tasks from an alternate location in the event that the office is out of commission.

3. Create a Battle Box

Battle boxes contain equipment and documents that companies need during emergencies. Your battle box should contain all the documentation for your business continuity plan, as well as the plans for each department and senior manager. Plus, it must include key pieces of information about your company’s IT infrastructure, such as product serial numbers. Since communicating during a crisis is important, you also need to include contact information for all your employees and outside partners.

While these business-specific items are important, don’t forget to include practical items such as a flashlight, a cellphone, a laptop, a first aid kit, and a few bottles of water. For small companies, a single battle box should be fine. If your company is large, you might want to provide battle boxes for each department.

4. Practice for the Real Thing

When it comes to your business continuity plan, practice makes perfect. Running crisis simulations as part of your training program will help you determine how well your plan will work in real life. These exercises also let your employees feel what it is like to be in an emergency. That way they will be less likely to panic if an actual crisis occurs.

Amazon, AT&T, Google, and Netflix take practice runs to the next level. They often surprise their emergency response teams by performing crisis simulations without any warning. While some businesses have in-house teams run and monitor crisis simulations, many other companies hire third-party facilitators for this job. These experts record a response team’s actions during a simulation, analyze the results after the fact, and offer suggestions about ways to improve the team’s reactions.

Besides performing emergency response drills, these professionals can help you develop your business continuity plan. Talk to your IT service provider about the ways in which an outside disaster recovery specialist can help your business.

Are You Ready for Worry Free IT?

We’d love to hear more about your organization and design a solution to meet your needs.


Register for our free webinar on 05/19/2023 today! This month learn about Zero Trust Security.

Partner Spotlight

HIPAA Compliance made easy

HIPAA Associates provides HIPAA training and consulting to health care providers, employees and business associates. HIPAA Associates creates HIPAA training programs and compliance plans that fit your needs. We have trained thousands of individuals on HIPAA using our inside knowledge of the health care environment. Call us to get started.
(513) 918-5303
Learn More...

Keep Me Informed!