What is a business continuity plan?
A business continuity plan (BCP) provides a way for organizations to deal with the business impact of any disruptive event and carry on with business. It’s a strategic view that includes the development of specific contingency plans that address high-probability disruptions. Along with its related disaster recovery plan (DRP), the process of a business continuity plan makes up a large portion of an organization’s “worst case scenario” planning and provisions. BCPs help examiners and assessors determine whether an organization has taken sufficient steps to prepare for disaster.
This blog is part of a series to help businesses plan for disaster and disruption. Disaster Recovery Plans (DRP), and specifically IT Disaster Recovery, will be discussed in future blogs.
Is a business continuity plan a legal requirement?
In short, yes. Specific requirements depend on what types of data a company handles and on which industry standards, government regulations, and agencies govern it.
The activities performed during a proper business continuity plan will satisfy many of the disaster-related requirements from regulatory and governmental agencies. For example, in banking and finance, the FDIC requires institutions to perform thorough disaster planning. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to maintain a “contingency plan.”
A contingency plan is categorized as an Administrative Safeguard in the HIPAA Security Rule, 164.308(a)(7)(i). HIPAA contingency plans address the “availability” of data, one of the core security principles. The availability principle concerns the risk of business disruption; its goal is to help ensure authorized access to vital systems and information if and when needed. In HIPAA, availability is vital because lives can be at risk if patients’ medical information isn’t available when needed.
The HIPAA Contingency Plan should include a Data Backup Plan (164.308(a)(7)(ii)(A)), which itself includes items like a Disaster Recovery Plan, an Emergency Mode Operation Plan, Testing and Revision Procedures, and an Applications and Data Criticality Analysis.
Please note that this blog is not intended as legal advice, but to give a basic outline of a BCP.
What are the steps of a business continuity plan?
There are four basic steps in a BCP. Here is how to create your business continuity plan, step by step:
- Business Impact Analysis: Create and administer a questionnaire.
- Recovery Strategies: Select and implement chosen strategies.
- Plan Development: Develop, document, and approve plans.
- Testing and Exercises: Train BCP teams to test the plan and incorporate lessons learned.
Business Impact Analysis
The Business Impact Analysis (BIA) phase is the first step in your BCP. The purpose of this step is to predict the consequences or impact of disruption to a specific business function. Identify time-sensitive and critical business functions, as well as the resources that support them. With data protection and availability in mind, thoroughly examine all IT components including servers, networks, and devices. Understand what these components do and what would happen if they stopped doing that.
Consider potential impacts to finance or operations such as lost or delayed sales and income, fines, penalties, increased expenses, harm to reputation, and customer loss. Identify at which point in time the loss of a specific business operation or capability would result in the corresponding impact.
The bulk of this step consists of information-gathering activities, the results of which will be used later to create your recovery strategies. These activities revolve around your BIA questionnaire and/or worksheets. Your BIA process should look something like this:
- Create BIA questionnaire
- Train key individuals on how to complete questionnaire
- Collect and review questionnaires
- Hold follow-up interviews to verify and complete questionnaires
Recovery Strategies
Recovery requires resources. Buildings and machinery can be damaged, supply chains can fail, and IT systems can be compromised. Recovery strategies provide an alternative plan to keep the business running and operating at a minimum acceptable level.
Once you’ve collected the BIA questionnaires and worksheets, evaluate the resources that would be needed to recover from the possible impacts identified to this minimum acceptable level. Basically, you need to know what would be required and how much it would cost to get back to this level.
The bigger the company, the more recovery strategies can be explored. Strategies can include things like relocation, working with third parties, short-term partnerships, and reassigning responsibilities. All staff at all levels should be consulted to determine which strategies likely would or would not work.
Collaboration and inclusion are critical because the people doing the work are the ones who understand their procedures best.
The steps of the Recovery Strategies stage include:
- Outline resource requirements based on BIA
- Perform a gap analysis between recovery requirements and current capabilities
- Explore, choose, and approve recovery strategies
- Implement recovery strategies
Plan Development
During Plan Development, you will take the chosen strategies and thoroughly document your plan for their implementation. It is likely that you will have multiple contingency plans to flesh out during this phase.
- Develop framework for your plan
- Create recovery teams
- Fill in the actual plans: the steps involved, etc.
- Write your official business continuity plan, contingency plans, and disaster recovery procedures
- Finalize, validate, and approve plan
Plan development will take time and the ultimate goal of this phase is to have a complete, authorized, fully vetted, tested, and revised BCP on file.
Testing and Exercises
As with an incident response plan, the success of your BCP depends largely on continual testing and training. If your entire company is not aware of their roles during an emergency or extended business impact scenario, educating them in the event of a crisis will waste valuable time. If employees have not tested their roles in the plan under the pressure of a drill, they will not be able to perform should an actual emergency arise.
Tabletop exercises, drills, training, communication, and messaging are all important parts of this phase, and departments like HR, marketing, and internal communications should be considered key players.
The Testing and Exercises phase should include the following:
- Develop testing, exercise, and maintenance requirements
- Hold regular trainings with business continuity teams
- Conduct drills and testing and document results
- Incorporate lessons learned from drills, tests, and exercises regularly
- Keep BCP relevant, up to date, and easily accessible to all key players
The success of your BCP
Successful business continuity depends on thorough communication and planning within an organization. Out-of-the-box creativity will be helpful at all stages, so all types of thinking, temperament, and attitudes should be included. Make sure you include all the roles in planning and testing that will be expected to perform during an emergency.
Ultimately, your BCP is a binder full of papers and the result of a specific “process,” but it represents human action and impact, and it’s important for all members of your organization to understand the significance and relevance of such a plan.
Jen Stone (MSCIS, CISSP, CISA, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.