How-to guide: How to draft a business continuity plan (USA)

Updated as of: 12 August 2025

Introduction

This how-to guide provides guidance for an organization that intends to draft a business continuity plan (BCP). It is aimed at in-house lawyers and risk and compliance teams in organizations of all sizes and all sectors in the United States.

Business continuity has always been a concern for organizations. Recent events such as the COVID-19 pandemic and natural disasters (hurricanes, floods, tornadoes) have underscored the importance of planning for a serious disruption. A written, carefully considered BCP will help you and your business continue to operate under adverse conditions, or resume operations sooner than your competitors.

This guide covers:

  1. What is a business continuity plan
  2. Elements of a business continuity plan
  3. Drafting a business continuity plan

This guide can be read in conjunction with Checklists: Supplier contracts and unforeseen events and What to consider when terminating a contract.

Section 1 – What is a business continuity plan?

A business continuity plan (BCP) is a procedural manual for key employees. It sets out a detailed strategy and a set of systems designed to ensure an organization’s ability to prevent, or rapidly recover from, a significant disruption to its operations. A small business may also have a BCP in place to address what will happen in the event of the death or disability of key personnel, such as an owner of the business.

Disruptions, and threats of disruptions, will almost always hurt a business’s profitability. An effective BCP will do the following:

  • minimize the impact of potential threats and disruptions;
  • enable ongoing operations before and during disaster recovery; and
  • maximize your organization’s resilience in the face of unexpected challenges.

Section 2 – Elements of a business continuity plan

An effective BCP is tailored to meet the specific needs and risks of your organization. A generic, off-the-shelf plan will neither address the unique risks that your organization faces, nor will it consider the culture of your organization and how best to use that culture to mobilize to address disruptions. The plan should be supported by all stakeholders, especially senior management, and cover the operations of the entire organization. To be effective, a plan must be proactive. It will include monitoring of the activities most at risk and call for periodic re-evaluation and testing so that gaps and weaknesses in the plan can be identified and fixed. Employees should be trained at initial hire and periodically during employment on their duties and responsibilities in the event of any sort of disruption. Finally, a BCP can only be effective if it is tested and the tests are documented. This will allow for continuous updating of the plan based on the test results and the input of the employees after being trained on the plan.

Every BCP should contain five key components:

  • identification of the types of potential disruption most likely to affect your organization;
  • contingencies for every aspect of the business that would be affected in each sort of potential disruption, such as business processes, protection of assets, data security, human resources, relations with business partners, and any other key aspects of the business;
  • checklists of key supplies and equipment, data backups, and the locations of off-site backups;
  • list of key people and their duties and responsibilities in the recovery, including plan administrators, emergency responders, key business personnel, and back-up site providers; and
  • strategies for recovering and maintaining operations in both short-term and long-term outages.

An effective BCP takes a holistic approach to recovery from a disruption and considers all the organization’s functions and risks, with the goal of promoting the smoothest and easiest possible organization-wide recovery. While the recovery of some functions will necessarily take priority over others based on the relative importance to business function, the goal should always be to ensure the recovery of all operations. The Federal Emergency Management Agency (FEMA) has developed a Continuity Plan Template and Instructions for Non-Federal Entities and Community Based Organizations that may be used for any organization that is developing a business continuity plan. Another template that may provide helpful guidance is provided by the California Governor’s Office of Emergency Services and Santa Cruz County.

Section 3 – Drafting a business continuity plan

Drafting an effective BCP involves four principal steps:

  • conducting a business impact analysis of your organization’s operations;
  • conducting a risk and threat analysis;
  • designing a strategy for post-disruption recovery; and
  • training on the BCP.

3.1 Conduct a business impact analysis (BIA)

A business impact analysis (BIA) predicts the effects that potential disruptions would have on business functions. It is conducted to gather the information needed to develop effective recovery strategies. An organization should begin its analysis by identifying the functions and processes of the business based upon a preliminary assessment of priority, such as:

  • physical security;
  • information security;
  • data protection;
  • core business functions (e.g., production);
  • human resources, including payroll and tracking;
  • revenue; and
  • communications and marketing.

Each organizational function should be described in very basic terms to aid understanding of exactly how and why it operates so as to better evaluate its importance to the organization. This will involve looking past the ‘official’ description of the function, or the job titles of the people involved, and focusing instead on the actual tasks performed. For example, a comprehensive data protection plan should include the appointment of a data protection officer who can educate the company and its employees about compliance, train staff involved in data processing, and conduct regular security audits. Similarly, an organization’s core business functions actually consist of interconnected parts or departments, including marketing, human resources, and production, which work together to achieve the business aim.

The legal requirements, if any, for performing each function should be listed, along with the applicable statute, regulation, presidential directive, or other legal authority.

Each function should be described in terms of the products or services delivered or actions accomplished by that function.

The identification and accurate description of each function will help to determine its exposure to a given disruption and its need for protection under a continuity plan.

Example

An organization that has its employees working from their homes or other remote locations, rather than in a central office, will likely have less need to protect the physical security of its operations. That organization will, however, need to consider the function of data security.


A BIA questionnaire can be used to query individual employees about the impacts of a disruption on their individual areas of expertise. Such a questionnaire will not only make use of the insights and experience of these employees, but will also make them active participants in the development of a recovery plan. A helpful example of such a questionnaire is provided by the US government at Ready.gov, the federal government’s disaster preparedness site.

Once the organizational functions are identified, you should determine whether each function is essential or non-essential. An essential function is one that your organization must perform during a disruption to normal operations and that it must continue to perform during emergencies. Essential functions are both important and urgent. On the other hand, a function that can be deferred until after an emergency is identified as non-essential. A business’s ability to maintain its infrastructure, such as utilities, communications, or internet access, or to provide, maintain and recover IT security is considered an essential function. A business’s ability to input data, or conduct marketing or public relations tasks, by contrast, can be identified as non-essential.

The next step is to identify the resources that support the essential functions and processes. These resources should include the following:

  • human resources, such as the key employees who will carry out the essential functions and chain of notification should a disaster occur;
  • your organization’s physical business locations (if any);
  • IT systems;
  • equipment;
  • documents, including business and procedure documents; and
  • supplies.

The key questions to guide you as you identify functions and processes should be:

  • what does your business need to carry out its essential processes; and
  • how will your organization obtain or have access to those resources in an emergency?

3.1.1 Recovery point objectives

After identifying your organization’s essential functions and the resources needed to carry them out, set a recovery point objective (RPO) for each critical function and process. The RPO is the maximum tolerable data loss for that function or process. For example, in an unexpected outage one or two systems might fail, and the business may face considerable downtime before the systems are restored and operations are no longer interrupted. The RPO is a metric for the amount of data loss the business can endure while continuing to function without any effect on its operations. To determine the RPO, the business will need to assess the criticality of the data and decide whether all of it, or only a part of it, must be restored for the business to operate without impact. The RPO will vary between industries and organizations and must be set according to the needs of the particular organization. You should carefully consider the effects of disruption on each essential function and how they will affect your organization’s survival.

3.1.2 Recovery time objectives

In addition to setting the RPOs for each function, you should assign recovery time objectives (RTO) for each function. An RTO is the maximum tolerable amount of downtime allowed to restore each critical function and process. The RPO and RTO of a function will be related. A function that has a lower RPO will have a shorter RTO, because an extended downtime may increase the loss from a critical function not being performed.

3.1.3 Recovery consistency objectives

Your organization should also define a recovery consistency objective (RCO). This is the consistency between different data sources when one or more systems crash or fail. Different systems may be affected at varied times, so different methods of restoring function can cause greater or lesser consistency between systems at the cost of losing potentially good data from a system affected later. For example, in a complex system which works across multiple storage systems, data replication must be synchronous for all storage systems to ensure the alternate site will be in sync with the main production site and data and application consistency are preserved. However, if the storage systems use different data replication techniques, there is a high probability of inconsistencies in the recovered data that will make it difficult to continue using the data in its recovered state. Additionally, recovering data at different times – even if the difference is just a few minutes or a few hours – can result in the recovered data being inconsistent.

All three objectives – RPO, RTO, and RCO – are essential. They need to be balanced, and this balance must be struck with a view to making each one complement the other two. They should not be seen as being in competition with one another. It is essential to choose methods of improving one objective that do not negatively impact another. For example, a stronger emphasis on bringing back full functionality may make the recovery process longer.
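As an added illustration (not part of the original guide), the following Python checks a completed recovery of one essential function against the RPO, RTO and RCO set for it in the BIA. The class names, field names and sample timings are constructed for this example, and treating the RCO as a maximum tolerable spread between the recovery points of the systems that make up the function is an assumption made here.

```python
# Added example (not part of the original guide): checking a completed
# recovery against the RPO, RTO and RCO set for one essential function.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objectives:
    """Objectives set in the BIA for one essential function."""
    rpo: timedelta  # maximum tolerable data loss
    rto: timedelta  # maximum tolerable downtime
    rco: timedelta  # assumption: maximum tolerable spread between the
                    # recovery points of the systems making up the function


@dataclass(frozen=True)
class Recovery:
    """What actually happened to one system supporting the function."""
    system: str
    last_good_copy: datetime  # time of the backup/replica that was restored
    failed_at: datetime
    restored_at: datetime

    def data_loss(self) -> timedelta:
        return self.failed_at - self.last_good_copy

    def downtime(self) -> timedelta:
        return self.restored_at - self.failed_at


def evaluate(objectives: Objectives, recoveries: list[Recovery]) -> list[str]:
    """Return one finding per objective that the recovery failed to meet."""
    findings = []
    for r in recoveries:
        if r.data_loss() > objectives.rpo:
            findings.append(f"{r.system}: RPO missed, lost {r.data_loss()} "
                            f"of data (limit {objectives.rpo})")
        if r.downtime() > objectives.rto:
            findings.append(f"{r.system}: RTO missed, down for {r.downtime()} "
                            f"(limit {objectives.rto})")
    # RCO: the systems were restored from copies taken at different times, so
    # the recovered data is only consistent if those times lie close together.
    points = [r.last_good_copy for r in recoveries]
    spread = max(points) - min(points)
    if spread > objectives.rco:
        findings.append(f"RCO missed, recovery points differ by {spread} "
                        f"(limit {objectives.rco})")
    return findings


# Constructed sample: an online order function backed by two databases that
# failed together at 10:00 but were restored from copies of different ages.
T = datetime(2025, 8, 12, 10, 0)
ORDER_OBJECTIVES = Objectives(rpo=timedelta(hours=1), rto=timedelta(hours=2),
                              rco=timedelta(minutes=15))
ORDER_RECOVERIES = [
    Recovery("orders-db", T - timedelta(minutes=15), T, T + timedelta(minutes=90)),
    Recovery("inventory-db", T - timedelta(hours=2), T, T + timedelta(hours=2)),
]

if __name__ == "__main__":
    for line in evaluate(ORDER_OBJECTIVES, ORDER_RECOVERIES):
        print(line)
```

In the sample, both systems come back within the RTO, but the inventory copy is two hours old (RPO missed) and the two recovery points lie an hour and three quarters apart (RCO missed), so orders and stock levels would not agree after the restore.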

3.2 Conduct a threat and risk analysis (TRA)

A threat and risk analysis (TRA) is an analysis of the potential disruptive events which may affect your business. It begins with a consideration of what actual disruptive events are likely to occur. These could include natural disasters, such as pandemics, wildfires, storms, and so on. It could also include cyberattacks such as ransomware or computer viruses, along with disruptions from theft, terrorism, or civil disorder. You should evaluate the risk and impact of utility outages, including losses of power, water, or Internet connectivity at your facilities. What could cause such failures and what would be the results of disruptions to your critical systems, suppliers, or corruption or loss of your stored data?

Once you have your list of potential disruptive events, sort them into potential types of damage. What will each potential disaster cause in terms of your ability to remain in business? These could include expenses to repair equipment or facilities, legal expenses from unmet contractual obligations (although force majeure provisions may be applicable), loss of revenue, failure of customer service, and damage to your reputation if you are unable to provide your products or services as your clients expect.

Risk assessments must be accurate and ongoing. It is common practice to schedule risk assessments to be conducted annually at a minimum. Consider conducting risk assessments for business functions deemed more critical as often as quarterly or monthly. Updating the assessment is essential to determining whether new risks have arisen, or whether previously identified risks do not pose the same level of threat as they did in the past. For example, an organization based in New York City may decide, based on the city’s experience in the aftermath of Hurricane Ida, that the organization now faces a strong likelihood of disruption from flooding.

3.3 Design a post-disruption recovery strategy

After determining what potential disruptions are likely to occur and what damage those disruptions are likely to cause, you can design your organization’s recovery strategy. Recovery requirements should be identified for each potential threat, matching the sorts of harm caused by each threat with the requirements to bring your business back into operation.

The next step is to organize recovery teams and procedures. Recovery strategies require resources including people, facilities, equipment, materials, and information technology. These strategies will vary between businesses of different sizes in different industries. Common strategies involve such things as working with third-party contractors to provide services your organization can no longer provide, relocating to different facilities, repurposing existing facilities, securing adequate insurance, or prioritizing the most urgent projects.

Example

If a business takes orders over the phone or in person but loses access to an Internet-based online order management system due to a power outage, having a procedure in place to use a paper substitute could mean the difference between continuing to operate and having to shut down completely.


Every plan should be developed with feedback from the individuals and managers who will be implementing it in the field. As potential problems are pointed out, the plan can be modified until it is workable and finally approved. This same process should be repeated for each potential disruption, so that your staff know exactly what to do when power goes out, when a shipment fails to arrive, or in any similar circumstance.

3.3.1 Mitigation

In developing a recovery strategy, do not overlook the importance of a mitigation plan. Identified hazards could recur, and repeated disruption could be even more damaging. Take care that the mitigation strategy does not open your business to new areas of risk. For example, in the event of a sustained loss of power due to a severe weather event, your IT department may be tasked with getting backup servers up and running. If those servers are not held to the same security and privacy standards, you may be trading operational continuity for an increased risk of a cyber or ransomware attack.

Section 4 – Training

Training on at least some aspects of the BCP is essential for all employees, whatever their responsibilities or role in the organization. At the very least, all employees should know what to do to protect themselves from personal injury in the event of a disaster. For example, an organization with its physical location in an area prone to tornadoes should make all employees aware of where they are going in the event a tornado is sighted in the area. The US government’s Ready.gov website includes specific information on Testing and Training.

Employees with specific tasks or duties related to business continuity and crisis communications should be trained so they are familiar with their role and responsibilities as set out in the BCP. Employees with supervisory authority over other personnel should receive a higher level of training, including incident command system training, so they can lead their group’s part of the response.

Training should be on a periodic basis, according to the needs of your organization. The scope of the ‘refresher’ training can vary. It may be a simple email reminding employees of the general procedures they are to follow. It may involve online training, or a review seminar. The frequency of retraining will depend on the specific risks identified, as well as the nature of your organization. Revised training will be necessary when new risks are identified, or when legal requirements change.

Example

IT professionals should be trained on data security requirements in the event of a major data breach. State laws in this area change regularly. When those requirements change, the IT staff must be made aware of the changes.


Records documenting the scope of training, participants, instructor, and duration should be maintained to help evaluate the effectiveness of the training. Consider implementing a feedback mechanism for employees that undergo training as a tool to evaluate the training’s effectiveness.

Some staff members involved in a recovery plan may be required to have professional certification or licensure from a governmental entity, such as certification as a business continuity professional (CBCP) or as an associate business continuity professional (ACBC). These certifications may require periodic retraining or continuing education, and the nature of that retraining will often be set by the certifying or licensing authority.

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, and continuously improve a documented management system. The goal is to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents. According to the ISO 22301:2019 standard, business continuity is defined as ‘the capability of an organization to continue the delivery of products and services within acceptable time frames at a predefined capacity during a disruption.’ The Business Continuity Institute (BCI) has drafted Good Practice Guidelines (GPG), a practical methodology that will help to build a robust business continuity program in alignment with the ISO 22301 standard.

Additional resources

The US government’s Ready.gov website provides helpful information regarding preparedness planning for business, and includes a section on Business Continuity Planning. The following entities have also published resources to assist business owners and others in preparing and implementing a BCP:
