California businesses are no stranger to disruptive events, be it a natural disaster or human-initiated incident (e.g., cyberattack). California has made more disaster declarations in recent years than any other state in the U.S. However, it just takes one event to cause devastation for any business in any location.
Internal or external forces can create a disruption and cause a company’s operations to grind to a halt. Along with the potential of lost revenue, supply chain disruption, and increased costs, there is always the possibility of a negative impact on customers as well as a company’s reputation. Having a business continuity plan in place is essential to reducing your risk.
Our blog illustrates the steps to creating your own business continuity plan, helping you to mitigate the negative impacts of a future business disruption.
What Is a Business Continuity Plan?
Business continuity plans are detailed response procedures that companies use when disruptive events occur. It’s the preparedness, guidance, and training your team relies on to respond quickly and mitigate risk when navigating situations that are threatening to your business’s health.
Without advance planning and training, you and your employees will be left figuring out how to proceed during the event, slowing response times and decreasing the odds of success.
How Many Business Continuity Plans Do You Need?
While most BCPs will bear a strong resemblance to each other, you need to create one for every event that could disrupt operations for more than an hour. Each response guidance document can be compiled within a large omnibus — there may be a general plan, but individual events require separate, focused information, instructions, and training.
Disruptive events most California-based SMMs should create plans for include:
- Fires (structural and wildfires)
- General power outages
- Cyberattacks (e.g., ransomware)
- Active shooter incidents
Each BCP should address how to prevent the disruptive event (if possible), the steps needed to mitigate negative impacts while it’s happening, and a recovery plan.
What Is the Primary Goal of a Business Continuity Plan?
The primary goal of a business continuity plan is to identify what you can do now to reduce risk as well as identify how you can mitigate the effects of an event if and when it happens. This involves creating actionable steps for response and recovery along with identifying which roles or departments are responsible for them. You know this goal is achieved if, during an event, you simply retrieve the plan and can execute it swiftly and successfully.
For example, consider your response to an earthquake or a general power outage. You cannot merely assume that you will be able to rent generators to maintain power and operations. Whom will you rent them from? What models meet the specifications you need? What will you do when all other businesses are attempting the same? Employees responsible for responding to disruptions should already know what to do and have guidance materials to help them.
Similarly, if your company network is infected with ransomware, how will you respond? Perhaps your information security policy requires automatic backups of all digital systems and assets every four hours to enable a speedy recovery. That interval is the most data you have decided you can afford to lose, so the plan should also state where those backups are kept, who is authorized to restore them, and how you confirm they were not reachable from (and encrypted alongside) the systems the ransomware hit. A backup that has never been test-restored is an assumption, not a plan. Again, with a well-documented plan and preparatory efforts, you will already know what to do.
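The following check is an added example, not code from the original post or from CMTC. It turns the four-hour backup policy above into something the continuity team can run before they need it: it reads a backup catalog, discards any copy whose recorded digest no longer matches its contents (a copy ransomware could reach and encrypt is exactly the copy that fails this), and then asks whether the newest usable copy of each system is within the four-hour recovery point objective and whether at least one immutable or offline copy exists. The JSON manifest format, the system names, and the payload bytes are all constructed for the example.

```python
"""Check a backup catalog against a BCP's recovery point objective (RPO).

Added example. Assumptions not taken from the original post: backups are
described by a JSON manifest with one entry per snapshot (system name, time
taken, SHA-256 of the archive, and whether the copy is immutable/offline).
The manifest and the payload bytes below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=4)      # the four-hour interval from the policy example
MIN_IMMUTABLE_COPIES = 1      # at least one copy that malware on the LAN cannot overwrite


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for the archived backup files.
PAYLOADS = {
    "erp-0800": b"erp database dump, 08:00 (constructed)",
    "erp-1200": b"erp database dump, 12:00 (constructed)",
    "mes-2000": b"mes recipe/config export, 20:00 (constructed)",
    "hmi-1100": b"hmi project files, 11:00 (constructed)",
}

# Constructed manifest. The 12:00 ERP entry deliberately records a digest that
# no longer matches its payload, modelling a backup altered after it was
# catalogued (for example, encrypted by ransomware that had write access to it).
MANIFEST_JSON = json.dumps({
    "snapshots": [
        {"id": "erp-0800", "system": "erp", "taken_at": "2024-05-01T08:00:00Z",
         "sha256": sha256_hex(PAYLOADS["erp-0800"]), "immutable": True},
        {"id": "erp-1200", "system": "erp", "taken_at": "2024-05-01T12:00:00Z",
         "sha256": "0" * 64, "immutable": False},
        {"id": "mes-2000", "system": "mes", "taken_at": "2024-04-30T20:00:00Z",
         "sha256": sha256_hex(PAYLOADS["mes-2000"]), "immutable": True},
        {"id": "hmi-1100", "system": "hmi", "taken_at": "2024-05-01T11:00:00Z",
         "sha256": sha256_hex(PAYLOADS["hmi-1100"]), "immutable": True},
    ]
})

# The "current time" used by the demo so the result is reproducible.
EXAMPLE_NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)


def parse_manifest(text: str) -> list:
    """Parse the manifest and convert ISO-8601 timestamps to aware datetimes."""
    entries = json.loads(text)["snapshots"]
    for e in entries:
        e["taken_at"] = datetime.fromisoformat(e["taken_at"].replace("Z", "+00:00"))
    return entries


def check_system(snapshots: list, now: datetime, payloads: dict) -> list:
    """Return findings for one system's snapshots; an empty list means compliant."""
    findings, verified = [], []
    for s in snapshots:
        data = payloads.get(s["id"])
        if data is None or sha256_hex(data) != s["sha256"]:
            findings.append(f"CHECKSUM_MISMATCH {s['id']}")
            continue  # a corrupted or encrypted copy is not a usable restore point
        verified.append(s)
    if not verified:
        findings.append("NO_VERIFIED_SNAPSHOT")
        return findings
    newest = max(verified, key=lambda s: s["taken_at"])
    age_hours = (now - newest["taken_at"]).total_seconds() / 3600
    if now - newest["taken_at"] > RPO:
        findings.append(f"RPO_MISSED newest verified copy is {age_hours:.1f}h old")
    if sum(1 for s in verified if s["immutable"]) < MIN_IMMUTABLE_COPIES:
        findings.append("NO_IMMUTABLE_COPY")
    return findings


def check_backups(manifest_text: str, now: datetime, payloads: dict) -> dict:
    """Group snapshots by system and check each one against RPO and immutability."""
    by_system = {}
    for s in parse_manifest(manifest_text):
        by_system.setdefault(s["system"], []).append(s)
    return {name: check_system(snaps, now, payloads)
            for name, snaps in sorted(by_system.items())}


def run_demo() -> dict:
    """Run the check over the constructed catalog at EXAMPLE_NOW."""
    return check_backups(MANIFEST_JSON, EXAMPLE_NOW, PAYLOADS)


if __name__ == "__main__":
    for system, findings in run_demo().items():
        print(f"{system}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is, the ERP system reports both a checksum mismatch on its newest copy and a missed RPO, because the only copy that verifies is six hours old; the MES export is intact but eighteen hours stale; the HMI files pass. The design choice worth keeping is that a copy is only counted toward the RPO after its digest verifies, so the check cannot be satisfied by backups that exist on disk but are no longer restorable.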
Why Is a Business Continuity Plan Important for SMMs?
Without a well-documented business continuity plan in place, the impacts of a disruptive event can be devastating for SMMs — negative impacts can include lost revenue, increased costs, production and supply chain disruptions, and damaged customer relationships and reputations.
But, because SMMs are production-based rather than service providers, the effects can worsen if machinery and equipment are suddenly shut down or damaged. Furthermore, because many SMMs rely on fulfilling contracts, failure to resume operations after a disruptive event could mean missed quotas, threatening future contract awards and the income they provide.
By implementing a BCP, you protect your:
- Reputation as a sustainable and reliable supplier
- Sales and revenue
- Customers and relationships
- Potential for acquiring new customers
- Intellectual property and confidential information
What Does a Business Continuity Plan Typically Include?
Business continuity plans should be comprehensive and include everything that stakeholders and employees need to deal with disruptive events quickly and efficiently. For a plan to be effective, employees responsible for response tasks should be able to perform all necessary actions when an event occurs using only the information provided. As a result, plans should be designed as step-by-step instructions with an emphasis on being easily understood, since an ongoing crisis will cause elevated stress and make it more difficult to focus.
Every BCP should include the following elements:
- An analysis of your business’ critical functions: This will allow you to prepare resources, establish response priorities, and facilitate planning by “working backward” from the processes that need to maintain continuity or resume quickly.
- A list of all potential risks: Any risks that pose a severe threat to your business must be accounted for. This list should be prioritized according to risk likelihood, projected impacts, current tolerances, and your risk appetite to help you determine which ones require the most preparation and training.
- The response plan: You’ll need a list of strategies (or mitigation activities) that help protect the critical components and processes previously identified. Each strategy should provide step-by-step instructions for execution and all necessary information such as contacts (e.g., emergency responders, rental equipment vendors), physical resource locations (e.g., first aid kits), and backup plans to best eliminate response delays or mistakes.
- Evidence supporting the strategies: This information (key metrics, indicators, financial scenarios, and test results) will be less important during the response effort and may be included in the plan’s appendix, but it is still necessary, as stakeholders, insurance companies, and regulatory agencies may require it. Moreover, employees benefit from understanding why they’re taking specific actions.
- Reporting information: As BCPs are living documents, they must be updated periodically (every one or two years is recommended). Dashboards and reports that uncover challenges (e.g., during drills or previous responses) will guide your plan refinement.
How Do You Create an Effective Business Continuity Plan?
Creating a business continuity plan can be broken down into five easy steps. This process should be repeated every one or two years to ensure your plan remains current and incident response is timely and effective.
Step 1: Conduct a Business Impact Analysis
Start developing your BCP by conducting a business impact analysis. This evaluation will help you to determine which time-sensitive or critical business functions must be preserved or maintained as much as possible while the incident occurs and in its immediate aftermath.
Once you have identified these mission-critical processes and functions, you can determine which protective measures should be taken and the resources required to do so.
This step should also involve determining and describing your objectives for the BCP. When does it need to be completed? What budget should you set for disaster and recovery preparation (e.g., research, training, consultants, and tools)?
Detail any projections or assumptions about available financial resources and begin investigating additional assistance, such as government business continuity grants or state and federal programs that you can contact for more help.
Consult NIST SP 800-30
If you have never performed a risk and business impact assessment, you can begin by consulting the National Institute of Standards and Technology’s Special Publication 800-30, Revision 1 (SP 800-30): Guide for Conducting Risk Assessments. BCPs developed for cyberattacks like ransomware should draw on this document and its guidance.
Although SP 800-30 is primarily intended for information security purposes, it outlines how to determine and rank risks based on their likelihood of occurrence and potential impact. So, it can be adapted to any disruptive event as well.
Step 2: Identify and Document the Implemented Plan
Identify the BCPs you’ll need to create as well as their methods for protecting critical business functions and processes against each individual risk. Then, begin developing them more thoroughly.
Most plans (or plan categories) will involve similar information and contain similar steps. To return to the example of renting a generator, the same response steps and information should be included for earthquakes, wildfires, general power outages, and any other incident that might disrupt the grid.
Remember that there's no single right way to create a BCP, but the plans created for each event or risk must include:
- Procedures: Processes and tasks that must take place to continue operations
- Agreements: Provisions previously outlined with customers and vendors should a party become unable to perform agreed-upon tasks
- Resources: Any available assets that can be utilized during a disaster
This information, along with the responsibilities of each role, informs the steps or tasks that employees must perform to keep operations running as smoothly as possible. Directions should be specific and supported by diagrams or illustrations as needed (e.g., building layouts, first aid procedures, control panel diagrams). Also, be sure to include a backup response plan if any circumstances prevent the original execution.
Break down the response processes into simplified checklists — even if more detailed steps are included within the document. Employees might be overwhelmed by the crisis, so you want the plan to be as clear and easy to follow as possible to convey key steps.
Step 3: Establish a Business Continuity Team
General first responder advice often includes pointing to a specific individual and telling them to call 911. This is because a group can freeze when hearing, “Someone call 911!” as no one is certain whose responsibility it is and, ultimately, no one does.
The same can occur when your business undergoes a crisis. So, one of the most critical steps in developing and implementing a BCP is establishing a dedicated business continuity team with defined roles and responsibilities — including who will lead or require training.
This information should be included within the plan so people can identify whom to check in with during the ongoing response effort. There should be a list of names, titles, contact information, and what they're responsible for, along with a clearly defined hierarchy that describes authority, succession, and accountability. This section of the plan should also include an organizational or functional diagram so people can quickly determine what they need to know.
Once you’ve created your BCP, consider reaching out to third-party experts and consulting organizations (who are not involved in the plan’s creation) for an outside assessment.
Step 4: Train Your Business Continuity Team
Once the BCP has been created and implemented, it’s time to begin training the response team to perform their roles and responsibilities promptly and without mistakes. Merely being assigned a job is not sufficient, as you want their response execution to be as automatic as possible and performed as required while managing elevated stress.
After initial training, schedule and perform system tests or live drills to put the plan into practice. This will also enable you to evaluate and refine your BCP.
Tests and drills will require guidelines and schedules and may involve more of your workforce — if not everyone — to perform a realistic simulation. If live simulations cannot be performed, conduct tabletop exercises with your business continuity team.
Remember to create evaluation forms and checklists to record the performance for later review.
Step 5: Establish a Process for Capturing Insights
Shortly after BCP tests and drills, reassemble your team to conduct a review. Determine what worked as intended and where unforeseen complications arose so you can address them before a real crisis occurs. If simulations involve other employees, provide them with feedback forms to collect more data.
These debriefs are essential to the process to ensure your BCP is always updated with new insights.
How Frequently Should a Business Continuity Plan Be Updated?
Business continuity plans should be updated every one to two years, with the same scheduling for tests and drills.
Research when regional or statewide drills are scheduled and align your own exercises with them for the most realistic simulations and evaluations. For example, "ShakeOut Day" is an annual earthquake emergency drill day (usually held in the fall).
How Does CMTC Help SMMs With Business Continuity?
If you need assistance with creating, implementing, or updating your business continuity plan, contact CMTC for resources and support. We'll work on-site and alongside your team to help ensure the resiliency and sustainability of your organization.
About the Author
Gregg Profozich is a manufacturing, operations and technology executive who believes that manufacturing is the key creator of wealth in the economy and that a strong manufacturing sector is critical to our nation’s prosperity and security now, and for future generations. Across his 20-plus-year career in manufacturing, operations and technology consulting, Mr. Profozich has helped manufacturing companies, from the Fortune 500 to small independents, significantly improve their productivity and competitiveness.