
What is business continuity and why is it important?

What is business continuity?

Business continuity is an organization's ability to maintain critical business functions during a disaster and after it has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services and reestablish full day-to-day function to the organization as quickly and smoothly as possible.

The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers unpredictable events and potential threats, such as natural disasters, fires, disease outbreaks, pandemics, supply chain disruptions, cyber attacks and other external threats.

A business continuity strategy is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity and disaster recovery planning is deciding what functions are essential and allocating the available budget accordingly. Once crucial components have been identified, administrators can put failover mechanisms in place.

Technologies such as disk mirroring enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This helps data access functions continue uninterrupted if one location is disabled and protects against data loss.

Why is business continuity important?

At a time when downtime is unacceptable, business continuity is critical. Downtime comes from a variety of sources. Some threats, such as cyber attacks and extreme weather, seem to be getting worse. According to Gartner, cyber attacks are growing in sophistication and exploiting poor cybersecurity threat detection. Therefore, it's important to have a business continuity plan in place that considers any potential disruptions to operations.

The plan should enable the organization to keep running at least at a minimal level during a crisis. Business continuity helps the organization maintain resiliency in responding quickly to an interruption. Strong business continuity saves money, time and company reputation. An extended outage risks financial, personal and reputational loss.

Business continuity requires an organization to look at itself, analyze potential areas of weakness and gather key information -- such as contact lists and technical diagrams of systems -- that can be useful outside of disaster situations. In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience.

Business continuity might even be a requirement for legal or compliance reasons. It's important to understand which regulations affect a given organization, especially in an era of increased regulation.

What does business continuity include?

Business continuity is a proactive way to ensure mission-critical business operations proceed during a disruption or in the event of a disaster. A successful business continuity plan includes the following:

  • Clear and comprehensive guidelines. Business continuity features clear guidelines for what an organization must do to maintain operations. If the time comes for action, there should be no question about how to move forward with business processes. The plan should have contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document.
  • Defined levels of response. Proper business continuity includes different levels of response. Not everything is mission-critical, so it's important to lay out what is most vital to keep running and what could come back online at later times. It's crucial to be honest about recovery time objectives and recovery point objectives.
  • A collaborative and transparent process. The business continuity process includes the whole organization, from executive management on down. Although IT might drive the process, it's essential to get buy-in from management and other stakeholders and to communicate key information to the entire organization. Everyone should know the basic steps for how the organization plans to respond. An important area of collaboration is with the security team; although IT and the security team often work separately, an organization benefits when the two departments share information.

3 key components of a business continuity plan

A business continuity plan has three key elements: resilience, recovery and contingency.

An organization can increase resilience by designing critical functions and infrastructures with various disaster possibilities in mind; this can include staffing rotations, data redundancy and maintaining a surplus of capacity. Ensuring business resiliency against different scenarios can also help organizations maintain essential services on location and off site without interruption.

Rapid recovery to restore business functions after a disaster is crucial. Setting recovery time objectives for different systems, networks or applications can help prioritize which elements must be recovered first. Other recovery strategies include resource inventories, agreements with third parties to take on company activity and using converted spaces for mission-critical functions.

A contingency plan has procedures in place for a variety of external scenarios and can include a chain of command that distributes responsibilities within the organization. These responsibilities can include hardware replacement, leasing emergency office spaces, damage assessment and contracting with third-party vendors for assistance.

Business continuity standards

Table 1 lists the standards in the ISO 223XX series that apply to business continuity and related activities. The Business Continuity Institute (BCI) also provides global business continuity standards and best practices in its Good Practice Guidelines. Those standards and guidelines, along with several from the U.K., including the British Standards Institute's "Guidance on organization recovery after disruptive events" and "Organizational resilience: code of practice", map closely to the ISO 22301 standard.

Table 1 (list of ISO 223XX series standards). The standards in the ISO 223XX series include societal security and video surveillance.

Table 2 provides a partial listing of standards, regulations and good practices developed in the U.S. by several different organizations, including ASIS International, the Federal Emergency Management Agency (FEMA), the Federal Financial Institutions Examination Council (FFIEC), the Financial Industry Regulatory Authority (FINRA), ISACA, the National Fire Protection Association (NFPA) and the National Institute of Standards and Technology (NIST).

Table 2 (list of U.S. business continuity and disaster recovery standards and good practices). U.S. business continuity and disaster recovery standards and good practices address areas such as IT auditing guidelines and federal continuity directives for government agencies.

Business continuity vs. disaster recovery

Like a business continuity plan, disaster recovery planning specifies an organization's planned strategies for post-failure procedures. However, a disaster recovery plan is just a subset of business continuity planning.

Disaster recovery plans are mainly data-focused and concentrate on having adequate data backup and storing data in a way that makes it easily accessible following a disaster. Business continuity takes this into account but also focuses on the risk management, oversight and planning an organization needs to stay operational during a disruption.

Figure: Diagram of the business continuity and disaster recovery planning process. Disaster recovery and business continuity plans are created as part of the same process; DR planning is a subset of business continuity.

Business continuity development

Business continuity planning starts with initiating the planning project. Business impact analysis (BIA) and risk assessment are essential steps in gathering information for the plan. They offer the following benefits:

  • Business impact analysis. Conducting a BIA can reveal possible weaknesses, as well as the consequences of a disaster on various departments. The BIA report informs an organization of the most crucial functions and systems to prioritize in a business continuity plan.
  • Risk assessment. A risk assessment identifies potential hazards to an organization, such as natural disasters, power outages, cyber attacks and technology failures. Risks can affect staff, customers, building operations and company reputation. The assessment also details what or who each risk could harm and how likely it is to occur.

The BIA and risk assessment work hand in hand: the BIA details the potential effects of the disruptions identified in the risk assessment.
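One check a practitioner would run over a BIA inventory, as an added example that is not part of the original article: it orders systems by their recovery time and recovery point objectives (the defined levels of response described above), compares each system's tested restore time and off-site copy cadence against those objectives, and shows how restoring systems one after another can push a later system past its RTO even when its own restore is fast. The inventory values are constructed for illustration and come from no real plan.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    rto_hours: float            # recovery time objective set in the BIA
    rpo_hours: float            # recovery point objective set in the BIA
    restore_hours: float        # restore time measured in the last test
    copy_interval_hours: float  # backup cadence or replication lag of the newest off-site copy


# Constructed inventory (illustrative values only).
INVENTORY = [
    System("payments-db", rto_hours=1, rpo_hours=0.25, restore_hours=0.5, copy_interval_hours=0.0167),
    System("order-api", rto_hours=4, rpo_hours=1, restore_hours=6, copy_interval_hours=1),
    System("hr-portal", rto_hours=48, rpo_hours=24, restore_hours=12, copy_interval_hours=24),
    System("file-share", rto_hours=24, rpo_hours=4, restore_hours=8, copy_interval_hours=24),
]


def _priority(s: System):
    # Smallest objectives first: the most time-critical systems head the queue.
    return (s.rto_hours, s.rpo_hours)


def recovery_order(systems):
    """Names in the order they should be restored, by RTO then RPO."""
    return [s.name for s in sorted(systems, key=_priority)]


def objective_gaps(systems):
    """Map of system name -> reasons its tested capability misses the stated objective."""
    gaps = {}
    for s in systems:
        reasons = []
        if s.restore_hours > s.rto_hours:
            reasons.append(f"restore {s.restore_hours}h exceeds RTO {s.rto_hours}h")
        if s.copy_interval_hours > s.rpo_hours:
            reasons.append(f"copy interval {s.copy_interval_hours}h exceeds RPO {s.rpo_hours}h")
        if reasons:
            gaps[s.name] = reasons
    return gaps


def serial_recovery_schedule(systems):
    """Map of name -> (cumulative finish hour, met) when systems are restored one at a time.

    A system can miss its RTO because everything queued ahead of it consumed the window,
    not only because its own restore is slow."""
    schedule, clock = {}, 0.0
    for s in sorted(systems, key=_priority):
        clock += s.restore_hours
        schedule[s.name] = (clock, clock <= s.rto_hours)
    return schedule
```

Running the two checks against a real inventory turns the plan's stated objectives into a pass/fail list that the post-test review can act on.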

Business continuity management

It's important to designate who will manage the business continuity program should a business disruption occur. It could be one person if it's a small business, or it could be a whole team for a larger organization. Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk.

Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its contents to as many people as possible. Implementation of business continuity isn't just for times of crisis; the organization should have training exercises so employees know what they'll be doing in the event of an actual disruption.

Business continuity testing is critical to its success. It's difficult to know if a plan is going to work if it hasn't been tested. A business continuity test can be as simple as a tabletop exercise where staff discuss what will happen in an emergency. More rigorous testing includes a full emergency simulation. An organization can plan the test in advance or perform it without notice to better mimic a crisis.

Once the organization completes a test, it should review how it went and update the crisis management plan accordingly. It's likely that some parts of the plan will go well, but other actions might need adjusting. A regular schedule for testing is helpful, especially if the business changes its operations and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.

Business Continuity Institute

The BCI is a global professional organization that provides education, research, professional accreditation, certification, networking opportunities, leadership and guidance on business continuity and organizational resilience.

The U.K.-based organization was established in 1994 and has about 8,000 members in more than 100 countries, in the public and private sectors. Business continuity professionals and those interested in the field can use the products and services available from the BCI.

The BCI's objectives and work include raising standards in business continuity, sharing business continuity best practices, training and certifying business continuity professionals, raising the value of the profession and developing the business case for business continuity.

The institute's many published resources include its Good Practice Guidelines document, which offers guidance for identifying business continuity activities that can support strategic planning.

Professional membership in the BCI conveys an internationally recognized status, while certification demonstrates a member's proficiency in business continuity management.

Chapters of the BCI have been established in countries or regions where there is a large community of members. The chapters, which include the United States, Japan and India, have locally elected officers who represent the BCI in their region.

Business continuity plans vary from organization to organization, depending on the specific risks they face.

This was last updated in June 2023
