
What is business continuity and why is it important?

Business continuity is an organization's ability to maintain essential functions during and after a disaster has occurred. Business continuity planning establishes risk management processes and procedures that aim to prevent interruptions to mission-critical services, and reestablish full function to the organization as quickly and smoothly as possible.

The most basic business continuity requirement is to keep essential functions up and running during a disaster and to recover with as little downtime as possible. A business continuity plan considers various unpredictable events, such as natural disasters, fires, disease outbreaks, cyberattacks and other external threats.

Business continuity is important for organizations of any size, but it might not be practical for any but the largest enterprises to maintain all functions for the duration of a disaster. According to many experts, the first step in business continuity planning is deciding what functions are essential and allocating the available budget accordingly. Once crucial components have been identified, administrators can put failover mechanisms in place.

Technologies such as disk mirroring enable an organization to maintain up-to-date copies of data in geographically dispersed locations, not just in the primary data center. This enables data access to continue uninterrupted if one location is disabled and protects against data loss.

Why is business continuity important?

At a time when downtime is unacceptable, business continuity is critical. Downtime comes from a variety of sources. Some threats, such as cyberattacks and extreme weather, seem to be getting worse. It's important to have a business continuity plan in place that considers any potential disruptions to operations.

The plan should enable the organization to keep running at least at a minimal level during a crisis. Business continuity helps the organization maintain resiliency by responding quickly to an interruption. Strong business continuity saves money, time and company reputation. An extended outage risks financial, personal and reputational loss.

Business continuity requires an organization to take a look at itself, analyze potential areas of weakness and gather key information -- such as contact lists and technical diagrams of systems -- that can be useful outside of disaster situations. In undertaking the business continuity planning process, an organization can improve its communication, technology and resilience.

Business continuity might even be a requirement for legal or compliance reasons. Especially in an era of increased regulation, it's important to understand which regulations affect a given organization.

What does business continuity include?

Business continuity is a proactive way to ensure mission-critical operations proceed during a disruption. A comprehensive plan includes contact information, steps for what to do when faced with a variety of incidents and a guide for when to use the document.

Business continuity features clear guidelines for what an organization must do to maintain operations. If the time comes for response, there should be no question about how to move forward with business processes. The company, customers and employees are all potentially at stake.

Proper business continuity includes different levels of response. Not everything is mission-critical, so it's important to lay out what is most vital to keep running, and what could stand to come back online at later times. It's crucial to be honest about recovery time objectives and recovery point objectives.

The process includes the whole organization, from executive management on down. Although IT might drive the business continuity, it's essential to get buy-in from management and communicate key information to the entire organization. One other important area of collaboration is with the security team -- although the two groups often work separately, an organization can gain a lot by sharing information across these departments. At the very least, everyone should know the basic steps for how the organization plans to respond.

Three key components of a business continuity plan

A business continuity plan has three key elements: resilience, recovery and contingency.

An organization can increase resilience by designing critical functions and infrastructures with various disaster possibilities in mind; this can include staffing rotations, data redundancy and maintaining a surplus of capacity. Ensuring resiliency against different scenarios can also help organizations maintain essential services on location and off site without interruption.

Rapid recovery to restore business functions after a disaster is crucial. Setting recovery time objectives for different systems, networks or applications can help prioritize which elements must be recovered first. Other recovery strategies include resource inventories, agreements with third parties to take on company activity and using converted spaces for mission-critical functions.
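The RTO/RPO prioritization described above (and the "be honest about recovery time objectives and recovery point objectives" point earlier) can be made concrete with a small check over a system inventory. This is an added example, not code from the original article or from any BC/DR product: the inventory, the tier boundaries and the field names are constructed assumptions. It flags systems whose backup cadence or measured failover time cannot actually meet the stated objectives, and orders recovery by tightest RTO first.

```python
"""Recovery-priority check driven by RTO/RPO objectives.

Added example (not part of the original article). The inventory below is
constructed sample data; the wave boundaries are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemObjective:
    name: str
    rto_minutes: int               # maximum tolerable downtime
    rpo_minutes: int               # maximum tolerable data loss (age of last copy)
    backup_interval_minutes: int   # how often a recoverable copy is actually taken
    failover_minutes: int          # measured time to bring the standby into service


# Constructed sample inventory (hypothetical systems, not from the article).
INVENTORY = [
    SystemObjective("payments-api", rto_minutes=15, rpo_minutes=5,
                    backup_interval_minutes=1, failover_minutes=10),
    SystemObjective("customer-db", rto_minutes=60, rpo_minutes=15,
                    backup_interval_minutes=30, failover_minutes=45),
    SystemObjective("hr-portal", rto_minutes=1440, rpo_minutes=1440,
                    backup_interval_minutes=1440, failover_minutes=120),
    SystemObjective("reporting-warehouse", rto_minutes=480, rpo_minutes=240,
                    backup_interval_minutes=60, failover_minutes=600),
]


def find_gaps(systems):
    """Return {name: [reasons]} for systems whose protection cannot meet its objectives."""
    gaps = {}
    for s in systems:
        reasons = []
        # Worst-case data loss is one full backup interval, so it must not exceed the RPO.
        if s.backup_interval_minutes > s.rpo_minutes:
            reasons.append(
                f"backup interval {s.backup_interval_minutes}m exceeds RPO {s.rpo_minutes}m")
        # Measured failover time must fit inside the RTO, or the RTO is not honest.
        if s.failover_minutes > s.rto_minutes:
            reasons.append(
                f"failover {s.failover_minutes}m exceeds RTO {s.rto_minutes}m")
        if reasons:
            gaps[s.name] = reasons
    return gaps


def recovery_order(systems):
    """System names ordered by RTO (tightest first), ties broken by RPO, then name."""
    return [s.name for s in sorted(
        systems, key=lambda s: (s.rto_minutes, s.rpo_minutes, s.name))]


def recovery_waves(systems, boundaries=(60, 480)):
    """Group systems into recovery waves by RTO.

    Wave 0 holds systems with RTO <= boundaries[0], wave 1 those with
    RTO <= boundaries[1], and the last wave everything else. Boundaries
    are an assumption chosen for this example.
    """
    waves = [[] for _ in range(len(boundaries) + 1)]
    for s in sorted(systems, key=lambda s: s.rto_minutes):
        idx = next((i for i, b in enumerate(boundaries) if s.rto_minutes <= b),
                   len(boundaries))
        waves[idx].append(s.name)
    return waves


if __name__ == "__main__":
    for name, reasons in find_gaps(INVENTORY).items():
        print(f"GAP {name}: " + "; ".join(reasons))
    print("recovery order:", recovery_order(INVENTORY))
    for i, wave in enumerate(recovery_waves(INVENTORY)):
        print(f"wave {i}: {wave}")
```

Run as a script it reports two gaps in the sample inventory (a backup interval looser than the RPO, and a failover that takes longer than the RTO) before printing the recovery order; the same comparison is what a tabletop or full simulation should validate with measured, not assumed, failover times.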

A contingency plan has procedures in place for a variety of external scenarios and can include a chain of command that distributes responsibilities within the organization. These responsibilities can include hardware replacement, leasing emergency office spaces, damage assessment and contracting third-party vendors for assistance.

Business continuity standards

Table 1 lists the standards in the ISO 223XX Series that apply to business continuity and related activities. The ISO 22398 and 22399 standards are also worth a look.

[Table 1: The ISO 223XX Series -- Societal Security (table contents not reproduced on this page)]

Table 2 lists the Business Continuity Institute's Good Practice Guidelines. The guidelines provide a comprehensive foundation for understanding the business continuity process, and they map closely to the ISO 22301 standard.

[Table 2: U.K. Standards and Good Practices (table contents not reproduced on this page)]

Table 3 provides a partial listing of standards, regulations and good practices developed in the U.S. by several different organizations, such as ASIS International, the National Fire Protection Association, the Federal Financial Institutions Examination Council, the Information Systems Audit and Control Association, the Financial Industry Regulatory Authority, the Federal Emergency Management Agency and the National Institute of Standards and Technology.

[Table 3: U.S. BC/DR Standards and Good Practices (table contents not reproduced on this page)]

Business continuity vs. disaster recovery

Like a business continuity plan, disaster recovery planning specifies an organization's planned strategies for post-failure procedures. However, a disaster recovery plan is just a subset of business continuity planning.

Disaster recovery plans are mainly data focused, concentrating on storing data in a way that can be more easily accessed following a disaster. Business continuity takes this into account, but also focuses on the risk management, oversight and planning an organization needs to stay operational during a disruption.

[Figure: Business continuity and disaster recovery planning (image not reproduced on this page)]

Business continuity development

Business continuity starts with initiating the planning project. Business impact analysis (BIA) and risk assessment are essential steps in gathering information for the plan.

Conducting a BIA can reveal any possible weaknesses, as well as the consequences of a disaster on various departments. The BIA report informs an organization of the most crucial functions and systems to prioritize in a business continuity plan.

A risk assessment identifies potential hazards to an organization, such as natural disasters, cyberattacks or technology failures. Risks can affect staff, customers, building operations and company reputation. The assessment also details what or who a risk could harm, and the likelihood of each risk.

The BIA and risk assessment work hand in hand. The BIA provides details on the potential effects of the possible disruptions outlined in the risk assessment.

Business continuity management

It's important to designate who will manage business continuity. It could be one person, if it's a small business, or it could be a whole team for a larger organization. Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk.

Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its contents to as many people as possible. Implementation of business continuity isn't just for times of crisis; the organization should have training exercises, so employees know what they'll be doing in the event of an actual disruption.

Business continuity testing is critical to its success. It's difficult to know if a plan is going to work if it hasn't been tested. A business continuity test can be as simple as a tabletop exercise, where staff discuss what will happen in an emergency. More rigorous testing includes a full emergency simulation. An organization can plan the test in advance or perform it without notice to better mimic a crisis.

Once the organization completes a test, it should review how it went and update the plan accordingly. It's likely that some parts of the plan will go well but other actions might need adjusting. A regular schedule for testing is helpful, especially if the business changes its operations and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.

Business Continuity Institute

The Business Continuity Institute (BCI) is a global professional organization that provides education, research, professional accreditation, certification, networking opportunities, leadership and guidance on business continuity and organizational resilience.

The BCI, which is based in the United Kingdom, was established in 1994 and features about 8,000 members in more than 100 countries, in the public and private sectors. Business continuity professionals and those interested in the field can use the products and services available from the BCI.

The BCI's objectives and work include raising standards in business continuity, sharing business continuity best practices, training and certifying BC professionals, raising the value of the BC profession and developing the business case for business continuity.

The institute's many published resources include its Good Practice Guidelines, which offer guidance for identifying business continuity activities that can support strategic planning.

Professional membership in the BCI conveys an internationally recognized status -- certification demonstrates a member's proficiency in business continuity management.

BCI Chapters have been established in countries or regions where there is a large community of members. The Chapters, which include the United States, Japan and India, have locally elected officers who represent the BCI in their region.

This was last updated in January 2020
