For small- to medium-sized businesses (SMBs), the business continuity planning process contains several steps. These include project initiation, risk assessment, business impact assessment, strategy development, business continuity plan development, business continuity plan testing and maintenance, emergency communications, awareness and training, and coordination with public authorities. This is comparable to the business continuity process found in larger organizations, except that for SMBs the process can be simplified, depending on the size and complexity of the organization.
For many SMBs, the above business continuity planning activities pose a formidable challenge, especially from the perspectives of time, money and resources. To make the process easier, SMBs have several options, such as business continuity planning tools and software, business continuity templates, checklists or consultants. Each of these options can create a plan and its associated elements; however, because of their simplicity, SMBs often use them to "get something done" quickly. Regrettably, after a plan has been developed, that's the end of the process. Few SMBs invest in exercises to make sure their plans will work.
In this business continuity planning guide, we'll try to simplify this process for SMBs. We'll start off with a more or less standard sample business continuity plan template. Read this guide, then download our free sample business continuity plan template for smaller businesses, and you'll be well on your way to developing a successful business continuity plan.
To develop a successful business continuity plan, we recommend the following steps:
- Make sure you have the right information. Your business continuity plan doesn't have to be hundreds of pages long. It just needs the right information, and that information should be current and accurate. A one-page plan with the right information can be more valuable than a voluminous document that nobody can use.
- Go to www.ready.gov (part of the Federal Emergency Management Agency site) and look at the emergency plan development information available at that site. The information at ready.gov can serve as an effective complement to the template we provide in this report.
- Standards can provide a useful starting point. Almost two dozen business continuity standards are available worldwide. In the U.S., several options are currently in use: NFPA 1600 (the current U.S. national standard), BSI BS 25999 (the British standard) and FFIEC Business Continuity Handbook (used by the banking and finance sectors).
- Limit content to actual disaster response actions.
- Make it happen. Once the plan is complete, exercise it semiannually to ensure that the documented procedures make sense in the sequence indicated.
- Be flexible. A single template may not be universally applicable to all departments and/or locations in your organization.
Next, we'll examine the structure and content of the template, indicating key issues to address and activities to perform.
- Initial data: If you have identified various people to contact in an incident, locate their contact information at the front of the plan (emergency notification contacts), so you won't have to waste valuable seconds paging through a lengthy document.
- Revision control page: This page is located on the second page of the plan and it reflects your change management process.
- Purpose and scope: Provide details on these attributes, as well as assumptions, team descriptions, a list of terms, and other background information.
- Instructions for using the plan: Provide information about when and how the plan will be activated, including outage timeframes, who declares a disaster, and who should be contacted.
- Policy information: This is a good place to use standards documents as references.
- Emergency response and management: Specify situations in which the plan and response procedures are to be activated.
- Plan review and maintenance: Describe how often the plan is to be reviewed and updated, and by whom.
- Checklists and flow diagrams: Assuming a situation has occurred, have steps identified to address it; these can be in the form of checklists (useful to keep track of scheduled and completed tasks) and flow diagrams that provide a high-level view of response and recovery.
- Notification of incident affecting the site: Information needs to be gathered before officially declaring a disaster; this includes damage assessment data and first-hand reports from staff and first responders; convene meetings as soon as possible with key emergency team members to evaluate the facts before proceeding to a declaration.
- Decide on course of action: This section addresses actions to take when it becomes obvious that management needs to declare a disaster. A damage assessment can be initiated either before or after the declaration; it is up to company leadership.
- Business recovery phase: This section provides instructions on recovering operations, relocating to an alternate site and related activities.
- Appendixes: Detailed appendixes are provided at the end of the template; these include lists and contact details on all emergency teams, primary and alternate vendors, alternate work space locations, and other relevant information. It is very important to keep this information up to date.
Developing a business continuity plan for SMBs is generally a straightforward process. The keys to success include defining step-by-step response and recovery procedures, validating these activities through tests, and keeping the plan up to date.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years of experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.