What Is a Business Continuity Plan, and Why Do You Need One?

    Jennifer Hemmah
    By: Jennifer Hemmah
    July 26, 2022

    Odds are, you won’t be struck by lightning today, and the odds are also against your workspace being destroyed today in an earthquake or other natural disaster. However, if you consider any emergency that could disrupt your organization at any time, even remote odds start to add up.

    Many people automatically associate business continuity plans with cybercrime. And that makes sense — nearly half of all small businesses were the victim of a cyberattack in the last 12 months. However, in reality, a business continuity plan is more comprehensive, and provides a roadmap to follow in an emergency — even natural disasters — so that your business can get back on track quickly. Even one hour of downtime can cost a small business $10,000 and a larger one $5 million; according to data gathered by FEMA, 90% of companies that can’t get up and running within five days of a disaster will fail within a year.

    What Is a Business Continuity Plan (BCP)?

    A BCP is a predetermined process that outlines what to do, when to do it, and who is responsible for each task should any of the following disrupt your organization:

    • Natural disasters
    • Cybersecurity incidents
    • Significant technology failures
    • On-Premise Accidents
    • Supply chain issues
    • Any other event that has a severe impact on normal operations

    What Is a Disaster Recovery Plan (DRP)?

    A DRP is a predetermined process that helps your organization’s personnel fully recover its data, systems, resources, and IT infrastructure after a disruption, including those that are hosted or provided in the cloud.

    BCP vs. DRP

    The biggest difference between a disaster recovery plan (DRP) and a BCP is in scope. DRPs focus on restoring data and IT infrastructure, while BCPs focus on restoring normal operations for the organization as a whole.

    After a disaster or unplanned event, following your BCP will be your first priority to keep the organization functioning. Your DRP will be your second priority to restore all systems and resume normal operations. More staff will have responsibilities outlined in a BCP, and more training may be needed; DRPs, on the other hand, will likely only require IT personnel to draft the plan and potentially carry it out.

    Finance, healthcare, and organizations involved in national infrastructure must have both a DRP and a BCP. Even if your organization is not required to by law, we recommend having both a DRP and BCP in place.

    How Does Having a Business Continuity Plan Benefit Your Business?

    Even if the possibility of a natural disaster affecting your business is unlikely, cybercrime is escalating exponentially, and the cost of the average data breach in the U.S. is $8.64 million. You may be lucky and never face a cybersecurity incident, or you can make your own luck and ensure that your organization will survive even if the worst comes to pass.

    1. Gain Trust

    With detailed plans in place, you can assure your clients, vendors, employees, and business partners that your organization will remain intact even in the event of an emergency.  

    2. Reduce Stress

    Emergencies can be extremely stressful when the next steps and responsibilities are unclear, and stress can lead to bad decision-making. With a BCP in place, the big decisions have already been made, and your teams can focus on execution.

    2. Preserve Your Reputation

    Disruptions that affect your organization will also affect the quality of service or products you offer. The longer your business can’t resume normal operations, the longer you rely on the good graces of your clients or customers. Most customers can be forgiving, but they don’t forget a disappointment so easily. 

    3. Reduce Risk

    It’s one thing to lose a physical location. It’s quite another to be unable to recover. BCPs help keep even the largest disasters contained and help prevent them from costing you your entire business.

    4. Reduce Profit Loss

    I mentioned earlier that even one hour of downtime could be extremely costly. Even if having a BCP only reduces your downtime by a few hours, those few hours can make all the difference.

    5. Provide Peace of Mind

    A great BCP can reduce disasters to annoyances. So if you’re the type to worry about worst-case scenarios, those scenarios need no longer keep you up at night.

    Information You Should Include in a Business Continuity Plan

    Your BCP should be quite detailed and should anticipate what your business will need to resume operations in the event of a disaster. To make sure your BCP is as comprehensive as possible, it’s helpful to conduct a Business Impact Analysis (BIA) first, to identify any potential threats to your organization that could disrupt operations, no matter how unlikely they are to occur.

    WHAT — Identify the equipment, processes, and supplies that could be severely affected by an emergency.

    WHERE — Identify areas or departments that would be most at risk and how those roles and responsibilities could adapt in emergency circumstances.

    WHO — Identify leaders and decision-makers that would be needed in emergency circumstances, and gather their contact information as well as that of their support staff. If you work with any managed service providers that could assist in an emergency, include their contact information.

    HOW — Identify actions and processes necessary to resume operations following a disruption, including the backup tools and technology needed.

    How To Stress-Test Your BCP

    These steps will help you ensure your BCP is effective and thorough:

    1. Identify which members of your staff are responsible for BCP-related training
    2. Determine when and how training programs will be carried out with relevant staff
    3. Hold multiple practice sessions that include various scenarios with relevant staff
    4. Document any findings from practice sessions, including areas of strength and weakness
    5. Make any recommended updates

    When Should You Review Your BCP?

    For your BCP to be helpful in an emergency, it should be kept up to date. Ideally, you should review your BCP at least once a year. However, depending on your organization and how often its circumstances change, it may be helpful to review your BCP quarterly.

    Where To Get Help

    It can be challenging to think through every potential scenario and what impacts it might have. And unfortunately, BCPs are not one-size-fits-all. Marco’s experts have helped a wide variety of organizations throughout the country create BCPs. We can help you draft one from scratch, and we can also help you identify any additional areas of risk that may be overlooked in an existing BCP. Additionally, we often provide virtual workshops on this vital topic. Follow our Technology Insights Blog to find upcoming events, or talk with a disaster-planning technician to learn more.

    Talk to a Security Specialist
    Topics: Security