What should be in your BCP?
Having a Business Continuity Plan (BCP) implemented for your organisation is a strong protection against the negative consequences of disruptive events.
However, it is not uncommon for an organisation’s BCP to fail them when it is most critically needed, due to a fundamental disconnect between what is really required to be documented, and what ends up included in a poorly documented plan.
If your organisation has a BCP, or intends to develop one, it’s a worthwhile exercise to undertake a critical assessment of the high-level structure of the plan. Does it have what you really need? Or is it just so many pages of text with theoretical information ready to cause confusion when your staff most needs clarity?
Following is a checklist of the most critical elements of an effective BCP. If your existing or planned BCP does not readily present this information in a clear and concise way, it may be a good time to review it … before you need to rely on it.
- First response
When a disruption occurs, it is important that everyone understands (and has practiced) what to do first. Are the organisation’s critical functions known? Does the person who first notices an event know who to report to first? Does everyone know who’s supposed to be in charge of a business continuity coordinating group in the emergency? Is critical contact information available? These and other relevant first response issues should be planned, documented and exercised.
Is there a quick process agreed and available to assess the event and determine how to contain/prevent escalating impact so as to achieve some stability of the situation? Complex analysis is unlikely to be possible at this stage, but a fast understanding of the cause and key impacts is important, so processes and communication lines to support that should be agreed upon and documented.
Once the key impacts have been identified, the relevant response plans need to be activated. Is there a documented plan to recover each of the critical functions? Is there an agreed process for activating the relevant recovery plans?
Coordination of different responders, potentially across various parts of the organisation, will be required. External stakeholders may need to be notified. Updates will need to be provided to affected workers. Status reports to management will be required. Public and/or media announcements may need to be made. Are the contact details easily available? Is it clear who’s responsible for initiating and managing each type of communication?
While initial responses to recovering critical functions might be quickly completed, full recovery of all functions may take an extended time. Is planning in place for the required resources over time, such as staff rotation timetables, processes for handover of responsibilities, etc.?
Once the emergency is over and all business functions have been recovered, assessment of the organisation’s status and the plan’s success is important. Are there post-event tasks to be managed? Where did the BCP or the personnel using it fail to perform adequately? A process for debriefing and capturing the lessons from the whole event should be documented.
Please contact QRMC for assistance with reviewing or developing your Business Continuity Plan.