Years ago, I was hired as a marketer for a manufacturing company. The first thing I noticed during a tour was one building that was completely off limits. Turns out, a serious industrial fire—one that took 15 firetrucks to extinguish—had raged through the building the year before.
I asked if the person who caused the fire was fired. The president’s response surprised me: “The fire cost the business a lot of money. However, we decided not to fire the individual who caused the fire because of how he handled the situation.”
Seconds within the fire starting, the individual pulled a fire alarm, ran to every workstation, and told everyone to get out fast. He was the last person to leave the building after getting everyone safely out. As a result of his fast action, no one died.
In a media interview after the fire, the company president said, “Careful scenario planning helped to mitigate a tough situation.” If it weren’t for a strong emergency plan, the results could’ve been fatal.
The company then had to turn to another plan—a business continuity plan—to keep things running without a critical part of their infrastructure.
What is a business continuity plan?
A business continuity plan is a set of processes to ensure that a business can sustain operations during an unexpected event, such as a fire, pandemic, or cyberattack.
A business continuity plan centers on what to do during the disruption—the Plan B for when things go awry. A disaster recovery plan, by contrast, focuses on the “return to normal” from an unexpected event. Disaster recovery is how you get back to Plan A.
Benefits of a business continuity plan
As a business owner, you have so many things to do on a daily basis. It’s easy to neglect something like a business continuity plan, especially if you’re a “What if?” skeptic.
However, as we learned with COVID-19 and a record-high surge in hackings, outside factors can hobble business performance and customer trust. By planning ahead and thinking through the risks carefully, you can reduce the impact crises have on your business.
Here are four things you’ll get for your forward-thinking efforts:
1. Continue business operations
The main goal of a business continuity plan is to continue business operations when disaster strikes. For example, if you work in an area that’s prone to power outages, you might choose to invest in a back-up generator so that a blackout doesn’t stop operations.
2. Prevent harm to employees
Many businesses asked employees to work from home to prevent the spread of COVID-19. Few were prepared to do it. A continuity plan that, for example, equips employees with laptops instead of desktops ensures the continuation of business operations while reducing the risk of serious illness or death for employees.
3. Build brand trust
Cyberattacks can erode brand trust in an instant. Customers expect online businesses to be up all the time (and to protect the data they share with them). If a personal emergency requires you to contact a family member through a messaging app, but the app is down, you’ll lose that customer. A cybersecurity plan, as part of a larger business continuity plan, reduces downtime and data breaches.
4. Prevent financial losses
Economic crashes have caused businesses huge financial losses. In moments when customers are dramatically and rapidly more conservative with their spending, businesses need a continuity plan to reduce losses or increase revenue streams. Some brewers and restanteurs, for example, turned to making hand sanitizer during the pandemic when they were unable to serve alcohol on site due to temporary lockdowns.
Are the risks starting to add up in your mind? Let’s walk through how to create your continuity plan.
How to create a business continuity plan
Creating a business continuity plan can take up to six months to iron out all the details, get approval from all parties, and train employees on the plan. Typically, however, many businesses create a business continuity plan and train individuals within three months.
Follow these seven steps:
1. Determine the goal of the plan
The goal of your business continuity plan could be to protect employees, assets, and prevent financial losses, if or when a crisis occurs.
Some business continuity plans are reactive—created after a business experiences its first disaster. In these instances, you could focus on preventing a specific type of disaster, while still reflecting on others that could cause a disruption in business operations.
2. Establish a team
Before picking a team to help execute your business continuity plan, create a set of responsibilities to assign. Responsibilities could include:
Business continuity steering committee. Brings together six to eight individuals from all areas of the business to catalog all potential risks or assets in the business continuity plan. After you create the plan, this team should meet quarterly to assess the plan for accuracy and ensure company-wide knowledge of it.
Business continuity program manager. Manages the daily responsibilities of the business continuity plan, such as employee training, safety assessments, and expectation setting with business leaders and those on the business continuity team.
Business continuity team members. Execute the instructions provided by the business continuity program manager.
Business continuity plan owners. Key stakeholders such as human resources, payroll, cybersecurity, health and safety, and other crucial individuals who will work on a business continuity plan for their area, with direction from the business continuity program manager.
Business continuity planners. Execute instructions directly from the business continuity plan owners to support the rollout of plans.
The number of stakeholders you need varies based on the size of your business. Large enterprises will have more areas of potential risk, which will result in more business continuity plan owners. Having more than eight members in the business continuity steering committee, however, may slow down the process of shipping a complete business continuity plan.
Backup stakeholders can be helpful for transitory periods, such as an employee exit, change in leadership, or merger.
3. Determine risks, assets, functions, and impact
The most common business risks or threats include:
- Natural disasters, fires, and power outages
- Public-health crises, like COVID-19
- Cyberattacks or terrorism
- Economic downturns
- Bankruptcy, bad credit, or cash-flow issues
- Legal disputes, government regulations, and licensing cancellations
- Workplace accidents
- Technology failures, including platform or point-of-sale system crashes
The most at-risk assets include:
- Company property
- Brand trust and customer relationships
- Licensing agreements
In some cases, you may outsource management of assets. For example, if your inventory is held by a third-party because you run a dropshipping business, you lose some control over that asset. Building strong relationships and processes with your partners can mitigate risks to those assets.
Crucial business functions that are most often impacted include:
A business impact analysis—how the business could be affected—determines the biggest risks, assets, and critical business functions for your business. What might shut down your office for a month? And what would be the impact? If you lost all your social media accounts, would your marketing collapse? If your customer data made it out into the open, would you lose all consumer trust?
4. Set mandatory training timelines
Once you’ve completed your assessment of risks, assets, and business functions, train business continuity stakeholders and employees to ensure alignment. You can train employees when they’re first hired and include drills quarterly thereafter.
By training your entire staff, you ensure that everyone is equipped with the knowledge they need in case a key stakeholder isn’t around when a disaster strikes. Train several stakeholders for areas that impact their work. For example, a cybersecurity employee should know to whom to report a breach, even if the head of their department is on vacation.
(While not central to business continuity, consider training all employees in fire safety, CPR, and other health and safety risks. The best-case scenario is not needing your continuity plan.)
5. Identify vulnerabilities and alternatives
After creating your plan, note the primary vulnerabilities in your business. For example, an ecommerce business may feel most vulnerable about their dependency on a single third-party manufacturer, overseas shipping delays, or DDOS attacks.
Then determine how likely it is for each item to happen, using a scale from one to ten to rate the likelihood of each vulnerability. Prioritize each item in your business continuity plan based on likelihood and list potential backup solutions.
For example, if your ad account could be suspended, you may catalog next-best options for marketing (or even realize you should build a more diverse set of marketing channels now). You might have a large email list, run ads on other platforms, or have the potential to create more website content, such as a blog to drive traffic to your website.
6. Detail actions for each vulnerability in your continuity plan
Once you have a list of potential fixes, structure them into if-then statements with a list of potential solutions. A continuity plan for a server crash might look something like this:
If our server is down during a holiday weekend sale, then we can continue to increase our revenue by:
You may also want to start thinking about a recovery plan—how to get back to “normal” or avoid another crisis. In this example, the outcome may be to upgrade your hosting solution or switch to a platform that includes hosting.
7. Ask for feedback
Asking for feedback from stakeholders throughout the company can ensure there aren’t any missing gaps. The goal is to create a detailed plan that takes into account all potential risks and explains how to continue business operations despite them.
A business continuity plan helps your business survive a disaster. Knowing who your stakeholders are, what risks make your business vulnerable, and how to mitigate those risks protects brand trust, ensures employee safety, and reduces financial losses.
Every missed vulnerability or unworkable solution, on the other hand, risks spawning a much bigger crisis—for which there may be no continuity or recovery plan.