Developing a Business Continuity Plan (BCP)

Q. What steps should I go through in order to develop/improve and implement a Business Continuity Plan (BCP) to meet the specific needs of my company?

A. I once heard a CEO tell a group of managers that in order to succeed you need a very good understanding of the business processes, or “what makes the company tick.” Whether you are developing, improving or implementing a BCP, a determination has to be made on what business processes or functions are critical to the company`s operation. Ask yourself – What are the main function(s) performed by a company or in the case of a large company, particular business units?  What functions and processes are required to meet the company’s business objectives?

At first you may be frustrated that there are many functions, and due to a lack of resources all cannot be considered or addressed in your plan.  Upon compiling a list, prioritize them into what are critical, essential, or non-essential.  Think how a loss of any of these functions would impact people, operations, and reputation of the company.  Consider using the following as a guide:

Business function ratings:

  • Critical – Must have to operate
  • Essential –Difficult, but could operate
  • Non-essential – Inconvenient to operations if disrupted

It is important to establish priorities since there are rarely enough resources to respond to every situation.   To further help refine the critical business functions, determine which ones must be immediately addressed and immediately recovered.  Prioritize them according to recovery time or “Maximum Allowable Down Time.This is the time from loss of the function to time when continued disruption is detrimental to the business:

Immediate – 0 to 24 hours

Delayed – 24 hours to 7 days

Deferred – more than 7 days

The critical business functions that must be immediately recovered must be addressed first and all resources directed to them.

Then, list any perceived or actual internal and external threats (manmade or natural) that could impact those critical business functions and what can be done to minimize or prevent such incidents.  These threats should align with threats identified by the other major functions within your company as part of the company`s annual strategic plan. Reviewing the history of past events, not only within your company but outside in the community, can also be very helpful.  Upon estimating how vulnerable your company is to those threats, determine its risk tolerance towards these threats. Then, an allocation of resources to prevent or respond to such incidents can be made.  

This process cannot be done alone but will require the support and contribution of partners within the company as well as outside community resources such as the local police and fire department.  The companies with the most effective business continuity programs ensure that it is aligned with the company`s annual risks and threats, and with cross functional stakeholders involved.

Response provided by Rad Jones and Jerry Miller, Security Executive Council Emeritus Faculty.



This is a Security Bloggers Network syndicated blog post authored by Kathleen Kotwica. Read the original post at: Security Executive Council Faculty Advisor