The six core BCP components include:

• Program governance
• Business impact analysis
• Threat and risk assessment
• Resilience and recovery strategy development
• Business continuity plan documentation
• Training and testing

To prepare for an assessment of your program, ideally you should already have a BCP in place. Note that business continuity planning is a distinct discipline from disaster recovery planning.

BCP consists of a predefined framework for how an organization will continue to function when coping with and recovering from an emergency or other negative event that disrupts normal operations.

Disaster recovery planning, on the other hand, results in a predefined approach for restoring an organization’s information systems to full functionality after a system failure or compromise, while minimizing impact.

Assess the maturity level of the core components of your BCP program using a framework grounded in a capability maturity model (CMM). This model can help evaluate an organization against a scale of maturity levels specific to the assessed subject area, primarily based on the degree of standardization of those processes.

It helps leadership identify the desired maturity level for the organization, then review and consider recommendations to increase maturity.

Following are ways to assess the six core components of your organization’s business continuity planning program.

A successful business continuity planning program has the active support and engagement of executive leadership as well as stakeholders across key business functions.

Responsibility resides with the highest level of management to demonstrate a commitment to business continuity planning efforts, which should be an iterative, multidisciplinary process that engages everyone in the organization.

Key Questions

• Do you have the formal elements of a business continuity planning program in place, such as a program charter that establishes its governance structure?
• Have you identified, approved, and documented the program’s key leadership positions, including executive sponsor and program management?
• What measures are in place to ensure program ownership and support organization-wide visibility and accountability?

Have you adequately funded and appropriately staffed your program?

Business continuity planning requires many complex activities with different sets of specialized knowledge about varying parts of the organization. While many functions play critical roles in day-to-day operations, not every activity tethers to the delivery of your organization’s core services or keeping the doors open.

A business impact analysis (BIA) can help identify essential functions enterprise wide and within each major department.

An effective BIA activity should result in you identifying the following information:

• Essential functions and operations across the organization
• Necessary resources—such as people, processes, and systems—to perform each critical function
• Potential areas of impact a disruption would create and corresponding levels of severity
• Desired recovery timeline for each function

The BIA exercise should include a process to discuss and decide how to measure harm and impact across multiple categories. Disruptions typically impact three major areas for most organizations: property, operations, and people.

All of these can have significant financial, reputational, and compliance implications, both directly and indirectly, and you should assess them in terms of highest areas of risk exposure and severity of impact.

Once you identify and understand essential functions, conduct a threat and risk assessment focused on the impact of disruptions to assess chief vulnerabilities of your revenue and operations.

Instead of trying to identify every single possible threat scenario, consider the severity of the impact if resources become unavailable for the long-term. You should attempt to quantify the impact of these risks as much as possible, both in terms of financial effect and time. For example, if the payroll process slows, you may require a measurable amount of rework to manually enter timecard information if the system tracked it outside of the normal process.

You can quantify this rework both as a delay in time, for example two days, but also as the cost in terms of employee hours—cost per hour per employee to re-do the work or manually enter information.

Take time to remember that many of these areas aren’t isolated; there's typically overlap within an organization’s framework.

Key Questions

• What primary threats to your organizational resources will most likely disrupt essential functions?
• What forms can these threats take that could negatively impact your essential functions?
• How do you prioritize each essential function based on the risk assessment?
• Where do you need to focus your attention and energy on developing resilience and recovery strategies?

An effective business continuity program engages department and functional leaders in the threat and risk assessment process. Their participation not only provides vital input to the risk assessment process, but also the combination of results helps create a document of the operational landscape of the organization.

An effective business continuity program should leverage the results of the BIA and threat assessment to develop and document resilience and recovery strategies. An emergency can impact every area of operations, from productivity to core financial transactions.

An effective business continuity program should include a process to analyze the organization’s financial position—in terms of liquidity, revenue forecasts, investments, and availability of financing—to quantify the minimum cash requirements which can sustain operations for a defined period.

Determine the priorities for cash and payments, and consider the necessary financial transactions in unusual circumstances. For example, emergencies often heavily impact purchasing, affecting both purchasers and their products.

Establishing clear strategies and procedures for controlling costs, reporting information to appropriate groups, and budgeting for and tracking expenditures during a large-scale disruption can have a significant impact on the likelihood of the organization emerging on a positive track.

Key Questions

• Who gets paid to keep the lights on?
• What potential mitigation efforts might reduce or eliminate the risks or similar consequences?
• What effective recovery strategies best meet your recovery timelines?

Business continuity plans should be understandable, actionable, testable, and maintained on a regular schedule. An effective plan should include action steps or flexible alternatives based on different emergency scenarios.

Best practice encourages senior leadership, at any size organization, to periodically engage in a high-level discussion to confirm the alignment of the BCP with business priorities and each person’s assumptions.

There’s a common misconception that employees will know what to do in the event of an emergency; but in a crisis, there’s no business as usual. An emergency’s impact on staff, board members, and leadership can be far-reaching and unpredictable.

Organizations struggling to redefine normal operations following the COVID-19 pandemic make effective continuity planning and risk mitigation efforts more important than ever.

To keep BCPs current and executable, consider training and testing exercises, which many commonly believe to be the most effective solution. Many types of exercises may focus on parts of the plan or its entirety.

You should perform several aspects of a training program at regular intervals to identify areas for improvement and areas of strength, allowing the leadership to better prioritize and address continuity needs and gaps. The following exercises can add value to the company and simultaneously serve as training opportunities.

Training and Testing Exercises

• Plan review workshops
• Focus drills on one specific scenario and recovery procedure
• Discussion-based tabletop exercises
• Cross-functional training and testing involving the activation of all personnel and teams identified in the BCP

Cross-functional training and testing exercises can break down organizational silos while streamlining the process of keeping the plans and documents up to date.

These sessions can increase dialog between leadership and functional teams, speed the identification of emerging issues, and strengthen the overall effectiveness of the program.