Building Out a Business Continuity Plan

Note: Want to skip the guide and go straight to the free templates? No problem - scroll to the bottom.
Also note: This is not legal advice.

Introduction

At Genie AI, we understand the importance of having a comprehensive business continuity plan. With potentially devastating consequences, such as natural disasters, cyber attacks and supply chain interruptions, it is critical for businesses to have a plan in place that ensures their operations continue.

A business continuity plan (BCP) provides detailed instructions on how an organization will respond to an incident and outlines strategies for recovering from it. It should also cover plans to prevent or mitigate the impacts of future disruptions. Having such a plan ensures that operations can remain running during an emergency and allows the company to quickly resume normal activities afterwards - important in protecting a business’ reputation. In addition, having a BCP can help save money by limiting damage incurred through rebuilding the business after an incident and reducing associated costs like increased insurance premiums. Lastly, a well-crafted BCP helps protect assets and reduces legal liability by preparing for potential disasters such as those from cyber threats or natural disasters.

With millions of datapoints teaching Genie AI’s machine learning algorithms what constitutes market standard for these plans, our community template library offers anyone the opportunity to draft high quality legal documents without hiring professional lawyers - regardless of whether or not you have a Genie AI account. Our repertoire of free templates provides step-by-step guidance on getting started with your own BCP; sign up today for more information on how you can access these resources!

Definitions (feel free to skip)

Critical business functions: The activities and processes that are necessary to keep a business running.
Risk assessment: An evaluation of potential risks and their effects on a business.
Business impact analysis: An analysis of how a business would be affected by a disaster or disruption.
Stakeholders: People or organizations who have a vested interest in the success of a business.
Procedures: A set of instructions for completing a task or process.
Protocols: A set of rules or standards for communication or behavior.
Budget: An estimation of the money needed for a project or activity.

Contents

• Identify critical business functions and the resources needed to maintain them.
• Establish a team and assign roles and responsibilities for the planning process.
• Develop a risk assessment and business impact analysis
• Identifying potential risks
• Estimating the probability of their occurrence
• Estimating the impact of each risk
• Establish procedures for responding to and recovering from a disaster.
• Develop a plan for protecting vital records and documents
• Identifying and cataloging important records
• Establishing controls to protect the records
• Establishing procedures for recovering the records
• Establish procedures for testing, maintaining, and updating the plan.
• Develop a communication plan for informing stakeholders about the plan
• Identifying stakeholders
• Establishing communication protocols
• Developing methods for informing stakeholders
• Develop a training program for personnel to be familiar with the plan
• Establishing a training program
• Identifying personnel who need to be trained
• Developing methods for training personnel
• Establish procedures for evaluating and revising the plan.
• Develop a budget to support the plan
• Identifying resources needed
• Estimating costs
• Allocating funds

Get started

Identify critical business functions and the resources needed to maintain them.

• List key business functions, such as accounting, customer service, product development, and sales
• Identify the personnel, technology, and other resources needed to support those functions
• Assess the impact of a disruption to each function and identify any dependencies
• Assess the risks associated with each function
• When you have identified all critical business functions, the resources needed to maintain them, and the risks associated with them, you can check this off your list and move on to the next step.

Establish a team and assign roles and responsibilities for the planning process.

• Create a team of members from all areas of the organization to build out the plan.
• Assign a leader to the team and designate a backup leader in case the primary is not available.
• Assign roles and responsibilities to each team member.
• Set a timeline for the completion of each task.
• Schedule regular meetings to review progress and make updates.

When you can check this off your list and move on to the next step:

• Once the team, roles and responsibilities, timeline, and meeting schedule have been set, you can move on to the next step.

Develop a risk assessment and business impact analysis

• Identify potential risks to the organization, using both internal and external sources
• Assess the probability of occurrence, the impact of the risk, and the potential of the risk to cause disruption
• Assess the potential impact of a risk on operations, finances, personnel, and facilities
• Document the findings in a risk assessment matrix
• Identify the sources of risk and the potential impacts on the business
• Develop a business impact analysis that identifies the critical business functions and the associated impacts of a risk event
• Document the findings in a business impact analysis matrix
• Establish a priority list of risks that need to be addressed

You’ll know you can check this off your list when you have a complete risk assessment matrix and a complete business impact analysis matrix.

Identifying potential risks

• Understand the types of risks that can affect your business by researching natural disasters, human errors, cyber threats, etc.
• Identify the potential risks that could cause disruption to the business by analyzing your business operations, employees, customers, suppliers, and other stakeholders
• Talk to your team to gain their perspectives on potential risks to the organization
• Document the potential risks identified
• Monitor your environment for emerging risks
• When you’ve identified all of the potential risks that could affect your business, you can move on to the next step.

Estimating the probability of their occurrence

• Take the list of potential risks identified in the previous step and assign a probability to each one
• Analyze the likelihood of each risk occurring, based on past experiences, current trends, and other data
• Ask yourself: What is the likelihood of this risk occurring?
• Make notes on each risk associated with the likelihood of it occurring
• Once probabilities have been estimated for all the risks, you can move on to the next step: Estimating the impact of each risk

Estimating the impact of each risk

• Identify the potential consequences of each risk.
• Estimate the cost of each risk in terms of lost time, lost money, lost resources, etc.
• Assign a priority to each risk based on the estimated cost and the probability of occurrence.
• Create a list of the risks in order of their priority.
• When you have completed estimating the impact of each risk, you can move on to the next step of establishing procedures for responding to and recovering from a disaster.

Establish procedures for responding to and recovering from a disaster.

• Identify potential disasters and prioritize them according to the estimated risk and impact.
• Develop an emergency response plan that includes identifying key personnel and their responsibilities, activating backup systems, and other steps to take in the event of a disaster.
• Develop a recovery plan that includes restoring vital systems and communicating with stakeholders.
• Document the procedures and make sure they are available to all relevant personnel.
• Test the procedures periodically to ensure they are up-to-date and effective.
• Once the procedures are documented, tested and understood by all relevant personnel, you can move on to the next step: developing a plan for protecting vital records and documents.

Develop a plan for protecting vital records and documents

• Gather all of the vital records and documents, including financial documents, contracts, employee records, and other important information into one location.
• Create a plan to ensure that these documents are backed up and stored securely.
• Incorporate a system for regularly archiving and updating documents.
• Utilize digital storage as well as physical storage to ensure the documents are secure.
• Develop a plan for quickly retrieving records in the event of an emergency.
• When you have completed the steps above, you can move on to the next step of Identifying and Cataloging Important Records.

Identifying and cataloging important records

• Gather documents from all departments in the organization
• Create an inventory of all important records
• Create a document retention policy that outlines the length of time important records should be kept
• Provide employee training on the document retention policy
• Create a secure storage system for the records
• Label and organize the records in a logical manner
• Track the records and their location
• Set up a system to ensure records are not lost

Once the documents have been identified and cataloged, the step can be checked off the list and the next step, Establishing controls to protect the records, can be completed.

Establishing controls to protect the records

• Set up physical controls such as locked filing cabinets or restricted access to the records.
• Establish digital controls such as encryption, passwords, and access control software.
• Document the processes and controls you have established to protect the records.
• Test your controls to ensure they are working correctly.

Once the records have been identified and cataloged, and the controls have been established to protect them, you can move on to the next step of establishing procedures for recovering the records.

Establishing procedures for recovering the records

• Create a document that outlines how to recover records in the event of an emergency
• Designate specific personnel responsible for recovering records
• Include a list of contact information for all personnel responsible for recovering records
• Identify the types of records that need to be recovered
• Document the steps necessary to recover records
• Create a timeline for recovering records
• Review the plan and make necessary revisions
• Make sure all personnel responsible for recovering records are trained on the plan
• Once the plan is reviewed, revised, and all personnel are trained, it is ready to be implemented

How you’ll know when you can check this off your list and move on to the next step:
You can check this step off your list when the plan has been reviewed, revised, and all personnel have been trained on the plan.

Establish procedures for testing, maintaining, and updating the plan.

• Assign a team or individual to review the plan annually or after any major changes
• Ensure the plan is regularly tested, at least annually
• Establish a timeline for when the plan should be updated
• Ensure the plan is updated whenever any changes occur in the organization
• Ensure all changes to the plan are communicated to the team responsible for testing, maintaining, and updating
• Establish a process for auditing the plan
• Establish a process for recording any changes made to the plan
• Ensure the plan is stored securely

You can check this off your list when you have established procedures for testing, maintaining, and updating the plan and have communicated these procedures to the team responsible for testing, maintaining, and updating the plan.

Develop a communication plan for informing stakeholders about the plan

• Identify all stakeholders that need to be kept informed of the business continuity plan
• Have a plan in place to communicate the plan to those stakeholders in a timely manner
• Consider different communication methods (e.g. email, in-person meetings, intranet, etc.)
• Ensure the communication plan is documented and included in the business continuity plan
• When complete, the communication plan should be tested and monitored to ensure it remains up to date
• When the communication plan has been finalized and tested, it can be checked off the list and the next step can be completed

Identifying stakeholders

• Identify all stakeholders who will be affected by a disruption in operations
• Consider both external and internal stakeholders, such as customers, vendors, and employees
• Create a list of stakeholders who need to be involved in the business continuity plan
• Contact each stakeholder and discuss their roles, responsibilities, and involvement in the plan
• Be sure to get contact information for each stakeholder
• Once the list of stakeholders is complete, check off this step and move on to establishing communication protocols.

Establishing communication protocols

• Determine the primary and secondary methods of communication that will be used in the event of a disruption.
• Make sure everyone is aware of the communication protocols in case of an emergency.
• Identify the personnel responsible for communicating with each stakeholder group.
• Create a communication plan that outlines who to contact and when.
• Test the communication plan to ensure that it is effective and reliable.
• Assign roles and tasks for each team member in the communication plan.
• Evaluate the communication plan to ensure it is up to date and effective.

How you’ll know when you can check this off your list and move on to the next step:

• Once the communication protocols have been established and tested, the team should be confident that they are able to contact each stakeholder group in the event of a disruption.

Developing methods for informing stakeholders

• Identify who needs to be informed of the business continuity plan
• Establish protocols for notifying stakeholders of the plan and its updates
• Determine the most effective channels for communicating with stakeholders (e.g. email, phone, in-person meetings, etc.)
• Create a timeline for when stakeholders will be informed about the plan and its updates
• Once stakeholders have been successfully informed of the plan and its updates, check this step off the list and move on to developing a training program for personnel to be familiar with the plan.

Develop a training program for personnel to be familiar with the plan

• Research the best methods to train personnel on the business continuity plan
• Decide on the best method to use, and create a program for personnel
• Develop an agenda for the training program
• Designate a trainer or facilitator for the program
• Schedule dates for the training program
• Invite personnel to participate in the training program
• Prepare materials and resources needed for the training program
• Conduct the training program
• Keep track of who attended the training program
• Follow up with personnel and ensure that they understood the plan
• Check off this step when all personnel have completed the training program.

Establishing a training program

• Create a training program outline that includes the objectives and goals of the program
• Develop a timeline of when training will be conducted
• Identify personnel that need to be trained and create a list of participants
• Develop a training plan for each participant
• Select the methods of training that will be used (e.g. classroom, online, etc.)
• Create instructional materials for each training program
• Schedule and conduct training
• Evaluate the effectiveness of the training program

When you have completed all of the above steps, you can be sure that you have established a training program and can check it off your list and move on to the next step.

Identifying personnel who need to be trained

• Identify personnel who need to be trained on the business continuity plan.
• Consider who in your organization will need to be knowledgeable about the plan and how to implement it.
• Make sure that all levels of the organization are included in the training.
• Make sure that all departments are represented in the training.
• Review the roles and responsibilities for each individual who will be trained.
• Determine the best method of training the personnel.
• Once personnel have been identified, the training program can be developed.

How you’ll know when you can check this off your list and move on to the next step:

• You will know that you have completed this step when you have identified all personnel who need to be trained on the business continuity plan and reviewed the roles and responsibilities for each individual.

Developing methods for training personnel

• Develop a training program for personnel that outlines the objectives and goals of the business continuity plan
• Establish a timeline for training personnel
• Identify resources and materials needed for training personnel
• Develop a system for tracking personnel training progress
• Utilize online learning platforms for remote training, if necessary
• Schedule testing to ensure personnel understand the objectives and goals of the business continuity plan

You can check off this step when you have developed a training program for personnel that outlines the objectives and goals of the business continuity plan, established a timeline for training personnel, identified resources and materials needed for training personnel, developed a system for tracking personnel training progress, utilized online learning platforms for remote training, if necessary, and scheduled testing to ensure personnel understand the objectives and goals of the business continuity plan.

Establish procedures for evaluating and revising the plan.

• Develop a timeline for evaluating and revising the plan
• Designate a team responsible for evaluating and revising the plan
• Create a process for regularly reviewing the plan
• Outline criteria for when the plan should be updated
• Assign tasks and deadlines for ensuring the plan is updated as needed

When you have developed a timeline and outlined criteria for when the plan should be updated, you can check this off your list and move on to the next step.

Develop a budget to support the plan

• Create a line item budget for the costs associated with creating and implementing the business continuity plan
• Analyze the costs associated with each element of the business continuity plan and create a budget to cover them
• Allocate funds to cover the cost of personnel, training, equipment, supplies, and other items needed to create and maintain the plan
• Identify and document any external resources necessary for the success of the business continuity plan
• Determine the budgetary impact of implementing the plan
• Obtain approval from the appropriate senior management personnel
• When all budget items have been identified and approved, the budget is complete and you can move on to the next step.

Identifying resources needed

• Decide which personnel and departments are critical to the continuity of your business
• Assess what resources each of the personnel and departments need to continue operations
• Identify the hardware, software, data, and other resources needed to support the plan
• Determine who is responsible for each resource

Once you have identified the resources needed to support the business continuity plan, you can move on to the next step of estimating costs.

Estimating costs

• Analyze the resources needed and the cost of each
• Determine the total cost of the plan
• Compare the cost of the plan to the potential cost of a disruption
• Set aside funds for the plan
• When costs and potential return on investment have been calculated, the cost estimating step can be checked off and the allocated funds step can begin.

Allocating funds

• Determine the amount of funds available for your Business Continuity Plan
• Allocate funds for each of the elements in your plan
• Consider the benefits, risks and costs associated with each element
• Determine the cost of each element, as well as any associated costs such as training or consulting
• Calculate the total cost of the plan and compare it to the budget
• Make adjustments to the plan, if necessary, to ensure it stays within the allocated budget
• Once the budget is finalized, move on to the next step in the process
• You will know you have completed this step when you have allocated funds for each element in your plan, and the total cost of the plan is within the allocated budget.

FAQ:

Q: How do I go about building a business continuity plan for a US-based company?

Asked by Rachel on April 5th 2022.
A: Building a business continuity plan for a US-based company requires an understanding of the US legal system, including the US state laws in which your company operates. Depending on your sector and industry, there may be additional requirements or regulations you must adhere to. You should consult with an attorney who specializes in business continuity planning to ensure that you are compliant with all relevant laws and regulations. Additionally, it is important to have a comprehensive understanding of the risk assessment process and how it applies to your specific industry or sector. Risk assessment will help you determine the most effective strategies for mitigating risks and ensure that you are prepared in the event of an emergency.

Q: What are the differences between business continuity plans in the UK, USA and EU?

Asked by Joshua on October 18th 2022.
A: The major difference between business continuity plans in the UK, USA and EU is primarily regulatory. Each country has different laws and regulations in terms of protecting businesses from risks, such as data breaches or system failures. In the UK, for example, there are specific measures companies must take when implementing a business continuity plan, such as conducting regular risk assessments and having an emergency response plan in place. In the US, there are also specific guidelines companies must follow when creating a business continuity plan, such as ensuring that all relevant data is securely stored and backed up regularly. Lastly, in the EU, companies must comply with GDPR (General Data Protection Regulation) when it comes to protecting personal data and information. Therefore, it is important to be aware of the specific laws and regulations applicable to your country when creating a business continuity plan.

Q: What should be included in a comprehensive business continuity plan?

Asked by Madison on January 13th 2022.
A: A comprehensive business continuity plan should include several key components to ensure that you are prepared for any potential disaster or disruption. First, it should identify any potential risks that could affect your company’s operations, such as cyber attacks or natural disasters. This will help you prioritize which risks need to be addressed first and how they can be mitigated or reduced. Additionally, your business continuity plan should outline an emergency response strategy that includes steps for responding to incidents quickly and efficiently. It should also include information on how to back up data and systems regularly so that you can recover quickly if needed. Finally, it should include communication protocols to ensure that all employees are notified of any potential risks or disruptions so that they can take appropriate action if needed.

Q: Are there any industry-specific considerations when creating a business continuity plan?

Asked by Elijah on November 6th 2022.
A: Yes, there are industry-specific considerations when creating a business continuity plan depending on your sector or industry. For example, if you operate in the financial services industry, you may need additional measures in place to protect customer data from potential cyber threats or data breaches. Additionally, if you operate within a regulated industry such as healthcare or energy production, there may be certain regulations that must be adhered to when creating a business continuity plan so that you remain compliant with all applicable laws and regulations. Therefore, it is important to research any relevant industry-specific considerations when creating your plan so that you can ensure you are adequately prepared for any potential disruptions or disasters.

Q: What is the best way to test my business continuity plan?

Asked by Abigail on June 3rd 2022
A: The best way to test your business continuity plan is through regular risk assessments and simulations of potential disasters or disruptions. By testing your plan regularly, you can identify any gaps or weaknesses before they become an issue during an actual disruption or disaster scenario. Additionally, conducting regular drills or simulations can help ensure that employees know what their roles and responsibilities are during an emergency situation so that they can respond quickly and effectively if necessary. Finally, testing allows you to make sure any changes made to the plan are properly implemented so that you remain prepared for any potential disruption or disaster scenario.

Example dispute

Suing a Company for Failing to Follow Their Business Continuity Plan

• The plaintiff must prove that the defendant failed to adhere to their business continuity plan and that this negligence resulted in financial losses or damages.
• The plaintiff must provide evidence to show that the defendant had a business continuity plan, that they were aware of the plan and that they failed to follow it.
• The plaintiff must also demonstrate that their losses or damages were a direct result of the defendant’s failure to follow the business continuity plan.
• The plaintiff may be able to cite relevant legal documents, regulations, and civil law that the defendant was required to comply with.
• The plaintiff may be able to prove that the defendant’s actions caused a disruption to their business operations.
• The plaintiff may be able to show that the defendant’s negligence caused them to suffer financial losses or damages.
• The plaintiff must also demonstrate that the defendant had a duty to protect their business interests.
• The plaintiff and defendant may be able to reach a settlement agreement, but if not, the plaintiff may be able to seek damages through the court.
• If damages are awarded, they may be calculated based on the financial losses or damages that the plaintiff sustained due to the defendant’s failure to follow the business continuity plan.

Templates available (free to use)

Business Continuity Contract Pro Supplier
Continuity Agreement

‍