Business continuity plans: A 6-point checklist

You’re watching Netflix during lousy weather when suddenly the lights go out.

What do you do?

If you’re like most people, you grab your (hopefully) charged cell phone, and turn on the flashlight—and check to see when the power will be back on. That’s your continuity plan for when the lights go out.

But what about when disaster strikes your business? What do you do when there are multiple systems, business processes, employee and client data, and hardware to handle?

It's critical that you have a detailed and thought-out business continuity plan that minimizes business disruption.

In just a bit, we’ll look at what real businesses are including in their business continuity plans—and also some of the best tips from Reddit’s (very generous) /r/sysadmin and /r/ITProfessionals subreddits.

Let's get started.

What is a business continuity plan?

A business continuity plan (sometimes referred to as a BCP), is a step-by-step plan detailing how a business can continue operating even during a catastrophic event, like a natural disaster or a cyberattack.

Generally, an IT business continuity plan specifically addresses information technology crises, while a general BCP will cover a wider range of events.

BCPs can help businesses get back on their feet after a crisis—but only if the plans are implemented ahead of time.

Here are a few examples of what a business continuity plan can cover:

• Hardware or automation failures

• Pandemics

• Supply chain shortages

• Natural disasters like fires or floods

Business continuity plans vs. disaster recovery plans

Business continuity and disaster recovery kind of sound like the same thing, but they’re actually very different.

A BCP details how to keep your business running in the face of a disaster. For example, if a hurricane shuts down your Miami office, a BCP should detail how your other offices or remote staff will pick up the workload until Miami is up and running again.

Disaster recovery plans, on the other hand, detail how to get your business back up and running after a disaster. So with the previous example, the question is now slightly different: “how would you get your Miami office up and running again after a hurricane has passed?”

Because of this, disaster recovery plans tend to be more specific in terms of getting data systems and business operations back online, while BCPs usually encompass a broader scope of business functions.

What does a business continuity plan typically include? 6 considerations for your checklist

So, where to start with your business continuity plan? Do you start with your cloud communications platform? Or your CRM? Here’s a 6-point checklist of what you want to include in your business continuity plan.

Potential threats analysis

Look at your vulnerabilities. Is your main office located in an earthquake zone? Next to a river prone to flooding? Make a list of your potential threats. That might include weather events, cyberattacks, hardware failures, and technical issues.

If you’re in one of these danger zones, then you should already be looking at cloud solutions as part of your business continuity plan (if you haven’t implemented it already), which can help mitigate these threats by offering a work-from-anywhere option.

For example, businesses traditionally had on-premises phone systems—which had to be stored in offices and involved quite a bit of hardware. Cloud communications providers, on the other hand, let employees take phone calls, have video meetings, and send instant messages from a desktop or mobile app:

The result: In the event of a disaster, like a tornado or earthquake, that threatens your business operations in the office, your team can still support customers and close deals while working remotely without any downtime.

Emergency contact information

Make sure you have emergency contact information for your employees, and especially your continuity team (if you have one) easily accessible, even if folks are outside the office. If there’s a power outage or the network goes down and you can’t get online, it’s critical to have other ways of accessing this information in case of emergencies.

Multi-team collaboration

A good business continuity plan isn’t the product of the IT team’s work in a silo. It impacts every other department in a company, and they should be consulted. Uptimefordays (great name) from /r/sysadmin says, “TBH our business continuity plan isn't spearheaded or led by IT, it's a multi departmental setup spearheaded by our COO. Both IT and information security send folks to COOP meetings and have designated ‘essential’ employees with specific COOP roles, but so do most other departments.”

A robust communications plan

When I say “communications plan” here, I’m not talking about just disseminating information from HR or from senior leadership to the rest of the company during a catastrophic event.

That’s part of it, but more importantly, how should employees continue communicating for their everyday work? That includes critical business functions like talking to customers and vendors, reaching out to prospects, talking to teammates about ongoing projects and tasks, or even sending out mass text alerts in the middle of a crisis.

What happens if your business phone system goes down? Do your employees have strong Internet connections at home?

Do you have a contact center team, and would your agents be able to continue handling calls and messages from customers at home? If your company does have a support or help desk team, then you should probably be looking at a cloud contact center platform that lets agents and supervisors keep working from home if they need (or want) to:

Recovery phase plan

Have a recovery phase plan in place so that you can recover as quickly as possible from any disruptions. A recovery strategy and recovery time objective detailed in full will complete your planning process.

How to create your own business continuity plan template: 6 must-dos

A quick note before we get into creating your business continuity plan: each BCP should be tailored to the business and industry. Your dependencies, IT infrastructure, and team of responders will be different from even other businesses in your industry. Use this as a starting point for your planning process.

1. Identify your big-picture goal

Think about the big-picture goal for your emergency management plans and what you envision as a successful outcome. Assess which operations are critical. For example, you might decide your IT system is a primary priority, while your human resources system is a secondary or tertiary priority.

“Treat a BCP/DR as an insurance policy. Most executives will want zero downtime and zero data loss (full coverage) for everything. Yet they don't want to pay for it. You need to ask the right questions [like] "what is really important to the business" and build a plan based on those.” - mcmNewNick, /r/ITProfessionals

Whatever you decide is fine, as long as it comes back to your big-picture goal. As you and your team put together your BCP, always keep this bigger outcome front and center.

2. Determine your critical operations

With your continuity team, go over the everyday business operations and determine which ones are essential to ensure business continuity. Beyond just continuity, you should also consider a recovery strategy—just in case.

For example, if your computer systems go down in a cyberattack, plan to have offsite data centers as a failsafe to protect your data. Or, plan how you’ll use cloud-based solutions to minimize downtime.

Fun fact: Blue Cliff College has six campuses across three states, and they were able to increase enrollment during a pandemic and achieve their best financial year—in three decades—by updating their legacy call center systems.

In fact, Jeremy, their IT Director, said their agents “took it on themselves to start text messaging students through the Dialpad app, either on their cell phones or on the desktop if they couldn’t get them on the phone. So they can get credit for all of those contacts as well, and they love it, they absolutely love it.”

2. Backups, backups, backups

One key task after doing all your risk assessments and mitigation strategies? Backups.

You may not need hard copies, but do you have data backups for business essentials like communications systems or supply chain recovery? And more importantly, is your definition of “backups” comprehensive enough? Whitedragon551, again from /r/ITProfessionals, had some detailed advice:

“A lot of people think it's just having backups. That's not the case. It's also having redundant power, generators, redundant switching/up links, redundant hosts and storage. The idea is that there isn’t a single point of failure in your primary data center. If your company has a secondary data center somewhere else, it's important that the secondary data center also doesn't have any single points of failure and that failover testing actually occurs with production.

From a backup standpoint pay attention to the 3-2-1 rule. 3 copies, on 2 types of media locally, and at least 1 copy offsite in case of disaster. It's also important to find out what are the most important servers. Some servers will have different retention policies than others. This needs to be defined before you can design your BCP. For example a file server with financial data may require quarterly full backups or year-end full [backups] for archive purposes, whereas a domain controller may only need a weekly backup.”

For example, some companies may need to store call recordings as records of conversations with customers or prospects. It’s possible to store these in the cloud, which is great because it’s convenient, but besides that, there are also compliance requirements to consider from an IT perspective:

4. Analyze every facet of the possible business impact

At this point, you can run a business impact analysis (BIA) to identify exactly what could go wrong for your business and what factors would be affected, like reputational damage or regulatory fines.

Doing a BIA can be pretty involved. Here’s how chazmosis did theirs:

“I just built a BCP for my company this past year. It was a 20+ page PDF that covered a risk analysis for basically every system, and some recommendations on how to mitigate the risk. We use a 3x3 matrix to assign a severity to the risk based on Operational Risk vs Business Impact - either Low, Medium or High for each of the 2. From there we derive a number between 1 and 9, 1 being Low Risk / Impact and 9 being High Risk / Impact.

Based on those numbers, you can determine what the "most important" stuff is to work on, and where you have gaps. These things will help Sr. Management make decisions.”

As you go through the different risks and how much damage they may cause, then you can start coming up with ideas for mitigation and beefing up your preparedness. After that, you can move on to the next step: fleshing out those plans and strategies.

5. Give your team members what they need

Other than having your own systems and infrastructure in place, you also need to make sure all your employees have what they need, like laptops and headsets, to work remotely.

Case study: Soccer club Austin FC has over 180 employees across three locations, and its VP of IT, Ryan, had a lot to consider between the team traveling to new locations for their games and the IT team working remotely during the pandemic. “... With the flexibility of moving our phone system, the phone follows you. So we were able to pick up and set down at whatever place we might be, with seamless flexibility and full connection and capabilities,” says Ryan.

Now with a cloud phone system, his team can set up new employees quickly and support stadium operations remotely:

6. Regularly review your business continuity plan

Technology evolves. Risks change. Businesses grow. Make sure to regularly review your business continuity plan to make sure it’s up to date and takes new risks into consideration. Not only that, if you work at a larger enterprise-size company, you might also decide to tackle a BCP in pieces:

“Don't boil the ocean in one sitting, but instead consider some key areas to focus on, then next year review and expand it until the entire ocean is covered,” says jakesomething from /r/sysadmin.

Think of it as business continuity management. If you’re feeling overwhelmed, start somewhere small. Pick your most critical area, focus on that, and then review it in three to six months time and move on to another area.

An essential part of any business continuity plan: communications (Does yours cover it?)

Whether you’re a small business or an enterprise-level company with dozens of stakeholders, having a business continuity plan is absolutely critical for risk management and making sure that your IT infrastructure and solution providers can support regular operations even during unforeseen disasters.

One of the most important parts of a good business continuity program is your communications system. Having backup generators and servers? Very important. But don’t forget about giving your employees the tools they need to stay in touch with not only each other, but also your customers and prospects.

If you are in the market for a communications platform that lets your team work from anywhere, take Dialpad for a test drive!