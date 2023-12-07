The tumultuous events of the past several years have impacted practically every business. And with the number of extreme weather events, cyberattacks, and geopolitical conflicts continuing to rise, business leaders are bracing for increasingly frequent, high-impact incidents that their organizations will need to respond to.

According to PwC’s 2023 Global Crisis and Resilience Survey, 96% of 1,812 business leaders said their organizations had experienced disruption in the past two years, and 76% said their most serious disruption had a medium to high impact on operations.

It’s little wonder, then, that 89% of executives list resilience as one of their most important strategic priorities.

Yet at the same time, only 70% of respondents said they were confident in their organization’s ability to respond to disruptions, with PwC noting that its research shows that too many organizations “are lacking the foundational elements of resilience they need to be successful.”

A solid business continuity plan is one of those foundational elements.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, head of compliance at Advance.AI and a member of the Emerging Trends Working Group at the professional governance association ISACA.

A business continuity plan gives the organization the best shot at successfully navigating a disaster by providing ready-made directions on who should do what tasks, in what order, to keep the business viable.

Without such a plan, the organization will take longer than necessary to recover from an event or incident — or may never recover at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether that disruption is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

A business continuity plan outlines the procedures and instructions that the organization must follow during such an event to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan, which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they are often considered together and abbreviated as BCDR.

Why business continuity planning matters

Whether you operate a small business or a large corporation, it’s vital to retain and increase your customer base. There’s no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available, and you can rely on IT to implement them. But what about the rest of your business functions? Your company’s future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company’s reputation and market value, and it can increase customer confidence.

Moreover, consumer and regulatory expectations for both enterprise security and continuity are increasing. Consequently, organizations must prioritize continuity planning to prevent not only business losses, but also financial, legal, reputational, and regulatory consequences.

For example, the risk of having an organization’s “license to operate” withdrawn by a regulator, or of having conditions applied (retrospectively or prospectively), can adversely affect market value and consumer confidence.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principal in the cyber risk and regulatory practice at PwC, a professional services firm.

So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable, and to what type of events; and what the potential losses are if those processes go down for a day, a few days, or a week.

“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.

This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.

Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.

This is essentially a business impact analysis.

Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between the point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss, expressed as a span of time, that the organization can tolerate.

Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.

“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.

Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.

“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones, so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.

“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.

The importance of testing the business continuity plan

Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.

Renner says testing and practicing offer a few important benefits.

First, they show whether, or how well, a plan will work.

Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.

They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”

Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the restoration of certain IT systems, only to realize during a drill that those systems are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as of reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises, structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room, with the team poring over the plan, looking for gaps and ensuring that all business units are represented in it.

In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts also advise a full emergency evacuation drill at least once a year.

Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies, and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.

“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.

Otherwise, plans go stale and are of no use when needed.

Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response after an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

How to ensure business continuity plan support and awareness

One sure way to make your plan fail is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is far more likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and underline its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.
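The RTO and RPO step above is the one part of the plan that can be checked against evidence rather than opinion: backup logs tell you what data loss a failure would actually cause, and drill records tell you how long restoration actually takes. The following is an added example, not part of the original article and not any vendor's tooling. The service names, per-service targets, backup timestamps and drill timings are all constructed for illustration; a real run would read them from the backup system and the drill reports.

```python
from datetime import datetime, timedelta

# Hypothetical per-service targets (assumed for this example, not from the article).
TARGETS = {
    "order-db":   {"rto": timedelta(hours=2),  "rpo": timedelta(minutes=15)},
    "file-share": {"rto": timedelta(hours=24), "rpo": timedelta(hours=24)},
    "wiki":       {"rto": timedelta(hours=48), "rpo": timedelta(hours=24)},
}

# Constructed backup-completion log: (service, time the backup completed).
BACKUP_LOG = [
    ("order-db", "2023-11-01T00:00:00"),
    ("order-db", "2023-11-01T00:15:00"),
    ("order-db", "2023-11-01T00:30:00"),
    ("order-db", "2023-11-01T01:10:00"),  # 40-minute gap: a failure at 01:09 loses 39 minutes
    ("order-db", "2023-11-01T01:25:00"),
    ("file-share", "2023-10-31T02:00:00"),
    ("file-share", "2023-11-01T02:00:00"),
    ("wiki", "2023-11-01T03:00:00"),      # only one backup: cadence cannot be assessed
]

# Constructed recovery-drill log: (service, failure declared, service restored).
DRILL_LOG = [
    ("order-db", "2023-11-05T09:00:00", "2023-11-05T10:30:00"),    # 1h30m, within 2h RTO
    ("file-share", "2023-11-05T09:00:00", "2023-11-06T11:00:00"),  # 26h, misses 24h RTO
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def worst_case_data_loss(service, backup_log):
    """Largest interval between consecutive successful backups for a service.

    A failure that strikes just before the next backup completes loses
    everything since the previous one, so this interval must be <= RPO.
    Returns None when fewer than two backups exist (cadence unknown).
    """
    times = sorted(_ts(t) for svc, t in backup_log if svc == service)
    if len(times) < 2:
        return None
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def measured_rto(service, drill_log):
    """Longest failure-declared-to-restored duration seen in drills, or None if never drilled."""
    durations = [_ts(end) - _ts(start) for svc, start, end in drill_log if svc == service]
    return max(durations) if durations else None


def check_targets(targets, backup_log, drill_log):
    """Compare each service's observed backup cadence and drill results with its RPO/RTO.

    A missing measurement counts as a failure: an untested target is not a met target.
    """
    findings = {}
    for svc, target in targets.items():
        loss = worst_case_data_loss(svc, backup_log)
        rto = measured_rto(svc, drill_log)
        findings[svc] = {
            "worst_case_loss": loss,
            "rpo_met": loss is not None and loss <= target["rpo"],
            "measured_rto": rto,
            "rto_met": rto is not None and rto <= target["rto"],
        }
    return findings


if __name__ == "__main__":
    for svc, f in check_targets(TARGETS, BACKUP_LOG, DRILL_LOG).items():
        print(f"{svc}: worst-case loss={f['worst_case_loss']} rpo_met={f['rpo_met']} "
              f"measured RTO={f['measured_rto']} rto_met={f['rto_met']}")
```

Two design choices matter here. First, worst-case loss is taken from the largest gap between backups, not the average: the plan has to hold for the unlucky failure, and in the constructed log a single 40-minute gap is enough to break a 15-minute RPO even though most backups land on schedule. Second, a service with no drill on record, or with too few backups to measure a cadence, is reported as missing its target rather than skipped, which is the same stance the article takes on untested plans.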