6 Key Components of a Business Continuity Plan (BCP) | Zerto

The Key Components of a Business Continuity Plan


You have a great disaster recovery (DR) plan, and Zerto has helped simplify that even more by allowing your IT organization to consolidate multiple point products with a single, simple, and scalable solution. You have freed up valuable time for your IT operations teams to deliver more innovation as your business transforms. You have adopted the cloud for multiple applications – maybe you’ve moved away from the data center management business and are fully capable of DR to the public cloud – but has your business continuity plan (BCP) evolved alongside your DR plan to ensure holistic success in the event of an unplanned disruption? Even if you can have all those workloads recovered in the cloud or on-premises within minutes, the business operations side needs to be ready to shift in order to mitigate the downtime.

Disaster Recovery and Business Continuity Planning

According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organizations to Respond, Recover, Resume, and Restore to a pre-defined level of operations following disruption.” Disaster recovery is a subset of the overall BCP because, without your data, you are at the mercy of whatever disruption found its way into your datacenter. At Zerto, we create software that, at its core, delivers industry-leading recovery point objectives (RPOs) and recovery time objectives (RTOs), minimizing data loss and disruption time. We also go the extra mile and provide your business with orchestration, automation, and visibility – to help you meet the “four R’s” above and bridge the gap between disaster recovery and business continuity.

Having a business continuity plan in place is important because once IT has recovered the downed systems, the team responsible for executing the BCP must initiate their plan to bring operations back up as quickly as possible. Every minute counts. For every minute the business is down, there is revenue loss, brand impact, dissatisfied customers, lost productivity, and much more. So, what exactly is involved in a business continuity plan?

6 Key Components of a Business Continuity Plan

In the previous section, I mentioned that communication during a disruption is one vital aspect of a sound business continuity plan. Before a disaster was declared, there would have been key criteria and triggers before initiating the plan, so we’re off to a good start! Let’s take a closer look at several other critical components of a business continuity plan necessary for successful recovery in the event of an unplanned disruption.

Contact Information and Service Level Agreements (SLAs)

The first component of a business continuity plan is contact information along with SLAs. You will need to identify the following:

  • Stakeholders
  • Key personnel
  • Backup site operators
  • Providers (equipment, services)
  • Emergency responders
  • Third-party vendors
  • Facilities managers
  • Incident response team(s)
  • Successors in case key personnel are unavailable or become overwhelmed
  • Additional critical third-party personnel

Business Impact Analysis (BIA)

A business impact analysis (BIA) will help you identify and predict business disruption consequences and enable you to gather information to develop recovery strategies. Here are some examples of what may be covered in a business impact analysis:

  • An understanding of the changes introduced during unplanned disruption
  • Legal or regulatory repercussions of unplanned disruption
  • Inventory of all business units required for continuity of operations
  • Key personnel as well as staff required to support those personnel
  • Pre/post-disruption dependencies
  • Validation of test plan
  • Ranking of priorities & order of operations
  • Categories of the business impact:
    • Expenses
    • Legal
    • Revenue loss
    • Customer service
    • Brand/reputation damage
  • For each business unit:
    • Identify acceptable RTO
    • Identify an acceptable amount of data loss (RPO) to minimize the overall impact on the business
  • Recovery strategy

Risk Assessment

Risk assessment is the process of identifying, understanding and evaluating the potential risks to all aspects of an organization’s operations. Here are some examples:

Hazard Identification – Probability and Magnitude

    • Fire
    • Explosion
    • Natural Disasters
    • Terrorism
    • Pandemic
    • Utility Outage
    • Cyber Attack

Assets at Risk – Vulnerability Assessment

    • People
    • Property (buildings, critical infrastructure)
    • Supply chain
    • Systems/equipment
    • Reputation
    • Business operations
    • Regulatory and contractual obligations
    • Environment

Impact Analysis

    • Casualties
    • Property damage
    • Business interruption
    • Loss of customers
    • Financial loss
    • Environmental contamination
    • Fines and penalties

Identify Critical Functions

Identification of critical functions will reveal what processes are critical to maintaining and running a business in the event of an unplanned disruption. You want to identify your business critical priorities and focus recovery efforts there first. These include but are not limited to:

  • Payroll and time tracking
  • Revenue operations
  • Physical security
  • Information security
  • Core business functions
  • Data protection after recovery
  • Identity & access management

Communications

When an unplanned disruption occurs, communication with employees, shareholders, users, customers, and key personnel is critical. Human resource professionals can play a crucial role in ensuring consistent and timely communication between the organizational recovery efforts and staff. When customers are involved, social media has become a vital tool to provide timely updates, as many users turn to social media when incidents arise.

  • What is your crisis communication strategy?
  • Communication during an event is key to orchestrate personnel, providers, and third-party vendors if required.

Testing

Having a plan is one thing, but testing and practicing it is imperative. Having an inadequate plan is about as good as not having a plan at all. It is vital to develop a strategy to routinely test, and test often, to identify gaps in your plan and anticipate any changes along the way.

Having a working test plan will help you:

  • Identify gaps or weaknesses in your BCP
  • Evaluate the organization’s response to different types of disruptive events
  • Improve systems and processes based on your test results
  • Confirm that your continuity objectives can be successfully executed and met
  • Update your plan along the way
  • Document lessons learned

In conclusion

We understand that unplanned disruptions do not just affect IT operations. They have a domino effect on your entire business! As digital transformation is in full gear, your reliance on technology to remain visible to the world steadily increases. Currently, we find ourselves in the midst of a global pandemic; the Atlantic hurricane season is just kicking off, wildfire season is on the horizon, and cyber-attacks are steadily increasing. Is your business prepared? We need to be more proactive than ever when it comes to DR and BCP; in fact, the two strategies should overlap, and both teams on the field should be playing together toward a common goal – resilience.

Learn more key considerations and where modern IT enterprises are heading in the IDC report, “The State of Data Protection and Disaster Recovery Readiness: 2022”.

Gene Torres

Gene Torres is a Technology Evangelist at Zerto with 21 years of experience as an IT Professional focusing on data center virtualization and resilience. Prior to Zerto, Gene was a Solutions Engineer before advancing to Enterprise Architect. He lives in Tacoma, WA with his wife, Rhea, and 3 daughters. He maintains his own technology-focused blog as an active vExpert and enjoys gaming, barbecue, and spending time outdoors.