How to structure your Business Continuity Plan according to ISO 22301:2019
Most businesses experience challenges in the definition and implementation of risk assessment and business continuity plans in their management systems. Here is how to implement a BCP (business continuity plan):
What is a Business Continuity Plan?
The definition of a BCP in ISO 22301 is ‘documented procedures that guide organizations to respond, resume, recover, and restore to a pre-defined level of operation following a disruption.’ (Clause 3.5)
This means that a BCP is solely concerned with developing plans or procedures; it doesn’t concern itself with the analysis that the plans are based on or how to maintain the said procedures. All these are integral parts necessary for successful contingency planning.
Example of a Business Continuity Plan
Here is a comprehensive tool for developing a BCP. It is ideal for small and mid-sized companies and details what each section should include:
Scope, purpose and users-The organization should seek to answer these questions:
- Why is the BCP being developed?
- What are the objectives of the BCP?
- Which parts of the organization does it cover?
- Who should read the plan?
- Referral Documents– during the development of the BCP, some records are needed as a referral point. Documents such as Business continuity policy, Business Impact Analysis and Business continuity Strategy are ideal.
- Assumptions- assumptions cover what needs to exist, or the framework for an effective BCP.
- Crucial contacts-One of the conditions of the BCP is to identify the person responsible for its execution and detail his contacts.
- Roles and responsibilities– Here, the organization needs to identify people who; a) Are responsible for managing disruptive incidents b) Will activate the plan either by making urgent purchases or communicating with the media.
- Communication- Details concerning how communication will be relayed to stakeholders during a disruptive incident need to be known. The company will also need to determine who is responsible for the transmission, and what the companies’ policy on communicating with media and government bodies is.
- Plan activation and deactivation– When can this plan be activated? What scenarios need to exist for the plan to be deactivated?
- Incidence response– Detail how the organization will respond to disruptive incidents to reduce its impact.
- Sites and transportation– Where are the assembly points? How do people move from the incident site to the assembly points?
- Recovery activities order– Also known as Recovery Time Objectives (RTO), this is a tabulated list of activities, and the time it will take for them to be achieved.
- Activities Recovery plans– A descriptive step-by-step action plan that details how the organization will recover the human resources, infrastructure, facilities, information and software.
- Disaster recovery plan– A plan that mainly focuses on the recovery of information and communication technology infrastructure.
- Resources required– A comprehensive list of personnel, facilities, infrastructure, information, equipment and third-party services that are crucial to perform the recovery.
- Restoration and resumption– A plan on how to restore the business status once the disruptive incident has been resolved.
Finally
A business that recognizes and diligently takes the task of writing a BPC is in a better position to recover from a calamity. Write it seriously.
