Activating Your Business Continuity Plan: The Essentials
- Home
- Blog
Categories
Latest Post
ISO 14001 Lead Auditor Course
ISO 14001 Foundations Course
ISO 14001 Internal Auditor Course
ISO 14001 Lead Implementer Course
Having a business continuity plan is crucial, but knowing when and how to activate it is paramount. Without this knowledge, the investment in your BCP is futile, and worse, you could face significant financial losses due to operational disruptions.
What is a Business Continuity Plan?
To understand activation procedures, let’s first define a business continuity plan. According to BS 25999-2, a business continuity plan is a “documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue delivering its critical activities at an acceptable predefined level.”
A business continuity plan comprises multiple parts, usually including:
Incident Response Plan: Defines immediate actions post-incident, such as evacuation procedures, emergency contacts, and containment measures.
Recovery Plan: Activated after the incident response plan, focusing on resuming critical business activities within the defined Recovery Time Objective (RTO). This can involve recovering ICT infrastructure, production sites, or business processes.
Each part of the business continuity plan is activated separately, and here, we’ll focus on the activation of the two main components mentioned.
Activation of Incident Response Plan(s)
Activating an incident response plan is straightforward. If someone notices a fire, explosive device, flood, or malicious code, they must notify the appropriate person immediately. In smaller companies, this may be a single responsible individual, while larger companies might have designated personnel for IT and non-IT incidents.
The responsible person then activates the relevant incident response plan, tailored to the specific incident, whether it be a fire or a threat letter.
Activation of Recovery Plan(s)
Deciding who should activate recovery plans requires careful consideration. Best practices suggest that top-level management, such as the Crisis Manager, should make this decision. This high-level authority ensures that the activation of recovery plans is justified and prevents unnecessary actions, such as unwarranted transportation to alternative sites, which can be costly.
The criteria for activating a recovery plan are based on whether the business disruption is expected to last longer than the RTO. If so, the relevant recovery plan must be activated. If the entire company is affected, all recovery plans are activated; if only one department is impacted, only the corresponding recovery plan is initiated.
Emergency Preparedness
For these procedures to be effective, they must be tailored to the company’s specific situation, well-known by all involved employees, and regularly practiced. Theoretical documents that no one has reviewed in years are unlikely to be effective in an emergency.
Preparing for an emergency encompasses a broad range of activities, including exercising and testing all elements of the business continuity plan. Unfortunately, activation procedures are often neglected in this context.
In conclusion, for your business continuity plan to be effective, robust activation procedures are essential. However, these procedures are futile if no one is aware of them.
