There are certain things any good BCP should cover. These are:
Purpose and scope:
You must establish the purpose of the plan and what it covers, particularly if your organisation includes subsidiaries and/or multiple locations. You may want to consider making separate plans for each subsidiary/location.
You must identify the employees who will be responsible for enacting the plan. Smaller organisations might only need a single leader, while larger organisations may need to nominate a group. You may also need to give authority to anyone who needs to handle the financial costs of disruption.
When and how will the plan come into effect? It’s not always clear whether a disruption meets the criteria, so you will need to document who starts the process and how to mobilise the response teams.
Development of the BCP:
This is where you put the meat onto the bones; the actions needed to recover from the disruptions you identify. You will need to carry out a risk assessment and a Business Impact Assessment (BIA) to identify threats and the impact they will have on your organisation. With this information to hand, you can outline the steps required for each disruption to protect people, contain the disruption and prevent further disturbance to priority activities.
Plan for how internal and external communications will be maintained. This might include how to notify next of kin if your employees’ wellbeing is at risk. You will also want to plan for communications with the media.
Stakeholders: Your BCP should contain contact details of stakeholders, as they will need to be notified immediately following a disruption.
Document owner, approver and record of changes:
The BCP is owned by the business continuity manager, who takes responsibility for reviewing and testing the procedures.
The plan should be available in both hard copy and digital formats, and all staff should have access. If changes are made, the digital and hard copy forms must be updated.