World Library  
Flag as Inappropriate
Email this Article

Business continuity planning

Article Id: WHEBN0000091099
Reproduction Date:

Title: Business continuity planning  
Author: World Heritage Encyclopedia
Language: English
Subject: Corporate security, OBASHI, IT service continuity, Recovery consistency objective, BS 25999
Collection: Business Continuity and Disaster Recovery, Collaboration, Systems Thinking
Publisher: World Heritage Encyclopedia

Business continuity planning

Business continuity planning life cycle
Business continuity planning (BCP, also called business continuity and resiliency planning BCRP)
identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity
—Elliot et al. 1999[1]

A business continuity plan is a plan to continue operations if a place of business (e.g., an office, work site or data center) is affected by adverse physical conditions, such as a storm, fire or crime. Such a plan typically explains how the business would recover its operations or move operations to another location. For example, if a fire destroys an office building or data center, the people and business or data center operations would relocate to a recovery site.

The plan could include recovering from different levels of disaster which can be short term, localized disasters, to days long building wide problems, to a permanent loss of a building.

Examples: Office building disasters - a roof leaks in an office building, then move the people to another floor in the same building; the building loses electrical power or is flooded, then have people work from home during the outage; the building burns and is completely destroyed, then relocate the people to a recovery site until a new building is acquired.

Computer center disasters - a server breaks, then recover to a backup server; the electrical power is out, then start an emergency generator, the datacenter is destroyed by a fire, then recover to a computer disaster recovery datacenter.

In the US, government entities refer to the process as continuity of operations planning (COOP).[2]

Any event that could negatively impact operations is included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing /network resource). As such, risk management must be incorporated as part of BCP.[3]

In December 2006, the

Business continuity management is standardised across the UK by British Standards (BS) through BS 25999-2:2007 and BS 25999-1:2006. BS 25999-2:2007 business continuity management is the British Standard for business continuity management across all organizations. This includes industry and its sectors. The standard provides a best practice framework to minimize disruption during unexpected events that could bring business to a standstill. The document gives you a practical plan to deal with most eventualities – from extreme weather conditions to terrorism, IT system failure and staff sickness.[4]

This document was superseded in November 2012 by the British standard BS ISO22301:2012.[5]

In 2004, following crises in the preceding years, the UK government passed the Civil Contingencies Act 2004 (The Act). This provides the legislation for civil protection in the UK.

The Act was separated into two distinct parts: Part 1 focuses on local arrangements for civil protection, establishing a statutory framework of roles and responsibilities for local responders. Part 2 focused on emergency powers, establishing a modern framework for the use of special legislative measures that might be necessary to deal with the effects of the most serious emergency.

The Act is telling responders and planners that businesses need to have continuity planning measures in place in order to survive and continue to thrive whilst working towards keeping the incident as minimal as possible.[6]


  • Analysis 1
    • Business impact analysis (BIA) 1.1
    • Threat and risk analysis (TRA) 1.2
    • Impact scenarios 1.3
    • Recovery requirement 1.4
  • Solution design 2
  • Implementation 3
  • Testing and organizational acceptance 4
    • Tabletop exercises 4.1
    • Medium exercises 4.2
    • Complex exercises 4.3
  • Maintenance 5
    • Information/targets 5.1
    • Technical 5.2
    • Testing and verification of recovery procedures 5.3
  • See also 6
  • References 7
    • Notes 7.1
    • Bibliography 7.2
  • Further reading 8
    • International Organization for Standardization 8.1
    • British Standards Institution 8.2
    • Others 8.3
  • External links 9


The analysis phase consists of impact analysis, threat analysis and impact scenarios.

Business impact analysis (BIA)

A Business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information:

  • The business requirements for recovery of the critical function, and/or
  • The technical requirements for recovery of the critical function

Threat and risk analysis (TRA)

After defining recovery requirements, each potential threat may require unique recovery steps. Common threats include:

The impact of an epidemic can be regarded as purely human, and may be alleviated with technical and business solutions. However, if people behind these plans are affected by the disease, then the process can stumble.

During the 2002–2003 quarantine measures if one person in a team was exposed to the disease.

Impact scenarios

After defining threats, impact scenarios form the basis of the business recovery plan. In general, planning for the most wide-reaching impact is preferable. A typical impact scenario such as "building loss" encompasses most critical business functions. A BCP may document scenarios for each building. More localized impact scenarios – for example loss of a specific floor in a building – may also be documented.

Recovery requirement

After the analysis phase, business and technical recovery requirements precede the solutions phase. Asset inventories allow for quick identification of deployable resources. For an office-based, IT-intensive business, the plan requirements may cover desks, human resources, applications, data, manual workarounds, computers and peripherals.

Other business environments, such as production, distribution, warehousing etc. will need to cover these elements, but likely have additional issues.

Solution design

The solution design phase identifies the most cost-effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT purposes, this is commonly expressed as the minimum application and data requirements and the time in which the minimum application and application data must be available.

Outside the IT domain, preservation of hard copy information, such as contracts, skilled staff or restoration of embedded technology in a process plant must be considered. This phase overlaps with disaster recovery planning methodology. The solution phase determines:

  • crisis management command structure
  • secondary work sites
  • telecommunication architecture between primary and secondary work sites
  • data replication methodology between primary and secondary work sites
  • applications and data required at the secondary work site
  • physical data requirements at the secondary work site.


The implementation phase involves policy changes, material acquisitions, staffing and testing.

Testing and organizational acceptance

The purpose of testing is to achieve organizational acceptance that the solution satisfies the recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws or solution implementation errors. Testing may include:

  • Crisis command team call-out testing
  • Technical swing test from primary to secondary work locations
  • Technical swing test from secondary to primary work locations
  • Application test
  • Business process test

At minimum, testing is conducted on a biannual schedule.

The 2008 book Exercising for Excellence, published by The British Standards Institution identified three types of exercises that can be employed when testing business continuity plans.

Tabletop exercises

Tabletop exercises typically involve a small number of people and concentrates on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business.

Another form involves a single representative from each of several teams. Typically, participants work through simple scenario and then discuss specific aspects of the plan. For example, a fire is discovered out of working hours.

The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.

Medium exercises

A medium exercise is conducted within a "Virtual World" and brings together several departments, teams or disciplines. It typically concentrates on multiple BCP aspects, prompting interaction between teams. The scope of a medium exercise can range from a few teams from one organisation co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites.

A medium exercise typically lasts a few hours, though they can extend over several days. They typically involve a "Scenario Cell" that adds pre-scripted "surprises" throughout the exercise.

Complex exercises

A complex exercise aims to have as few boundaries as possible. It incorporates all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.

While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.


Biannual or annual maintenance cycle maintenance of a BCP manual is broken down into three periodic activities.

  • Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
  • Testing and verification of technical solutions established for recovery operations.
  • Testing and verification of organization recovery procedures.

Issues found during the testing phase often must be reintroduced to the analysis phase.


The BCP manual must evolve with the organization. Activating the call tree verifies the notification plan's efficiency as well as contact data accuracy. Types of changes that should be identified and updated in the manual include:

  • Staffing
  • Important clients
  • Vendors/suppliers
  • Organization structure changes
  • Company investment portfolio and mission statement
  • Communication and transportation infrastructure such as roads and bridges


Specialized technical resources must be maintained. Checks include:

  • Virus definition distribution
  • Application security and service patch distribution
  • Hardware operability
  • Application operability
  • Data verification
  • Data application

Testing and verification of recovery procedures

As work processes change, previous recovery procedures may no longer be suitable. Checks include:

  • Are all work processes for critical functions documented?
  • Have the systems used for critical functions changed?
  • Are the documented work checklists meaningful and accurate?
  • Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective?

See also



  1. ^ Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.
  2. ^
  3. ^ Intrieri, Charles (10 September 2013). "Business Continuity Planning". Flevy. Retrieved 29 September 2013. 
  4. ^ British Standards Institution (2006). Business continuity management-Part 1: Code of practice :London
  5. ^ British Standards Institution (2012). Societal security – Business continuity management Systems – Requirements: London
  6. ^ Cabinet Office. (2004). overview of the Act. In: Civil Contingencies Secretariat Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat


Further reading

International Organization for Standardization

  • ISO/IEC 27001:2005 (formerly BS 7799-2:2002) Information Security Management System
  • ISO/IEC 27002:2005 (renumerated ISO17999:2005) Information Security Management – Code of Practice
  • ISO/IEC 27031:2011 Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity
  • ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management
  • ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
  • IWA 5:2006 Emergency Preparedness
  • ISO 22301:2012 Societal security - Business continuity management systems - Requirements
  • ISO 22313:2012 Societal security - Business continuity management systems - Guidance

British Standards Institution

  • BS 25999-1:2006 Business Continuity Management Part 1: Code of practice
  • BS 25999-2:2007 Business Continuity Management Part 2: Specification


  • "A Guide to Business Continuity Planning" by James C. Barnes
  • "Business Continuity Planning", A Step-by-Step Guide with Planning Forms on CDROM by Kenneth L Fulmer
  • "Business Continuity Plan Design, 8 Steps for Getting Started Designing a Plan" By Richard Kepenach
  • "Disaster Survival Planning: A Practical Guide for Businesses" by Judy Bell
  • ICE Data Management (In Case of Emergency) made simple – by
  • Harney, J.(2004). Business continuity and disaster recovery: Back up or shut down.
  • AIIM E-Doc Magazine, 18(4), 42–48.
  • Dimattia, S. (November 15, 2001).Planning for Continuity. Library Journal,32–34.
  • Exercising for Excellence (Delivering successful business continuity management exercises) by Crisis Solutions

External links

  • Business Continuity Planning (BCP) life cycle - Wikibooks
  • Department of Homeland Security Emergency Plan Guidelines
  • Glossary of Business Continuity Terms
  • CIDRAP/SHRM Pandemic HR Guide Toolkit
  • ISO 17799 Newsletter
  • 17799 Central
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.