more-arw search

Q&A Forum

How to start a Business Continuity Plan (BCP)?

Hi all, I am working in a manufacturing company, and my task now is to setup and maintain a Business Continuity Plan. This sounds to me that this is mostly related to risk management, but I really don't know how to start with it. Please advise me what I need to do to start it. Thanks.


Topic Expert
Wayne Spivak
Title: President & CFO
LinkedIn Profile
(President & CFO, |

Besides doing research (there is a tremendous amount of info on the web), a BCP has many facets. To only look at one facet (in this case risk management) is to short-change both the Plan and the organization.

A BCP has (this is a short list) :

Business Continuity
GAP Analysis
Business Impact Study
Disaster Recovery
Security (Physical/Cyber/Information)
Document Management
Policy & Management
Strategic Services
Response, Planning & Support
Exercising & Auditing
Education & Training

(Supervisor) |

Thank you, Mr Wayne. Too much information may make us difficult to focus on important and concised points. Do you have any suggestion on which source of document, or which official document that can be reliable to be referred to?

Topic Expert
Wayne Spivak
Title: President & CFO
LinkedIn Profile
(President & CFO, |

Yes, per Regis's comment, hire a BCP consultant to point you in the right direction and facilitate the process.

Remember, and this is crucial; a Plan that is never Tested, Modified, Re-Tested and Practiced is a Plan that will not work!

Topic Expert
Regis Quirin
Title: Director of Finance
Company: Gibney Anthony & Flaherty LLP
LinkedIn Profile
(Director of Finance, Gibney Anthony & Flaherty LLP) |

I find that if a business has never completed a Business Continuity Plan, and they search on the details of completing a plan via the web, they instantly become overwhelmed and do nothing, i.e. paralysis. Please look at a blog I posted on this subject - Should a business invest the time and resources in developing a Business Continuity Plan? ( There are quick no cost activities that you should address first, then grow from there. Wayne's description is 100% accurate, but you will need to evolve to that point. As soon as you start, it will naturally gravitate that way.

Good luck. It is not easy.

Gary Johnson
Title: IT Audit Project Manager
Company: Colorado PERA
(IT Audit Project Manager, Colorado PERA) |

Generally, business continuity is about taking steps to keep the business running in its core functions in spite of disruptions in external environment, internal "hiccups", or technological outages. Identify the key functions - manufacturing and getting product to the market would likely be essential to your organization - and then think through what could go wrong to disrupt that business. Some of the disruptions could happen and have a large impact on the business, others would be 'non-events' - because they aren't likely to occur, or happen so often that workarounds are in place and the impact is minimized. This is the Business Impact Analysis (BIA) part of a plan's development. The things that are likely to happen and have a big impact need to be evaluated for ways to reduce the impact. That becomes the main focus of the Business Continuity Plan (BCP).

A good BCP will require input from people throughout the organization. If management supports BCP you have an excellent chance at getting a project group in place to create the BCP. The BCP should address the activities needed for each department to recover its own functionality. In reality the BCP is really lots of BCPs and may be general, or very specific for a given threat - again based on the BIA. The overall order of events that need to occur is part of a Crisis Management Plan or an Incident Response Plan - this should identify who is responsible for getting the BCPs into effect during the chaos of crisis. As you can see, Business Continuity is really a multi-faceted task.

Here is some info I have found helpful in the Disaster Recovery/Business Continuity (DRP/BCP) world:
The current ISO standard is ISO 22301 from BSI (British Standards Institution). Here is a brief overview:

You absolutely want to look at the NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs document ( for one of the better standards to guide your BCP efforts. If there is a single standard for BCP/DRP that I would adopt, it would be the NFPA, especially since it applies to the US (and doesn’t cost any $ to get hold of it).

One of my favorite information sites is DRJ (Disaster Recovery Journal) – They have white papers and other DRP related info. They have a Generally Accepted Practices document that gives a good grounding - (may require a free registration).
The BCI (Business Continuity Institute) at has a “Good Practice Guide” that covers the general areas that a good BC plan should cover. It is available on the members section.

I used this template to help me organize a BCP effort at a prior company: (see the step-by-step guide linked off this home page). This should provide some general guidance on “what should be in a DR/BCP plan?”

Topic Expert
Wayne Spivak
Title: President & CFO
LinkedIn Profile
(President & CFO, |

For clarity sake, a fully developed BCP has as a component (and not the overriding component) Data Recovery.

As Gary stated, it is multi-faceted and needs to address those hazards most likely to impact the Business. If the business is multi-located, all hazards must be addressed.

Continuity of Operations and Leadership is also paramount. Think about it, what if the bosses can't be located; can the business proceed as usual?

Gordon Coyle
Title: CEO
Company: The Coyle Group
(CEO, The Coyle Group) |

All very good comments. I would agree that the issue of BCP and Disaster Recovery can be intimidating at best. If you look at the resources already cited, or pick up any textbook on the subject you may easily be overwhelmed, and as one contributor indicated, become paralyzed - so nothing gets done.

Stephen Covey in his Seven Habits book said: Begin with the end in mind. This could be the best advice for developing your corporate DR/BCP plan. What are the key issues that are keeping management awake at night? It could be issues around data recovery - so that may be your focal point to begin with. If you could develop your plan centered on the top 3 issues that concern your management team the most, you may be able to get through a rudimentary plan in relatively short order. Now, this obviously doesn't cover all the bases or risks your company is exposed to - but it may be a good first step.

In addition, I would recommend engaging your insurance broker into your process. Depending on their resource base, they may be able to help you work through the process and give you templates, ideas, and plans they've developed with other clients. If they are unable to assist you, ask them to reach out to your insurer's loss control department, as they may have some helpful resources.

One last point - no discussion on DR/BCP is complete without a deep dive on your business income (commonly called business interruption) insurance. Many of the catastrophic risks your company faces are likely insurable risks; coordinating the right limits of business income coverage into your plan will help fund the costs of recovery.

Good luck!

Topic Expert
Wayne Spivak
Title: President & CFO
LinkedIn Profile
(President & CFO, |

I have touched base with some of my BCP experts and none have ever seen Insurance companies become involved in a substantive way (outside business interruption insurance, which having first hand experience is a nightmare to collect on). To clarify, the amount of paperwork, spreadsheets, etc I had to provide to justify lost business took days to compile and complete. It didn't take into account the direction of our business (upward or downward)).

Having talked with my Insurance Consultant, he states categorically that the Insurance Company doesn't take into account whether you do or don't have a BCP (for non-regulated businesses).

A Business or other entity that makes a BCP is essentially "self-insuring"; in that no insurer or government can, or will take the steps necessary to make sure your business survives; but will want to know why it didn't. A catch-22, to say the least.


Get Free Membership

By signing up, you will receive emails from Proformative regarding Proformative programs, events, community news and activity. You can withdraw your consent at any time. Contact Us.

Business Exchange

Browse the Business Exchange to find information, resources and peer reviews to help you select the right solution for your business.

Learn more

Contribute to Community

If you’re interested in learning more about contributing to your Proformative community, we have many ways for you to get involved. Please email [email protected]om to learn more about becoming a speaker or contributing to the blogs/Q&A Forum.