Category
A group of coworkers sit around a conference table, holding papers, training in their company's business continuity plan
Emergency Management Jun 02, 2024

10-Step Business Continuity Plan Checklist

Your business doesn’t need to shut down when an emergency hits. With a thorough business continuity plan checklist, you can keep your people safe and stay operational through whatever crisis you’re hit with.

Business Continuity Checklist
Use this checklist to develop a comprehensive business continuity plan that supports your organization’s objectives.
Blog-CTA-Sidebar-Graphic-BusinessContinuity-Checklist

Protecting your employees and operations is a complicated issue, especially the larger and more widespread your business. Companies like Boeing, with locations in over 70 countries, know this firsthand. The only way to tackle complicated problems is with a plan.

“With such a broad geographic footprint, it really is challenging and difficult to prepare for every single type of outcome out there,” Keith Berthiaume told us on The Employee Safety Podcast. Keith is Enterprise Emergency Preparedness Program Manager at Boeing. “So having a plan that looks at what the impacts are and how we can prepare and respond to those makes it a lot easier for us to have an enterprise-level response.”

During business-critical events, having a plan for business continuity is imperative to helping emergency response leaders and key stakeholders understand what to do, who to contact, how to respond, and the necessary steps to mitigate the impact. A business continuity plan also helps accelerate response times, bolstering employee safety and protecting the company’s infrastructure.

A well-developed business continuity plan serves as an emergency checklist for all emergency scenarios that might occur. In this post, we discuss what makes for a useful business continuity plan and how you can create your own business continuity plan checklist using a template that fits your organization’s unique needs.

What Is Business Continuity?

Business continuity is your organization’s ability to maintain important business functions during emergencies or disruptions. The processes and procedures put in place through business continuity help to prevent, mitigate, and recover from threats to your operations. This way, you can maintain some level of function even when faced with potentially harmful events.

Often, larger businesses have entire business continuity management (BCM) teams or individuals whose responsibility is to develop processes and procedures. However, smaller organizations tend to rely on other internal teams, like HR, to establish and communicate these protocols. No matter what your industry or size, every organization needs a business continuity plan (BCP) to document how it will protect its people and operations.

A 10-step business continuity planning checklist, displayed on a clipboard illustration

What is a business continuity plan (BCP)?

A business continuity plan outlines business processes that will take place before, during, and after an emergency to minimize interruptions and keep things as close as possible to “business as usual.” Business continuity management means spinning a lot of plates at once, and your business continuity plan will help you stay organized and prepared. A robust plan prepares you for all significant events that could endanger your people or interrupt business operations.

Emergencies often lead to interruptions in normal business operations, and these disruptions—large and small—can create long-term issues for human resources, information technology, and other business stakeholders when organizations’ emergency response plans—or those of their providers—are inadequate. They can take people and technologies offline for hours, even days or weeks, during and after an emergency.

“Regardless of the incident type, there are four ways we as a company could be impacted: the loss of our most important resource—which is our people—our buildings, our supply chain, or our IT applications. Most incidents have the potential to impact more than one of these areas, so it’s the protection of these four groups that forms the basis for how we perform business continuity.”

—Keith Berthiaume, Boeing

The nature and impact of interruptions will vary depending on your industry, business locations, number of employees, and exposure to various types of threats. Some of the most common interruptions may include

  • Supply chains
  • Distribution channels
  • Technology operations like power or internet outages, cyberattacks, or data center failures
  • Critical machinery or equipment operations
  • Employee travel and accessibility to work locations
  • Employee accessibility to work-related systems, applications, and data
  • Customer accessibility to storefronts, websites, call centers, or customer-facing applications

A business continuity plan is an important component of risk management and emergency response. While the first objective during any crisis is to safeguard employees, the second is to safeguard the business. Planning for an unplanned emergency using a BCP checklist is critical if you’re going to stay up and running.

Leverage our Business Continuity Checklist to develop a comprehensive plan.

Your Business Continuity Plan Checklist

Your business continuity plan should include all the information necessary to coordinate an effective response to any emergency or crisis event. Typically, a BCP will include each of the following:

  • A comprehensive risk assessment
  • A business impact analysis for each risk type
  • A process for monitoring and detecting relevant threats
  • Documented recovery time objectives
  • Communication strategy and procedures

#1: Risk assessment

Business continuity stage one is a risk assessment

According to Bob Arnold, president of Disaster Recovery Journal, the key to developing a sound business continuity plan is understanding an organization’s potential risks. “Threats come at us more frequently and more violently today,” Bob told us. You may not be able to predict which risks will impact your locations and assets, but you can conduct a business threat assessment to ensure you will be prepared for threats when they inevitably arise.

  • People impact: What are the situations that would impact your employees’ ability to work? Which job functions are most critical to your organization’s business continuity?
  • Partner impact: Which partners and service providers are you most reliant on?
  • Facility impact: What are the scenarios that could cause one or more of your worksites to become unavailable?
  • Technology impact: Which systems or tools are used to deliver goods and services to customers? What systems are used to communicate and coordinate internally?
  • Brand/reputation impact: What is the impact on your brand should your business no longer operate normally?

Specific threats will vary from organization to organization based on their geographical location and surroundings. However, most companies can perform a business continuity risk assessment for common scenarios, such as:

  • Severe weather
  • Workplace and structural fires
  • Power and IT outages
  • Pandemics and other health crises
  • Physical threats from individuals
  • Cybersecurity threats from inside and outside of the organization
  • Natural disasters

By taking stock of historical events and most likely-to-occur scenarios, organizations can begin to develop an ongoing list of potential threats. This list will evolve as the company grows its employee base, the number and locations of additional sites, the locations where employees may travel for business, and its fleet/equipment/technology assets. Keeping this list fresh and adjusting the plan accordingly is a must.

“Threats come at us more frequently and violently today.” —Bob Arnold, Disaster Recovery Journal

#2: Business impact analysisBusiness continuity stage two is a business impact analysis

Once you complete the threat assessment, conduct a business impact analysis (BIA) to determine how each of these threats could influence the business. The goal of a BIA is to predict any consequences of various types of disruptions and their impact on personnel and critical business functions. You can then use this information to develop effective recovery strategies to mitigate risks and improve outcomes.

Any business disruption can have a detrimental operational and financial impact. These may include lost and/or delayed sales and income, delays in manufacturing or development, an inability to deliver goods or meet contractual agreements, increased expenses, customer dissatisfaction, and even regulatory fines.

Of course, the impact will depend greatly on the duration and timing of the disruption. A two-hour power outage will have less impact than a two-day work stoppage resulting from a hurricane. A fire in a remote and partially empty warehouse will be less of an interruption than a fire in an active manufacturing facility. By analyzing different possible scenarios, an organization can be better prepared to handle the emergency and bring operations back online more rapidly. Reevaluate this analysis regularly as new threats arise.

#3: Threat monitoring and detectionBusiness continuity stage three is threat monitoring and detectino

Once you’ve identified potential threats, you need a way to effectively monitor and assess critical events near your people and assets so you can react immediately. Monitoring events before they strike is critical to protecting your people and brand. It allows you to recognize and predict critical situations before they happen, giving you the benefit of alerting and organizing your audience in advance.

Companies like Whataburger use threat intelligence solutions to monitor threats for their thousands of locations, a feat that would be next to impossible for their small team. Automatic threat monitoring allows business continuity teams to focus on response and mitigation while trusting that they will be notified immediately about any detected threats.

Learn more about how Whataburger protects its people and business during critical events with AlertMedia.

AlertMedia_CustomerSpotlight_Whataburger_HeroBanner

#4: Recovery time objectiveBusiness continuity stage four is the recovery time objective

Once you’ve identified your risks and established a process for identification and monitoring, it’s time to set goals. Your recovery plan outlines how to get your business back to normal as quickly as possible, and a recovery timeline is a part of that plan.

Establishing a recovery time objective (RTO)—the maximum acceptable time until the business is up and running following a crisis event—is a critical component of any BCP to ensure your response plans sufficiently protect the organization against long-term damages, including data loss, financial penalties, and more. This information will also directly impact your crisis management, risk mitigation, communication strategy, and how you prioritize response efforts.

You can also include your assigned recovery team in your plan to clarify the responsibility and ownership of the RTO. This team will comprise personnel responsible for coordinating, communicating, and managing employees and stakeholders during an emergency or business interruption.

#5: Communication strategyBusiness continuity stage five is a communication strategy

A business continuity program should have a solid emergency communication strategy at its foundation. Communication is a lifeline in times of crises and critical events. Relaying information and instructions to employees and other business partners will help your people stay calm and guide them to the appropriate behavior. While some employees only need to keep themselves safe, others may be assigned as part of a skeleton crew responsible for operating and/or maintaining the business and its vital functions.

Your emergency management and business continuity teams should designate specific individuals accountable for emergency communication and at least one level of backup per function and train them accordingly. These employees will become the most critical contacts during and after an emergency and require multiple communication channels.

Additionally, the types of communication channels are equally as critical as the communications themselves. Using an emergency communication system will help ensure notifications and alerts are sent across multiple channels simultaneously so that every employee receives the message intended for them. Remember: During an emergency, IT infrastructure may be compromised, or computer systems may be inaccessible, so you should use all available channels to communicate with critical personnel. Your system should also enable two-way communication so you can confirm whether messages were received while allowing employees to verify their safety and contribute valuable information to help reduce downtime.

These channels may include

  • Text message
  • Mobile app push notification
  • Email
  • Phone call
  • Social media posts
  • Slack/Team message
  • Intranet site alert
  • Desktop alert

In today’s mobile culture, this multi-modal approach is the only way to ensure the affected employees receive the messages quickly, in real-time, and on the devices they are most likely to have with them. For instance, it would be completely ineffective to send an emergency email to every employee when a portion of employees are field workers with no access to email. According to Michelle Schutte, Managing Director of Business Continuity and Incident Management at Charles Schwab, you also need to have a method of communication that’s based on urgency. “You need something that really captures someone’s attention and makes them click it to go away,” said Schutte. You can send urgent communications via regular, day-to-day methods such as email.

What to Expect from a Business Continuity Template

You can use our business continuity plan template to streamline your planning. Here are some of the helpful elements you can line up to ensure a fast and effective response.

Roles and responsibilities — Establish a chain of command so everyone knows who to turn to when a critical decision is required. Be sure to include departments beyond the crisis team members, including internal communications, IT, and any executives who may need to communicate important information to employees and other stakeholders. Don’t forget to outline secondary contacts in case primary stakeholders become unavailable.

Emergency contact information — Make sure to have phone numbers readily available for staff, local police and fire departments, utility companies, and any other external organizations that may be able to help in the event of a threat. An emergency communication system that integrates with your HRIS can also help ensure this information is regularly updated and reflects employees’ current information.

Backup plan — Nearly all businesses today use computers to complete daily tasks, so losing those systems could mean devastation. Therefore, perform regular backups of all your computer systems and make copies of critical information to a remote location or server. Once you back it up, ensure you also record details of how to access it. Other considerations for contingency planning include

  • Backup power: Consider keeping backup generators on hand in the event of a power outage so you can quickly restore your electrical systems or computers.
  • Alternate operations site: Set up a second physical location to conduct business operations if you lose access to your headquarters. This alternate site should include all the tools and systems needed to continue work as planned and equipment to recover the primary site.
  • Essential equipment and services: Essentials include access to email, web servers, data backup sites, and any other tools your day-to-day operations require. Consider the applications and vendors you depend on, and make sure you’ll still be able to use them should an incident occur.

How to Create a Business Continuity Plan

JetBlue Airways’ 22,000 employees serve millions of customers across 26 countries. The company’s business continuity plans include dozens of possible threat scenarios, ranging from severe weather to fleets getting grounded to acts of terrorism.

Not every organization will face the same threats as JetBlue, but we can learn from their approach to business continuity. On The Employee Safety Podcast, Penny Neferis, the airline’s Director of Business Continuity and Disaster Response, shared great examples of how any organization should handle the stages of a crisis.

You can follow these same steps on your own as you go through your business continuity plan checklist. We’ve included examples from JetBlue that you can look to when building your plan.

#6: Create your teamBusiness continuity stage six is team creation

The first step in developing a business continuity plan is determining who will be responsible for updating and executing it. Business continuity and disaster recovery warrant their own team; however, the team should consider which other departments will be vital to recovery.

According to Penny, “Our small-but-mighty disaster response team [can] only work so long, and we had to learn to count on other groups to step in and help. Our teams are robust, but we felt ownership to take all emergency responses on our shoulders in the past.”

Assign one person the sole responsibility for taking charge, but assign additional recovery tasks to a variety of people across each unit of the business to guarantee no department gets left behind. True resilience management integrates various teams’ experience and awareness to ensure each strategy is as strong as it can be.

#7: Strategize for your top priority risks

Business continuity stage seven involves strategies for top-priority risks

With your team in place, now it’s time to determine what steps you will take to mitigate the impact of top-priority threats. You’ll know which risks you need to prioritize based on your risk assessment, and your business impact analysis will help you understand exactly what the impacts of your risks are—which is critical for knowing how to act.

“When a crisis does happen, we look at it from three different lenses,” said Penny. “What impact does this have on our staff and crew members? What impact does this have on our customers, and what impact does this have on our community?”

For each risk, come up with a few strategies for ways that you can manage that impact to mitigate the disruption to your business’s operations, customers, and employees.

#8: Map out your plan

Business continuity stage eight calls for mapping out your plan

Now that you have your team and you understand each threat’s impact on your business, you need to actually map out a strategy for how to keep your business running—easily the most important component of a business continuity plan. Make a list of the most critical functions of your organization as well as the disruptions that could hinder them, and develop practical recovery strategies for each scenario. Consider various “what ifs” to instill confidence among your team that they’ll be able to respond no matter the situation.

#9: Train and educate

Business continuity stage nine is to train and educate your employees

You’ve completed your plan, and now you need to train your staff on it. Conduct tabletop exercises and emergency drills so everyone knows the role they will play should a disaster occur. The more “real” the event feels, the better prepared employees will be. Include key personnel and first responders, and use these training sessions to identify missing aspects or weaknesses in your plan. Keep reading for some additional tips on practice and implantation of your business continuity plan.

#10: Analyze and update as new threats are identified

Business continuity stage ten is to analyze and update as new threats surface

The threat landscape evolves constantly, with new risks to business operations occurring every year. Before 2020, few organizations probably expected they would be dealing with an ongoing global pandemic, but they quickly learned to adapt. Business continuity requires both immediate and ongoing attention, and plans should be frequently analyzed and updated based on recent events and predictions.

For instance, we know severe weather and the effects of climate change will continue to threaten businesses across the globe, but we are seeing significant changes in how weather threats crop up. Our 2024 Threat Outlook Report breaks down changes in where weather events occur and longer seasons that may require shifts in your business continuity plan around weather threats.

Business Continuity Communication in Your BCP

Communication is a cornerstone for any effective business continuity plan, as it ensures that all stakeholders are informed, coordinated, and able to respond promptly to disruptions. During a crisis, clear and consistent communication is your most valuable asset for maintaining operational stability, addressing stakeholder concerns, and disseminating critical information. This involves not only internal communication among employees and management but also external crisis communication with customers, suppliers, and regulatory bodies.

Additionally, a well-defined communication plan ensures that all team members know their roles and responsibilities during an emergency, facilitating swift decision-making and action. Pre-established communication channels and protocols enable the organization to provide real-time updates, issue alerts, and gather feedback, which are vital for adaptive and effective crisis management. A robust business continuity communication plan within your overall business continuity plan will help mitigate confusion, reduce downtime, and maintain trust and transparency.

When it comes to what to include, here are a few ways to integrate communication into your BCP:

  • Specify communication channels for different messaging
  • Build event pages for major or ongoing events
  • Draft communication templates for different emergency scenarios
  • Assign communication responsibilities to your BC team members

Maintaining a Living Document

Your business continuity plan and BCP checklist shouldn’t be a single line-item task that you mark off and never look at again. These documents work best if they are integrated consistently through your yearly safety planning so you can keep them updated with any necessary changes and so your team keeps the processes top of mind. Here are a few tips for keeping your BCP a central piece of your broader safety culture.

Practice makes perfect

No emergency plan is complete without practice. This philosophy holds true for the business continuity plan. Every person in the company should have a solid understanding of business processes and what they are to do in case of specific incidents (such as a cyberattack) or general emergencies (such as fires, severe weather, workplace injuries, etc.). The designated skeleton crew needs to be clear on their roles and responsibilities and exactly what, when, and how the business continuity plans will be triggered.

Implementing a disaster recovery plan and BCP involves three basic steps. Not all employees will be involved in both, but all should have at least a general understanding of what will happen when the emergency plan is activated and which critical business functions will be prioritized. All employees should also have a current contact list of all those who will be in authority during an emergency.

Step 1: Align on Goals

Before a company initiates a drill, it is a good idea to gather key stakeholders and decision-makers together to carefully and methodically evaluate the emergency and business continuity plans. Review each step with a critical eye to ensure nothing is missed and every area of the business is represented.

Step 2: Train your employees

Once the plans are considered complete, it’s time to educate employees. Depending on how dispersed your employees are, you may choose to conduct on-site training sessions, tabletop exercises, or develop an on-demand training curriculum that employees can watch on their own time. Because the goal is to obtain 100% participation, design a measurement tool that can provide a current list of employees who have and have not watched the webinar.

Step 3: Practice your plans

The next step is to practice what was learned. It is recommended that regular full emergency evacuation drills be scheduled. The more “real” the event appears, meaning key personnel and first responders participate, the better-prepared employees will be should an actual critical event occur.

Those responsible for triggering the emergency plan and those involved in the skeleton crew should walk through their respective roles during a critical event. Role-playing is a successful tool that first responders often use themselves to ensure no step is missed. This role-playing will also give the organization valuable insight into how the plan actually works in a “real-life” scenario. Often, a plan will look comprehensive on paper, but when it is practiced, weaknesses appear.

Assess the success

Practicing the plan is not the end of the process. In fact, it simply provides a lens into how well (or not) the plan performed. You can gather valuable intelligence from each practiced drill and from the people involved. From the business leaders and skeleton crew to the employees who were impacted, it is important to gather feedback from every angle.

Questions to ask:

  • Did every employee in every location know what to do?
  • Was there any confusion, chaos, or panic during the drill?
  • Were the emergency communications delivered across multiple channels simultaneously?
  • What were the open rates for each mode of communication?
  • Did the message communicate the proper level of information with instructions on where to find additional information?
  • Were employees able to respond with two-way communication?
  • How long did it take to trigger the business continuity plan?
  • Was the designated skeleton crew able to keep operations going?

Of course, there could be any number of additional questions. These are just a guide, but be sure to include employees’ opinions and experiences. Their perception of how well the drill was orchestrated is as important as the actual results. The goal is not only to protect the employees but also to give them peace of mind that in virtually any situation, their company has their backs. Their perception is their reality and should be taken seriously.

Continual improvements

All the information you gathered in your questions can be used on its own or through an after-action report to make improvements to your plan and your process so that the next drill and the real response are as effective and smooth as possible. By bringing people together at least annually to review the current plan, evaluate alternative available technologies, and assess potential new threats, your organization will be better prepared for any situation. Planning is never a one-time event. It is ongoing and always has room for improvement. Be sure you have business continuity management processes in place to keep it at the forefront of your annual planning. The business continuity plan (BCP) ISO 22301 standard helps offer a clear process and an internationally vetted framework for minimizing disruptions.

At the end of the day, an effective business continuity plan must be fluid. But perhaps more importantly, it must also be consistent. Events will never happen exactly as you plan, but by remaining vigilant, you’ll steer clear of “deer in the headlights” syndrome and be prepared for any new challenges that may come your way.

Business Continuity Checklist

Please complete the form below to receive this resource.

Like What You're Reading?
Subscribe to Our Newsletter
Subscribe to The Signal by AlertMedia to get updated when we publish new content and receive actionable insights on what’s working right now in emergency preparedness.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Cookie Notice