Effective Business Continuity: Program vs Plan

By TJ Heginbotham|2019-08-08T10:32:25+00:00June 14th, 2019|0 Comments

Many organizations think that effective business continuity planning is synonymous with great plan documentation.

It’s not.

Yes, plan documentation is extremely important. BUT… many organizations fail to recognize that effective business continuity plans – and truly prepared and resilient organizations – are the result of a larger business continuity planning lifecycle that begins with requirements setting and ends with practice (and of course, the process recycles on a continuous basis).

Bottom line – plans are just one key ingredient in the development of an effective business continuity program.

Understanding Your Organization

Before an organization can document plans or determine strategies, it’s important to understand and evaluate the organization. This means having an understanding of the core products or services offered to customers (and their use of the products and services), as well as an understanding of internal and external stakeholder requirements.

Why is this the first step? Understanding priorities and stakeholder requirements provides a clear direction and an appropriate scope for the planning efforts to ensure business continuity planning processes and strategies meet stakeholder expectations.


After developing a complete picture of what business continuity planning should mean for your organization, the next step is to set up the governance structure to drive the planning process and long-term continual improvements efforts.

Like identifying the scope, implementing a governance structure allows for clarity in planning expectations and ensures business continuity planning activities are executed in alignment with the organization’s goals and strategic direction. In addition, by documenting a Policy and Standard Operating Procedures, and chartering a steering committee made up of senior leadership, the organization enables the planning process to perform in an efficient, repeatable manner.

Requirements Definition

After establishing an understanding of the organization’s business continuity priorities and a governance structure to ensure a repeatable planning process, the next step in the business continuity lifecycle is to determine business continuity requirements through a business impact analysis (BIA) and risk assessment. The goal of the business impact analysis is to identify the activities and resources (technology, equipment, suppliers, facilities, etc.) that support the development and delivery of key products and services, and the estimated impact of downtime should any of the resources become unavailable.  The outcome of the BIA is discovering business continuity requirements, including downtime tolerance, resource needs, and recovery performance criteria.

In addition to a BIA, it’s also important to perform a risk assessment to understand the likelihood of and impact associated with a business disruption caused by a loss of critical resources. This risk assessment enables the identification and analysis of business risks that may affect the organization’s ability to deliver core products and services, with a focus on identifying controls and strategies to decrease the likelihood or limit the impact of a disruption affecting products and services.

Strategy Identification

Once the organization has determined its business continuity requirements (including risk mitigation opportunities), it can then identify, evaluate, and implement risk mitigation, response, and recovery strategies to reduce the likelihood of disruption, or, if a disruption does occur, ensure an efficient and effective response and recovery effort that limits impact and aligns within stakeholder expectations.

Once again, to develop effective plans, the organization must first understand business continuity requirements and select appropriate strategies.

Plan Development

As you can see, there are critical steps that need to be completed before you dive into developing and documenting business continuity plans. These steps not only identify the resources and strategies that the plans should address, but also ensure that any created plans allow for the recovery of business activities or resources within stakeholder expectations.

After identifying, evaluating, and implementing risk mitigation, response and recovery strategies, the organization can begin documenting plans that describe how the organization will recover and operate in a contingent mode until returning to normal.  Documented plans ensure repeatability and support decision making during a disruptive event. Best practices suggest documenting plans that address resource-loss scenarios  (rather than specific threats or events), including procedures that address the loss of a facility, loss of people, loss of technology, or loss of suppliers/vendors. By documenting plans based on resource loss, management can rest-assured that response and recovery participants know what to do, no matter what “threat” actually causes the disruption.

Awareness, Training, and Exercising

The temptation organizations often face is to stop the preparedness effort after documenting plans. However, plans are only as effective as the people who use them. Because of this, it’s important to develop and implement a training and awareness program that introduces business continuity process and strategies to all of the appropriate people throughout the organization so they can properly prepare and develop response and recovery competencies.

In addition, performing business continuity exercises provides hands-on, experiential training and ensures response and recovery participants are aware of the business continuity plans and strategies and comfortable with their assigned roles and responsibilities. By performing exercises, response and recovery participants will begin to develop “muscle memory” with their plans allowing for smoother response and recovery execution during a real disruption when the stakes are high.

Bottom-line, exercises not only provide valuable training to those responsible for response and recovery, but also are essential to validate business continuity strategies in light of requirements and highlight any areas for improvement to ensure the organization can recover within recovery objectives.

Continual Improvement

Finally, one of the most important parts of creating business continuity plans is making sure the organization doesn’t “set it and forget it”. As an organization changes, so do the risks and business requirements.

Key components of a management system, designed to drive continual improvement, include program-level management reviews. Management reviews help ensure that strategies, plans, and the planning processes continue to meet stakeholder expectations and address all necessary risks and obligations. As these management reviews identify corrective actions needed to close gaps, it is also critical to assign owners to these actions and track completion. Without tracking or assigning owners to the corrective actions identified, management reviews will not provide value or enable program growth.

Further, it’s important to track program performance through the development of metrics. Metrics measure success based on priorities, requirements, and performance, and help highlight opportunities for improvement.

Final Thoughts

Effective business continuity planning is much, much more than just creating plans. As discussed throughout this article, it’s extremely important to perform each stage of the business continuity lifecycle – often leveraging management system processes and tools – to ensure plans support the response to a disruptive event and recovery of the organization’s critical products and services within business and stakeholder expectations.

About the Author

TJ Heginbotham is a consultant at Avalution Consulting, providing Business Continuity Management and IT Disaster Recovery solutions for organizations across a variety of industries. He can be reached at [email protected]

Recommend0 recommendationsPublished in Enterprise Resilience

About the Author: TJ Heginbotham

TJ Heginbotham is an Associate Managing Consultant at Avalution and joined the company in 2015.
TJ has consulted with a variety of organizations spanning a diverse range of industries. TJ specializes in creating customized business continuity solutions for each organization to ensure an efficient response and recovery during a disruption. TJ’s ability to think conceptually about organizations allows for the development of unique and valuable solutions for clients.
Over the past four years, TJ has gained extensive experience in health care and hospital systems, performing business impact analyses (BIAs) and planning sessions with several hospital systems and health clinics across the country. In addition, TJ has performed dozens of program implementations across various industries, including health care, professional services, financial institutions, insurance providers, and manufacturing.

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.