What is the importance of a business continuity plan? What are essential items that should be included in this plan for any business or organization?

The Business Continuity Plan is a documented plan that depicts that the company is aware of potential risks and threats to its critical assets and processes, that the company has mitigation plans for each threat factor, and that irrespective of the threats that may occur in the future, the organization will not be brought to a halt and its critical functions will continue.

The essential items that should be included in this plan for any business or organization are-

  • Risk assessments
    Risk assessments involves-
    • Listing processes and assets of the organization and prioritizing them
    • Listing the possible risks against each asset
    • Listing mitigation techniques for each risk
  • Business Impact Analysis
    This is a documented list which weighs the impact of the risks and threats and disasters on the critical assets and process of the organization. It helps to identify what needs to be addressed as a priority. It also weighs the costs of the damages caused by risks as well against the costs involved in mitigating them. 11
  • Disaster preparedness
    Organizations develop a disaster preparedness plan (which includes disaster recovery strategies and disaster recovery plans (DRPs)) to address high priority risks. These could be risks with high probability of occurring and/or risks which will cause the most damages.
    In some cases, an organization will have multiple DRPs within a BCP, and in other cases, the organization will have a single DRP. For example, it’s possible to have individual DRPs that identify the steps to recover individual critical servers, and other DRPs that detail the recovery steps after different types of disasters such as hurricanes or tornadoes. A smaller organization may have a single DRP that simply identifies all the steps used to respond to any disruption.

Could an organization create DRPs without a BCP? Yes, but they might be misguided. If the organization hasn’t taken the time to identify what services are critical, they might end up creating DRPs for non-critical systems. Worse, they might not create DRPs for critical systems.11

  • Incident Response

An incident response plan is the step-by-step process of responding to security “incidents”. Incidents could be as varied as lost laptops, Web application hacks, insider abuse, virus attacks, phishing attempts etc. Incident response plans help minimize business risks, and they’re mandatory in today’s computing environments. A good incident response plan will outline the who, what, when, where and how to respond to data security breaches. 12