"How long should a business continuity plan be?" This is a question we often hear from our customers. My answer usually is: "As short as possible!" The truth is that the perfect business continuity plan (if such a thing exists) should be three - sometimes contradictory - things at once:
As implied above, we don't live in a perfect world, and sometimes we must create a balance between the three. Let's take a closer look at the three "golden rules of business continuity planning".
The business continuity plan must be comprehensive. Or at least adequate. Please note that I write comprehensive - not long. The business continuity plan must cover the critical processes and systems, otherwise it is worth nothing. This is one of the reasons we always recommend starting with a risk assessment.
So that's the first golden rule. The business continuity plan should include what is critical and important to our business, otherwise, it does not fulfill its sole and main function: to protect ourselves against unacceptable losses as a result of an incident.
But the business continuity plan should still be short. Very often we see business continuity plans of 150 pages or more. Although it is an impressive piece of work, some of the time spent typing it up might have been better spent.
But why is it so important to keep the plan short and simple? We have to keep in mind when and under what circumstances we will be needing the plan. In an emergency situation, the business continuity team should only be presented with the information they need in this situation. If they are handed a 150-page plan, one of two things will happen:
- Business continuity is slow, inefficient and inflexible.
- The business continuity plan will be scrapped, and the situation will be handled "ad hoc".
If this happens, it is obviously wasted effort writing a business continuity plan to begin with.
Finally, our business continuity plan must be operational. Unfortunately, many business continuity plans start with page after page of general considerations, such as introduction, purpose, objectives, stakeholders, approvals, references to standards and legislation etc. As I mentioned earlier, the business continuity plan will be used in emergency situations and must be operational from page 1! This is why these kinds of general considerations, even if they are justified, should be removed from the plan. One way to do this is to create a separate "Business Continuity Policy" - or at least place these as the last part of the plan.
To make the business continuity plan operational, it is important that we give some thought to the structure and flow of the plan. We don't want the business continuity team to have to turn page after page to find what they are looking for and thus lose track. Therefore, it may be a good idea to start the plan with a flow chart so that they can always return to this in order to get an overview. I am a big believer in the "one page management" concept, where the entire business continuity flow is described on one page.
You should also consider which style and language to use in the plan. Short, clear messages, preferably in bullet form, are much better than long, convoluted chapters. Keep in mind that there is limited time and quite an amount of stress involved when experiencing an emergency situation.
So... Remember the three golden rules and keep your business continuity plan Comprehensive, Short and Operational.
Please share your experience in creating effective, pragmatic and operational business continuity plans in the comments below.
About the Author: Jacob Holm Hansen is a Senior Security Advisor at Neupart and advises companies on ISO 27001, IT risk assessments and business continuity planning.
With Neupart's ISMS tool you can improve your business continuity planning and make sure that your plans are always up to date.