This perspective provides an overview of the Business Continuity Institute’s Professional Practice 5 (PP5) – Implementation, which is the professional practice that “executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP)”. As part of the business continuity planning lifecycle, Implementation activities continue following strategy selection in PP4, with the goal of documenting business continuity plans that aid the organization in recovery at the strategic, tactical, and operational levels.
PP5 OVERVIEW
PP5 provides the business continuity practitioner with guidance on two topics specific to documenting the organization’s business continuity plans. First, the Good Practice Guidelines (GPGs) provide a detailed description of a business continuity plan, including general principles, as well as concepts and assumptions for documenting plans. Second, PP5 provides guidance on developing a business continuity plan, as well as managing the plan after creation. Let’s take a deeper dive into each area.
The Business Continuity Plan
The GPGs lay the foundation for effective plan documentation by defining what a business continuity plan actually is. The key objective of a business continuity plan, as described by the GPGs, is to “identify and document the priorities, procedures, responsibilities and resources to assist the organization in managing a disruptive incident, while implementing continuity and recovery strategies to a pre-determined level of service”. The GPGs describe the audience for the plan, reminding the practitioner to keep the plans direct, adaptable, concise, and relevant. In order to further define how a plan will operate within an organization, the GPGs recommend creating business continuity plans at the strategic, tactical, and operational levels. This is similar to the approaches outlined as part of business impact analysis and strategy design activities. While the strategic, tactical, and operational level model can be applied to most organizations, the GPGs recommend using an organization’s overall structure to customize the approach based on a given organization’s unique size and structure. When applied to implementation activities, these levels include:
- Strategic Plans – A strategic level plan as defined by the GPGs “is a high-level plan that defines how strategic issues resulting from a major incident should be addressed and managed by top management”. In other words, these plans assume a more macro view of the organization, and are designed to provide guidance on the long-term direction or the “big picture”.
- Tactical Plans – Tactical level plans, as defined by the GPGs, “coordinate and manage the recovery of a defined part of an organization”. In other words, these plans are more process oriented, with a focus on the recovery of a grouping of interrelated activities that provide a critical output.
- Operational Plans – Operational level plans, as defined by the GPGs, “provide for the recovery of the business activities covered in the BCP”. In other words, operational plans assume a more micro view of the organization. Whereas the tactical level plans address a process that is comprised of multiple activities, operational plans address a specific business activity.
Developing and Managing Plans
While the first section of PP5 defines what a business continuity plan is, how it can be applied to various levels within an organization, and why it is important to the business, the second section provides guidance on how to document the plans. The GPGs highlight that the practitioner may document strategic level plans before top management selects a recovery strategy (due to the high-level nature of the plans). The tactical and operational plans, however, require set recovery strategies before plan development, as the plans are comprised of specific steps describing how to implement specific strategies and how to operate with those strategies until the organization returns to normal. Additionally, the GPGs document descriptions of what specific information the plans should cover, including but not limited to the following:
- Purpose and Scope
- Objectives and assumptions
- Incident management structure
- Response team responsibilities/membership
- Plan activation
- Contact information (for internal/external stakeholders)
- Team meeting locations
- Communications (for internal/external stakeholders)
- Key information (e.g. details of the organizations prioritized activities and timeframes)
- Action lists and procedures
The remaining sections of PP5 provide additional guidance on documenting strategic, tactical, and operational plans, including guidance on the type of information to gather depending on the level of plan, as well as guidance on how to structure recovery procedures for the different level plans.
The following table demonstrates how closely PP5 mirrors the requirements described in ISO 22301:
PP5 VALUE
Defines Plan Composition at All Levels
A great deal of the value derived from PP5 lies in its definition of what plan content at the strategic, tactical, and operational levels and how each of these plan types can apply to organizations of various sizes. By providing a high-level overview and scope of what the objective of each type of plan is, the practitioner tasked with plan creation can develop plans that provide the appropriate level of detail for the intended purpose and audience. This guidance is important as executive level management does not want step-by-step procedures to follow to recover a specific business activity. Conversely, a high-level strategic plan will not help a department manager tasked with recovering a specific business activity. By summarizing desired plan content at each of the three levels, the practitioner ensures that all plans are relevant for the intended purpose and audience.
Identifies the Type of Plans Appropriate for Different Organizations
As mentioned earlier, strategic, tactical, and operational plans are suitable for most organizations and the GPGs provide guidance for implementing each of the three in different types of organizations. This information is valuable as it ensures plan relevancy and the appropriateness of recovery procedures based on unique business requirements. For example, a small single-site organization may be able to capture all of the pertinent information in one plan, while a large multinational organization may require many different plans spanning all different levels in order to capture the appropriate level of detail. As long as an organization captures the right activities and focus at strategic, tactical, and operational levels, there is a certain level of flexibility that the GPGs provide.
Demonstrates the Basics of Plan Contents
Perhaps one of the most important things that PP5 helps clarify is what kind of information a plan should contain. The GPGs provide a framework for minimum information needs. These plan content requirements mirror ISO 22301 (Clause 8.4.4) almost identically. The Developing and Managing Plans section (mentioned above) ensures a degree of standardization among all plans, whether they are at the strategic, tactical, or operational levels. This standardization ensures that the plans are direct, adaptable, concise, and relevant, which is necessary to ensure that plans are usable at the time of disruption.
PP5 CASE STUDY
Company X is a large multinational organization headquartered in the United States that provides cleaning equipment and solvents to commercial cleaning companies. The organization has production sites in Mexico, the United States, Germany, and India. Recently, one of their largest customers required that Company X show evidence of a business continuity program as part of a contract renewal. In response to the customer request, Company X began the process of implementing a business continuity program.
After determining which departments and processes were in scope, performing a business impact analysis and risk assessment, and identifying appropriate response and recovery strategies, the organization began the process of documenting business continuity plans. Because of how the business is structured, the organization determined that it would need to implement plans at the strategic, tactical, and operational levels. Crisis management plans would exist at all three levels, with a strategic plan for the Corporate Crisis Management Team (CMT), tactical plans for the site level CMTs, and operational plans for the individual Department Recovery Teams.
The strategic plan for the Corporate CMT focused on the large risks uncovered during the business impact analysis and risk assessment, and how the corporate CMT prioritizes the recovery of their critical products and services in the event of a major disruption. For example, Company X has one product that accounts for nearly 40% of its total revenue. The Corporate CMT identified this product as the primary focus for recovery with other products being recovered secondarily based on priorities and timelines identified previously. The strategic level plan documented recovery priorities as an aid for the Corporate CMT in business-decision making during a disruptive incident affecting the organization as a whole.
The tactical plans for site CMTs focused on providing guidance and ensuring adequate resources for business process and department response and recovery. The site CMTs act as a liaison to the Corporate CMT, if additional support is needed. The tactical plan would assist the site CMTs in helping individual departments recover. In the event of a larger or more severe disruption, the site CMTs would escalate resource requests on behalf of the site and departments to the Corporate CMT, and push resources back down to the departments. The diagram below depicts this relationship between the site CMT and department recovery teams.
The operational plans for the department recovery teams focus on recovery of a specific department and subordinate business activities. During a disruptive incident, the operational plans provide the departments with procedures to follow in order to escalate information and resource requests to the site CMTs, and the site CMTs in return pushes recovery priorities and resources back down the department. The operational plans also answer two key questions:
- How does the department recover its most time-sensitive business activities when faced with a people, workplace, technology, or supplier disruption; and
- How does the department operate with these recovery strategies and resources until it can return to normal?
The result of structuring plans at the strategic, tactical, and operational levels is that Company X is now able to respond to a disruption at any level of the business with confidence. Based on GPG guidance, direct, adaptable, concise, and relevant plans will guide users successfully through a response and recovery effort.
FINAL THOUGHTS
Developing and managing business continuity plans at all levels is a critical part of implementing a successful business continuity program. PP5 provides readers with a high-level understanding of what a business continuity plan should cover, as well as how to develop and manage plans for organizations of all shapes and sizes.