How to Create a Business Continuity Plan

Estimated Reading Time: 9 minutes

Rachel Sams
Lead Consultant and Editor

By Rachel Sams

Resource Type: Articles

Topic: Business Continuity Planning, Climate Risk

As the editor of a news organization, I had backup plans for how to get our morning newsletter out every day.

We published the newsletter early in the morning, so I often edited and sent it remotely from my house. A couple of mornings, my Internet wasn’t working. No sweat: I just hustled into the office.

That worked well until the night my home Internet provider had a major nationwide outage—with my city facing a blizzard warning the next day. Our other editor had the same home Internet provider, and we couldn’t assume roads would be passable in the morning.

The fix: Since we staged our morning newsletter in advance, the editors at our company’s headquarters across the country were on stand by to hit send if we couldn’t. Thankfully, the Internet provider fixed the outage overnight, so we sent the newsletter as usual.

While it would be years before I (officially) entered the risk management field, that day was my first experience with the intersection of business continuity planning and climate change.

Business continuity planning helps keep a nonprofit’s necessary functions running when normal operations are disrupted or impossible. A business continuity plan also explains how and when other functions will be restored as soon as possible.

Direct business disruptions from climate change could range from wildfire and floods to extreme heat waves. Indirect disruptions from climate change might involve a key product or service becoming unavailable or prohibitively expensive due to a climate event.

Business continuity planning is one of a nonprofit’s most valuable tools to prepare for disruptions due to climate change. The bonus: If you make a business continuity plan, it could benefit your nonprofit during disruptions that have nothing to do with climate change.

Why Business Continuity Planning

We often find that nonprofit leaders want to develop plans for every type of disruption. But that’s not possible, or necessary.

As Frederick Funston and Stephen Wagner wrote in their book, Surviving and Thriving in Uncertainty: “…The crisis that you prepare for may not be the one you experience, but that preparation will improve your resilience, come what may.”

While you can’t anticipate every possible disruption, you can anticipate and plan for “impacts.” That’s important in an era where climate-related extreme weather events are increasing. Consider: How would a period of disruption affect your ability to staff your programs? Deliver services? Access and operate facilities?

Business continuity planning also provides insights into the roles and dependencies of key functions and important tasks at your nonprofit. And it gives you an opportunity to consider the role, cost effectiveness, and positioning of key business functions.

Business continuity planning is not exactly crisis management, nor is it disaster recovery, although all three of these things run in the same circles. Some key distinctions:

Crisis management is the act of managing an operation through a crisis, disaster or catastrophe, while business continuity is the planning process that keeps necessary functions running during a period of disruption and explains how other functions will be restored when possible.

Disaster recovery is the process of restoring data and applications if your data center, servers, or other infrastructure are damaged or destroyed. Business continuity focuses on how to keep essential operations running across your whole organization. Disaster recovery plans usually have a narrower systems focus, addressing how to manage networks, servers and other critical digital operations during a disaster.

Business Continuity Planning, Simplified

We often see organizations drag their feet on developing a BCP. We get it! It can feel like a heavy lift. But a few simple steps will make it easier to start your business continuity plan. Remember that each organization is different, and your nonprofit may need to skip or add sections or otherwise customize your BCP. Our My Business Continuity Plan app at mybusinesscontinuityplan.org, available for $149 or $29 for NRMC Affiliate Members, can help.

Before You Start: Risk Identification

Begin your business continuity plan by identifying your organization’s biggest risks during a business disruption. Also, identify a few simple objectives of your business continuity plan. Examples might be to keep essential operations running for clients, maintain staff safety, and minimize data loss during a business disruption. Select the members of your planning team, and make sure to include any departments that would face a major impact during a business disruption and team members who have expressed an interest—or worries—about disruptions.

Your Disaster Box: Virtual and Physical

The Center for Disaster Philanthropy counsels nonprofits to keep important documents and information in a safe place that’s easily accessible. For organizations with owned or leased premises, they suggest establishing a secure location for a physical “disaster box” with copies of your information stored in a plastic bin with a watertight lid. You should also establish a backup “master key,” or portable digital device like a USB flash drive or external hard drive, containing the same information. Store one copy in your disaster box and one in a secure offsite location, like a safe deposit box. Finally, store a copy of all your critical electronic digital files in a secure cloud data storage account accessible to key staff and if appropriate, officers of the board.

What documents should you include? Start with key legal documents like your articles of incorporation, bylaws, most recent IRS 990 tax forms and your IRS 501(c)3 determination letter. Next, include essential administrative documents like your up-to-date board and staff rosters, budget, leases and deeds, accounting procedures, recent financial statements, chart of accounts, and bank account and investment account information. Include an inventory of key equipment like computers and software. Also, include contact information for key vendors, funders and partners, and update that information at least twice a year. And of course, when you complete your BCP, include it here! Be mindful of privacy, as these files may contain personally identifiable information. Protect electronic files with secure passwords and find the most secure possible location for your physical disaster box.

Establish General Principles

It’s good practice to start your BCP with any general guidelines your team will want to consider in an emergency. If you provide high-need services like food and shelter and your team prioritizes keeping offices open if it’s safe to do so, note that here. If your organization works behind the scenes to connect people with resources and can easily work remotely, your goal in an emergency or disruption might be to make the safest decisions for your team rather than to keep facilities open. You’d want to note this in your BCP as well.

This is a great place to outline or remind staff of daily policies that come into play in an emergency. If you have a policy that all staff must keep cell phones activated during work hours, note that here.

If you require all staff or particular staff to be familiar with your BCP, note that here.

Note anything that would apply in all emergencies here, like your organization’s emergency notification phone chain, where emergency messages will be posted for staff, and any instructions for posting those emergency messages.

Function and Contact Information

NRMC’s Business Impact Analysis form, available at nonprofitrisk.org, is a fillable PDF that prompts you to identify your organization’s key functions and the maximum acceptable downtime for each. Next, identify the recovery timeframe and strategies for each function. What will you need to do to bring each function back online in the designated timeframe? Who will be involved?

You’ll need to list the critical functions of your organization by department and who to contact in an emergency to communicate about each function. This is arguably the most important piece of your BCP. Make sure to include office, cell and home phone numbers to enable team members to reach each other in an emergency. This information takes a bit of time to compile. It’s OK to complete it a little at a time. Put reminders on your calendar to revisit and update it regularly.

Make sure to note dependencies in your business continuity plan. Are there critical tasks that can only be completed if someone else completes theirs? Identify those links and provide for how they would happen during a disaster.

Congratulations! You’ve just completed a major part of the legwork of your BCP. The remaining steps will help you fully build it out.

Crisis Communication/Disaster Recovery Plans

If your organization has a crisis communication plan that governs the steps you will take to communicate with your team and external constituents during a crisis, incorporate it here. And if you have a disaster recovery plan that spells out how information would be recovered and technological operations restarted in a data breach or outage, incorporate that here as well.

Even if you don’t have those plans, list all external vendors you might need to contact in an emergency, from payroll to external PR counsel to IT providers. List the names, phone numbers and email addresses of contact people, and who at your organization is authorized to contact them. Include information about how your organization backs up data and how often.

Departmental BCPs

List by department the critical materials and digital access your team would need to do their work during a period when normal operations are not possible. Make sure to list the people on your team who can authorize and provide that access. Provide their contact information. List any external vendors your department contracts with here and provide names and contact information.

Emergency Procedures

If your organization has emergency procedures that provide information about when to call police, fire, hazmat or other external authorities, incorporate them here. This is also a place to incorporate lockdown procedures or other workplace violence response procedures you may have. Though you can’t and shouldn’t try to anticipate every possible type of disruption that may occur, if your organization has procedures for disasters common in your community (like wildfires or floods), incorporate those procedures here.

Practice, Train and Test

Once you have your plan, you might be tempted to stop there! You’ve done a lot of work. It’s understandable that you might want to take a break, and you should! But to ensure your plan will have the impact you want, it’s essential to train your staff on what’s expected of them. Plan a simple tabletop discussion exercise with a couple of business disruption scenarios to allow your staff to practice how they’d carry out the plan. Gathering people in cross-functional groups can be helpful.

Evaluate Lessons Learned, Identify and Fill Gaps

After any training exercise, hold a brief after-action review. What went well in the exercise? What could your team improve on for the future and how? If anything went wrong or could go better, don’t assign blame; ask open-ended questions, and emphasize that the goal is to help your whole team learn and grow. Share notes from the exercise and after-action review afterward, with any follow-up steps and responsible parties identified.

Don’t Wait – Celebrate!

It’s challenging to even begin business continuity planning. Any nonprofit organization juggles an array of deliverables, responsibilities and needs every day. It may seem impossible to devote significant chunks of time to thinking about the future. We’ve discussed why doing that will benefit you. Share that perspective with your team when you ask them to commit time to this effort. And when you complete a key step of business continuity planning, even when it feels like there’s much more to come, celebrate! You could gather your whole team to enter their key information into the plan, then celebrate with food, games and balloons. You could give your whole team a day off to thank them for the effort they put into the plan. Whatever you do, don’t give up. Each step you take toward a business continuity plan puts you one step closer to peace of mind when disruption occurs—whether it’s related to climate or not.

Rachel Sams is Lead Consultant and Editor at the Nonprofit Risk Management Center. She teaches business continuity planning to nonprofit professionals in NRMC’s twice-yearly Emerging Risk Leaders Certificate Program. Reach her with thoughts and questions about business continuity planning at rachel@nonprofitrisk.org or (505) 456-4045.

SIGN UP FOR THE RISK ENEWS!

Sign Up Risk News

Name*(Required)
Privacy Policy Agreement(Required)