How to write a business continuity plan

By Snr. Risk Consultant – Eng. Dan Mokua and Stella Makona Simiyu, Co-founder Sentinel Africa Consulting

In the heart of East Africa, a region renowned for its breathtaking landscapes and diverse cultures, businesses have flourished against a backdrop of both opportunity and adversity. However, recent years had seen a convergence of disasters that underscored the critical need for robust Business Continuity Plans (BCPs) across the region.

The first wave of trouble began with a severe drought that swept through Kenya, Ethiopia, and Somalia – the worst ever experienced in four decades. The Horn of Africa experienced its driest conditions in decades, devastating agriculture, which is the lifeblood of many communities. Crops failed, livestock died, and more than 36 million people faced food insecurity in 2022 alone. Businesses reliant on local produce faced significant supply chain disruptions, forcing them to rethink their sourcing strategies and stockpile essential goods.

As if the drought wasn’t enough, a plague of desert locusts descended upon the region, exacerbating the already dire situation. Swarms of locusts, described as the worst in 25 years, ravaged what little crops had survived the drought. The agricultural devastation was unprecedented, impacting food production and triggering an economic ripple effect across various industries. Companies had to rethink their risk management strategies and develop contingency plans for such unpredictable natural disasters.

Simultaneously, the region faces the persistent threat of political instability. Civil conflicts escalated, leading to widespread displacement and disruption of trade routes. Businesses operating in and around conflict zones found their logistics networks in disarray, unable to transport goods or ensure the safety of their employees.

This turmoil highlighted the necessity of having robust BCPs that included crisis management and alternative operational strategies. Then came the floods. Torrential rains turned roads into rivers and villages into lakes. The infrastructure struggled to cope, with bridges collapsing and power outages becoming commonplace. Businesses found themselves unable to operate as offices flooded, and transportation networks were severed. The logistics industry, crucial for delivering goods across the nation, faced unprecedented challenges, emphasizing the importance of having alternative routes and backup transportation plans.

As the region grappled with these natural disasters, a more insidious threat emerged: cyberattacks.

With increasing digitalization, regional businesses have embraced online platforms and e-commerce. However, this growth attracts cybercriminals who launch sophisticated attacks on financial institutions and corporate databases. In 2023 alone, Kenya was hit by more than 830 million cyberattack incidents as reported by Communications Authority. In July 2023, Kenya’s critical information infrastructure (e-citizen) was brought to a standstill by a Distributed Denial of Service (DDoS), paralysing services, affecting government revenue collection, and eroding customer trust. These breaches highlighted vulnerabilities and the dire need for stronger cybersecurity measures and contingency plans to protect sensitive data.

Amid these natural and man-made calamities, a global pandemic swept through Kenya. COVID-19 forced businesses to shutter their doors and send employees’ home. Remote work became the norm, but not without its own set of challenges. Companies had to quickly adapt to digital collaboration tools and ensure data security while maintaining productivity. The pandemic underscored the need for flexible working arrangements and health and safety protocols to protect employees and sustain operations.

How to write your BCP

These cascading disasters paint a clear picture: the traditional ways of doing business were no longer sufficient. African businesses need comprehensive Business Continuity Plans to navigate the uncertainties of the modern world. They needed strategies to ensure operational resilience, protect their workforce, and maintain customer trust, even in the face of adversity.

This article provides you a robust guide to developing a business continuity plan (BCP).

Introduction

A Business Continuity Plan (BCP) is an essential framework that prepares an organization to respond effectively to potential disruptions and disasters. The primary objective of a BCP is to ensure that critical business functions continue to operate seamlessly during and after unforeseen events, minimizing downtime and mitigating operational, financial, and reputational risks.

In today’s rapidly evolving and interconnected world, businesses face a myriad of potential threats ranging from natural disasters and cyberattacks to supply chain disruptions and pandemics. These incidents can occur without warning, making it imperative for organizations to have a robust, well-structured plan in place that addresses not only the immediate response but also the long-term recovery of essential services and operations.

The BCP is designed to be a living document, regularly updated to reflect changes in our business environment, operational structure, and emerging threats. It incorporates feedback from regular testing and exercises, ensuring that our preparedness measures remain effective and relevant.

This guide will equip you with the knowledge and skills to craft a comprehensive business continuity plan (BCP).  A BCP outlines the procedures for your company to respond to and recover from disruptions, minimizing downtime and ensuring essential functions continue.

Step 1: Understand the Basics

• Purpose: You need to outline why you need the BCP in the first place. This can be something like to ensure that critical business functions can continue during and after a disaster.
• Scope: You also need to define the boundary for your business continuity plan. Your BCP should mainly cover your mission critical activities depending on the nature of your business. Ex. This BCP Covers all essential aspects of the business, including human resources, IT infrastructure, and physical locations.

Step 2: Conduct a Business Impact Analysis (BIA)

• Identify Critical Business Functions: Determine which processes are essential for the survival of your business.
• Assess Impact: Evaluate the impact of disruptions on these critical functions.
• Prioritize Functions: Rank the functions based on their criticality. The output of the BIA analysis should be your mission critical activities.

Step 3: Identify Risks and Threats

Based on your context, identify specific risks and threats that you face that would necessitate you to invoke your BCP. These include.

• Natural Disasters: Earthquakes, floods, hurricanes, Pandemics etc.
• Technological Issues: Cyber-attacks, system failures.
• Human-related: Strikes, key personnel loss.
• External: Supply chain disruptions, regulatory changes.

Step 4: Develop Recovery Strategies

At this point, you should determine the following key specific metrics.

• Recovery Point Objective (RPO): You need to determine your maximum acceptable amount of data loss measured as a time unit. This is the amount of time that has passed since your last data backup.
• Recovery Time Objective (RTO): You the need to determine the maximum acceptable length of time it will take you to restore your mission critical functions. This is the point beyond which of the disaster persists, then, the disaster becomes unacceptable. This is also referred to as the Maximum Tolerable Period of Disruption (MTPD).
• Alternative Sites: Ensure you plan for temporary work locations.
• Data Backup: Ensure you perform regular data backups for your systems according to your defined RPO. Ensure you also have a disaster recovery site.

Step 5: Create the Plan

At this point, you need to document the BCP. The outline below provides an overview of the plan and the main elements contained within the BCP.

1. Introduction and Overview
   • Document the purpose of the BCP.
   • Outline the scope and objectives of the BCP.
   • Define the key definitions and terminology.
   • Identify the Plan assumptions.
2. Roles and Responsibilities
   • Identify the BCP team.
   • Define roles, responsibilities, and authorities.
3. Incident Response
   • Put down the specific procedures for detecting and assessing incidents.
   • Outline the initial response actions to the incidents. This should be in line with your incident response procedure.
4. Activation of the BCP
   • Define the criteria for activating/invoking the plan.
   • Define who invoke the BCP and the steps to activate the plan.

5. Communication Plan
   • You the outline the Internal and external communication strategies. You define the communication’s team, communication channels, communication protocols, and key messages to be communicated. 
6. Scenario based Recovery Procedures
   • Detailed steps for recovering each critical business functions based on the threat scenarios. Here you document various threat scenarios and the specific steps you would take in each scenario. 
7. Testing and Maintenance
   • You shall the prepare for regular testing schedules.
   • Do periodic reviews on the BCP and update the procedures.
   • Conduct training programs, and test drills for staff.

Step 6: Implement the Plan

• Training: Train employees on their roles and responsibilities.
• Awareness: Ensure all employees are aware of the BCP and its importance.
• Documentation: Keep a detailed record of all procedures and updates.

Step 7: Test and Revise

• Regular Testing: Conduct regular drills and simulations.
• Review Feedback: Analyse the test results and feedback.
• Update the Plan: Make necessary adjustments based on test results and changes in the business environment.

Tips for Success

• Management Support: Ensure top management is involved and provides the necessary support.
• Clear Communication: Maintain clear and open lines of communication.
• Flexibility: Be prepared to adapt the plan as circumstances change.

Conclusion

Crafting a robust Business Continuity Plan (BCP) is essential for ensuring your organization’s resilience in the face of disruptions. By systematically identifying risks, defining critical functions, and developing response strategies, you can safeguard your business against unforeseen challenges. Remember, a well-prepared business is a resilient one.

To help you get started, here is a comprehensive Business Continuity Plan template to help you get started.

At Sentinel Africa, we are ready to assist you in writing your plan and establishing a comprehensive Business Continuity Management System (BCMS). Our expertise ensures that your organization is well-prepared to maintain operations and swiftly recover from any disruption. Reach out to us today to secure your business’s future.