business continuity plan victoria

This website requires JavaScript to be turned on.

• Business continuity plan

Get cash flowing back into the business

• Assess risks
• Crisis essentials checklist
• Your finances
• Protect your investments
• Emergency planning
• Booking cancellations

A business continuity plan outlines the steps to take after a crisis event to get your business up and running as soon as possible. The quicker you can return to regular operations, the faster you can get cash flowing back into the business to fund staff wages and other overheads.

Use the Business Continuity Plan using the below template.

Completing the Business Continuity Plan

Step 1: identify actions.

Identify the actions required to get your business operating again. These could include:

• repair or replace damaged equipment and infrastructure
• relocate the business to an alternate location, or identify new sites to conduct visitor activities
• temporarily contract operations
• multi-skill staff
• upload computer systems with backed up data
• organise a range of services for staff, such as counselling and taking time off
• communicate with employees, customers and suppliers.

Refer to your risk management plan to identify what's essential in keeping your business operational. This will give you a strong indication of what you should focus on to get your business operating again. If you don't have a risk management plan, spend time reviewing the  managing risk section.

Make checklists – this can help you work out the most important actions to take.

Step 2: Assign actions

For each action you've identified, decide who will be responsible for carrying out the task.

Step 3: Know your resources

Think about the resources you may have available. Organising your responses now will help you act fast in an emergency.

This might involve:

• Developing relationships with more than one business or supplier, so that if one is affected by an incident your business can continue as per usual.
• Having backup processes in place for key business documents and information. Consider keeping copies of invoices, customer records, bank account details and insurance policies that are vital to your business.
• Locating important information, such as those listed above, at a second site and updating it regularly.
• Planning for disruptions to electricity, gas, water, sewerage and telecommunications systems. Understand the backup systems and alternatives that are available.
• Preparing for broken machinery, damaged equipment and computer systems. Know who you can call on fix them by having their contact details at hand.
• Thinking about having another site you could operate your business from.

Step 4: Rank your actions

Prioritise your actions from high, medium to low to determine which actions to take first and when to undertake them. This will assist you in being efficient and effective in an emergency.

We acknowledge the Aboriginal Traditional Owners of Country throughout Victoria, their ongoing connection to this land and we pay our respects to their culture and their Elders past, present and future.

© 2023 Department of Jobs, Skills, Industry and Regions

This page was printed at:  

Please note

The Business Costs Assistance Program officially closed on 29 October 2021. No more top-up payments will be made under this program.

The Business Continuity Fund, jointly funded by the Commonwealth and Victorian Governments, provides a $5000 payment to businesses in 24 sectors that were affected by additional capacity limits when reopening in late July 2021 under COVID-19 restrictions.

This payment is in addition to the Business Costs Assistance Program July Top-Up payments announced on 16 and 21 July 2021, and the Business Costs Assistance Program Round Three payment announced on 6 August 2021.

The payment will go to recipients of the Business Costs Assistance Program Round Two and the Business Costs Assistance Program Round Two July Extension who are in 24 sectors that were affected by capacity limits when reopening in late July 2021 under COVID-19 restrictions.

Businesses in Melbourne’s CBD that receive a Business Continuity Fund payment will receive an additional $2000 payment.

Recipients will be contacted from mid-August to confirm they will receive a payment. Business Continuity Fund payments will be processed automatically.

For further information about the Business Continuity Fund payments, please read all the information on this page, including the frequently asked questions (FAQs) .

Businesses may also be eligible for assistance through other Victorian Government programs .

Frequently asked questions (FAQs)

Read the full list of FAQs .

Who will receive the Business Continuity Fund payment?

Recipients of the Business Costs Assistance Program Round Two and the Business Costs Assistance Program Round Two July Extension who are in 24 sectors that were affected by capacity limits when reopening in late July 2021 under COVID-19 restrictions will receive a $5000 payment.

On 28 July 2021, the Victorian Government also announced that businesses in Melbourne’s CBD that receive a Business Continuity Fund payment will receive an additional $2000 payment.

Who is not eligible to receive a Business Continuity Fund payment?

Businesses that did not receive a grant through the Business Costs Assistance Program Round Two or the Business Costs Assistance Program Round Two July Extension are  not eligible to receive the Business Continuity Fund payment.

Businesses that did receive a grant through one of these programs but do not belong to one of the 24 eligible sectors are also not eligible .

Businesses may be eligible for assistance through other  Victorian Government programs .

Grant amount

Business Continuity Fund recipients will receive $5000.

Businesses in Melbourne’s CBD that receive a Business Continuity Fund payment will receive an additional $2000 payment ($7000 total).

Please note these two payments will be made separately.

Processing your payment

Recipients will be contacted from mid-August to confirm they will receive a payment. Business Continuity Fund payments will be processed automatically.

Do I need to apply?

You  do not need to apply. It is an automatic payment to all eligible recipients.

Please read all the information on this page and the frequently asked questions (FAQs) if you have questions about your eligibility.

If you cannot find the information you’re looking for, please call the Business Victoria Hotline on 13 22 15 . The hotline is open seven days a week.

• Video summary
• Data dashboard
• Interactive graph
• Interactive map
• Interactive flowchart
• Interactive time line
• Summary data

Business Continuity During COVID-19

Tabled: 23 February 2022

Did business continuity arrangements enable the continuation of essential public services during the coronavirus (COVID-19) pandemic?

Why this audit is important.

The Victorian Government delivers a wide range of services that are vital to Victorians’ economic, financial and social wellbeing. It is important that the government can keep these services running during a disruption. 

To minimise the impact of disruptions, agencies need effective business continuity frameworks and actions. The COVID 19 pandemic has tested these arrangements.

Who we examined

We examined all eight Victorian Government departments, including the former Department of Health and Human Services.

We also included Cenitex, which provides ICT services to most departments. 

What we examined

We examined each department’s business continuity arrangements to check if:

• they prepared departments for a major disruption prior to COVID-19
• departments effectively implemented them during COVID-19 to maintain prioritised services.

We did not look at the state’s emergency response to COVID-19.

What we concluded

Before the pandemic, most departments’ business continuity arrangements were inadequate. This meant that their response to restoring and maintaining their prioritised services was reactive and less efficient and effective than it could have been.

Nonetheless, departments' incident management structures allowed them to quickly set up teams, provide clear communication and make decisions. This helped them make changes and prioritise services.

The failure to adequately plan and prepare for a long-term disruption to services from a major event—and specifically, a pandemic—is compounded because for many years, a pandemic has been recorded as a state-significant risk. 

Further, tests of business continuity planning arrangements in 2018 and 2019 found significant weaknesses in them, but many of these were not addressed.

Departments can be better prepared for foreseeable major disruptions by regularly testing their business continuity plans and treating them as living documents. 

What we recommended

We made two recommendations to the Department of Premier and Cabinet and the Department of Treasury and Finance about whole-of-government business continuity arrangements. 

We made one recommendation to the Department of Justice and Community Safety, the Department of Health and the Department of Families Fairness and Housing about developing standalone pandemic plans. 

We also made six recommendations to all departments, including four about improving business continuity preparation and two about reporting following a disruption.

Video presentation

Video transcript

Note: The number of prioritised services can vary as departments review their services and undergo structural changes. Source: VAGO, based on information from departments.

What we found and recommend

We consulted with the audited agencies and considered their views when reaching our conclusions. Their full responses are in Appendix A. 

BCM is a management process that includes frameworks, planning and actions to ensure that departments can deliver prioritised services following a disruption.

Preparedness versus response

The ability of government departments to continue providing services during a disruption depends on how well prepared they are and how they respond. Good business continuity management (BCM) is key to this.

We examined whole-of-government business continuity arrangements. We also looked at departments’ preparedness for a major disruption and their response to the coronavirus (COVID-19) pandemic. 

Whole-of-government arrangements

The ‘ Risk IDC ’, which is led by the Department of Treasury and Finance (DTF), helps the government identify and manage key shared and state-significant risks.

GSRN was established in 2015 to improve the resilience of Victorian Government departments and essential state systems. It is made up of all departments and Victoria Police.

Exercising is the process of training for, testing, assessing, practising, and improving an organisation’s business continuity performance.

A BCP is a document that outlines how a business will continue operating during an unplanned disruption and resume any services that have been disrupted.

COVID-19 has caused a disruption of a scale that most people have not experienced before. Responding to a pandemic is complex. It involves private industry and the public sector, emergency management, crisis management, and a health response.

However, a pandemic was foreseeable. For many years, statewide risk plans have listed a pandemic as a risk. In 2019, the State Significant Risk Interdepartmental Committee (Risk IDC) rated this risk as ‘likely’ to occur with ‘severe’ consequences.

Prior to COVID-19, the Victorian Public Service (VPS) had mitigation strategies for managing a statewide disruption. However, its focus was on the emergency response (protecting life, assets and the environment), not business continuity. 

Business continuity planning

In October 2018, the Government Sector Resilience Network (GSRN) ran Exercise Petunia to examine what would happen if a significant percentage of the population could not work due to a pandemic. This exercise used a multi agency pandemic scenario.

Prioritised services are the products, services, processes, activities and resources that a department must prioritise to avoid unacceptable impacts to its business. They are also sometimes referred to as ‘critical’, ‘essential’ or ‘key’. services.

Whole-of-government oversight

No single agency is responsible for coordinating prioritised services from a whole of government perspective. This means that each department largely acts on its own.

During the initial stages of COVID-19, the Department of Premier and Cabinet (DPC) took on a lead business continuity role for whole-of-government matters.

While this arrangement was beneficial, it was temporary and reactive, which led to some delays in communication and setting up processes. 

The Victorian Government set up the Crisis Council of Cabinet and VPS missions in April 2020. However, these groups have understandably focused on the emergency response. 

The Victorian Government set up the Crisis Council of Cabinet to oversee its COVID-19 response. It also established core VPS missions , which were led by the relevant secretary. These missions were designed to focus on specific elements of the COVID-19 crisis, such as health, economic development and public services.

Recommendations about whole-of-government arrangements

Preparedness: departments’ individual arrangements.

The ISO standard is an internationally recognised standard that sets out the core requirements for BCM.

BCM policies and procedures

All departments had BCM policies, procedures and response structures in place prior to COVID-19. While these had some minor gaps, they were mostly aligned with the requirements of the AS ISO 22301:2020 Security and resilience—Business continuity management systems—Requirements standard (ISO standard). 

However, preparedness involves more than just having policies. It requires departments and the sector to understand the services they provide, the impact a disruption would have on these services and how they should respond. 

A BIA is the process of analysing the impact that a disruption would have on an organisation over time.

The first step to do this is through a business impact analysis (BIA).

Business impact analysis

A BIA is one of the most important elements of business continuity planning. However, there are significant gaps in this practice across the departments.

A BIA should help an organisation:

• understand how a disruption might impact its services
• understand what services it should prioritise in a disruption
• identify the processes and resources that support its services.

However, many departments' BIAs did not fully assess the impact that a disruption might have on their services. They also did not all consider minimum resource requirements and the internal and external suppliers that their services need to run. 

These gaps can impact how effectively departments respond and maintain their prioritised services during a disruption.

Despite the importance of BIAs:

• only the Department of Education and Training (DET), the Department of Environment, Land, Water and Planning (DELWP) and the Department of Justice and Community Safety (DJCS) have organisation-wide BIAs
• DPC had not undertaken a BIA since 2016
• the Department of Transport (DoT) and the Department of Jobs, Precincts and Regions (DJPR) did not undertake a BIA in 2019 after significant machinery-of-government changes. DoT stated that this is because it did not finalise its structure until December 2019.
• DET was the only department that had BIAs that included all elements of the ISO standard prior to COVID-19.

Business continuity plans

Organisations should use the information they gather through their BIAs to develop strategies to ensure they can maintain their prioritised services during a disruption. Departments document these strategies in their BCPs. However, we found several issues with departments’ BCPs prior to COVID-19, which Figure A shows.

Figure A: Gaps in BCPs

Note: *Activation criteria are a list of factors that departments use to decide if an event is likely to disrupt services and if they need to use their BCPs.  Source: VAGO assessment of departments’ BCPs prior to COVID-19.

Practising for a disruption

Departments need to exercise their BCPs to ensure they will be effective in a disruption. They also need to ensure that staff know how to respond. 

Exercising BCPs

Only DET and DJCS had a clear program of exercising and tracking recommendations for their entire BCM program.

Types of BCM exercises range from simple discussion-based, desktop exercises to familiarise staff with a BCP to complex full scale exercises that require an organisation to activate its BCP.

Departments often limited their BCM exercises to small-scale or desktop exercises, such as testing SMS functionality or testing the impact of a disruption on one or two business units. 

Limited exercising of complex disruptions means that departments have missed opportunities to train staff and identify and implement lessons learnt, such as workforce planning or large-scale communication issues. 

Staff training and resourcing

DELWP, DET and DJCS were the only departments that had dedicated training for business continuity staff. This means that business continuity personnel may not have the necessary skills and competencies to fulfill their roles during a disruption.

The Department of Health (DH) and DPC also do not have dedicated BCM resources. This further reduces their ability to take preventative action and respond to a disruption. 

Recommendations about departments’ preparedness for a major disruption

Response: individual departments, departments’ pandemic planning.

A pandemic is a unique disruption. Pandemics can affect multiple areas, such as staffing, suppliers, site availability and occupational health and safety, and therefore require specific response strategies. Only DELWP, DET and DPC had a pandemic plan prior to COVID-19. This means that departments spent valuable time developing plans during the pandemic.

During the initial stages of COVID-19, DJPR, DoT and DTF finalised their pandemic plans and DELWP, DET and DPC updated theirs. We found that departments’ pandemic plans contained varying levels of detail. For example, DJPR and DoT did not list all of their prioritised services in their plan. 

We also found that:

The Victorian action plan for influenza pandemic (2015) sets out Victoria’s strategic approach to reduce the social and economic impacts and consequences of a pandemic. It also recommends that departments develop their own pandemic plans that include plans to resume interrupted services. 

• while the Department of Health and Human Services (DHHS) (now DH) has a pandemic plan for the health sector and coordinated the development of the Victorian action plan for influenza pandemic , DH and the Department of Families, Fairness and Housing (DFFH) do not have pandemic plans for their departments.

As a result, there is a risk that departments have not planned for or mitigated the threats to their business continuity due to a pandemic.

Incident response

Incident management plans and teams form part of broader BCM. They focus on the immediate response. Key features include:

• a response group to manage the crisis
• senior-level involvement and accountability
• internal and external communication plans
• activation protocols.

Departments use incident management plans to coordinate their strategic response to a crisis. They are also known as crisis management plans. 

All departments used BCM incident response teams to respond to COVID-19, except DoT, which developed a specific COVID-19 task force, and DELWP, which used its critical incident management team. These structures were essential because they helped departments:

• quickly make and communicate key decisions
• address gaps in understanding of their prioritised services (particularly at a whole-of-department level)
• transition to remote working.

A department’s decision to activate a BCP is discretionary and based on its assessment of risks and impact.

Only DHHS, DJCS, DPC and DTF activated all of their BCPs. Other departments activated some on a group basis or none at all.

DELWP activated its critical incident management plan to manage the effects of COVID-19 on its department. Both DELWP and DET introduced specific activation criteria during COVID-19 to help staff understand when they should use their BCPs. 

Maintaining services

During a disruption, departments may need to temporarily stop some services to focus on their prioritised services. 

Most departments must deliver their prioritised services to ensure public safety or to meet their legislative obligations. 

Data on prioritised services

Organisations use MTPDs to describe the timeframes that their key products and services can be unavailable for before they deem the impact unacceptable.

Departments told us that they were able to provide their prioritised services during the pandemic. However, only DET, DELWP, DJCS and DTF have a comprehensive list of prioritised services in an organisation-wide BIA or BCP. Further, no department comprehensively tracks disruptions at an organisational level against its listed maximum tolerable periods of disruption (MTPDs).

Departments relied on staff knowledge to identify instances where a disruption to their services was likely. They then used their crisis management processes to track and report on selected services. However, all departments did not do this for all of their prioritised services. 

Following a disruption, departments assess their response through their post-incident review (PIR) process. Although COVID-19 is ongoing, DELWP, DJCS, DPC and DTF have conducted PIRs or wider reviews of their BCM. 

An RTO is how quickly minimum levels of service and/or supporting functions and resources, such as systems and applications, must be recovered following a disruption. RTOs need to be shorter than MTPDs.

However, the incident reporting processes and PIRs we reviewed did not clearly list departments’ prioritised services, their recovery time objectives (RTOs), MTPDs, and if they met them.

Without detailed data on prioritised services, we looked at departments’ other performance measures. While all departments have key performance metrics for their Budget Paper No. 3: Service Delivery (BP3) measures, they do not have BP3 measures for all of their prioritised services. As a result, we could not determine if departments:

• had service disruptions that exceeded their MTPDs
• had reduced service levels (as indicated in some BP3 measures), or 
• maintained services as normal. 

We also surveyed business continuity staff at each department. The results of our survey indicate that despite departments’ assertions, there were respondents who reported that they were not able to restore all services within their MTPDs. 

Transition to remote working

To reduce the impact of a disruption, BCPs need to cover a range of impacts, including when staff are not available or cannot work from their physical office location. 

Departments did not foresee that a pandemic would result in such a widespread, immediate and long-term need to work remotely. Many departments had to onboard additional staff to support the emergency response or backfill roles. Departments also had to change the way they delivered many services. 

DELWP, DHHS, DJCS, DJPR and DoT could not immediately transition their entire workforce to remote working due to inadequate planning in their BCPs, a lack of equipment (such as laptops or remote access), issues with technology, their size and their complexity. 

All departments, except for DET, rely on Cenitex to access ICT services. Transitioning public servants to a largely work-from-home model put significant strain on Cenitex and the network. Cenitex service requests increased from 22 104 in February 2020 to 33 389 in March 2020. Departments also reported significant connectivity issues. 

Cenitex's capacity to deliver at this scale was not tested prior to COVID-19.

Surge workforce issues

Key areas, such as health and law enforcement, needed additional staff to respond to the pandemic. This had a flow-on effect in other departments as staff were seconded to assist with the emergency response. 

Only DELWP, DJCS and DHHS considered surge workforce issues in some of their BCPs. This meant that most departments had not adequately considered surge workforce issues for their business-as-usual services. 

Further, there is no whole-of-government surge workforce policy that addresses workforce movements to fill internal vacancies during an extended disruption.

Recommendations about responding to a disruption

Back to top

1. Audit context

The Victorian Government delivers a wide range of services that are important to Victorians’ economic, financial and social wellbeing—from managing state finances to child protection, transport and criminal justice. 

Disruptions to these services can have a significant negative impact on communities, businesses and industries. Effective business continuity strategies ensure that departments can respond quickly to disruptions and continue to deliver prioritised services to the community.

This chapter provides essential background information about:

• What is BCM?
• The Victorian Government’s response to the COVID-19 pandemic
• Roles and responsibilities
• Prioritised services

1.1 What is BCM?

All businesses, whether government or non-government, need to ensure that they can anticipate, prepare for, respond and adapt to change and sudden disruptions to continue their operations. This is known as organisational resilience. Business continuity is a key element of organisational resilience. 

BCM is a management process that includes frameworks, planning and actions to ensure that departments can deliver prioritised services following a disruption. It is a continuous process that requires commitment from senior management and ongoing monitoring and reviews. Figure 1A outlines the BCM process.

FIGURE 1A: The BCM process

Source: VAGO, based on the ISO standard.

BCM standards

The ISO standard outlines what organisations should include in their BCM processes. While Standards Australia adopted the ISO standard in 2020, it is identical to the recognised international standard for BCM: ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements (ISO 22301:2019). 

Prior to COVID-19, the Standing Directions 2018 Under the Financial Management Act 1994 (Standing Directions) required agencies to align with the Australian standard on business continuity (AS/NZS 5050:2010 Business continuity—Managing disruption related risk ) or an internationally recognised standard. The international standard for BCM prior to COVID-19 was ISO 22301:2019. All departments used this standard or its earlier 2012 version. 

The response continuum

Business continuity, crisis management, emergency management and disaster recovery are interrelated and exist along a continuum to return an agency to a normal (or ‘new normal’) operating level after a disruption. Figure 1B shows this response continuum. 

FIGURE 1B: The response continuum

Source: VAGO, based on publicly available information and sources, including the Business Continuity Institute.

The incident determines what plans are activated, as Figure 1C shows.

FIGURE 1C: Different types of response plans

Source: VAGO, based on publicly available information, including the ISO standard and the Business Continuity Institute.

This audit looked at business continuity, or departments’ internal responses and ability to continue delivering their prioritised services. We did not assess their emergency response to the pandemic.

1.2 Victorian Government response to the COVID 19 pandemic

The World Health Organization (WHO) officially declared COVID-19 a pandemic on 11 March 2020. COVID-19 has caused a disruption of duration, complexity and impact that most people have not seen in their lives. 

Influenza pandemics have historically occurred every 10 to 50 years, caused high rates of illness and death and resulted in severe social and economic disruption. 

Various government bodies, such as Emergency Management Victoria, DJCS, DJPR and DHHS, have been (and still are) responsible for managing various aspects of the state’s emergency response to the pandemic, including quarantine, business grants and the health response. 

Departments continue to respond to the challenges of COVID-19, which has been the first novel coronavirus pandemic in Australia. This has meant that departments have needed to adapt depending on health advice, changing virus transmission and government policy decisions.

The pandemic has reshaped how many organisations, including the VPS, work. Tens of thousands of VPS employees transitioned to remote working in March 2020. 

Figure 1D presents a timeline of relevant events relating to the COVID-19 pandemic in Victoria.

FIGURE 1D: Timeline of relevant events 

Source: VAGO, based on publicly available information.

1.3 Roles and responsibilities

Government departments.

Legislation requires departments to plan for disruptions. The Standing Directions requires each department to:

• have business continuity planning processes that are consistent with the latest Australian standard on business continuity (this is the ISO standard)
• ensure that it reviews and tests its business continuity processes on a regular basis (at least every two years)
• annually assess its compliance with the business continuity requirements in the Instructions supporting the Standing Directions 2018 under the Financial Management Act 1994 (Standing Directions Instructions) and report any compliance deficiencies to DTF.

The business continuity requirements in the Standing Directions Instructions are issued under the Financial Management Act 1994 . As a result, DTF’s focus is primarily on business continuity matters in the context of financial risk management.

All departments had incident or crisis management processes and BCPs in place both prior to and during COVID-19. 

Machinery of government changes

In February 2021, DHHS became two new departments—DH and DFFH. We use ‘DHHS’ in this report except for in the recommendations and when we refer to actions that the new departments have taken since February 2021.

DoT and DJPR also had machinery of government changes that affected their business continuity processes. On 1 January 2019, the Victorian Government split the Department of Economic Development, Jobs, Transport and Resources (DEDJTR) into two departments—DoT and DJPR. On 1 July 2019, the government also merged Public Transport Victoria and VicRoads into DoT. DoT announced its final structure on 25 November 2019, which took effect from 9 December 2019.

Cenitex delivers a range of essential ICT services to departments and other agencies, such as network services, security and hosting, professional services, workplace computing, service management and cloud services. Cenitex’s ability to provide key ICT services during a disruption is an important element of business continuity in the VPS.

All departments, except for DET, rely on Cenitex for ICT.

We looked at how Cenitex managed remote service delivery for departments but did not review its business continuity arrangements. 

Other decision-making and business continuity groups

In response to the pandemic, the Victorian Government established the Crisis Council of Cabinet in April 2020 as the core decision-making forum for all COVID-19-related matters. New VPS missions supported the Crisis Council of Cabinet to help the state respond to and recover from the pandemic.

There are also several information-sharing groups that relate to business continuity. We outline these groups in Figure 1E. 

FIGURE 1E: Relevant information-sharing groups

Note: 1 Cenitex is not included in any of these groups. Note: 2 Meetings were put on hold in 2020 when the government established several other bodies to coordinate its response to COVID-19. Source: VAGO, based on committee meeting minutes and departmental documentation.

In addition to these groups, some departments also set up their own interdepartmental working groups. For example, DJCS, DHHS, DJPR and DELWP had business continuity working groups to share ideas and help them work through issues as they occurred.

1.4 Prioritised services

Each department develops its own list of the prioritised services it needs to deliver. Failure to deliver these services is likely to cause significant damage to the department or its reputation. 

In 2017, DPC commissioned a project on behalf of GSRN to consider services from a whole-of-government perspective. The project aimed to: 

• strengthen the Victorian Government's resilience 
• define and identify 'mission critical' departmental services
• identify services that would be critical to the Victorian community during a major emergency or disaster
• enhance the government’s ability to maintain these services during a sustained disruption. 

As a result of this project, DPC identified 28 whole-of-government prioritised services, including 20 community-facing services and eight within-government support services. As Figure 1F shows, these services centre around four key themes.

FIGURE 1F: Key themes for whole-of-government prioritised services

Source: VAGO, based on GSRN's 'Identification of whole-of-community critical services delivered by Victorian Government departments’ report.

2. Preparedness for a disruption

The VPS was not adequately prepared for the COVID-19 pandemic. 

The VPS had limited central oversight and leadership on business continuity. This meant that it was not able to harness lessons learnt across all departments, and departments did not have a clear understanding of whole of government business continuity priorities in a large-scale disruption. 

Departments had various business continuity policies, procedures, plans and structures in place. However, not all BCPs and BIAs aligned with key elements of the ISO standard and were suitable for dealing with a complex and long-term disruption. This reduced their effectiveness during the disruption. 

This chapter discusses:

• Whole-of-government business continuity preparedness
• Departments’ BCM governance
• Departments’ BIAs
• Departments’ BCPs
• Validating and improving BCM

2.1 Whole-of-government business continuity preparedness

Since at least 2018, the Risk IDC has continued to note in its risk scans that a statewide emergency (such as a natural disaster, pandemic, or health crisis) is a state-significant risk. Further, in 2019, it assessed that this risk would be of ‘severe consequence’ and was ‘likely to occur’. 

Various controls and mitigation strategies have been in place to minimise the impact of such a disruption. They focus on the state's emergency response and include:

• initiatives on emergency warnings, responding and monitoring 
• developing the National Disaster Risk Reduction Framework and the State Emergency Management Plan
• multi-agency emergency management exercises to test their preparedness, response, and recovery processes.

The mitigation strategies also involve:

• Emergency Management Victoria working with departments to develop surge workforce capacity to respond to an emergency
• planning for the Victorian Preparedness Goal across all departments, which is a long term project to:
• identify the key capabilities that departments require in an emergency
• improve staff training and skills to help departments’ response.

No department or agency is responsible for leading or delivering multi-agency exercises that specifically include business continuity. Each department is responsible for exercising and testing its own individual plans, which limits its understanding of how plans and departments interact in a large-scale disruption. 

Whole-of-government coordination

Victoria has structures for whole-of-government emergency management and coordination but not for business continuity. There is also no lead department to drive best practice for the whole sector or ensure that lessons learnt from earlier disruptions are captured and shared. 

However, there is some inter-agency collaboration on business continuity. As Figure 1E shows, this includes GSRN, the BCM—Multi-Agency Forum, ICRS (pre-April 2020) and PSAC (post-April 2020). Agencies use these forums to share lessons learnt and suggest improvements but there is no responsibility for tracking and implementing improvements. 

Understanding whole-of-government services 

In addition to central coordination, it is also important that the government understands and identifies the most important services that different departments deliver.

This helps the government decide and prioritise its resources and actions during a disruption. It also helps departments prepare for a statewide emergency.

On behalf of GSRN, DPC commissioned a project in 2017 to define and identify whole-of-community critical services across the sector. We outline these services in Section 1.4.

GSRN highlighted the importance of this work and stated that: 

‘Whilst all departments have lengthy lists of critical functions identified through 'bottom-up' business continuity processes, these lists do not necessarily reflect a strategic, whole-of-department top-down agreement as to the importance of the continuity of the services that these functions underpin’.

GSRN recommended that the government completes further work to address:

• staff redeployment in an emergency
• departments' dependencies and interdependencies, such as their relationships with other departments and third-party suppliers
• emergency management and cyber attacks.

In June 2018, ICRS approved an implementation strategy and paper on GSRN's report. It recommended that each department review its whole-of-community critical services to manage identified vulnerabilities, including:

• loss of specialist staff
• staffing resources for a prolonged emergency
• loss of access to ICT (departments noted dependencies, such as licences or specific ICT systems)
• poor communication between departments.

Departments introduced a number of strategies to address these issues, such as new ICT solutions. However, we found that weaknesses still exist, such as surge resourcing and access to technology. We discuss these issues in Chapter 3. 

Following a request from ICRS, DPC sought information on departments’ preparedness and received departments’ completed reviews in 2019 and January 2020. Some examples of vulnerabilities identified in these reviews include:

• departments' heavy reliance on third-party suppliers, such as Cenitex
• the need to redeploy staff to support service delivery during a major emergency. 

DPC advised us that there was some whole-of-government COVID-19 coordination through ICRS, and later PSAC. However, it did not provide advice to departments on the vulnerabilities identified. This was a missed opportunity to improve whole of government preparedness.

Whole-of-government training and exercising

The ISO standard requires departments to undertake exercising because it is an important part of preparing for disruptions. 

In October 2018, the then DEDJTR and DHHS led a multi-agency exercise on behalf of GSRN. This was known as Exercise Petunia and was based on a major influenza pandemic scenario. Its purpose was to understand:

• state arrangements and responses during and after a pandemic
• interdependencies and communications between the government during a complex event.

Exercise Petunia also identified that departments need to consider surge resourcing during a disruption. It observed that:

‘There will likely be a need for surge capacity during the recovery phase in order to address the backlog of works/activity resulting from the prolonged reduction in business as usual’.

While departments’ surge resourcing considerations focus on emergency response roles, there is also a need for surge capacity to backfill business-as-usual roles. This has been challenging for the VPS during COVID-19. We look at surge capacity issues further in Chapter 3.

Departments’ preparedness

Each department is responsible for having BCM systems and processes that align with the ISO standard to prepare them for a disruption. The rest of this chapter discusses departments’ business continuity governance, BIAs and BCPs prior to the COVID-19 pandemic. It also discusses how departments validate and improve their BCM.

2.2 Departments' BCM governance 

Effective BCM requires leadership and commitment from senior management and proper resourcing, reporting and monitoring. Departments detail these governance arrangements in their business continuity policies and procedures. 

Policies and procedures

A business continuity policy is a key document that outlines the purpose, context, scope and governance of an organisation’s BCM program. 

Prior to COVID-19, all departments had business continuity policies and procedures that outlined BCM roles, responsibilities and governance. While these mostly aligned with the ISO standard, we found gaps in all departments’ policies and procedures except for DET’s.

We also found that DJPR, DPC and DTF had policies and procedures that contained duplicated or overlapping information. This meant the documents were less effective and contained outdated, confusing or incorrect information. 

Accountability and reporting structures

Prior to COVID-19, all departments outlined BCM accountabilities for senior staff in their policies, procedures and/or plans. We found that DET demonstrated strong commitment to its BCM by providing regular BCM staff-wide communications and endorsing specific training programs and modules to uplift its BCM capability, which is in line with the ISO standard. However, DJCS, and DoT and DTF's secretaries did not articulate a clear commitment to BCM in their policies and procedures. 

We also found that: 

• as at January 2022, DPC and DH do not have dedicated business continuity resources
• DJPR did not set up its BCM function until late 2019 due to changes within its organisation.

This reduces their ability to focus on business continuity issues. 

Regularly reporting business continuity matters ensures that a department understands its readiness for a disruption and has recovery strategies in place that reflect its current operations. Departments report on their BCM program to their audit and risk management committee via their annual attestation under the Standing Directions and more frequently during large-scale disruptions. 

BCM training

The ISO standard requires that all staff who are involved in BCM have the appropriate level of training and experience. However, we found that prior to COVID-19, only DELWP, DET and DJCS had a dedicated BCM training program. 

We surveyed departments’ business continuity staff in August 2021 and asked them about their understanding and experience of BCM both prior to COVID-19 and at the date of the survey. Our survey results showed that prior to COVID-19:

A business continuity qualification includes a professional certification, such as from a bachelor degree or postgraduate degree, that specifically covers BCM.

• 13 per cent of respondents did not have any BCP experience
• 55 per cent of respondents experienced informal on-the-job training
• the remaining respondents reported that they received uncertified internal or external training (24 per cent) or had a business continuity qualification (8 per cent).

Most staff (64 per cent) indicated that they did not have any formal training at all or the training they received was after March 2020. Despite this, most staff reported that they understood their role in BCM. 

However, 20 per cent of staff did not know where to find their BCPs and 24 per cent did not know where to find their BCM policy prior to COVID-19, as Figure 2A shows. 

FIGURE 2A: Survey responses on staff BCM knowledge

Note: We received 194 responses to these questions. Source: VAGO survey.

2.3 Business impact analysis

Departments need to clearly understand the activities and processes they deliver and how a disruption might affect them. A BIA is a key element of this.

Assessing prioritised services

The ISO standard requires departments to undertake BIAs at planned intervals or when their organisation significantly changes. However, three departments could not demonstrate that they did this prior to COVID-19:

• DPC had not undertaken any BIAs since 2016.
• DoT and DJPR (as DEDJTR) undertook BIAs in 2018. However, they did not undertake BIAs in 2019 after significant machinery of government changes that year. DoT stated that this is because it did not finalise its structure until December 2019.

This increases the risk that these departments did not have all of their services or mitigation strategies in their BCPs.

It is also important that departments conduct and drive BIAs, not individual business units. As GSRN’s guide ‘Key Success Factors in business continuity management (2015)’ says:

‘It is often difficult for managers to objectively determine the criticality of their own business processes in terms of supporting the agreed key services. The tendency is for individuals to consider their process as more critical than it actually is, thus requiring significantly more investment in either interim workarounds or speedy function resumption than is necessary or desirable on a cost-benefit basis’.

Undertaking BIAs at a business unit level can lead to unrealistic RTO and MTPD timeframes. It also makes prioritising services in complex scenarios more difficult. 

We found that DET, DELWP and DJCS had assessed their services from a whole of organisation view and had organisation-wide BIAs prior to COVID 19. However, only DET had evidence of both executive approval for its organisation-wide BIA and BIAs that met the ISO standard. 

We also found common gaps in departments’ BIAs, which we detail in Appendix D. 

Note: *DJPR and DoT had significant machinery of government changes in January 2019. As a result, both departments had not updated their BIAs prior to COVID-19 (March 2020).

2.4 Business continuity plans

Departments should use the information they gather through BIAs to design solutions to help them respond to disruptions. Departments document these solutions in their BCPs, which can be strategic or operational.

A pandemic plan is a specific type of response plan that helps an organisation to respond to the unique challenges of a pandemic. As departments are large and complex, it is good to have a pandemic plan as well as strategic and operational BCPs. BCP triggers should direct departments to activate their pandemic plan if necessary. 

A department’s ability to understand its strategic priorities is particularly important during complex disruptions that affect multiple units or agencies. This helps the department focus its resources on its core objectives. The ISO standard does not specifically require organisations to have an organisation-wide BCP but it states that they must have plans that are appropriate to their scale and size.

While all departments had BCPs at a business group or divisional level prior to COVID-19:

• DHHS did not have a pandemic plan for its department (despite coordinating the development of the Victorian action plan for influenza pandemic)
• DJCS incorporated pandemic strategies into its BCPs
• DJPR and DoT had not approved a new pandemic plan since their machinery of government changes 
• only DELWP, DET and DTF had an organisation-wide BCP that included a consolidated view of their overall prioritised services to ensure they had considered them and had appropriate response strategies. This is helpful due to the scale and variety of BCPs and prioritised services within departments. 

Complexity and focus 

According to the Business Continuity Institute’s Good Practice Guidelines 2018 Edition , BCPs should be focused, concise, specific and easy to use because organisations rely on them in high-pressure, time-limited situations. We found that:

• except for DJCS and DJPR, departments have overly complex and/or inconsistent BCPs. Many BCPs include information that is already in their BCM procedures, frameworks and/or policies
• DTF has a BCP summary in a one-page format, which makes it easy for staff to quickly understand their key actions and responsibilities in a disruption. This is good practice, but only a small number of its group BCPs are in this format. 

Further, all departments’ BCPs focused on short-term or localised disruptions, which is a common business continuity practice. While short-term disruptions can be complex in themselves, it is also important to have flexible and living BCPs and strategies to address disruptions that affect the whole department, multiple departments or the sector over a long period of time. This is supported by Exercise Petunia in 2018, which found that departments needed to plan for more sustained disruptions and coordination across all sectors. The Business Continuity Institute's Good Practice Guidelines 2018 Edition also suggests that agencies should devise short, medium and long term strategies depending on the type of crisis.

DELWP acknowledged the importance of planning for a complex, long-term disruption following a significant fire in one of its buildings in 2018. It established its Critical Incident Management Framework in 2015 and updated it in 2019 following the fire. This framework provides integrated guidance on emergency management, business continuity, disaster recovery and crisis management. 

Assessing BCPs against the ISO standard

Prior to COVID-19, only DET had BCPs that were all up to date and aligned with the ISO standard. This is still the case. Common gaps, which we provide more detail on in Appendix D, include:

Despite Exercise Petunia’s observations before the pandemic, departments still do not have BCPs that prioritise all of their essential services and assess the scalability of their services. 

2.5 Validating and improving BCM

As highlighted by the ISO standard, departments should

Validation involves ensuring that a department has effective BCPs and a BCM program that meets its policy objectives. It includes exercising, maintenance and review activities.

validate their BCM arrangements on a regular basis to ensure they are suitable and effective to use during a disruption. During this process a department should:

• review its BCM arrangements, including policies, plans and procedures
• conduct exercises to train for, test, assess, practise and improve its business continuity performance
• conduct internal and external audits of its BCM
• complete PIRs.

Conducting exercises

Departments use many different types of exercises to test and validate their BCM performance. These exercises range from simple discussion-based desktop exercises to familiarise staff with their BCPs to live, complex, full-scale exercises where a department activates a BCP.

Despite its importance, only DET and DJCS had a clear program for exercising, validating and tracking recommendations for their entire BCM program prior to COVID-19. Appendix D contains further details about this.

Further, departments often limit their testing to desktop exercises. While desktop exercises can increase BCP teams’ awareness, they often only evaluate broad principles and may not provide a true indication of how effective a department’s BCP response will be in an actual event.

Internal and external audits and reviews

Internal and external audits and reviews can help departments assess the effectiveness and practicality of their business continuity processes. Audit findings allow departments to identify weaknesses in their BCM programs and develop action plans to uplift their capability. 

However, only DET, DHHS, DJPR, DoT and DTF had conducted audits or reviews of their BCM program in the two years prior to COVID-19. 

Post-incident reviews 

Real-life disruptions give valuable insights on how effective a department’s response to an incident was. A department should complete a PIR following a disruption to harness learning opportunities by both reinforcing strengths in its business continuity processes and identifying any gaps. Departments can also use recent disruptions as an alternative to undertaking an exercise for a similar type of event.

DET, DELWP, DHHS, DJCS and DPC completed PIRs for disruptions that occurred prior to COVID-19. These PIRs related to sustained power ICT outages, water disruptions and electrical faults. We discuss post-COVID-19 PIRs in Section 3.5.

Implementing improvements

Exercising, internal and external audits and PIRs are valuable because they help departments continuously improve their BCM capabilities. This has helped some departments address issues prior to COVID-19 and uplift their readiness to respond to the pandemic by:

• confirming that business continuity staff contacts are up to date and staff are familiar with their roles and responsibilities 
• improving staff awareness and knowledge of business continuity
• identifying and implementing process improvements
• optimising communication during a disruption.

Figure 2B provides an example of how DELWP learnt from a past disruption to improve its BCM capabilities prior to COVID-19. 

FIGURE 2B: Case study: Learning from prior disruptions

In 2018, DELWP experienced a fire at its 8 Nicholson Street building. This resulted in a significant extended disruption where approximately 1 500 staff had to relocate, some for up to eight months. 

DELWP responded by activating its critical incident management team. The team’s responsibilities included leading and coordinating the department’s response, communications, reporting and business continuity. 

This helped DELWP respond by:

• facilitating communications to all staff through multiple channels, for example, twice-daily critical incident briefings and weekly progress reports
• assisting in relocating staff to alternative work sites
• rolling out more than 500 new devices for remote working.

As staff could not work onsite, the disruption also resulted in a significant uptake of digital technologies and helped DELWP show the benefit of flexible working arrangements. 

The disruption also highlighted issues with DELWP’s BCM, including:

• communication issues 
• limited training for BCM staff
• its list of prioritised business functions was outdated. 

DELWP addressed these issues to improve its BCM and critical incident management system prior to COVID-19.

Source: VAGO, based on information from DELWP.

3. Response to COVID-19

Departments responded quickly and flexibly to COVID-19 and continue to do so. Departments’ BCM processes, structures and strategies have helped them quickly set up teams, make decisions and communicate to staff. 

However, departments were not sufficiently prepared for a complex disruption. This meant they had to invest resources into developing documents, streamlining processes, upgrading technology and transitioning to remote working during the early stages of the pandemic. 

While departments report that they continued to operate their prioritised services within their business continuity timeframes, a lack of sufficient data means that departments have limited assurance that they were able to do so.

• DPC’s role during COVID-19
• Departments’ BCM arrangements during COVID-19
• Departments’ workforce capacities
• Maintaining prioritised services
• Lessons learnt

3.1 DPC’s role during COVID-19

While various bodies were responsible for managing aspects of the state’s emergency response to COVID-19, there was limited whole-of-government focus on business as usual services. 

As there was no lead business continuity agency prior to COVID-19, DPC took on this role. However, as it is not one of DPC’s permanent functions, it has been limited to key aspects of the pandemic response, including: 

• supporting the VPS missions 
• reviewing departments’ BCPs and pandemic plans
• developing and managing whole-of-VPS communications
• helping the VPS transition to remote working.

Supporting the VPS missions 

DPC established a specific unit to oversee the VPS missions’ work programs. It also chaired PSAC, which met weekly in the early stages of the pandemic. Meeting minutes suggested that these meetings:

• considered whole-of-government issues, such as staff wellbeing and remote working 
• discussed COVID-19 initiatives underway, such as health advice and post-pandemic work reforms.

Reviewing BCPs and pandemic plans

In March 2020, DPC reviewed departments’ BCPs and pandemic plans to ensure they were prepared to manage the risk of service disruptions.

DPC found that departments needed to undertake further work on their plans and it developed a list of issues for them to address. However, DPC advised us that it has not monitored if departments have successfully addressed these issues because this is outside its role. This is a missed opportunity to improve departments’ preparedness for service disruptions. 

We reviewed departments’ BCPs and pandemic plans and assessed them against key issues (including those that DPC identified). In March 2020, DJPR, DoT and DTF finalised their pandemic plans and DELWP, DET and DPC updated theirs. However, DJCS, DH and DFFH still do not have a standalone pandemic plan. 

We also found that the remaining departments addressed some (but not all) of DPC’s improvement suggestions. For example:

Inter-agency communication

DPC coordinated whole-of-government COVID-19 communications, including information to share across the VPS. However, prior to COVID-19 there was no written guidance on how departments should: 

• communicate or escalate whole-of-government issues 
• access or share resources within the VPS to deal with surge resourcing issues
• prioritise services at a whole-of-government level. 

Several departments told us that there were initial delays and confusion about communicating whole of government issues. This included issues around the requirement to work from home, if staff could take office equipment home or communicating to staff about a positive COVID-19 case.

3.2 Departments’ BCM arrangements during COVID-19

Departments used their BCM arrangements during COVID-19 to varying degrees:

• All used their incident response structures, except for DoT, which developed a specific COVID-19 task force.
• Some activated their BCPs.
• Most developed specific COVID-19 guidance or amended their pandemic plans to assist them early in the pandemic. 

As discussed in Chapter 2, departments’ BCPs were not designed for a complex long term disruption, so departments heavily relied on their incident response structures and staff flexibility during this time. 

Incident response structures

Incident response structures help a department to clearly understand who is responsible during a disruption and how it should make decisions.

These structures, which include senior leadership and operational staff, have allowed departments to make decisions quickly during the pandemic. All departments used BCM incident management teams to respond to COVID-19, except DoT, which developed a specific COVID-19 task force, and DELWP, which used its critical incident management team. All departments’ incident management teams: 

• meet regularly
• involve key and senior stakeholders
• have enabled whole-of-department coordination and communication.

Minutes from these meetings show that departments have made many complex decisions during COVID-19. Departments have used these meetings to consider their response, reassess their prioritised services and respond to changing health advice. 

While incident response structures are an essential part of departments’ COVID-19 response, they have some limitations. For example, they:

• centralise decision-making, which resulted in some delays at a local level. For example, regional DELWP staff waited nearly six hours for its central office to authorise and issue communications about a suspected COVID-19 case
• may rely on advice from other government departments, such as the whole of government position on workforce or health issues.

Activating BCPs

A department’s decision to activate its BCPs is discretionary. While BCPs list factors that staff should consider when making activation decisions, these are broad. For example, BCPs often require a department to assess the impact of a disruption and if it is likely to affect its prioritised services or damage its reputation.

While all departments activated their crisis or incident management teams, they did not all activate their BCPs consistently. For example:

DELWP and DET had specific activation criteria to help staff understand when they should use their BCPs during the pandemic. For example, a business unit should activate its BCP if it experiences staff absenteeism between 25 to 30 per cent. 

DHHS and DJCS also considered specific mitigation strategies during staff absences of 10, 25 and 40 per cent. This is good practice because it helps business units clearly understand when they should activate their BCPs. However, most departments have not had significant levels of staff absenteeism from COVID 19.

3.3 Departments' workforce capacity

During the pandemic, the VPS workforce had to quickly adapt to non-traditional workplace arrangements and handle surge resourcing requirements. Departments’ ability to effectively respond to these changing conditions helped them to continue delivering services in a new working environment.

While departments had BCPs, they did not have strategies to prepare them for remote working and surge capacity during a long-term disruption. There also was no whole-of-government policy for staff redeployment for continuity of government services. This meant that departments responded reactively to COVID-19 and devoted their resources to developing new remote working processes and addressing surge capacity issues. 

Remote working

Remote working was crucial to departments’ pandemic responses. It helped them to continue delivering services when social distancing measures were introduced.

While some services cannot be delivered remotely, such as prison services or emergency child protection, all departments were able to transition most of their workforce to a remote working environment. This took a significant amount of time and investment. 

DELWP, DHHS, DJCS, DJPR and DoT could not immediately transition their entire workforce to a remote working environment due to their lack of preparedness, technology limitations, size and complexity. This meant that these departments had to do extra work to increase their remote working capabilities.

Departments’ technology capabilities varied, with some departments being more prepared to transition staff to a remote working environment than others. Prior to COVID-19, DET, DPC and DTF had equipped most or all their workforce with laptops and remote access, which assisted their remote working transition.

On the other hand, DELWP, DHHS, DJCS, DJPR and DoT had to source and allocate more equipment for their staff when there were global supply issues for ICT equipment. Figure 3A outlines some of the ICT-related challenges that DHHS experienced at the start of the pandemic.

FIGURE 3A: Case study: ICT challenges during DHHS’s transition to remote working

In response to the government’s work from home direction, DHHS conducted a survey in March 2020 to assess how prepared its staff were to work remotely.

As the table below shows, not all DHHS staff had access to essential equipment to transition to a remote working environment at the start of the pandemic.

As a result, DHHS introduced temporary arrangements that required staff without work laptops and phones to use their personal devices. However, 204 staff (6 per cent) reported that they did not have access to either a work laptop or a home computer with internet. 

DHHS’s lack of prior preparation and investment in technology meant that it had to allocate resources to help staff transition to remote working at the start of the pandemic.

To do this, DHHS introduced rapid change during a challenging time. For example, in late April 2020, DHHS introduced new ICT platforms to allow frontline staff and child protection staff to deliver some of their services from home. DHHS reported that it took six weeks to transition 90 per cent of its staff to remote working. 

Despite its challenges, DHHS used this major disruption as an opportunity for improvement. It fast-tracked several ICT projects to improve its staff’s remote working experience and allow teams to stay connected and productive. 

Note: *Other includes staff who did not respond to the equipment survey at the time. Source: VAGO, based on information from DHHS.

The Victorian Government’s March 2020 work from home direction required departments to immediately transition their workforce to remote working.

As Figure 3B shows, this urgent directive put stress on Cenitex and the network.

Go Connect licences allow users to work remotely by providing a secure connection from a computer or laptop to the internal corporate network.

FIGURE 3B: Number of Go Connect licences purchased by departments from Cenitex between December 2019 and June 2020. 

Source: VAGO, based on Cenitex data.

ICT disaster recovery is the process of recovering systems after a major disruption. 

Cenitex service requests also increased from 22 104 in February 2020 to 33 389 to March 2020 with a corresponding increase in average Cenitex handling times from 7 minutes 33 seconds in February 2020 to 13 minutes 37 seconds in April 2020. 

Cenitex's capacity to deliver at this scale was not tested prior to COVID-19. Further, while departments can engage with Cenitex for disaster recovery design, only DJCS uses this service.

Prior to March 2020, Cenitex was improving its outdated remote working technology to service departments. At the time, departments’ demand for Go Connect licences was low, which caused scalability issues at the start of the pandemic. Departments that use Cenitex experienced connectivity issues at the start of the pandemic due to the overwhelming demand.

Cenitex brought forward its new technology to address these connectivity issues. Departments and Cenitex also introduced workarounds, such as advising staff to log off when not using the system and stagger use. 

It took Cenitex at least four weeks after the Victorian Government’s work from home direction to stabilise its services and enable most public servants to work remotely. 

Surge resources

There is currently no whole-of-government strategy on how departments can re-prioritise VPS resources in response to a large-scale disruption. 

Prior to COVID-19, only DELWP, DJCS and DHHS had strategies in some of their BCPs to manage surge resources. However, this was limited to emergency management. For example, DELWP addresses its need for surge resources in its emergency management activities by training staff in other divisions to deliver emergency management roles. 

In July 2019, DPC launched the Jobs and Skills Exchange to make it easier for departments and staff to find internal candidates and opportunities within the VPS. The Jobs and Skills Exchange had been operational for nine months when the pandemic occurred.

Redirecting staff to emergency roles can affect other work within the department. DELWP recognised this during the 2020 bushfires and considered whole of department resourcing and strategies to address and monitor this. 

Jobs and Skills Exchange

In May 2020, the Jobs and Skills Exchange launched a ‘COVID-19 mobilisation’ program. This promoted departmental 'surge opportunities' for staff from sector agencies who were out of work due to the lockdowns. The program provided candidates from impacted agencies, for example Arts Centre Melbourne, with the opportunity to be placed into surge-related roles in departments.

The program attracted approximately 2 000 applicants. However, only 134 applicants (less than 7 per cent), successfully gained job placements in another department or government agency. This is mostly because there was a mismatch in the skills needed to fill vacant surge positions.

Departments also used the Jobs and Skills Exchange to advertise secondment opportunities and backfill roles. However, departments do not have to indicate whether advertised positions are vacancies due to COVID-19, surge capacity related or business as usual roles, which limits the ability to assess the program's effectiveness. 

3.4 Maintaining prioritised services

During a disruption, an organisation may need to temporarily suspend some of its services to allow it to focus on its prioritised services. This is an important part of the business continuity process. 

All departments reported that their prioritised services did not exceed their listed MTPDs. However, departments cannot substantiate this claim because they have limited data on their prioritised services, particularly at a whole-of-department level and against their MTPDs.

Staff views of COVID-19’s impact

Our survey asked departments’ business continuity staff if COVID-19 disrupted their prioritised services between March 2020 and March 2021. Nearly 60 per cent of respondents reported that there was no disruption to services due to COVID-19.

Of those that did experience a disruption, 43 per cent said they were not able to restore some or all of their services within their MTPDs, which Figure 3C shows.

FIGURE 3C: Staff survey responses on restoring services

Note: We received 68 responses to this question. The maximum margin of error for this question is plus or minus 11.8 per cent at the 95 per cent confidence interval.  Source: VAGO survey.

Reporting on disruptions

Most departments rely on ad hoc reporting and PIRs after a disruption to understand the impact it had on their services. They also use incident management processes to report on the ongoing impacts of a disruption. 

For example, DHHS provided regular reports to its executive staff on prioritised services during COVID-19, such as child protection. This reporting covered case loads and backlogs to help outline ongoing risks.

However, departments’ reporting through these processes is often qualitative and focused on specific services. No department systematically reports against its business continuity RTOs or MTPDs. As a result, departments are unable to determine how effective their BCM arrangements are in maintaining their prioritised services.

Quality of services during COVID-19

Business continuity focuses on ensuring that services are up and running within minimum timeframes after a disruption. It does not consider if a disruption has impacted the quality of a service.

Departments faced many service delivery challenges during COVID-19. These challenges, which departments have highlighted in their annual reports, caused a drop in VPS-wide performance in the 2019–20 and 2020–21 BP3s, which Figure 3D shows.

FIGURE 3D: BP3 performance over time for all departments

Note: This chart presents an aggregate of all the BP3 measures that departments met in each financial year. Source: VAGO, based on BP3 data.

Customer-facing services

Customer-facing services had a higher risk of being impacted by COVID-19 due to social distancing measures. Figure 3E provides an example of how COVID-19 impacted VicRoads’ registration and licensing division.

FIGURE 3E: Case study: COVID-19’s impact on driving tests

While VicRoads had a plan to transition more services to its existing digital platform (myVicRoads), approximately a quarter of its services were still paper-based or required an in person interaction in March 2020. This included services such as in vehicle driving tests, online learner permit tests and online hazard perception tests.

In response to the pandemic, VicRoads activated its business continuity arrangements and its incident management plan. It also developed a dedicated COVID-19 registration and licensing task force on 17 March 2020. The task force met weekly and continually assessed which transactions it should cease, move to digital channels or move to other modes of delivery. 

VicRoads ceased in-person transactions, such as driving tests and assessments, during stage four COVID-19 restrictions. However, it introduced hardship/compassionate grounds exemption for driving tests from 6 April 2020 for essential workers, carers and people facing domestic violence. It delivered this service, which had limited eligibility criteria, across four sites in Victoria.

To maintain its business continuity, VicRoads considered alternative ways to deliver its registration and licensing services. It prioritised online learner permit and hazard perception tests because there was a backlog of approximately 395 000 suspended services that included driving tests, hazard perception tests, learner permit tests, medical review driving tests and assessments.

The government also approved an additional $26.8 million of funding in October 2020 to make computer-based tests available online and further boost VicRoads’ testing capacity. VicRoads announced additional temporary customer service sites and licence testing officers to address the backlog.

VicRoads has used COVID-19 as an opportunity to accelerate its digital program and extend the range of services available in its online platform. It cleared its backlog by the original projected date of April 2021 with additional temporary staff and test centres and expanded digital services. However, further lockdowns have created a new backlog, which VicRoads projects to clear by April 2022.

Further digital transformation will benefit VicRoads in the medium as well as long term because it can provide more efficient registration and licensing operations. 

Source: VAGO, based on information from DoT (VicRoads’ registration and licensing division).

3.5 Lessons learnt

It is important for departments to review their response to a major disruption. This can help them replicate their successes and avoid repeating failures in similar future events.

Although COVID-19 is ongoing, DELWP, DJCS, DPC and DTF have conducted PIRs or wider reviews of their BCM program. While it did not conduct a PIR, DET discussed its COVID 19 learnings with its executive board and other internal committees.

We acknowledge that many departments are still in the middle of responding to the pandemic. However, by not reviewing their learnings to date, departments limit their ability to identify and take early action to address risks and implement improvements. 

Despite this, COVID-19 has created opportunities for departments to make positive changes, such as accelerating their digital transformation or adopting more efficient processes. 

Improving BCM policies, plans and procedures

The COVID-19 pandemic has allowed all departments to adapt and improve their business continuity policies, procedures and plans. 

We assessed departments' BCM documentation against the ISO standard both prior to COVID-19 and after March 2020. 

Sharing information with other departments

There are several cross-department information-sharing groups that relate to business continuity, including the BCM—Multi-Agency Forum. 

While the forum postponed its meetings at the peak of the pandemic in 2020, it resumed meeting on 19 November 2020. Departments have used this forum to share better-practice procedures and discuss lessons learnt from COVID-19. 

However, there is no central body to ensure that departments implement whole of government learnings from this forum or other groups.

Improving remote working technology

The pandemic has made departments rethink how they work and, in some cases, accelerated their digital transformation plans. 

Meeting minutes from departments’ incident management teams suggest that they rolled out new technology-related processes and projects, such as electronic approval processes and Microsoft Teams, within weeks during the early stages of the pandemic. This would usually take months or years.

This presents an opportunity for departments to apply some of their leanings, such as the value of streamlining processes and adopting new technology earlier, to future ICT projects.

Remote working has increased other risks though, such as:

• privacy concerns
• cybersecurity threats
• occupational health and safety risks.

Departments have advised their staff about the importance of privacy and occupational health and safety (for example, ergonomic desk set-ups) as remote working continues. However, departments need to further manage these risks as new challenges arise, such as work-life balance or security risks, that were not as common in an office-based environment.

Appendix A. Submissions and comments

Click the link below to download a PDF copy of Appendix A. Submissions and comments.

Click here to download Appendix A. Submissions and comments

Appendix B. Acronyms and abbreviations

Appendix c. scope of this audit, what we assessed.

This audit used the following lines of inquiry and criteria:

Audit scope

This audit focused on departments’ business continuity preparedness and response. We included Cenitex in the audit due to its role in providing essential ICT services. We did not look at Cenitex’s BCM processes. The audit also did not include emergency management and portfolio entities.

Our methods

As part of the audit we:

• reviewed departments’ policies, procedures, plans and BIAs and assessed if they met relevant standards and requirements (both before and during COVID-19) 
• used data from Cenitex and departments to assess if departments were able to effectively transition to remote working
• reviewed departments’ prioritised services using available data, BP3 measures and departments’ documentation
• met with relevant key staff at each department
• conducted a survey of business continuity personnel.

Survey analysis

In July and August 2021, we surveyed all nine Victorian Government departments. We did this to understand staff experiences and views about the adequacy of their department’s BCM.

We sent the survey to 493 business continuity staff across nine departments. We received 194 responses (a response rate of 40 per cent). As the survey was optional, there was a risk that respondents did not accurately represent business continuity at the whole-of-government level due to self-selection. 

We have included our survey results in this report. All survey result percentages have a margin of error of plus or minus 5.5 per cent at the 95 per cent confidence level unless we state otherwise. This margin of error does not affect the qualitative findings in this report.

We conducted our audit in accordance with the Audit Act 1994 and Assurance Engagements ASAE 3500 Performance Engagements . We complied with the independence and other relevant ethical requirements related to assurance engagements.

Unless otherwise indicated, any persons named in this report are not the subject of adverse comment or opinion.

Appendix D. Departments’ BIAs, BCPs and exercising

Bias prior to covid-19.

Figure D1 outlines our assessment of departments’ BIAs prior to COVID-19.

FIGURE D1: Our assessment of departments’ BIAs prior to COVID-19

Notes:  ✓ = Met P = Partially met (for example, evidence in some BIAs but not all) ✕ = Not met Source: VAGO assessment of departments’ documents.

BCPs prior to COVID-19

Figure D2 outlines our assessment of departments' BCPs against key elements of the ISO standard. 

FIGURE D2: BCP consistency with key elements of the ISO standard and BCP coverage of services prior to COVID-19

Note: We have assessed a department as not meeting an element if we have evidence that it did not capture all of its prioritised services in its 2019 BCPs, or if it had BCPs that were not updated in the previous two years, which would increase the risk that it had not captured all of its prioritised services.  ✓ = Met P = Partially met (for example, evidence in some plans but not all) ✕ = Not met  *This is not an ISO requirement but it is a relevant element of BCP coverage in a pandemic. Source: VAGO assessment of departments’ documents.

Exercising and validating BCM

Figure D3 shows our assessment of departments' exercising and validating process. 

FIGURE D3: Departments’ exercising and validation of BCM  

Notes:  ✓ = Met P = Partially met ✕ = Not met  N/A = Not applicable Source: VAGO assessment of departments’ documents.

Business Continuity Planning

What will you do if a key staff member suddenly becomes ill, quits or dies what if your main supplier suddenly goes out of the business what is your continuity plan in the event of natural disaster.

A business contingency plan is the key that prepares businesses to respond logically in unplanned events.

How business continuity planning can help

• Determine the main risks to your business
• Prepare an evacuation plan
• Establish a communication system
• Steps to protect your electronic data

How Taktik can help

Taktik consultants understand that it is difficult to invest time in preparing a good business continuity plan as various business operations and processes are intense and chances of such disturbance is very small. Many businesses just ignore the continuity planning, but not having such plan in the disastrous event can result into damaging or failure of the business.A business contingency plan should be comprehensive but straightforward, and it should be updated every year. Typically business contingency plan includes the following sections:

• Potential emergencies
• Role continuity details
• Business data preservation plan
• Emergency equipment
• Communications fan-out system
• Plan testing, training and exercises schedules

No matter what industry you are in, we can provide the necessary services and road-map you need to advance your business. We assess what you have done so far, what do you want to achieve and help you reach your desired milestones.

Get Started Now! Call us at 1-250-580-4372 or send us an email at to find out the right service for your business.

Taktik Consulting

612 Boleskine Rd, Victoria, BC, V8Z 1E8 Canada +1 (250) 580-4372 [email protected] www.taktikconsulting.ca

Business Plan Search Engine Optimization (SEO) Website Designing Social Media Marketing Business Continuity Plan Market Research Business Strategy Marketing Strategy Strategic Planning Business Idea Evaluation Product Development Mortgage Broker SEO

Areas We Serve

Victoria Vancouver Prince George Kamloops Toronto Ottawa Edmonton Calgary

• Skip to global menu .
• Skip to primary navigation .
• Skip to secondary navigation .
• Skip to page content .
• Return to global menu .

• Search Financial Planning
• Search UVic
• Search for people
• Search for departments
• Search for experts
• Search for news
• Search for resources
• risk & insurance
• business continuity management

Business continuity management

What is business continuity management.

The Disaster Recovery Journal defines it as "a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholder, reputation, brand and value creating activities."

What types of adverse events are we planning for?

Since types of emergencies are very difficult to predict, an all-hazard approach is being taken.  Business continuity planning on campus is most focused on building-specific events, including floods and fires, while being cognizant of the fact that we live in an earthquake zone.

Why do we do BCP?

BCP allows departments to identify university critical processes and the resources (i.e., documents/systems/equipment/individuals) required to maintain them prior to a business disruption, in order to allow a timely response in the event of a disruption.  BCP provides an opportunity to make proactive changes in advance of a disruption in order to reduce the severity of potential loss.  For example, a simple thing like moving your computer off the floor can save it in the event of a serious water leak.

A common misconception is that BCP is the same as Emergency Planning (EP). Both BCP and EP are closely related at UVic and have significant areas of overlap.  Emergency management is focused on developing an institutional framework for responding to major emergencies, whereas BCP is a  process designed to expedite recovery.

For example, in the event of a major building fire, the EM framework would be activated to manage the immediate impact of the fire (i.e., evacuation, liaising with fire departments, securing the building, etc.).  The BCP team would identify the critical functions impacted, and the resources required to restart the function (i.e., alternate teaching or office space, equipment requirements, etc.).

Who needs a BCP?

Each department on or off campus is responsible for ensuring that they have an executable BCP.  The process usually involves an administrative staff member compiling all necessary information, with the primary decision maker in the unit providing sign off.

If we don't already have a BCP, how do we start?

Please contact the manager, risk, insurance & continuity planning who will visit with your department to provide further detail on continuity planning on campus, and will get you started with the online tool.

Who is the online tool designed for?

The online tool is a user-friendly interface which takes users through the BCP process step-by-step.

Departments with existing BCP expertise will notice that several of the initial steps normally found in a BCP (i.e., hazard identification and business impact assessments including recovery time/point objectives) are not present.  Those departments with BCP expertise are encouraged to formalize their plans using traditional methodology.

Are there any resources on campus to help with planning?

Yes, the manager, risk, insurance & continuity planning is available to meet with departments to assist in BCP development, or to assist with the online tool.

How often do we update?

Every plan should be reviewed annually to ensure it is up-to-date.  Major departmental changes may require a more frequent review.

Our department isn't too large or complex - do we need to plan?

Yes.  It is recommended that every department, regardless of size or function, should complete a plan.  BCPs are stored centrally, and while certain responses may seem obvious to your department, the emergency management team may need to review your plan if an event takes place and there is no one from your department available.

We already have a thorough plan in a Word document - do we have to use the online tool?

Yes.  Plans can be uploaded directly into the BCP tool; however, we do ask that the first and second page of the tool be completed for administrative purposes. 

How do we know if our plan is executable?

One of our goals is to practice BCP on every quarter - manager, risk, insurance & continuity planning is always looking for volunteers.

• Return to primary navigation .
• Return to secondary navigation .
• Return to page content .

The Victorian Planning Authority proudly acknowledges Victoria’s Aboriginal community and their rich culture and pays respect to their Elders past and present.

We acknowledge Aboriginal people as Australia’s first peoples and as the Traditional Owners and custodians of the land and water on which we rely.

We recognise and value the ongoing contribution of Aboriginal people and communities to Victorian life and how this enriches us.

We embrace the spirit of reconciliation, working towards the equality of outcomes and ensuring an equal voice.

• Leadership Team
• Organisational Structure
• VPA Strategic Plan 2021-2024
• VPA Business Plan 2022/2023
• VPA Careers
• Metropolitan
• Interactive Status Map
• More on the Greenfields
• Infrastructure Contributions Plans
• Growth Areas Infrastructure Contribution
• Gunns Gully Road Interchange GAIC WIK
• Growth Corridor Plans
• South East Economic Corridor Strategic Context Report to 2060
• Developer Contributions in Regional Victoria
• How We Plan
• Streamlining for Growth Program
• Streamlining for Growth Library
• News & Reports
• Strategy & Guidelines
• Growth Areas Social Planning Tool
• Plan Melbourne
• Engineering Standards
• Infrastructure
• Biodiversity & Native Vegetation
• Small Lot Housing Code
• Generally in Accordance Guidelines
• Greenfield Subdivision Permits – A Model Approach
• Metropolitan Open Space Network
• Have Your Say
• Expand search Search

March 19, 2020

Business continuity plan implemented in response to coronavirus (COVID-19)

Like many of your organisations, coronavirus (COVID-19) is impacting the operations of the Victorian Planning Authority.

The Victorian Government has now declared a State of Emergency in Victoria. As a public sector agency, the VPA will be following guidelines and advice from the Victorian Government.

The VPA has implemented its business continuity plan, and we anticipate our staff will transition to working remotely over the coming days or weeks. We are also changing the nature and timing of planned face-to-face engagements with our stakeholders.

While we are working hard to ensure that any impacts are limited and that our commitments and deadlines are met to the best of our abilities, some unavoidable delays and postponements will occur.

Scheduled face-to-face workshops or community engagements for example will be cancelled indefinitely and large meetings will be replaced with video conferences. We will communicate individual disruptions to the stakeholders concerned.

We hope we can rely on your patience in these circumstances. We will do everything possible to return to a normal operating environment at the earliest possible date.

We also understand that for many of you, coronavirus (COVID-19) will be impacting upon your operations and we will extend the same patience and understanding to you as we all work to manage the impacts of the virus threat.

For more information visit dhhs.vic.gov.au/coronavirus or call the Coronavirus Hotline on 1800 675 398 for advice if you are displaying symptoms.

The VPA’s 2022-2023 Annual Report is now available. You can download the Victorian Planning Authority […]

We are past the halfway point of 2023 and I have some important developments at […]

The VPA is aware that Victoria’s Independent Broad-based Anti-corruption Commission (IBAC) has tabled the Operation […]

With the new year well and truly underway and Victoria’s growth returning to pre-pandemic levels, […]

To help us plan for a growing Victoria, the VPA regularly analyses the external economic […]

The VPA’s 2021-2022 Annual Report is now available. You can download the Victorian Planning Authority […]

Stay Connected

Subscribe to receive our newsletter and regular updates on projects

• Our offerings

Business Continuity Foundations

This session will build your confidence in understanding key business continuity management concepts..

Business Continuity (BC) Planning has become front of mind amongst all Government Departments and Agencies, particularly since pandemic and natural disaster related business disruptions.

Effective BC planning is an important risk control and will support your organisation in minimising the consequences of a disruption to your critical functions and activities.

This session will build your confidence in understanding key business continuity management concepts, applying impact-based decision making and how to use relevant BC management tools.

We aim to deliver interactive workshops utilising different activities and engaging tools to support the content. Two tools we use are Miro and Menti. Please find some guidance below if you have not used these tools before.

• Tools – Miro Support & Help Centre
• Working on the board - Miro Support & Help Centre
• How to make interactive presentations - Mentimeter

Learning outcomes

By the end of the workshop, you should be able to:

• Understand key Business Continuity management concepts and how they relate to managing enterprise risk
• Apply impact-based decision making
• Use relevant BC management tools

This session is suited to those who are in risk related roles and are interested in business continuity management with limited or no expertise and knowledge.

What's next

Register by selecting for your preferred date in the side panel.

If you require closed captions, register for an event and let us know before it starts at [email protected]  

If none of the featured sessions suit, submit your expression of interest to be the first to know when new sessions are available. If you have any questions or need some assistance, please reach out to [email protected]

What Is A Business Continuity Plan? [+ Template & Examples]

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

• Business Continuity Types
• Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

• Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

7. Security

You want your employees to be safe. You also want your employees and business assets to be secure as well. Security breaches can cause major harm to your operations, safety, and reputation. Continuity in this realm means prioritizing employee security and safety of important business information, and plans of action if the information were to become compromised.

8. Reputation

Customer satisfaction and a good reputation can fuel your flywheel and result in increased revenue. The flip side of this coin, however, is that a tarnished reputation can cause great harm.

Reputation continuity means continuously monitoring conversations about your brand or business, prioritizing customer satisfaction, and coming up with action plans for rectifying situations if your reputation is called into question.

Business Continuity vs. Disaster Recovery

The difference between disaster recovery and continuity plans lies in that disaster recovery plans are technical plans focused specifically on recovering from failures, while business continuity plans manage relationships during a crisis. Disaster recovery plans are created as part of an overarching business continuity plan.

Don't forget to share this post!

Related articles.

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

What Is Reputational Risk? [+ Real Life Examples]

10 Crisis Communication Plan Examples (and How to Write Your Own)

Top Tips for Working in a Call Center (According to Customer Service Reps)

Top 5 Crisis Management Skills for Business Leaders (& How to Apply Them)

Manage, plan for, and communicate during a corporate crisis.

404 Not found

Ecommerce Business Continuity Planning: 7 Steps to Assess Risk and Plan for the Unexpected

Victoria Fryer

Get The Print Version

Tired of scrolling? Download a PDF version for easier offline reading and sharing with coworkers.

A link to download the PDF will arrive in your inbox shortly.

In 2018, a ransomware attack  hobbled the City of Atlanta. The disruption to their computer systems impacted city services including police and court records, parking, and utilities. Workers were forced to complete paperwork by hand.

In the end, the cyberattack cost the City of Atlanta $17 million — even though the ransom was only $52,000.

The City of Atlanta was caught off guard, with out-of-date software and a number of other IT vulnerabilities.

A story about a German telecom business , however, shows what happens when a plan goes right. When workers discovered a fire inching closer to one of their crucial facilities, they engaged their incident management system to notify and mobilize employees and emergency responders.

The German company’s fast reaction time — facilitated in part by a solid business continuity plan — along with a redundant network design had the facility back in service in just hours.

A solid business continuity plan (BCP) left the German company with better emergency management and the ability to bounce back quickly.

What is a Business Continuity Plan?

A business continuity plan details processes and procedures that will help keep operations up and running — or restore them as quickly as possible — in the event of a major disaster, whether it be a physical disaster (e.g., extreme weather event) or a technological one (e.g., cyberattack).

Whether you’re a small business owner or work for a large enterprise, business continuity planning will help you respond faster when disruption strikes and minimize the negative impact on your business.

Without a plan in place, you run the risk of being unable to continue selling  and shipping products during unplanned disruptions. Your ability to recover from these unplanned disruptions will be much slower and less effective — potentially impacting both your revenue and your brand reputation.

A business continuity plan is not a disaster recovery plan. Disaster recovery planning is part of a business continuity program, but the latter has a much broader scope.

Top Threats to Business Continuity

Depending on your particular business and level of risk, every brand will have different primary threats to business as usual. That’s why risk assessments prior to assembling a business continuity plan can be so helpful.

While you’ll need to have a plan in place for every possible outcome, the following threats are the most common business disruptors to watch.

1. Global pandemics.

Pandemics can throw a wrench in your business plans from all angles and directions. With citizens forced to stay home and do as much work from there as possible, to increased demand for certain items, and decreased supply due to  manufacturer shut-downs or disruptions across the supply chain.

One of the most important plans to put in place if you fear a global pandemic is how your people will communicate with each other and conduct necessary business offsite. It’s also important to have options when it comes to supply in case your supply chain  is disrupted.

2. Natural disasters.

A natural disaster refers to anything weather related — tornados, hurricanes, tsunamis, etc. — or other natural phenomena like earthquakes, wildfires, and volcanic eruptions. Some of these types of disasters are difficult to predict and can onset in seconds. They could cause grave damage to physical structures and anything inside, as well as disrupt supply chains through affected areas.

3. Utility outages.

A loss of power generation, communication lines, or water shutoffs can cause severe disruption to day-to-day operations, potentially damaging physical assets, and losing productivity and service.

4. Cybersecurity.

A cyberattack is any computer-based attack on a technical asset. Examples of cyberattacks include ransomware attacks, data theft , SQL injections, and distributed denial of service ( DDoS ) attacks. At best, your technical infrastructure will be at limited functionality until the issue is resolved. At worst, if you don’t have a data backup , you could potentially lose access to all your business data.

4 Characteristics Guiding Your Continuity Planning

You may be able to avoid some major disruptions, but there’s always room for the unexpected. That’s why you need a solid plan to restore your business after disaster strikes.

1. Comprehensive.

You may never be able to plan for every single possible disruption — or the combinations thereof — but it is worth trying. Don’t assume your first plan is going to work. You’ll need to make sure you have backup plans, and backup plans for your backup plans. Consider every single factor that could play a role, and assume that everything will go wrong at some point.

2. Realistic.

You don’t want to get into a disaster situation and find that your best laid plans actually cannot be carried out as planned. Be realistic about the plan you’ve laid out and make sure that it has as many contingency plans built in as possible.

3. Efficient.

Business is complex, so we won’t sit here and say your business continuity plan needs to be simple. But it needs to be able to be executed efficiently and with the resources you have at hand. The extra stress and expectations in a time of disaster or disruption can make even regular tasks more difficult to accomplish. Make sure this is accounted for in your plan.

4. Adaptable.

Nothing on paper could ever compare to the curveballs that nature or other unexpected forces may throw at us. Leave lots of room in your plan to adapt to the moment, as circumstances change — sometimes minute to minute. The plan should account for constant monitoring of the situation and provide a good foundation from which to pivot to addressing the issue at hand.

Benefits of Business Continuity Planning

Business continuity planning isn’t just a nice-to-have; it’s essential to every business, and disruptions can be costly. We’re talking anything from a DDoS attack taking your site offline for an afternoon, to a warehouse fire resulting in mass loss of product, to a supply chain disruption that keeps your products from making their way to you in a timely manner.

Lacking a plan for initiating emergency response can lead to financial loss, loss of consumer (and team member) confidence, and impact your brand reputation. Here are some of the primary benefits of having a continuity plan in place.

1. Maintain business operations.

If you can keep your business operations running through a crisis, you can mitigate financial loss and send a message of stability to your team members and your customers. Having a strong partnership with your human resources function will be important here.  

2. Build customer confidence.

Your customers want to know that you can respond to anything, so they can keep expecting the service from your brand that they’re accustomed to. In disaster situations, consumers often look to their favorite brands to see how they’re reacting on the public stage and how they’re able to weather the internal storm.

3. Preserve your brand and reputation.

Large-scale disasters and disruptions are likely going to be media fodder, so it’s unlikely you’ll get a chance to follow your plan quietly. The world will be watching. Brands that seem prepared and able to rise to the occasion with strength, consistency, and grace will prove their resiliency to their consumers.

4. Protect your supply chain.

Supply chain is a great example of the maxim, “Don’t put all your eggs in one basket.” Supply chain disruptions are common because there are so many ways they could happen. A pandemic could shutter manufacturing facilities, for example. Or a natural disaster could cripple transportation in an important geographic area. A good plan will set out already-vetted options for circumventing  supply chain  issues.

5. Gain a competitive edge.

In cases where many businesses are affected by a disruption, your ability to get business moving again will go a long way in showing consumers that your brand is among the best. In disaster times, too, consumers watch brands closely to see how they’ll react. Quick but poised action will build trust in your brand, giving you an edge on your competitors.

6. Mitigate financial risk.

Knowing what to do quickly in case of a business disruption is an important piece of risk management. The longer the downtime, the more potential for financial loss. But with the right plans to pick up quickly and restore functionality where you need it most, you can keep your loss as minimal as possible.  

Creating Your Ecommerce Business Continuity Plan

Creating a business continuity plan is, admittedly, probably not the most fun day you’ll have at work. But it is a critical piece of running a resilient business, and it’s important that you, your business continuity team, and the rest of your staff take this seriously.

1. Identify objectives and goals of the plan.

Business continuity management extends beyond your information technology department and related IT systems — it applies broadly to all critical business functions, including human resources, operations, public relations, and more. At the highest level, the objective of creating a business continuity plan is to keep essential business processes running or minimize disruption.

But every business is different — so you’ll need to identify the goals and objectives most important to the way you operate. Those goals will guide your risk assessment, the business continuity planning process, and potential recovery strategies.

2. Establish an emergency preparedness team.

Select a few cross-functional managers or leaders, and anyone else you identify who may bring something valuable to the table. Make sure someone is designated as the leader to keep things moving forward and make decisions when necessary.

3. Perform a risk assessment and business impact analysis (BIA).

Here’s where you’ll identify the biggest potential threats to your business, then research and analyze them thoroughly. Discuss with the team what would happen if you have to reduce, modify, or eliminate essential services or functions. Be sure to document all the identified issues and related business impact.

4. Identify essential ecommerce business functions.

You’ll have to determine how your organization will maintain essential services/functions in the event of an emergency. Here are some of the essential services and functions that you’ll need to have a plan for.

Inventory management and supply continuity.

Think about what happens when you encounter a product shortage. Supply chain issues are common in disasters like major weather events or pandemics. During a disaster, will you have enough inventory? Do you have an inventory management tool or system to help manage inventory? Do you have a plan for times with low or no inventory ?

Order fulfillment and shipping deadlines.

If a crisis hits, can you still fill orders and meet shipping deadlines? It may be helpful to diversify shipping providers. If you use a 3PL , ask them about the steps they take toward business continuity to gauge whether they’ll be able to fulfill and ship in disaster conditions.

Ecommerce platform functionality.

If a crisis were to happen, can you adjust your ecommerce platform  to show out-of-stock items? Can you handle an influx of customers in a situation where supply is greatly increased? Do you have strong cybersecurity and all of your data backed up?

Maintaining customer service.

During a crisis, customers need transparency and empathy. You’ll need to provide a communications plan for your marketing/communications teams and your customer support team. You may need to bring on more personnel to answer customer questions.

5. Prepare a plan for each essential function/service.

Your ecommerce engine runs as a combination of parts, including:

Team members.

Suppliers/ subcontractors.

Each of these parts has to have its own plan. How will you address the situation with your customers? Does that  communication plan  change when it’s the kind of disruption that may have also put their lives in danger? (E.g., as we deal with pandemic conditions, our customers are dealing with that too — and we have to be empathetic as well as informative in every interaction.)

Will you be prepared to switch to another supplier to make sure you don’t run out of inventory? Do you know what your options are if your shipping partner experiences a disruption?

6. Review and make sure every business function has been addressed.

Leave no business function out of your plan, but that doesn’t mean that one doesn’t become more important as you look for ways to operate during disruption. You’ll want to make sure you’ve documented the following:

Level of business risk.

Impact on employees and customers, and how you’ll communicate with them.

Emergency policy creation.

Financial resources that can be tapped into in the event of a disaster.

External organization or community partners who can work together with you to be mutually beneficial.

7. Train staff, test, revise, and update the plan.

Present the plan to all your stakeholders, and suggest being proactive by performing trial runs — for a gut check that each part of the plan works as it should. This will help you identify any missing aspects or weaknesses. Then, once you’ve made any updates based on the feedback, begin to train all staff accordingly.

Nothing is ever certain. Maybe you’ll never encounter a major disruption to your business. But the chances are just as good — if not better — that you’ll have your fair share of challenges.

Being fully aware of your level of risk and what needs to be done to keep the business moving is where you want to start. That alone will give you a competitive edge and help mitigate any financial risk involved.

Then, creating your whole plan will help you rest easier at night. Once everyone in your business is fully comfortable with and trained on implementing this plan, you will have the peace of mind to know that if disaster strikes, not all will be lost.

Victoria is a content marketing writer, researcher, and content project manager at BigCommerce. Specializing in writing and web content strategy, she previously spent eight years in public relations and marketing for Tier I research universities. She holds a B.A. in English Writing and Rhetoric from St. Edward’s University and a Master of Liberal Arts from Lock Haven University of Pennsylvania.

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Pete Rathburn is a copy editor and fact-checker with expertise in economics and personal finance and over twenty years of experience in the classroom.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How to Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be identified and corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ," Pages 15 - 17. Accessed Sept. 5, 2021.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

• Our Approach
• Our Programmes
• Our Members
• Find a Group
• Become a Member
• CEO Coaching Qualifications
• Meet our CEO Coaches
• Become a Chair
• Research Papers and Videos
• Superheroes

What is a business continuity plan?

We’ve all heard the saying ‘fail to plan, plan to fail’. While it rings true in most aspects of life, it’s perhaps most pertinent in business. 

As we know only too well in our current climate, life is unpredictable. Your business might be growing rapidly, your profit margins might look amazing, everything could be rosey - but it can all change in an instant. So, how do you prepare for the unexpected? How can you give your business the best chance of survival in the most tumultuous of times?

• Visit our Coronavirus Resource Centre for accurate and reliable information on the pandemic

While there’s no way of controlling external events, there is a way of mitigating disaster, and ensuring your business is resilient: business continuity planning. A business continuity plan is effectively the difference between steering a rowing boat or a ship; a rowing boat is fine as long as the seas are calm, but as soon as the water gets choppy, you’ll wish you had something sturdier. 

Here’s why you need a business continuity plan, and how to create one…

Why you can’t afford to ignore business continuity planning

Business continuity planning is something which every business needs. Irrespective of size or industry, every business needs a tailored plan in order to navigate difficult times and help them bounce back quickly. If you lose 50% of your customer base or 50% of your staff, will you even be able to recover?

"The challenge for all businesses is to remain competitive."

Rain or shine, the challenge for all businesses is to remain competitive - no matter what’s happening in the world. In order to survive, businesses need to retain customers, maintain their output, and, ideally, continue to grow their customer base. 

In 2001, The Business Continuity Institute defined business continuity management as:

‘A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’

So how do you do it?

Identify the scope of the plan

What are you preparing for? While there are events that we may not even be able to imagine, there are plenty which we can. Try to be specific about the scope of your plan. What types of events could create problems for your business? 

In order to answer this, you need to fully understand all of the operations within your business. What types of interactions take place within your organisation? What about the interactions between your business and your customers? What about the complex network of suppliers?

• You may like:  Vistage 2020 business priorities - Business operations

The best way to ensure you have all the facts is to speak to individuals across your business, in all the various functions. Once you’ve examined the workings of your business, you can assess the risks. An effective way of doing this is by asking the right questions. 

‘What if…’ questions are a good place to start. For example, ‘what if our telephones went down?’ Or ‘what if our documents were destroyed in a fire?’ ‘What if we had staff casualties?’ ‘What if there was a terror attack?’

Each of these questions raises two further questions: how likely is it to happen, and what effect will it have on your business? Answering these questions will help you determine the scope of your plan: what you need to include and how to prioritise the threats.

Identify key business areas & critical functions

Every business is different, and that’s why you need a specific, tailored plan. If you’re a tech or IT company and your IT goes down for a week, what are the implications? If your business has a huge telesales department and your telephone networks fail, what will you do? How much money will you lose, and how long can you survive?

Identifying your key business areas and functions will allow you to see exactly what the worst possible incidents could be for your company. Once you’ve identified your critical functions and key areas, you can create the best possible protection for them. What has the potential to bring your operations to a grinding halt? Which areas of your business are paramount to survival? What could threaten them?

Thinking of the worst-case scenario is an effective technique for creating a robust business contingency plan. If you have a plan that can help you deal with the worst possible situation for your business, it will help you navigate lower impact events much more easily. 

And what about your people? Who is indispensable? This isn’t about ego, seniority or profile. While everyone’s role is important, in a crisis, some roles may be more vital than others in helping the business survive - and it may not be the ones you think. Determining which functions and individuals need to be up and running as a priority, is a crucial part of creating an effective continuity plan. 

Identify dependencies between various business areas and functions

Preparing for the very worst will also help you identify potential chains of events. Although we delineate departments and functions within businesses, as soon as something goes wrong, we become acutely aware of how interlinked they are. Ultimately, no business function is an island.

What may look like an incident that affects one aspect of your business, could in fact be something that causes a catastrophic series of events. 

To use a close to the bone example: a pandemic = market uncertainty, lockdown and self-isolation = breakdown of supply chain, fewer staff = unable to supply your customers = loss of customers = financial loss and bad publicity = damaged reputation = an exploitable situation for your competitors. 

• You may like:  Getting mental health right in the workplace

In this scenario, the pain point is the breakdown or loss of the supply chain and reduction of staff. But of course, it has a knock-on effect on the entire operation.

An effective business continuity plan should clearly set out how you would deal with each part of the domino effect - and how you can anticipate rather than react. What alternatives do you have for your supply chain? How quickly can these alternatives be set up? How will you share the workload if you suddenly lose 30% of your staff? What are the fundamental areas that need to be covered? Are your employees cross-trained and able to work across functions? 

It’s easy to see from the chain of events how addressing these issues (which come after the initial shock of the event), is critical for the survival of a business.

Determine acceptable downtime for each critical function

A big part of continuity planning is accepting that you will take a hit. When an unforeseen event or incident takes place, some functions within your business might be temporarily halted. 

"Identify who needs to do what, where, and when in the immediate aftermath of an incident."

Determining an acceptable amount of downtime for each of your critical functions will help you ascertain which ones are priorities, and how to get them back up and running as quickly as possible. It will also help you identify who needs to do what, where, and when in the immediate aftermath of an incident.

Creating a time/function matrix is a simple way to illustrate how quickly different functions need to be up and running after an event. This matrix should also include what each person needs to do and when. 

For example, if your business cannot function at all without IT, it’s likely you would set the acceptable downtime for IT at hours, rather than days. Conversely, you might decide your acceptable downtime for payroll or HR is weeks or even months. In the meantime, there’s little point in the marketing team being on site until your IT problem is fixed. 

Again, the downtime for critical functions will depend on the particulars of your business and industry.

Create a plan to maintain operations

Ultimately, the point of a business continuity plan is to maintain operations as best as possible. Your business is unlikely to look structurally identical or function in the same way as it was pre-crisis, but your plan should facilitate its maintenance and survival throughout the turbulence.

One of the most important things to remember is that your plan needs to be accessible to everyone within the business. Make your language unambiguous and non-technical to ensure everyone can understand it. Here are some key elements to consider when creating your plan:

• Write clear, detailed instructions about what needs to happen in the first hour after an incident. This time is crucial if you want to mitigate disaster as much as possible. Who needs to do what? Who takes responsibility for each action? 
• Apart from stipulating who needs to do what, ensure you have deputies for each key role as a back-up.
• An easy way for people to ensure they’ve done everything they need to do is by including an easy-to-follow detailed checklist. 
• Keep instructions clear. If people have to trawl through pages of instructions in an emergency, valuable time will be lost. 
• Plan for the very worst-case scenarios. You can’t plan for every eventuality so it makes sense to prepare for the worst. If your plan details how to handle a full blown crisis, it will help you navigate smaller incidents with relative ease.

A business continuity plan is as crucial as a five year business plan. In an increasingly unpredictable and globally connected world, you should always expect the unexpected and prepare for hard times, even - and especially - in the midst of success. When the unimaginable happens, having a continuity plan that was carefully and strategically created to cater to your business’ needs will be a life saver.

Images via AdobeStock (Brian Jackson), Unsplash

Our gift to you...

Apply now for your personal leadership consultation with a Vistage Chair. They'll help you assess areas of strength of your business and identify areas of potential growth.

Subscribe to Vistage Insights

The Federal Register

The daily journal of the united states government, request access.

Due to aggressive automated scraping of FederalRegister.gov and eCFR.gov, programmatic access to these sites is limited to access to our extensive developer APIs.

If you are human user receiving this message, we can add your IP address to a set of IPs that can access FederalRegister.gov & eCFR.gov; complete the CAPTCHA (bot test) below and click "Request Access". This process will be necessary for each IP address you wish to access the site from, requests are valid for approximately one quarter (three months) after which the process may need to be repeated.

An official website of the United States government.

If you want to request a wider IP range, first request access for your current IP, and then use the "Site Feedback" button found in the lower left-hand side to make the request.

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations., conquer cloud chaos with vmware cross-cloud services.

VMware is addressing cloud chaos with our portfolio of multi-cloud services, VMware Cross-Cloud services, which enable you to build, run, manage, secure, and access applications consistently across cloud environments. With VMware Cross-Cloud services, you can address cloud chaos and shift to a cloud smart approach – one where you can choose the best environment for every application, without multiplying your complexity.

Anywhere Workspace

Access Any App on Any Device Securely

App Platform

Build and Operate Cloud Native Apps

Cloud & Edge Infrastructure

Run Enterprise Apps Anywhere

Cloud Management

Automate and Optimize Apps and Clouds

Desktop Hypervisor

Manage apps in a local virtualization sandbox

Security & Networking

Connect and Secure Apps and Clouds

Run VMware on any Cloud. Any Environment. Anywhere.

On public & hybrid clouds.

On Private & Local Clouds

Anywhere Workspace Access Any App on Any Device Securely

App platform build and operate cloud native apps, cloud infrastructure run enterprise apps anywhere, cloud management automate and optimize apps and clouds, edge infrastructure enable the multi-cloud edge, networking enable connectivity for apps and clouds, security secure apps and clouds, by industry, vmware ai solutions.

Accelerate and ensure the success of your generative AI initiatives with multi-cloud flexibility, choice, privacy and control.

For Customers

For partners, working together with partners for customer success.

See how we work with a global partner to help companies prepare for multi-cloud.

Tools & Training

Marketplace, blogs & communities.

• Topics 
• VMware Glossary 
• Content 
• Business Continuity Plan

What is a Business Continuity Plan (BCP)?

A  Business Continuity Plan (BCP)  is a detailed strategy and set of systems for ensuring an organization’s ability to prevent or rapidly recover from a significant disruption to its operations. The plan is essentially a playbook for how any type of organization—such as a private-sector company, a government agency or a school—will continue its day-to-day business during a disaster scenario or otherwise abnormal conditions.  

Examples of such disruptions include a fire, a major earthquake or other a natural disaster, a disease outbreak, a cyberattack and many other scenarios that could upend “business as usual.” When such events significantly disrupt an organization’s normal routines, it turns to its business continuity plan for instructions, processes and tools it needs to continue to operate or to quickly recover from downtime. 

The Virtual Floorplan: New Rules for a New Era of Work

Hindsight is 2020 - The Pandemic Provides a Wakeup Call

Why is a business continuity plan important.

Risks can be managed, but they can’t be eliminated. Business continuity planning is critical because without it, an organization faces downtime and other problems that could damage its financial health. In major disasters, a lack of a business continuity plan could cause irreparable financial harm that might ultimately force a company to permanently close. 

How to create a Business Continuity Plan?

There are many frameworks for creating an effective business continuity plan. Most of them cover three overlapping phases: 

• Analysis : In this phase, you identify and evaluate the various functions of your business and its operations. Then, you determine how those different functions will be affected by a disaster. This phase usually entails prioritizing different areas or departments in terms of how important they are to your operation, so that your plan ultimately ensures the continuity of your most critical functions first. Business continuity  professionals often conduct a Business Impact Analysis (BIA) at the outset of developing a new plan. A BIA estimates the consequences of different disaster scenarios in terms of lost revenue and other business-specific metrics.
• Planning : Once an initial analysis is complete, the next phase entails all facets of developing an actual plan for continuing to operate in a disaster, or rapidly recovering from a disruption to normal operations. During the planning phase, organizations:  
• Develop protocols for potential needs such as a rapid relocation or shift to  remote work . 
• Strategize temporary staffing changes or needs. 
• Implement  IT disaster recovery  tools to ensure continuity of critical systems. 

A key part of this phase is to name a continuity or crisis management team, comprised of executives and stakeholders who will lead the plan’s implementation if necessary. 

• Training and Testing : Even the most robust BCP must be put through regular testing to ensure it will work if needed. This includes educating employees on their roles and responsibilities in these scenarios, as well as conducting trials of various elements of the plan. An example would include a short-term rollout of a remote work scenario to identify issues and opportunities for optimization.  

Key features of a business continuity plan

Some features of a BCP will be industry or business-specific, but there are components that are common to almost any plan: 

People : A BCP will clearly define roles and responsibilities, not just for the crisis management leadership team, but also for any units responsible for implementing different pieces of the plan in a disaster scenario. Some BCPs will also define “essential personnel”—for example, people whose job requires them to report to work even in periods of heightened risk. 

Technology : Almost all modern business continuity plans will also clearly outline the role that information technology will play in ensuring critical data, applications and services remain available or are quickly restored after an interruption. These include: 

• Data backup and recovery tools 
• Cloud computing infrastructure  and services 
• Remote work platforms

Service Delivery : A BCP should also describe which services are most critical and how they will continue to be delivered to customers, employees, partners, the public and other stakeholders. 

Health & Safety : Finally, a strong business continuity program will include criteria and guidelines for ensuring the health and safety of all people involved—employees, customers, partners—as the plan is implemented and managed. 

Business Continuity Plan checklist

Many organizations create a checklist as part of their business continuity planning. This is a list of all of the key steps in the BCP. It can be used in two ways:  

• Conception : First, it can be used as part of the initial creation of the plan. In this context, the BCP checklist would describe in detail the steps necessary to develop the plan, from analysis through testing.  
• Implementation : Second, a BCP checklist can be used for testing and/or actually implementing the plan. In this context, the BCP or crisis management team would use the checklist to ensure that it addresses all of the plan’s tools and processes and communicates them effectively throughout the organization. 

Business Continuity and Disaster Recovery Planning

Business continuity planning and disaster recovery planning are often mentioned in similar contexts, but they are not interchangeable terms. A business continuity plan is an overarching strategy for operating in disaster scenarios or recovering from a major disruption. 

A disaster recovery (DR) plan refers more specifically to the IT processes and tools you can rely on to retain or restore access to mission-critical data, applications, and services in these scenarios. A DR plan would detail, for example, how you could restore access to a revenue-generating web application in the event of a flood in the data center that powers that service. 

How often should a Business Continuity Plan be reviewed?

Most experts recommend that business continuity plans be reviewed regularly and updated as needed. This helps ensure that the plan will still meet the organization’s needs in the face of evolving risks and threats. 

The frequency with which you review a business continuity plan depends on many factors, including the nature of the organization, its industry and its particular risks. As a general rule of thumb, such plans should be reviewed annually or at least every other year. However, there are multiple scenarios where an organization may want to consider more frequent reviews, including: 

• Significant changes to the business or its operations 
• Location in a region at greater risk for natural disasters or other potentially disruptive events 
• Any organization or agency that provides essential services to the public 

Recommended for You

• Business Continuity
• Business Mobility
• Disaster Recovery
• Business Continuity Application

Related Solutions and Products

Remote work solutions.

Connect Your Distributed Workforce with Remote Work Solutions

Anywhere Workspace Solutions

Enable employees to work from anywhere with secure, frictionless experiences.

Assure Experience & Productivity

Support an agile, remote workforce with seamless and secure access.

• What is Disaster Recovery? - Definition & Benefits
• What is Business Continuity Application?
• What is Disaster Recovery as a Service (DRaaS)