How to Create a Business Continuity Plan for your Church or Charity in 6 Steps

Introduction

When a major disaster strikes, churches and charities are often some of the first responders.

They provide vital services to their communities, including food, shelter, spiritual and emotional support.

But what happens when a church or charity is also affected by the disaster e.g. widescale flooding in a town?

What if the adverse event is localised to the church or charity, such as a cyber-attack?

How can it develop resilience and continue to run its necessary services when faced with unplanned disruptions or major disasters?

The answer lies in Business Continuity Planning.

Business Continuity Planning helps organisations ‘keep their doors open’ and continue to deliver their services during and after a crisis.

Whether it’s a natural disaster, financial crisis, data breach or man-made crisis, having a business continuity plan (BCP) is essential to keeping all essential functions running in your church or charity, despite the disruptive event.

This article takes you through what a Business Continuity Plan is, it’s benefits, pre-requisites, and the steps to creating a viable Business Continuity Plan for your church or charity.

Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above. 

Scene Setting

The Learning & Development Committee have come together for their pre-meeting with Coach Emmanuel before the masterclass.

Elder Sam: Oh no!  I think this laptop is due for retirement!  It has been from one issue to another and now I can’t access our IT systems at all!

Sister Jane: The IT team should be able to sort it out for you.  They are quite good at troubleshooting even while you wait.

Elder Sam: I know, but no one is there!  I learnt that the IT manager got a higher paying job and left, her assistant is gone on maternity leave, one junior staff is on leave and the only person left couldn’t diagnose the problem.

Brother Badtrus: Really!  How did we let that happen?  We are so reliant on the IT manager and assistant.  What if there is an IT disruption and all servers go down?

Sister Mary: I have always said that we should contract out our IT services and move our data to the cloud. 

Brother Badtrus: Impressive IT knowledge! Even then, we will still need our own IT personnel to manage the contracted service and our IT infrastructure.

Sister Jane: We need to raise this as a risk, but then what do we do about it?  It takes ages to recruit IT skills especially at non-profit sector pay rates.  How do we keep our IT running in the meantime?

Coach Emmanuel: Indeed! Sudden loss of key personnel or skills can cause disruptions in essential business operations.  That is one of many reasons why you need a viable business continuity plan. 

The structured process for creating a business continuity plan will help you identify such risks, analyse the impact, and develop continuity and recovery strategies that you can activate in events like this.  

Let’s make that the topic for today’s masterclass!

What is a Business Continuity Plan?

A business continuity plan (BCP) is a document that outlines how a business will continue to function during and after a disruptive event.

The goal of a BCP is to minimise downtime and disruption to the business, and protect its critical functions.

Business continuity is defined as “the capability of an organisation to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident”.

Why does your Church or Charity need a Business Continuity Plan?

A business continuity plan helps churches and charities anticipate and prepare for disruptions, whether they be natural disasters, financial crises, pandemics or cyber-attacks.

Impacts of disruptions include loss of income, increased expenditure, and reputation damage, which can get worse, the longer it takes to recover from the disruption.

A well-developed and executed business continuity plan will minimise the impact of disruptions and help your church or charity to continue operating even in the face of an unexpected event.

It can mean the difference between a minor disruption and a major catastrophe.

Threats and natural disasters are becoming more and more common in this day and age.

Holding valuable data brings the increasing threat of cyber-attacks from cybercriminals looking to exploit the data and disrupt operations.

Inflation, energy and cost of living crisis is also a reality impacting financially and on supply chains that organisations rely on to function or deliver their services.

Natural disasters, such as fires, floods and consequent power outages, is also a constant threat.

Some areas with no previous history of certain natural disasters, are experiencing them for the first time in living memory.

The Covid-19 pandemic was a wakeup call for organisations across the world.

It was a real test of the strength of business continuity planning across churches, charities and organisations worldwide.

Some organisations experienced financial and operational losses along the way, others stopped operating, some just made it through, and a lot are still in the recovery phase.

Organisations that survived the pandemic would have developed valuable experience in responding to major disruptions and recovering from them.

Lessons from that experience need to be harnessed and fed into proper preparations for any future disruptions.

Your church or charity provides essential services that people need and rely on, give towards, and want to see continue.

Disruptions do happen, ranging from the minor to the catastrophic!

Be prepared with a viable business continuity plan so you can continue to operate regardless of disruptions, adverse events or major disasters.

Business Continuity Planning Prerequisites

Before you embark on creating a business continuity plan, there are certain prerequisites that must be in place to enable success.

To be effective, business continuity planning requires leadership from the top, to drive, champion and genuinely support it.

It is good practice for top leadership to appoint a BCP champion to own and lead the BCP development.

They can be supported by a team depending on the organisation size and extent of work required.

Top leadership should also set the tone and scope in a business continuity planning policy to demonstrate their commitment and to guide the development.

To understand and assess the scope to be covered in the BCP development, you need to clarify your mission and the overall services and/or products that are critical to your church or charity’s mission, and its legal and regulatory environment.

For example, a charity that runs a souvenir shop as an ancillary activity may deem it non-critical in the face of major disruptions and therefore exclude it from their business continuity planning scope.

A church may consider the ability to hold church services on a Sunday as the most critical to them.

Your church or charity should have good document management systems in place that the BCP development can dock into.

The documentation created through the BCP development needs to be stored in an easy to access system.

Risk assessments drive business continuity planning, so having established risk management practices in place will ensure good integration with business continuity planning.

Steps to creating a Business Continuity Plan

Taking a structured approach to BCP development guarantees a successful outcome.

Following these 6 steps should help you create a comprehensive and viable BCP.

Step 1. Conduct a Risk Assessment

With the prerequisites in place including your overall mission, products and services clarified, the first step in creating your BCP is to assess the risks that could potentially disrupt them.

This involves identifying and assessing the threats that may impact your church or charity.

Examples are of threats are:

• Natural disasters – floods, earthquakes, landslides etc.
• Extreme weather – heavy prolonged rain, high winds, severe storms.
• Fire outbreaks
• Power outages.
• Cyber-attacks
• Supply chain disruption
• Loss of access to site or offices
• Loss of key people or skills
• Loss of water / sewerage
• Terrorist incidents
• Pandemics
• Health or Safety incidents

Each risk is then assessed as to the likelihood of occurrence and the severity of the impact if it happens. The risk assessment results help to prioritise the risks to be covered in your BCP.

Step 2. Complete a Business Impact Analysis

With threats identified and risk assessed, the second step is to complete a Business Impact Analysis (BIA).

Completing a Business Impact Analysis consists of 3 stages:

1. Identify your business critical processes and analyse the impact of a system disruption to the processes.

This requires you to identify the business functions, processes or activities that are essential to your church and charity.

These are the processes that must continue even if there is a disruption.

Examples of essential business processes include payroll, paying for goods and services, fulfilling contractual payments, holding church services, delivering core charitable functions, finance function, HR services, data management and IT services.

You then assess how vulnerable your processes are to the threats you identified in the risk assessment step.

For example you may be more vulnerable to flooding if your site is located in a known flood risk area.

Or you may be reliant on a single supplier for a particular product or service, thereby making you more vulnerable to supply chain disruptions.

Look also for dependencies between processes to avoid overlooking any key processes.

You then need to determine the timing and for how long you can realistically continue without each, before the loss becomes unsustainable.

For example, a power outage during a church service can be tolerated for say, 5 minutes, but not for one hour.

Your Business Impact Analysis (BIA) should identify various timing and duration of disruptions, also known as recovery time objectives, and the operational and financial impacts resulting from the disruptions.

Impacts to consider include loss of income, reduction in church attendance, reputation damage, increased expenses, inability to operate, project delays, contractual penalties, regulatory non-compliance.

An easy way to obtain all this information is to ask leaders with good business knowledge across your church or charity structured questions via a questionnaire to gather the required information, assess gaps and compile the output.

2. Identify the resource requirements for recovery

You need to determine the resources that will be required to successfully recover from a disruption, such as staff, office space, supplies and IT infrastructure, and any third party services.

3. Identify the priorities for recovery

The business impact information gathered should be analysed to prioritise the order in which functions / activities should to be restored, starting with those with the greatest operational and financial impacts.

The output from the BIA provides the information required for developing the recovery strategies.  Here is a Business Impact Analysis template with an example.

Another by-product of the risk assessment and BIA is that it enables you to identify actions that you can take now to improve resilience in vulnerable areas and further reduce any impact from disruptions.

For example, you may decide to stop hosting IT servers on site and move your data and software applications to a cloud-based service.

This should be fed into your risk management processes as risk mitigating actions.

Step 3. Create Business Continuity Recovery Strategies

The third step is to develop recovery strategies showing how to restore critical business operations to a minimum acceptable level when a disruption occurs.

The recovery timings and durations in the BIA is used to inform the priority for recovery.

Resources required to implement the recovery strategies should be identified and analysed so that any gaps can be addressed.

Recovery strategies could include using another office location of your church or charity if your usual location is inaccessible.

This would mean analysing the resource requirements to make this happen, such as the people, space in the facility, IT and supplies required.

Reciprocal arrangements with other churches or charities or with third party suppliers could be considered where you don’t have alternative locations of your own.

In such cases, ensuring data protection, privacy and information sensitivity should be considered as part of the recovery strategy.

Remote working is another strategy to keep staff working when a physical office location cannot be accessed.

This was common practice during the Covid-19 pandemic.

It required the ability to connect securely into office systems, mobile IT equipment and effective online meeting and communication systems.

Manual workarounds should be considered for threats that may affect automated processes. E.g. use of manual forms to authorise purchases that is otherwise automated.

Recovery strategies should be robust and take a holistic view of business operations including people (staff, members, stakeholders), business processes, site & facilities, suppliers and third party service providers.

Once the recovery strategy options have been developed and documented, the BCP champion should obtain top leadership approval for the recommended options.

The approved strategies are then taken forward into the next steps.

Step 4. Develop and Communicate your Business Continuity Plan

The fourth step is to create a detailed business continuity plan that outlines the steps that will be taken to continue essential operations in the event of a disruption.

It is important that the documented plan is easy to access, understand and to quickly activate.

Therefore use checklists and concise guidelines rather than lengthy text.

Additionally, your focus should be on the recovering from the impact of disruptions rather than the type of disruption.

So for example, you would develop your recovery checklists for the inability to access your site, rather than for flooding (the cause).

The documented BCP should include:

Introduction

• What business continuity planning is all about, the scope and relevance of the BCP to your church or charity.
• Top leadership endorsement of the plan.

Organisation

• Structure, roles and responsibilities for the BCP team.
• The emergency response team required to lead, activate and manage the implementation of the business continuity plan.
• A contact list of all relevant personnel with roles and responsibilities in the implementation of the business continuity plan.
• Contact details and arrangements for contacting relevant third party providers such as managed IT service providers and relevant suppliers.

Recovery Actions

• The results of the business impact analysis (created in step 2) prioritising the order in which business processes should to be restored including recovery times for each.
• Guidelines, checklists, procedures, people and resources required to implement each of the recovery strategies identified in step 3.
• Any arrangements for use of alternative sites and resources required.
• Information Technology disaster recovery procedures covering data, networks, servers, desk computers, laptops, software, and data (or a reference to any separate document containing these).
• Manual workarounds agreed as part of recovery strategies, and the resources required.
• How to maintain health and safety through the recovery operations.

Incident management

• How to raise incidents
• How to activate the business continuity plan
• How to set up the emergency response operation
• Emergency response communications plan

Training, Testing and Exercising

• How often the BCP will be tested, types of tests/exercises and how test results should be applied.
• BCP training available and arrangements including frequency, who must be trained, and how often training should be refreshed.

BCP maintenance schedule

• Arrangements for continuous review and update of the BCP to ensure it remains viable.

You should communicate the BCP to everyone who will be impacted by it in your church or charity.

This includes staff, suppliers and stakeholders, so they know that you have a plan for continuity in the event of disruptions, and what to do when a disruption occurs.

Step 5. Carry out Training, Exercise and Test the BCP

The fifth step is to test and exercise the Business Continuity Plan to ensure that it will be effective in the event of an actual disruption.

By testing your BCP, you can identify any weaknesses and take steps to correct them. This will help ensure that your BCP is effective and can be relied upon when needed.

Staff and volunteers who have a role in the continuity of operations in the event of a disruption should be trained in their roles with regards to implementing the BCP.

Frequent exercising helps people subconsciously remember key elements of what to do, making real life activation easier.

To test your BCP, you can conduct regular exercises and simulations such as table-top exercises.

Real life testing is also crucial especially where recovery strategies involve using an alternate location or IT systems cutover.

The testing and exercising should have clear objectives.  Such objectives could include:

• Making sure roles and responsibilities are clear and work together effectively.

• Getting feedback from test participants to address any gaps and improve the BCP.

• Reinforcing the BCP requirements and associated resources; also a good means of reinforcing participants training.

• Confirming resources such as people, IT and supplies needed for effective response and recovery.

• Ensuring compliance with regulations and with safety requirements for people, premises, information and the environment.

• Confirming that the BCP continues to effectively respond to threats scenarios that your church or charity is exposed to.

• Demonstrating the effectiveness of the BCP and investment in developing it to top leadership.

The outcome of testing and exercising should be reviewed to identify strengths and weaknesses so that the BCP can be amended accordingly to ensure it remains viable.

Step 6. Maintain and Review

The final step is to regularly review and update the Business Continuity Plan to ensure that it remains relevant, viable and effective.

Maintaining your BCP is just as important as testing it.

Make sure to keep all contact information up-to-date and ensure that everyone involved in the plan knows their roles and responsibilities.

Conclusion

Churches and charities play a major role in the world economy, offering services to benefit humanity in a way no other sector of business or society does.

As the world becomes increasingly complex, the importance of being prepared for anything and everything has never been greater.

Churches and charities must have a plan in place to ensure continuity in the event of an unforeseen disaster.

By following the six steps to developing a solid business continuity plan, they can be reasonably assured of preparedness to weather any storm.

Read our other articles on

• why risk management is necessary in churches and charities ,
• 6 Steps to risk management in churches and charities
• 6 steps to developing a positive culture for effective church administration;
• good governance in church administration – 9 areas to get right.