Be Prepared: A Step by Step Guide to Creating a Business Continuity Plan

May 01, 2020

In the aftermath of 9/11, many businesses realized that they needed to address their plans for keeping business operations up and running in the wake of a disaster. The current coronavirus crisis is even more widespread, and no person or organization is unaffected. If you’re not thinking about disaster recovery and business continuity for your nonprofit, don’t miss this chance to capture what you’ve learned in the immediate scramble. Completing a business continuity and disaster recovery planning process might be a silver lining in a pretty significant COVID-19 cloud.

Business continuity planning takes a lot of forms. For example, just because you’re a nonprofit doesn’t mean you’re not a significant operation—think about the volume and dollar total of the gifts you receive annually, or the number of gift annuities you administer for your donors. Consider the value of the services you provide, and the size of your audiences. Your planning and preparation should be commensurate with the scope of your fiduciary responsibility and mission.


It can seem overwhelming to consider all the ways things can go wrong, but following a methodology can break it down into a more manageable task. The first step is to conduct a business impact analysis. This involves taking an in-depth look at your operations to take an inventory of essential business processes and activities. These are the things that, if you weren’t able to do them you would no longer be around. Consider activities that are time sensitive, as well as those that are mission-critical. For nonprofits, this might be receiving gifts, submitting grant proposals, keeping up with grant deliverables to continue the flow of awarded grant revenue, running a weekly food bank distribution, or other vital operations.


Once you’ve identified the essential business activities, drill down into each activity and identify the people, systems, outside vendors, locations, and beneficiaries of those activities. Anything that touches the process, from the post office delivering checks, to the bank receiving the deposit, to the person who opens the mail, to the database that you record the gift in, is in scope.

Now comes the fun part (if thinking about the worst possible scenarios is your idea of fun!). Contemplate the various ways that your essential business processes could be interrupted. You don’t have to be grimly specific on this assessment. Typical considerations include: loss of key personnel, loss of access to facilities, loss of access to systems, loss of data, loss of systems, loss of facilities, changes in key constituencies, and so on. You may also want to consider other kinds of emergency situations that might arise. Unfortunately thinking about an active shooter, a fire while your employees are in the building, tornado warnings, or other urgent situations, is an important part of your planning.


With a list of the people, systems, and activities that you’re trying to protect and sustain, and a list of the disasters that might befall them, you’re ready to think through how you will address your risk. In each case you should have plans that will prevent, mitigate, and/or restore those functions. These plans need to be really detailed—for example, if a person with basic knowledge of your operations was placed in front of a brand new computer straight from the factory, what steps would they need to follow to be processing gift transactions? Who would they need to call within your organization, your vendors, the off-site backup storage facility, the post office, or anyone else who has a role to play in your vital business operations?


After you’ve written down your detailed instructions, it’s time to test. For example, if your plan says that you’ll restore access to your core fundraising database by restoring it from backup, your testing should follow the step by step instructions in the plan for obtaining the backups, working with your hosting vendor, setting up the software, restoring the data, determining what the restore point is, and then re-entering the transactions between the restore point and today, and so on. Your testing strategy should be like a game of “Simon Says”—and your plan is Simon. If the plan doesn’t include the specific steps to complete a business function, then those steps need to be added. Your first few test runs will uncover things that your initial impact analysis didn’t consider.

A business continuity plan is a living document that requires maintenance and testing. You should test it at least semi-annually. Your core disaster response team should each have a PAPER copy of the plan offsite, and those paper plan documents need to be updated after every testing round so that everyone always has the latest version of the document.

Like any form of insurance, you hope you never need to use your business continuity plan. But when you do need it, you’ll have the advantage of a roadmap to return you to whatever “normal” is on the horizon.

If you have any questions about creating a Business Continuity Plan, please email us at We are here to help.

Sabra Aaron has worked in nonprofit technology for more than 20 years, and managed the initial disaster recovery and business continuity planning, documentation, and testing activities for a top-five higher education fundraising organization in the wake of 9/11.