BCP Steps: Objectives, Implementation, and Recommendations Services Suitable for All Types of Businesses

BCP Steps: Objectives, Implementation, and Recommendations Services Suitable for All Types of Businesses

A Business Continuity Plan (BCP) is an essential component of enterprise risk management. A BCP helps companies deal with emergencies such as natural disasters, fires, pandemics, cybersecurity crises, and so on. The main objective of a BCP is to ensure that the business can continue to operate or recover quickly after an interruption.

Today, all companies, including small and medium enterprises, must have a BCP in risk management. Preparing for disasters that may occur soon is a must. Here, we will explain the purpose of the BCP (Business Continuity Plan) which must be formulated in preparation for emergencies such as disasters, essential points that need to be considered, and concrete formulation methods using case examples.
 

What is BCP?

Business Continuity Plan (BCP) is a comprehensive strategy designed to ensure that company operations continue or recover quickly in the event of an emergency or disaster. BCP is not just a guideline but a holistic approach covering various business aspects.

In Indonesia, no independent body is tasked explicitly with tackling business crises. The existence of an independent body authorized to handle business crises is significant.

For example, in the United States there is the US Federal Reserve Board, and Singapore has the Monetary Authority of Singapore as an independent body that aims to develop strategic measures to tackle crises, which become guidelines for business people.
 

BCP and Disaster Management: What's the Difference?

The BCP (Business Continuity Plan) and disaster prevention objectives have fundamental differences. Disaster prevention focuses on protecting life and property, with plans emphasizing initial emergency response.

On the other hand, according to its definition, the BCP (Business Continuity Plan) aims to 'prevent business disruption'. Therefore, a BCP includes emergency response and a business recovery and continuity plan. Nevertheless, BCP and disaster prevention are closely related. Business continuity depends on protecting employees and company assets, which is a significant focus of disaster prevention.

Also, because BCP (Business Continuity Plan) aims for business continuity, there is a slight difference in the targeted threats. As the name suggests, disaster prevention seeks to prevent threats such as natural disasters or pandemics, but BCP is slightly different. This is because the factors that complicate business continuity are not only natural disasters. In recent years, in particular, small and medium enterprises have faced the threat of cyber-attacks, and we must also prepare for supply chain disruptions due to system failures and so on.


 

BCP and BCM Comparison: Scope and Focus

Business Continuity Management (BCM) is a strategic activity at the management level that includes routine activities such as formulating, maintaining, and updating BCP, securing budgets and resources to realize business continuity, implementing follow-up actions, conducting education and training to disseminate initiatives, inspections, and continuous improvement.

The above definition shows that BCP measures are part of BCM, a management strategy the company implements during normal conditions. BCM is a management strategy focusing on contingency planning related to business activities.

For example, in choosing critical operations, management needs to understand the nature and fundamentals of the company's operations. Securing human resources and budgets for business continuity in an emergency also requires reviewing the company's management resources and increased operational efficiency. This process also sharpens management leadership. Therefore, BCM, which includes BCP measures, should not be considered merely a 'disaster prevention plan'.


 

Main Objective of the Business Continuity Plan (BCP)

Companies face various challenges every day. As a result, the Business Continuity Plan (BCP) is often neglected, even though it is considered necessary. BCP is often postponed with the excuse that it will be done later. BCP requires a significant investment, so, unsurprisingly, many SMEs feel that it is impossible to achieve this.

This section will thoroughly explore the purpose of BCP and help you understand why BCP remains crucial for companies, even with large budgets.
 

Ensuring Employee Safety, Ensuring Business Continuity

In business management, the primary resources are people, money, goods, and information. However, of all these resources, people have the central role. Funds, equipment, and information would be meaningless without human resources capable of mobilizing and utilizing them. Therefore, employees are the most critical asset of a company.

Therefore, BCP is critical. The goal is to protect employees, because business continuity is directly related to their safety and welfare and business partners.
 

Building Competitive Advantage through BCP

Increasing the company's value in the long term requires various steps, such as increasing profitability, investment efficiency, and good financial management. However, one of the important keys that should not be overlooked is the existence of the right BCP measure. The right BCP measure can give investors’ confidence and increase employee engagement, ultimately increasing the company's value. The company's value is measured through the combined equity and debt values listed on the balance sheet, and is expressed in real numbers.


 

The Main Reason Why BCP Should Not Be Ignored

The importance of BCP measures is clear, but a survey reveals that small companies still lack BCP measures.

A survey by the Institute for Economic, Trade and Industry Research in Japan (April 2019) found that only 2% of companies with 20 employees or less have BCP. This figure increases to 11.3% for companies with 21 to 50 employees, 43.7% for companies with 301 to 1,000 employees, and 69.5% for companies with 1,001 or more employees.

The fact that most companies that went bankrupt due to the spread of the new coronavirus were small and medium-sized enterprises (SMEs) should not be related to whether or not they had a BCP. Here we highlight three reasons why SMEs in particular should have a BCP.
 

Minimize the Financial Impact of Disasters with Effective BCP

As mentioned earlier, BCM, including BCP, is part of a risk management strategy. By formulating a BCP, companies increase their preparedness for risk and awareness of risk management in their daily activities.

Therefore, the absence of a BCP reflects a lack of preparation for disasters, a lack of structured management under normal conditions, or the absence of a long-term vision. Small and medium enterprises (SMEs) often depend on their managers' leadership, where risk management may only be the responsibility of senior leaders. If this condition continues, crucial management issues will arise and cause business decline, even without a disaster.
 

Designing a Strong System for Emergencies

BCP (Business Continuity Plan) is not just a temporary measure to recover from a disaster. After the Great East Japan Earthquake in 2011, many Japanese companies began to develop Business Continuity Plans (BCPs). However, a Tokyo Shoko Research survey (2023) showed that up to 2022, eleven years after the earthquake, there were still 21 cases of earthquake-related bankruptcy, averaging 1.8 cases monthly. This figure indicates that even though some businesses were able to survive shortly after the disaster, weak management foundations eventually forced them to go out of business.

As in Japan, awareness of the importance of BCP in Indonesia increased after significant disasters, such as the 2004 Aceh earthquake and the 2006 Yogyakarta earthquake. However, many small and medium enterprises (SMEs) in Indonesia still have limitations in developing and implementing BCP.

By formulating and periodically reviewing the Business Continuity Plan (BCP), companies can continue to analyze their management and capital structures. This creates a solid foundation, is capable of withstanding emergencies, and guarantees long-term sustainability.


 

BCP's Value Add in Maintaining Company Reputation

One factor that can increase a company's value is CSR (Corporate Social Responsibility), which refers to the behavior of a company that is responsible to stakeholders, such as the community and shareholders.

The above survey reveals that one of the main reasons for the low implementation of Business Continuity Plans (BCP) among Small and Medium Enterprises (SMEs) is the belief that they will not be required to continue business operations after suffering severe damage due to disasters or other events. This perception reflects the lack of SME awareness of corporate social responsibility (CSR).

Failure to continue business activities does not only impact managers. Investors are naturally reluctant to invest in companies that do not have a business continuity plan in the event of a disaster. Furthermore, employee motivation will decline without management's commitment to maintaining business continuity.

On the other hand, companies with a strong Business Continuity Plan (BCP) will gain the trust of stakeholders. This trust can open access to loans with favourable terms, enabling companies to invest in capital to maintain operational continuity.


 

Disaster Priorities in BCP Planning

The purpose of the BCP (Business Continuity Plan) is to prepare companies to face various types of disasters, which can threaten physical (goods and people) and non-physical (information) assets. The following section will explain the three main types of disasters that need to be anticipated in the BCP.
 

Natural Disasters

• Earthquakes

The Meteorology, Climatology and Geophysics Agency (BMKG) has recorded a significant increase in the frequency of earthquakes in Indonesia in recent years. Since 2018, seismic activity has increased to more than 11,000 times per year, compared to an average of 4,000-5,000 events per year before 2016. In 2023, there were 219 earthquakes with a magnitude above 5.0 and around 10,570 small earthquakes.

Companies must consider the potential for widespread damage that earthquakes can cause to transportation infrastructure and lifelines in their BCP.

• Floods

Climate change has caused an increase in extreme rainfall in Indonesia, which has led to a spike in the frequency of major floods. The Meteorology, Climatology and Geophysics Agency (BMKG) has recorded a five-fold increase in the last decade, with the highest daily rainfall in Jakarta reaching 377 mm/day. The BMKG predicts that the intensity of rainfall will continue to increase, exacerbating the impact of flooding on communities and businesses.

In this digital era, many business activities depend highly on Information Technology (IT) systems. IT support infrastructure, such as electricity and water supplies, can be damaged when flooding occurs. As a result, networks and servers go down due to flooding and power outages.

• Pandemi

The COVID-19 pandemic has had a significant economic impact, especially for restaurants, accommodation, and tourism sectors, which have experienced a drastic drop in consumer demand. In addition, infection prevention measures, such as quarantine, disrupt supply chains in the manufacturing and other sectors, forcing restrictions on business operations, especially for small and medium enterprises (SMEs).
 

Threats from Human Actions

Human actions can cause various company disasters, including supplier bankruptcy, operational system failure, and cyber terrorism. Cyber terrorism is an act that damages a brand's reputation by spreading bad behaviours on social media or a cyber-attack that disrupts the company's operational system.
 

Cyberattack

The global socio-economic landscape has undergone significant changes, especially with the rise of large-scale teleworking in response to the COVID-19 pandemic. As the government-driven acceleration of digital transformation continues, the risk of cybersecurity attacks also increases exponentially.

The Indonesian government has formulated a National Cybersecurity Strategy (SKSN) to strengthen cybersecurity. This SKSN is a reference for all stakeholders in protecting the national digital ecosystem and improving cybersecurity capabilities. The Head of the National Cyber and Cipher Agency (BSSN), Hinsa Siburian, emphasized that cybersecurity includes policies that all government agencies and the private sector must implement.

The implementation of cybersecurity measures in Indonesia faces a significant challenge, namely the public's lack of understanding of the urgency of this issue. In addition, there is still a lack of trained cybersecurity professionals. To address this problem, the government has issued several policies, including the Personal Data Protection Act and the Government Regulation on the Implementation of Electronic Systems.


 

BCP Implementation on an International Scale

Companies worldwide increasingly realize the importance of Business Continuity Plan (BCP) measures. In the United States, BCP promotion efforts have been stepped up since the 2001 terrorist attacks, under the leadership of the Department of Homeland Security (DHS). One initiative is the 'Ready Business' program launched in 2004, which provides necessary BCP information and templates.

In addition, the global outbreak of the new coronavirus has also triggered awareness of the importance of BCP. For example, in February 2020, the Singapore Companies Authority published BCP guidelines called Business Continuity Planning Guidelines for COVID-19 at the pandemic's start. These guidelines cover various aspects, including personnel management, business processes, and supplier and customer management.


 

Implementation of BCP in Indonesia

Implementing the Business Continuity Plan (BCP) in Indonesia is increasingly crucial in facing various natural and non-natural risks. The main aspects of BCP implementation include regulation, operational independence, risk identification, and mitigation.

Regarding regulation and operational independence, the health sector is regulated by Regulation of the Minister of Health No. 75 of 2019, which requires hospitals to have operational continuity plans in emergencies, including risk management and robust IT infrastructure. The Ministry of Finance also implements BCP for treasury services, ensuring that budget disbursement continues even in the event of disruptions, through automation systems and reasonable service procedures.


Referance: https://djpb.kemenkeu.go.id/portal/id/berita/berita/nasional/3370-dengan-business-continuity-plan


Risk identification and mitigation are other essential steps. Implementing BCP involves analyzing potential risks, such as natural disasters or cyber-attacks, assessing impact and developing mitigation measures. Many institutions, including banks, conduct simulations and employee training on emergency response and post-disaster recovery procedures to test the effectiveness of their BCP.


 

Effective Steps for Developing a BCP

Once you understand the purpose and importance of the Business Continuity Plan (BCP) steps, you will realize the urgency of developing a BCP as quickly as possible. This is true even for Small and Medium Enterprises (SMEs) with limited resources and personnel. Although SMEs may face challenges in developing a BCP that is as comprehensive as a large company, they can still get started by following these basic steps.
 

Policy Decision Making

In developing a Business Continuity Plan (BCP), the top priority must be established, which is employees' physical safety and well-being. Although the main objective of BCP is business continuity, the humanitarian aspect should not be ignored. Employee safety is not only a moral obligation, but also a strategic move. Employees are a company's most valuable asset, and ensuring their safety will increase engagement and strengthen its overall value. By prioritizing employee safety in BCP measures, companies demonstrate a commitment to their welfare, ultimately positively impacting business continuity.
 

Designing an Effective Organizational Structure

The next step is to develop an effective organization and system based on established policies. This includes establishing an organizational structure that can work synergistically with various related departments. In this context, it is important to formulate a clear chain of command and define the roles and responsibilities of each department in detail, especially in emergencies. Management must take on the role of the main party responsible for coordinating the response to an emergency.

Although it is difficult to accurately predict every detail of an emergency, preparing a structured management chart is very important. This chart should divide the response into two main phases: 'initial response' and 'business continuity response'. The initial response focuses on quick and responsive action to minimize the immediate impact of the emergency. In contrast, the business continuity response aims to ensure that the organization's operations continue after resolving the emergency. Each entity and step implemented must be arranged chronologically in the management chart, making coordinating and implementing the necessary actions easier.
 

Understanding the Actual Conditions

In an emergency, business continuity cannot function as it would under normal conditions. Infrastructure damage and limited human resources are major obstacles. Therefore, the SME Agency in the Operational Guidelines for the Preparation of BCP (Business Continuity Plan) recommends identifying the core business as a top priority. This step is crucial to ensure the company continues operating with limited resources. The company needs to analyze the main focus that can be maintained as a practical guide, even if it only has 30% of normal resources. This analysis will help the company determine which services or products are most important to continue, making recovery efforts more effective.
 

Damage Impact Evaluation

The crucial first step for a company is to conduct an in-depth analysis of potential damage and the risks it may face. After identifying various disasters, companies must prioritize their readiness to deal with them, starting with the most likely ones. This priority can be determined by two main factors: the frequency of the possibility of a disaster occurring and the severity of the risk posed if the disaster occurs. This allows companies to focus on preparing for the most relevant and significant threats.


 

Countermeasures to Consider

Several concrete countermeasures are recommended in formulating and operating a Business Continuity Plan (BCP), especially for Small and Medium Enterprises (SMEs). First, set a realistic recovery time target for the core business in an emergency. Second, proactive discussions should be held with customers about the level of service that can be maintained during an emergency. Third, identify and prepare alternative measures that include business locations, production facilities, and supply procurement. By considering these aspects, SMEs can build effective and resilient BCPs.

Formulating a Business Continuity Plan (BCP) is not a one-time action. Rather, it is a continuous cycle that requires repetition for diagnosis, maintenance, and renewal. Even a BCP formulated at the management level will be nothing more than a “picture” if employees do not understand it or are unaware of its existence. Therefore, effective communication with employees is very important. Ideally, the company should create opportunities to make employees aware of the BCP, but also make the BCP an integral part of the organizational culture.
 

 

Outsourcing BCP: Service Provider Considerations and Choices

Among small and medium business owners, there may be those who do not know where to start in formulating BCP. Small and Medium Enterprises and other government agencies provide guidelines and templates for BCP formulation. Although using it as a reference is one way, asking an external party is also possible. Here, we will explain the parties that can be asked for BCP formulation if you want to ask an external party, the benefits and disadvantages, and the cases in which external requests are suitable.
 

Outsourcing Options for Business Continuity Plans

In preparing a BCP (Business Continuity Plan), companies can choose between professional BCP consultants and legal experts. BCP consultants offer specialized services with cross-industry experience, providing in-depth professional support at a higher cost. On the other hand, notaries, as legal experts, understand government policies and regulations, and offer more affordable costs. However, their expertise in the system may be limited. Therefore, companies must consider their needs before choosing the most suitable service provider.
 

Pros and Cons of Outsourcing

Outsourcing BCP preparation offers significant time-saving benefits, especially for SMEs often hampered by the busyness of day-to-day operations. By handing this process over to an external party, companies can overcome the time constraints that often delay BCP development.

However, it should be noted that outsourcing also has its drawbacks, namely the costs incurred. Nevertheless, various service providers are available, so companies can adjust their budgets and needs. It is essential to research and understand the services and cost-effectiveness of each provider before deciding to outsource BCP preparation.
 

Ideal Situation for Using BCP Outsourcing Services

Outsourcing BCP preparation is ideal for companies facing time or resource constraints. For companies busy with daily operations, outsourcing BCP allows them to speed up the preparation process and anticipate the risk of unexpected natural disasters or cyber-attacks.

In addition, companies that lack experts or in-depth knowledge of BCP measures can also utilize outsourcing services to ensure plans are developed comprehensively and effectively. Although costs are involved, this investment is worth the long-term security and business continuity.


 

Important Steps in Effective BCP Preparation

For small and medium enterprises (SMEs), preparing a BCP independently is often a challenge, especially amid the busyness of daily operations. However, effective BCP implementation can still be achieved with the right strategy. Here are three main points to consider
 

Evaluate Your Company's BCP Readiness

The crucial first step for a company in dealing with any issue, including BCP preparation, is understanding current conditions. A thorough evaluation is needed to identify the steps the company has taken. In particular, pay attention to the readiness of human resources, infrastructure, and risk mitigation measures against losing funds, information, and data.
 

Standardize Documentation with BCP Templates

Although BCP measures need to be tailored to the specific needs of the company, not all elements have to be developed from scratch. Given the similarity of measures in certain industries and business categories, companies can save on BCP preparation costs by utilizing available templates. Small and Medium Enterprises and Business Continuity Promotion Organizations provide guidelines and templates that can be accessed online for reference.
 

Focus on the Top Priorities of BCP

The main obstacle in preparing a BCP is the tendency to pursue perfection from the start. Especially for SMEs with little experience, attempts to immediately implement a comprehensive BCP often end in failure. A more effective approach is to start with simple and easy-to-implement steps. For example, backing up data to the cloud can be a significant first step in preventing data loss and forming the basis of a BCP. To help you get started, the next section will discuss recommended cloud services and backup tools.


 

Essential Steps After Formulating the BCP

Formulating the BCP is not the end of the process. An effective BCP requires continuous evaluation and renewal. Please don't be complacent with the BCP that has been created; review its contents periodically and adjust it to changing conditions. Also, ensure all employees and customers understand the BCP so it can be implemented smoothly in an emergency. Here are three important points to consider after formulating the BCP.
 

Detect and Fix Problems with Continuous Testing

Periodic testing of the Business Continuity Plan (BCP) is carried out to verify its effectiveness and identify potential problems. This process is based on the PDCA (Plan, Do, Check, Act) cycle, which ensures a systematic and continuous approach.

• Plan: BCP is formulated by identifying potential risks and developing mitigation strategies.
• Do: BCP is implemented through simulations or exercises, such as disaster evacuation drills.
• Check: Test results are evaluated to identify problems or deficiencies in BCP.
• Act: Corrective actions are taken based on the evaluation results, and BCP is updated as needed.

For example, in testing a disaster evacuation plan, the effectiveness of the evacuation method and route is checked. The identified issues are then used to update the BCP. After the update, the information is shared with all relevant parties to ensure readiness and a common understanding.
 

Continuous Training for Employees

Even a great Business Continuity Plan (BCP) will not be effective if only management knows it. Regular training is essential to ensure that all employees are prepared for disasters. This training familiarizes them with the guidelines and trains them to act calmly and quickly in emergencies.
 

Open Communication Strategy with Customers and Suppliers

Business continuity in a disaster depends on the company's internal efforts and close cooperation with customers and suppliers. Especially for large companies, collaboration with the entire supply chain is the key to success. Therefore, after compiling a Business Continuity Plan (BCP), sharing this information with customers and suppliers is very important. More than just sharing documents, try to communicate directly if possible, and build strong trust continuously.


 

Cloud Computing Best BCP Solution for SMEs

Small and Medium Enterprises (SMEs) often have difficulty implementing a Business Continuity Plan (BCP) due to limited resources. However, that doesn't mean SMEs can't do anything. The key is to focus on the core of the business and start with simple steps.

One effective first step is to use a cloud-based data storage solution. This solution helps ensure business continuity by minimizing the risk of data loss due to disasters. Implementing a cloud solution is relatively easy and affordable, requiring no large investments, special expertise, or complicated configurations. Thus, SMEs can start their BCPs gradually without having to achieve perfection right away.
 

Cloudmatika Cloud Backup as an Essential Service for Business Continuity Planning (BCP)

An effective business continuity plan (BCP) includes protection for two key assets: employees and information. Cloudmatika Cloud Backup is a comprehensive data protection solution designed to provide businesses with peace of mind from the various risks of data loss.

Cloudmatika Cloud Backup offers a comprehensive approach to data protection with the concept of “protecting and using data,” going beyond conventional backup functions. Through the “image backup” method, Cloudmatika replicates your entire system, including applications, files, user accounts, settings, and operating systems, enabling instant recovery in the event of data loss. This technology not only saves important files, but also the entire system, ensuring fast and efficient recovery in the event of a disaster, minimizing downtime and business losses.

The Disaster Recovery (DR) option allows direct switching to virtual machines in the cloud, ideal as a BCP measure for business continuity, with a free “failover trial” for regular backup plans. Data security is guaranteed with military-grade encryption (AES-256) before upload and during transfer, as well as AI-based Active Protection that detects and prevents ransomware attacks, both known and unknown.



With prices starting from IDR 220,000 per month (including tax), Cloudmatika Cloud Backup offers exceptional flexibility. You can easily adjust the storage capacity according to your business needs, and choose between a monthly or annual contract. Various additional licenses are also available to meet your specific needs.

With Cloudmatika Cloud Backup, you get a data backup service and invaluable peace of mind.

24/7 customer support and a 99.98% SLA guarantee further strengthen Cloudmatika's commitment to reliable service. With Cloudmatika Cloud Backup, businesses can focus on growth without worrying about the risk of data loss.