Business Continuity Planning Checklist

List the operations the store cannot lose for more than a few hours: POS and payment authorization, e-commerce fulfillment / BOPIS, receiving and replenishment, loss prevention CCTV/EAS, scheduling and timekeeping. Tie each to a comp-sales impact estimate so leadership can rank them.

Cover the scenarios retailers actually hit: POS database corruption, payment processor outage, internet/WAN loss at store, ransomware on back-office, hurricane/wildfire closure, organized retail crime spike, DC fire, key supplier bankruptcy. Score each on probability × dollar impact per day of downtime.

Include fitting-room and stockroom sweeps, designated assembly points in the parking lot, and a manager headcount procedure. Reference state OSHA emergency action plan requirements and post the diagram in the back-of-house.

Rotate drills across opening, mid-day, and closing shifts so every key holder participates at least once per year. Document who attended in the training log; LP audits this annually.

For Lightspeed, NCR Counterpoint, Heartland, or whichever platform: confirm nightly database backups run, are encrypted at rest, and replicate offsite. PCI DSS scope requires retention and access logging — document both.

When the processor or WAN drops, cashiers fall back to store-and-forward mode or manual imprinter for high-value sales. Write the exact register prompts, the dollar cap, and the reconciliation steps once connectivity returns — cashiers will not improvise this correctly.

Restore last night's backup to a test environment, log in, run a test transaction, and verify the price book and tax tables loaded cleanly. Unverified backups are the most common reason a retailer discovers their recovery plan never worked — only at the worst possible moment.

Capture personal phone, secondary phone, and email for every store manager and ASM in Beekeeper, Reflexis, or whichever store-comms tool you use. Test annually — turnover invalidates ~25% of contacts each year.

One named spokesperson plus one alternate. Store managers and associates redirect all press, social, and breach inquiries to the spokesperson — written into the BCP and reinforced in training.

For the SKUs that drive the most comp sales, document a secondary vendor with confirmed lead times and minimums. Single-source dependency on overseas suppliers is the single most common BCP gap retailers find when they audit.

If your DC goes dark, who picks up the ship-from-store volume? Get written response-time commitments from your 3PL and a backup carrier (UPS ↔ FedEx ↔ USPS) so e-commerce continues during a DC outage.

One 45-minute session per district. Cover the first-hour actions: stop the bleeding, count people, notify the IC, switch to offline procedures if applicable. Managers leave with a laminated card kept at the safe.

Every new key holder, ASM, and store manager completes a short module within their first 30 days. The associate-level version covers evacuation and active-threat only; managers get the full plan.

Use a realistic scenario — ransomware encrypts the POS database on Black Friday morning, or a hurricane closes 12 stores for a week. Two hours, role-played, with a facilitator capturing decisions and gaps.

Pick a low-traffic Tuesday at one pilot store. Kill the POS network connection at 10 AM and observe: do cashiers switch to offline mode? Does the manager call the right number? Time how long until first transaction recovers.

Annual review with Director of Operations, VP Stores, IT, LP, and HR. Walk every section; mark sections that need rework before next year's run.

New POS platform, new DC, new e-commerce channel, new predictive-scheduling jurisdiction, new PCI DSS version — any of these invalidates parts of last year's plan. Sweep the diff and rewrite the affected sections.