Business Continuity Planning
A business continuity plan is essential to help you prepare for any serious incident or emergency that could prevent your business from operating normally. A good plan will help you work as effectively as possible if a serious incident occurs, such as a flood, fire or IT systems failure.
In this guide, we look at why you need a business continuity plan, how to create one, and how you can test how your business might cope in an emergency.
Why do you need a business continuity plan?
Business continuity management is a process that identifies potential threats to your business and the impact that these threats would have on your operations if they were to occur.
If you have a continuity plan in place, you will be better prepared to cope in a crisis and should be able to minimise disruption to your business and your customers. A robust plan will also help increase resilience within your business, as well as protect your interests, brand and reputation.
Several potential emergencies could have an impact on your business. For example:
- Failure of IT systems as a result of cyberattacks.
- A personal data breach.
- Loss of key staff.
- Problems caused by extreme weather conditions.
- Employee health and safety incident.
- Theft of equipment or stock.
- Terrorist attack.
Assessing the risks to your business
Before designing a continuity plan, you should look at the likelihood of particular incidents occurring and how often this could happen.
Make a list of potentially serious incidents or points of failure that could affect your business, no matter how remote the chances are of them occurring.
Next, assess how each particular occurrence may affect your business. This will help you to determine what you would need to do if one of these things actually happened.
You will need to review which operations are essential for the day-to-day running of your business. You will need to plan for how you will ensure these vital functions keep going.
As well as reviewing your plan regularly, you should also review the risks your business faces. For example, if you change your system to enable staff to work from home, having remote network access may increase the risk of a cyberattack.
What should be in your plan?
There are two critical parts to the planning process:
- The incident management phase (who does what to protect lives and property when the business interruption happens).
- The business recovery phase (who does what to get the business back on its feet again).
Your plan should include details of:
- Immediate actions that you should take, for example contacting the emergency services and key members of staff.
- How staff will communicate, including who will be responsible for contacting who, and how often they will share updated information about the situation.
- A map of the layout of your premises to help the emergency services. This should show fire escapes, extinguishers, sprinklers and so on.
- Which business functions you need to get up and running, in which order and how you will achieve this.
- What resources you will need to get priority functions operating.
- What each individual’s role will be if there is a disaster or emergency.
- Alternative premises that you can use in case of emergency.
- Where and how you back up critical data and information, and instructions for how to access those backups.
- Contact details of anyone that needs to be notified, such as insurance companies, customers, suppliers, the local council and utilities providers.
- Service providers that can help in the event of an emergency, including plumbers, electricians and locksmiths.
The plan should be written down and kept securely. To ensure that it can still be accessed when IT systems on the premises are unusable, copies of the plan (and other essential documents) should be stored off-site, for example by using a cloud-based backup service or by keeping them on a smartphone or a hard drive at your home. You should also make sure your employees are aware of the plan.
In addition to the plan, you could keep an emergency pack that contains other essential items that you might need after an emergency. This should be kept off-site by a key member of staff with designated responsibility for business continuity.
The emergency pack could contain:
- Your business continuity plan.
- A list of employees and their contact details.
- An inventory of business equipment.
- A camera (to photograph any damage to property in case evidence is required by your insurance assessors).
- Spare office keys and access codes.
- Business stationery, letterhead and business cards.
- A first-aid kit and any safety equipment you might need after an incident, such as high-visibility vests and hazard warning tape.
Testing and reviewing your plan
Business continuity plans should be tested regularly and at least annually. This could involve a simple paper exercise, including a run-through by the people involved. Think about the emergencies that are most likely to affect your business and run through the plan for each type of event.
A full test may involve the simulation of an emergency. This may be costly and will probably disrupt your normal activities, so if you decide to carry out such a test, you should carefully plan and budget for it.
Suppose your business’s circumstances change, for example you move premises or increase in size. In that case, you must review the plan and ensure that it still contains the correct steps to deal with an emergency.
Preventing emergencies and minimising their impact
There are several things you can do to minimise the impact of potential disasters:
- Keep essential paper documents in reinforced metal filing cabinets to prevent fire damage. Try to minimise paper use, and keep copies of important documents off the premises.
- Protect your IT systems by installing antivirus software, regularly backing up your data and maintaining IT equipment.
- Reduce dependence on single members of staff.
- Make health and safety a priority. Ensure that equipment is maintained and that you carry out regular safety checks on business equipment.
- Make sure you have a qualified first-aider on the premises.
- Make sure your business is adequately insured.
Hints and tips
- Consider whether any of your staff will need special training to be able to fulfil their responsibilities in an emergency.
- Contact your customers as soon as you can after an incident to reassure them and keep them updated about when the business will be operational again.
- As well as reviewing your plan regularly, you should also review the risks your business faces. For example, if you change your system to enable staff to work from home, having remote network access may increase the risk of a cyberattack.
DISCLAIMER While all reasonable efforts have been made, the publisher makes no warranties that this information is accurate and up-to-date and will not be responsible for any errors or omissions in the information nor any consequences of any errors or omissions. Professional advice should be sought where appropriate.
Business Ready Podcast
A new series of podcasts focused on business resilience.
Cybersecurity and Preventing Phishing Attacks
Advice and tips on spotting and preventing phishing attacks.