Business Continuity Planning
Introduction All businesses face the risk of experiencing sudden disruptive events that prevent them from carrying out their normal operations. Examples include extreme weather, cyber incidents, supply chain failures and the loss of a key employee. Some businesses fail because they are unable to recover from the disruption caused by a single event.
Business continuity planning is a way for a business to increase its ability to survive and recover from disruptive events. It involves identifying the types of event that potentially threaten the business and developing step-by-step procedures and checklists for dealing with these events, so that the business can continue to operate as effectively as possible.
This factsheet provides an introductory explanation of business continuity planning, including how to identify and assess potentially disruptive events, and what to include in a business continuity plan. It also explains the importance of regularly testing and reviewing the plan.
Identifying possible disruptive events
The first step in making a business continuity plan is to carry out a comprehensive assessment aimed at identifying possible events that may threaten the continuity of the business. The assessment also involves working out what impacts these events are likely to have on key business operations and determining the steps that need to be taken to reduce these impacts.
To carry out the assessment, it can be useful to list all of the key areas in which the day-to-day running of the business could be vulnerable to disruption.
For example:
Premises.
Employees.
Customers.
Suppliers.
Finances.
IT equipment and communication networks.
Other equipment, such as vehicles, tools and machinery.
Legal compliance.
Examples of possible disruptive events Common threats that may be revealed by the assessment include, for example:
Cyberattacks leading to failure of IT systems.
A personal data breach, such as accidental disclosure of customers' names, addresses or payment methods.
Loss of key employees through resignation, death or sudden illness.
Legal issues, for example being taken to an employment tribunal or facing enforcement action from a regulatory body.
Flood or fire damage to premises and equipment.
Utility outage (broadband, gas, electricity or water).
A break in the supply chain - for example, a main supplier goes out of business.
Health and safety incident.
Loss of an essential business licence or professional accreditation.
What to include in the plan The contents of a business continuity plan will vary widely, depending on the particular threats that each business faces, and on the size and complexity of the business.
However, business continuity plans typically include the following information:
A list of the potentially disruptive events that have been identified during the assessment.
For each of these possible events, information about the procedures that must be followed to enable the business to survive and recover. This information normally includes:
A checklist of all the actions that need to be taken.
The roles of key staff members in carrying out these actions.
The timescales that need to be followed.
Contact details of anyone that needs to be notified, such as insurance companies, customers, suppliers, the local council and utilities providers.
Service providers that can help in the event of an emergency, for example plumbers, electricians, IT support services and solicitors.
A logbook to record actions taken and expenses incurred. This will be helpful if an insurance claim needs to be made, and will provide useful information for reviewing and improving the plan in future.
Testing the plan Business continuity plans should be tested and reviewed regularly. This could involve a simple paper exercise, for example checking and updating contact details included in the plan. Alternatively, it could involve a run-through of the main actions required in the plan, involving all employees who have responsibilities for these actions.
If the plan is ever used to deal with a real incident it is important to learn as much as possible from the experience and use it to improve the plan where necessary.
If the circumstances of the business change, for example moving into new premises, it is important to review the plan and ensure that it still covers the correct steps.
Contact Ashored for more information and support on Business Continuity Planning.