Any business can experience a serious incident, emergency or disaster that prevents it from continuing its normal operations. Examples include floods, fires, electricity failures, broadband and communication network failures, terrorist attacks and major disruptions or suspensions to local transport networks.
This article explains how to make a continuity plan to ensure that a business can operate as effectively as possible if a serious incident occurs. It looks at why you need a business continuity plan, what the plan should contain, how to identify risks to your business and prepare for an incident, and how you can test how your business might cope in an emergency.
What is a business continuity plan?
Business continuity management is a process that identifies potential threats to a business and the impact that these threats would have on its operations if they were to occur. It provides a framework for increasing resilience within the business and creating an effective, planned response to threats in order to safeguard the interests of its key stakeholders, its brand and reputation.
A business continuity plan describes the practical steps your business needs to follow if a particular problem arises.
The planning process involves:
- Identifying your critical activities.
- Identifying potential threats, disasters or emergencies.
- Looking at how you can minimise risks.
- Deciding how you plan to react if a disaster or emergency occurs.
Why do you need a plan?
If you have a continuity plan in place, you will be better prepared to cope in a crisis, and should be able to minimise disruption to your business and your customers. In addition, it may reduce the costs of your business insurance.
There are a number of potential emergency situations that could have an impact on your business, for example:
- Failure of IT systems as a result of cyberattacks or faulty equipment.
- Pandemics such as COVID-19.
- A personal data breach, such as theft or accidental disclosure of customers' names, addresses or payment methods.
- Loss of key staff, for example through death or sudden illness.
- Problems caused by extreme weather conditions (including flood damage to premises and equipment).
- Utility outage (gas, electricity or water).
- Negative publicity.
- A break in the supply chain for any reason - for example, a main supplier goes out of business.
- Employee health and safety incident.
- Theft of equipment or stock.
- Terrorist attack disrupting local transport and access, particularly if the business is located in a city centre.
It is also important to think about emergency situations that could arise in the neighbourhood of your business and in the local infrastructure. How would a fire in neighbouring premises affect your daily operations? If most of your staff rely on a certain train station to get to work, what would you do if the station was closed or the service was disrupted for a significant period of time?
Assessing the risks
Before designing a continuity plan, you should look at the likelihood of particular incidents occurring and how often this could happen.
Make a list of potentially serious incidents or points of failure that could affect your business, no matter how remote the chances are of them occurring.
Next, assess how each particular occurrence may affect your business. This will help you to determine what you would need to do if one of these things actually happened. You will probably need different plans for different circumstances, and the detail and contents of the plans will depend on the likelihood of the event occurring and its potential impact on your business.
You will need to review which operations are essential for the day-to-day running of your business. Although all parts of your business serve an obvious function, some operations are critical to keep it trading, and you will need to plan for how you will ensure these critical functions keep going.
Set a series of 'recovery point objectives' for these functions to assess how critical they are and how you might deal with losing them. For example, if access to your IT systems is one of your critical recovery points, consider issues such as:
- Which IT systems are essential to your business operation?
- How long can you be without them?
- What are the methods of restoring access to these systems?
- What are the risks and timescales associated with these methods?
This is a useful way of identifying which of your business operations are critical, and putting into perspective the importance of implementing systems and procedures to resurrect them.
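The four questions above can be recorded as a small register and checked mechanically. The script below is an added example, not part of the original article: each critical system carries the longest outage the business can tolerate and the candidate restore methods with their estimated timescale and risk; the report picks the lowest-risk method that restores in time, and flags any system for which no method does, which is exactly the gap the plan must close. All system names, figures and risk ratings are constructed for illustration.

```python
"""Recovery-objective gap check for a continuity plan (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class RestoreMethod:
    name: str
    hours_to_restore: float  # estimated time to get the system back
    risk: str                # "low", "medium" or "high"


@dataclass
class CriticalSystem:
    name: str
    max_hours_without: float  # the article's "how long can you be without them?"
    methods: list = field(default_factory=list)


RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def best_method(system):
    """Lowest-risk method that restores within the tolerable outage, or None if there is a gap."""
    feasible = [m for m in system.methods if m.hours_to_restore <= system.max_hours_without]
    if not feasible:
        return None
    return min(feasible, key=lambda m: (RISK_RANK[m.risk], m.hours_to_restore))


def gap_report(systems):
    """Map each system name to the chosen method name, or None where the plan has a gap."""
    report = {}
    for s in systems:
        m = best_method(s)
        report[s.name] = m.name if m else None
    return report


def ordered_by_urgency(systems):
    """Systems with the shortest tolerable outage first: the order in which to restore them."""
    return [s.name for s in sorted(systems, key=lambda s: s.max_hours_without)]


# Constructed sample register for a small business
SAMPLE = [
    CriticalSystem("order processing", 4, [
        RestoreMethod("fail over to cloud replica", 1, "low"),
        RestoreMethod("rebuild from nightly backup", 12, "medium"),
    ]),
    CriticalSystem("email", 24, [
        RestoreMethod("provider-hosted mailbox restore", 6, "low"),
    ]),
    CriticalSystem("accounts package", 8, [
        RestoreMethod("rebuild from weekly backup", 48, "high"),  # too slow: a gap
    ]),
]

if __name__ == "__main__":
    for name, method in gap_report(SAMPLE).items():
        print(f"{name}: {method or 'NO METHOD MEETS TOLERABLE OUTAGE'}")
    print("restore order:", ordered_by_urgency(SAMPLE))
```

Running it shows the accounts package as a gap: its only restore method takes 48 hours against a tolerable outage of 8, so the plan needs either a faster method or a decision that the business can in fact trade longer without it.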
To decide what impact an incident might have on your business, think about some worst-case scenarios and how they might affect you.
Look at the impact that a disaster would have from the point of view of the customer. How would they expect you to react? Would they turn to your competitors instead?
Assessing the risk of a data security breach
Any business that handles personal data (such as employee or customer records) faces the possibility that the data may be accessed without permission, for example during a cyberattack. Depending on the type of personal data that a business handles, it may be legally required under the General Data Protection Regulation (GDPR) to carry out a data protection impact assessment to identify and minimise the risks to individuals whose data the business holds.
For more information about when a data protection impact assessment is legally required and what it should involve, go to https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/.
Even where an impact assessment is not legally required, it is good practice for a business to carry one out as part of its continuity planning. Key objectives to plan for include making the data secure again, providing information to the people whose data has been affected, and dealing with the reputational damage that may result from the data breach.
Some serious personal data breaches must be reported to the Information Commissioner's Office within 72 hours. For more information, go to https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/.
What should your continuity plan contain?
There are two key parts to the planning process:
- The incident management phase (who does what to protect lives and property when the business interruption happens).
- The business recovery phase (who does what to get the business back on its feet again).
In a very small business, these tasks may be carried out by the same person. However, the activities are still different.
Your plan should include details of:
- Immediate actions that should be taken, for example contacting the emergency services and key members of staff.
- How staff will communicate, including who will be responsible for contacting whom, and how often they will share updated information about the situation.
- A map of the layout of your premises to help the emergency services. This should show fire escapes, extinguishers, sprinklers and so on.
- Which business functions you need to get up and running, in which order and how this will be achieved.
- What resources you will need to get priority functions operating.
- What each individual's role will be if there is a disaster or emergency (Who will be responsible for dealing with any media enquiries? Who will deal with the insurance company? etc.). Define the role of each member of staff involved in the plan and appoint a deputy for each key person named in the plan.
- Alternative premises to be used in case of emergency. Can you make reciprocal arrangements with other local businesses to share premises temporarily if a disaster occurs?
- Where and how key data and information is backed up, and instructions for how to access those backups.
- Contact details of anyone who needs to be notified, such as insurance companies, customers, suppliers, the local council and utilities providers. These details should be checked and updated regularly.
- Service providers that can help in the event of an emergency, including plumbers, electricians and locksmiths.
A checklist approach will be helpful as key steps can be easily identified and this will enable you to tick things off once they have been done. Set key milestones to achieve and a time limit for each milestone. Remember that your plan should cover what will happen in each different set of circumstances.
The plan should be written down and kept securely. To ensure that it can still be accessed when IT systems on the premises are unusable, copies of the plan (and other essential documents) should be stored off-site, for example by using a cloud-based backup service, or by keeping them on a smartphone or on a hard drive at the business owner's home.
A printout of the plan can be kept on your premises in a fireproof safe, and there could also be printed copies kept away from the premises by key members of staff.
Make sure that all staff are aware of, and familiar with, the plan. You could keep a copy in your staff handbook, on a noticeboard or in a part of your computer network that is accessible to all staff.
In addition to the plan, you could keep an emergency pack that contains other essential items to be used after an emergency. This should be kept off-site by a key member of staff with designated responsibility for business continuity.
The emergency pack could contain:
- Your business continuity plan.
- A list of employees and their contact details.
- An inventory of business equipment.
- A camera (to photograph any damage to property in case evidence is required by your insurance assessors).
- Computer backup drives.
- Spare office keys and access codes.
- Business stationery, letterhead and business cards.
- A first-aid kit and any safety equipment that might be needed after an incident, such as high-visibility vests and hazard warning tape.
Testing and reviewing your plan
Business continuity plans should be tested on a regular basis and at least annually. This could involve a simple paper exercise, including a run-through by the people involved. Think about the emergencies that are most likely to affect your business and run through the plan for each type of event.
A full test may involve the simulation of an emergency. This may be costly and will probably disrupt your normal activities, so if you decide to carry out such a test, it must be carefully planned and budgeted for. Try to reproduce authentic conditions as far as is feasible. Record the procedures and results of the plan and use this to review and fine-tune it if necessary.
If your plan is ever used to deal with a real incident, learn as much as you can from the experience and refine your plan to reflect improvements that could be made.
If your business changes premises or grows in size, you must review the plan and ensure that it still contains the correct steps to deal with an emergency.
Preventing emergencies or disasters and minimising their impact
There are several things you can do to minimise the impact of potential disasters:
- Keep important paper documents in reinforced metal filing cabinets to prevent fire damage. Try to minimise paper use, and keep copies of important documents off the premises.
- Protect your IT systems by installing antivirus software, regularly backing up your data and maintaining IT equipment. Keep backup data away from your business premises or pay an IT service provider to back up your data to an off-site server.
- Reduce dependence on single members of staff.
- Keep records of your business's systems and procedures. The ideal situation is to have each key process supported by a standard operating procedure, which names a second contact to carry out the task if a member of staff is unavailable.
- Review stock levels and alternative suppliers.
- Make health and safety a priority. Ensure that equipment is maintained and that regular safety checks are carried out on business equipment.
- Make sure you have a qualified first aider on the premises.
- Make sure your business is properly insured. Consider taking out 'key person' insurance.
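A backup only protects the business if it is recent enough and still intact when it is needed. The script below is an added example, not part of the original article, of the routine check a continuity plan should schedule for its off-site backups: it records a SHA-256 hash of each backup file in a manifest when the backup is taken, then later confirms that the newest backup is no older than the limit you set and that every file still matches its recorded hash. The backup files, their contents and the timestamps are constructed in a temporary directory so the example runs offline.

```python
"""Off-site backup freshness and integrity check (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
import time


def sha256_of(path):
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, files, taken_at):
    """Record the hash of each backup file alongside the time the backup was taken."""
    manifest = {
        "taken_at": taken_at,
        "files": {name: sha256_of(os.path.join(backup_dir, name)) for name in files},
    }
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)


def check_backup(backup_dir, max_age_hours, now=None):
    """Return (ok, problems); problems lists a stale backup and any missing or altered files."""
    now = time.time() if now is None else now
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    age_hours = (now - manifest["taken_at"]) / 3600
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f}h old, limit {max_age_hours}h")
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_of(path) != expected:
            problems.append(f"altered: {name}")
    return (not problems, problems)


def demo():
    """Build a constructed backup set, then check it fresh and again once stale and altered."""
    with tempfile.TemporaryDirectory() as d:
        sample_files = {"customers.db": b"constructed customer data", "ledger.csv": b"a,b,c\n"}
        for name, data in sample_files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        taken = 1_700_000_000  # constructed backup timestamp
        write_manifest(d, list(sample_files), taken)
        fresh = check_backup(d, max_age_hours=24, now=taken + 3600)
        # Simulate a corrupted file and a backup that has fallen behind the 24h limit
        with open(os.path.join(d, "ledger.csv"), "ab") as f:
            f.write(b"tampered\n")
        stale_and_altered = check_backup(d, max_age_hours=24, now=taken + 48 * 3600)
        return fresh, stale_and_altered


if __name__ == "__main__":
    for label, (ok, problems) in zip(("fresh", "stale/altered"), demo()):
        print(label, "OK" if ok else problems)
```

The age limit is the link back to the recovery objectives set earlier: if a critical system can only be down for eight hours, a backup that is 48 hours old will not restore it to a usable state, and this check is what turns that requirement into an alert before an incident rather than a discovery during one.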
Hints and tips
Consider whether any of your staff will need special training to be able to fulfil their responsibilities in an emergency.
If your business is involved in an emergency, you could consider hiring an insurance assessor. These are independent of insurance companies and will negotiate with insurers to get you a better settlement. In return, they receive a percentage of the insurance payment.
Contact your customers as soon as you can after an incident to reassure them and keep them updated about when the business will be operational again.
As well as reviewing your plan regularly, you should also review the risks your business faces. For example, if you change your systems to enable staff to work from home, providing remote network access may increase your exposure to cyberattack.