How do I create a Business Continuity Plan?
Business Continuity Plans (BCPs) come in all shapes and sizes depending on the size and type of organisation, and the response plan they choose to follow, but they all start from the same basic principles.
The Business Continuity Institute (BCI) has recently published a set of Good Practice Guidelines which can be helpful in contingency planning for any type of organisation. The Institute explains this as a ‘lifecycle’ which is a continuous process and should change as your business grows and develops. This lifecycle (taken from the international standard ISO 22301) looks like this:
You can find out more about the lifecycle from the Business Continuity Institute, but at the very least, a small business should start by identifying the critical or time-sensitive areas of your business which, if affected, would cause huge disruption.
This is called a Business Impact Analysis and should focus on the effects, rather than the cause. This can generally be narrowed down to five types of effect; loss of:
- People – What minimum staff levels, skills or expertise must you maintain?
- Premises – What buildings, facilities or equipment are essential?
- Processes – What IT, documentation or communications could you not do without?
- Providers – Do you have any reciprocal agreements or external suppliers?
- Profile – Who are your stakeholder, what are you legal duties and are you responsible for any vulnerable groups?
Speak directly to each area of the business and get your colleagues and employees to tell you what they think is important in their area of expertise, as you may not know everything which could be important.
To successfully define all of your time-sensitive areas, ask yourself and your colleagues questions like; what if…
- The electricity supply failed?
- Our IT networks went down?
- Our telephones when down?
- Our key documents were destroyed (e.g. in a fire or flood)?
- Our customers could not contact us?
- Suppliers could not supply us?
- Our customers could not pay us?
- We could not pay our suppliers?
- We could not access our premises?
- Our staff suddenly walked out (e.g. from industrial action or a lottery win)?
How long would it take for one of these to really damage your business; minutes, hours, days, or weeks? For example, you may need your IT or telephones back up within minutes, but you may be able to cope for a few weeks if your customers could not pay an invoice.
Within this process you should decide the minimum level of service you want to return to following a disruption (known as “business as usual”), and how quickly you need to get there (before things start to really go wrong!)
Define your strategy
Whatever kind of business you are, once you have identified your risks, you need to choose a strategy for each one. In general you have four options, known as TEAM:
- Transfer - pass on responsibility to a 3rd party supplier or with insurance;
- Eliminate - remove risk altogether by changing the way you do business;
- Accept - just deal with it, as sometimes you can’t change anything or it costs too much;
- Mitigate - change your practices or process, e.g. implement data backups or new safety measures to reduce the risk.
This part of your plan your plan should explain your response if any area of business is affected by a disaster. Keep it simple and focus on the response to the effect (e.g. loss of premises) and not the cause (e.g. flood).
Maintaining your plan
Your plan must be communicated to everyone in the organisation and not just kept on a shelf to gather dust. The first time someone reads the plan should not be once a disaster has occurred!
If you need some more guidance on where to begin, Harlow Council's Property and Facilities team can point you in the right direction on 01279 446655, or visit some of the many online resources under external links to help you develop your BC plan.