Business continuity and crisis management
Create a business continuity plan
A business continuity plan is a document that sets out how business processes will continue during a time of emergency or crisis. It is a blueprint for restoring vital business activities appropriately, and in good time, if disruption occurs.
How do you write a business continuity plan?
The basis for business continuity planning are often two linked, but distinct practices:
- the risk assessment - which shows you what kinds of incidents you might face
- the business impact analysis (BIA) - which identifies recovery times for key activities
The BIA sets the priorities and deadlines for the activities in the plan. The risk assessment, on the other hand, defines the possible scenarios, their impact and likelihood.
Their outputs give you reliable information upon which you can build your continuity plan.
What should a business continuity plan include?
You should aim to cover the following areas:
- Emergency response - focus on the welfare of people before containing and controlling the disruption. Consider the different emergency scenarios and develop incident response flowcharts or checklists, evacuation guidelines and procedures, list of relocation sites, working from home procedures, etc. Once any health risks to people are mitigated, you can shift the focus on containing the damage to your business.
- Crisis management - determine how information will flow to media, stakeholders, staff, etc. Agree communication protocols, decide how you manage the loss event, and consider resources you will need to support the recovery. Set out how you'll deal with possible media interest in an incident. Appoint a company spokesperson to handle questions and try to be positive in any statements you issue. If at all possible, inform your staff, customers and suppliers about the incident before they find out about it in the media.
- Business recovery - set out detailed operational plans for critical functions and assets, as recognised in the BIA. Identify the resources and personnel needed to restore critical operations. Agree clear strategies and responses that you can follow for different loss scenarios and identify responsibilities for carrying out disaster recovery actions, including systems recovery, stock and supplier recovery, resources and equipment recovery, etc. The first hour after an emergency occurs is critical in minimising the impact. Your plan needs to clearly outline the immediate actions you will take. Consider giving staff specific training to enable them to fulfil their duties in an emergency. Ensure all employees are aware of what they have to do.
- Key contacts - create a list of internal and external people and organisations whose support you may require, and their designated roles in an emergency. For example, provide details of key staff, critical suppliers, local councils, neighbouring businesses or emergency responders like police, utility providers, landlords or insurers. It's also worth including details of service-providers such as glaziers, locksmiths, plumbers, electricians, and IT specialists. Include maps of your business premises' layout to help emergency services, showing fire escapes, sprinklers and other safety equipment.
Keep in mind that different disruptive situations will require different responses. Keep your plan broad enough to address different disaster scenarios - from worst-case events that shut down your facilities or operations completely, to partial outages.
Business continuity plan templates and tools
You can build your business continuity plan from scratch or use one of the many templates or software tools available online to help you get started. Keep in mind that the best plan will be the one that is customised and specific to your business.
GOV.UK's business continuity management toolkit (PDF, 569K) can help you create a plan and tailor it to the particular circumstances of our business.
Difference between disaster recovery and business continuity
A disaster recovery plan creates a blueprint for responding to a variety of technological incidents. It aims to help you restore the data and applications that run your business if your data centre, servers, or other IT infrastructure get damaged or destroyed.
A disaster recovery plan works alongside the business continuity plan to give you an essential strategy for managing the risk of disruption. See more on IT incident response and recovery.
Business continuity and insurance
Continuity planning relates very closely to business insurance. Most insurers now expect business continuity as a basis for providing cover. For more information, see business insurance: the basics.
IRM Enquiry Line020 7709 9808