IT risk management

Business continuity planning is an essential part of managing IT risks. Planning can help you set out steps to minimise the potential impact of a business disaster - be it an equipment failure, a cyber attack or a simple power outage.

You may also need a business continuity plan to:

• reassure customers that you take risk and security issues seriously
• show effective risk management to insurers, helping to lower premiums
• meet regulatory requirements in certain industries, eg financial services

How to write a business continuity plan?

Your plan should take into account any disruptive events that could affect:

• your people
• premises
• IT systems and networks
• services such as power and telecommunications
• critical business processes

The plan should identify how you will know when to put the plan into action, what steps to take and what individuals' responsibilities are.

Measures that you may need to include in your business continuity plan are:

• a backup and data recovery strategy, including off-site storage
• the development of a resilient IT infrastructure with spare capacity in case of failure - eg mirrored central server computers sited in different locations
• the elimination of single points of failure, such as a single power supply
• secondary manual systems to use until you are able to restore IT services
• agreeing with another business to use each other's premises in the event of a disaster
• arranging to use third-party IT services and accommodation until yours are restored

Keep your plan clear and concise, so that people understand it. It is essential that everyone is aware of their responsibilities.

Remember to test your business continuity plan periodically. Review and update the plan as necessary - eg when people leave the business or you start using new IT systems.