Business continuity and crisis management
Unplanned events can devastate businesses. Crises such as fire, flooding or power faults - or outbreaks of flu and other viruses - can make it difficult to carry out the usual business operations. At worst, they could see you losing important customers and even going out of business altogether.
Business continuity planning can help you maintain - or quickly resume - critical business functions following an incident. Planning can help you prepare for disruption, minimise the potential impact and return to 'business as usual' in the quickest possible time. The foundation of such contingency planning is the business continuity plan.
This guide will help you to identify potential business crises and carry out a business impact analysis. It will also tell you how to create a business continuity plan, prepare for emergencies and test how your business is likely to cope in a disaster.
Potential business crises
A business crisis is an event, or a series of events, that causes major disturbance for a business. A crisis typically occurs suddenly and poses intense difficulty or danger for the business, usually in a situation where time is short and decisions have to be taken quickly.
Many different types of business crisis exist, including:
- Natural disasters - these are typically unpreventable environmental crises. For example, flooding due to heavy rains or wind damage following storms.
- Technological disasters - these can include IT system failures, corrupt software, faulty hardware, or malevolent cyber attacks. They typically affect access to critical resources such as data, or employees' ability to work effectively.
- Accidental disasters - these usually happen unintentionally. Common examples include fires, gas leaks, power cuts, etc
Other examples of potential business disasters are:
- Theft or vandalism - theft of computer equipment could prove devastating. Similarly, vandalism of machinery or vehicles could be costly and pose health and safety risks.
- Power cut - loss of power could have serious consequences. Would you be able to operate without IT or telecoms systems, key machinery or equipment?
- Fuel shortages - temporary shortages in fuel supply could prevent staff from getting to work and affect your ability to make and receive deliveries.
- Restricted access to premises - how would your business function if you couldn't access your workplace (for example, due to a gas leak)?
- Loss or illness of key staff - how would your business cope if a key member of staff were to leave or was incapacitated by illness?
- Outbreak of disease or infection - an outbreak of an infectious disease among your staff, in your premises or among livestock could present serious health and safety risks.
- Terrorist attack - consider the risks to your employees and business operations from a terrorist strike, either where you are located or where you and your employees travel.
- Crises affecting suppliers - how would you source alternative supplies?
- Crises affecting customers - will insurance or customer guarantees offset a client's inability to take your goods or services?
- Crises affecting your business' reputation - how would you cope, for example, in the event of a product recall or a social media post gone wrong?
Read more about the different types of crisis.
Although some of these scenarios may seem unlikely, it's still wise to consider them. Advance planning is key to overcoming crises. See how to carry out a business impact analysis.
The process of managing and dealing with crises is known as crisis management. It involves dealing with threats before, during, and after they have occurred, focusing on minimising the damage and enabling the business to recover quickly. Crisis management can be especially important in the area of public relations.
Find out how to minimise the potential impact of crises.
Business impact analysis
Business impact analysis, or BIA, is typically one of the first steps in developing a business continuity plan. It is a process of understanding which functions are critical to your business and how a disruption could affect them.
How to conduct a business impact analysis
To carry out a business impact analysis, you will typically follow several steps:
- identify all business processes and functions
- prioritise those that are critical to your business operations
- analyse the potential losses
- select recovery solutions
- determine if any interdependencies exist - eg with IT systems
- evaluate operational impacts of disruption - eg on people, processes and technology
- evaluate financial and legal impacts
- develop recovery time requirements
The output of this work is the business impact analysis report. This report:
- assumes worst-case scenarios
- considers the amounts your business stands to lose in a crisis event
- recognises the magnitude of financial and operational impacts from disruptions
The types of impact you can expect from a potential business crisis or the loss of business functions include:
- lost sales or income
- higher costs and expenditures - eg overtime, outsourcing, etc
- regulatory fines or contractual penalties
- loss of customers and greater customer dissatisfaction
- decline in business reputation
What is the purpose of a business impact analysis?
The BIA will help you understand how your business would cope during downtime. It will also help you calculate recovery time objectives for your services and understand the resources you need to keep those functions running. This information will form the basis of your disaster recovery and will help you create your business continuity plan.
Difference between business impact analysis and risk assessment
Both BIA and risk assessment are business continuity tools. However, BIA doesn't focus directly on the likelihood of events. Instead, it assumes worst-case scenarios.
Risk assessment analysis, on the other hand, helps you to map out the potential internal and external risks and threats, the likelihood of them happening and the possible impact they can cause.
While you can carry out a BIA without risk assessment, you generally can't conduct a risk assessment without some form of business impact analysis. Risk assessment should use BIA to quantify and prioritise the risks it finds. See how to evaluate business risks.
Minimise the potential impact of crises
Risks and uncertainty are part of everyday business, but not all crises have to become business disasters. It is possible to mitigate against some dangers to reduce losses and lessen their impact.
Here are some crisis-mitigating strategies that will help you prepare and prevent minor risks from escalating into full-blown catastrophes.
Effective flood planning can minimise the flood risk to your business and prevent potential flood damage to your premises. See how to protect your business from flooding.
Good electrical and gas safety could help protect premises against fire. Installing fire and burglar alarms also makes sense. See how to carry out fire safety and risk assessment.
Create a contingency plan for an event where you can't use your premises. For example, you may want to:
- share premises with another business temporarily if a crisis affected either of you
- use a business continuity supplier that offers alternative premises at short notice
Make sure that you consider the benefits and costs of each possible solution.
IT and communications
Installing anti-virus software, backing up data and ensuring the right maintenance agreements are in place can all help protect your IT systems. You might also consider paying an IT company to regularly back up your data offsite on a secure server.
Printing out copies of your customer database can be a good way of ensuring you can still contact customers if your IT system fails. See best practices on IT risk management.
Try to ensure you're not dependent on a few staff for key skills by getting them to train other people. Consider whether you could get temporary cover from a recruitment agency if illness left you without several key members of staff. And take health and safety seriously to reduce the risk of staff injuries. Read about managing the welfare of people.
Document how each member of staff gets to work. Consider establishing a car sharing scheme or providing staff with transport to and from work. Encourage the use of public transport. Provide IT support systems to facilitate home working should the need arise. Read about workplace travel planning.
Equipment, machinery, materials, etc
If you use vital pieces of equipment, you may want to cover them with maintenance plans guaranteeing a fast emergency call-out.
Consider stockpiling mission critical supplies and materials. Create a list of alternative supplies should your main supplier be unable to deliver the goods and materials you require.
Create a business continuity plan
A business continuity plan is a document that sets out how business processes will continue during a time of emergency or crisis. It is a blueprint for restoring vital business activities appropriately, and in good time, if disruption occurs.
How do you write a business continuity plan?
The basis for business continuity planning are often two linked, but distinct practices:
- the risk assessment - which shows you what kinds of incidents you might face
- the business impact analysis (BIA) - which identifies recovery times for key activities
The BIA sets the priorities and deadlines for the activities in the plan. The risk assessment, on the other hand, defines the possible scenarios, their impact and likelihood.
Their outputs give you reliable information upon which you can build your continuity plan.
What should a business continuity plan include?
You should aim to cover the following areas:
- Emergency response - focus on the welfare of people before containing and controlling the disruption. Develop incident response flowcharts or checklists, evacuation guidelines and procedures, list of relocation sites, etc. Once you are sure that lives are not in danger, the focus can shift on containing the damage to your business.
- Crisis management - determine how information will flow to media, stakeholders, staff, etc. Agree communication protocols, decide how you manage the loss event, and consider resources you will need to support the recovery. Set out how you'll deal with possible media interest in an incident. Appoint a company spokesperson to handle questions and try to be positive in any statements you issue. If at all possible, inform your staff, customers and suppliers about the incident before they find out about it in the media.
- Business recovery - set out detailed operational plans for critical functions and assets, as recognised in the BIA. Identify the resources and personnel needed to restore critical operations. Agree clear strategies and responses that you can follow for different loss scenarios and identify responsibilities for carrying out disaster recovery actions, including systems recovery, stock and supplier recovery, resources and equipment recovery, etc. The first hour after an emergency occurs is critical in minimising the impact. Your plan needs to clearly outline the immediate actions you will take. Consider giving staff specific training to enable them to fulfil their duties in an emergency. Ensure all employees are aware of what they have to do.
- Key contacts - create a list of internal and external people and organisations whose support you may require, and their designated roles in an emergency. For example, provide details of key staff, critical suppliers, local councils, neighbouring businesses or emergency responders like police, utility providers, landlords or insurers. It's also worth including details of service-providers such as glaziers, locksmiths, plumbers, electricians, and IT specialists. Include maps of your business premises' layout to help emergency services, showing fire escapes, sprinklers and other safety equipment.
Keep in mind that different disruptive situations will require different responses. Keep your plan broad enough to address different disaster scenarios - from worst-case events that shut down your facilities or operations completely, to partial outages.
Business continuity plan templates and tools
You can build your business continuity plan from scratch or use one of the many templates or software tools available online to help you get started. Keep in mind that the best plan will be the one that is customised and specific to your business.
GOV.UK's business continuity management toolkit (PDF, 569K) can help you create a plan and tailor it to the particular circumstances of our business.
Difference between disaster recovery and business continuity
A disaster recovery plan creates a blueprint for responding to a variety of technological incidents. It aims to help you restore the data and applications that run your business if your data centre, servers, or other IT infrastructure get damaged or destroyed.
A disaster recovery plan works alongside the business continuity plan to give you an essential strategy for managing the risk of disruption. See more on IT incident response and recovery.
Business continuity and insurance
Continuity planning relates very closely to business insurance. Most insurers now expect business continuity as a basis for providing cover. For more information, see business insurance: the basics.
Advantages of business continuity planning
Unpredictable events happen regularly. From natural disasters to wilful and accidental damage, potential business crises can significantly disrupt your operations. This is especially true if you don't prepare to deal with emergencies.
This is where business continuity planning comes into play. As part of your recovery strategy, it allows you to prepare in advance the processes and procedures to help you cope with the unexpected. Planning can also help you realise many other important benefits.
Key benefits of business continuity planning
Business continuity planning can help you:
- keep your business trading during and after an incident
- recover operations more quickly after interruptions
- reduce costs and duration of any disruption
- mitigate risks and financial exposure
- build customer confidence and trust
- safeguard company reputation
- develop confidence within the business
- comply with regulatory or legal requirements
- insure against otherwise unacceptable risks
- save lives, if dangerous events (such as fire) occur
If you don't have a business continuity plan in place, start by carrying out a business impact analysis. This assessment will help you to understand your business - including assets, people and processes that are critical to run it - and the likelihood and potential impact of potential business crises.
Why have a business continuity plan?
A carefully thought-out business continuity plan will make coping in a crisis easier. It will also enable you to minimise disruption to your business and customers, often at the expense of competitors. It is a way of proving to customers, insurers and investors that your business is robust enough to cope with anything that might occur.
See how to create a business continuity plan.
Importance of business continuity planning
Failure to plan could be disastrous for any business. At best, you risk losing customers while you're getting your business back on its feet. At worst, your business may never recover and may ultimately cease trading.
A clear, comprehensive business continuity plan will give you the best chances of overcoming a business disaster. Once you create a plan, remember to test it rigorously - you will want to make sure that it fulfils its purpose. Find out how to test your business continuity plan.
See also how to minimise the potential impact of crises.