The risks businesses face are hard to anticipate and constantly evolving. In the past, there were concerns about the possibility of office fires or IT outages, but recently we’ve seen the impact of disruption due to lockdowns, supply chain breakdowns and soaring energy costs.

This isn’t just an issue for large businesses; smaller businesses can also be disrupted by a hacked computer or a local power cut. However, if you identify and plan for these risks, your business has a better chance of surviving them. It starts with a robust business continuity plan.

Why you need a business continuity plan

Disasters and serious incidents such as flooding, fire, IT failure or the death of a key employee are relatively rare. But, as the saying goes, you should always ‘hope for the best, plan for the worst’.

A business continuity plan can provide a backup operational structure to get you through an unexpected crisis.

It can help you:

  • identify and manage threats to your business
  • reduce the impact of serious incidents
  • minimise downtime and improve recovery time.

Contingency planning can also protect your reputation if events take a turn for the worse. By responding promptly, you can reassure everyone that you are in control, that your core business operations will continue, and that your communication with customers, the media and other stakeholders will carry on uninterrupted.

The benefits don’t end there. If your business is part of a supply chain, effective contingency planning is a competitive advantage.

Key risks to your business

There are several types of risk to identify as you make your contingency plans. You’ll need to consider these, along with other examples specific to your business:

  • Denial of people – pandemic, strikes, single point of failure
  • Denial of premises – fire, flood, police closures
  • Denial of supplier – administration, supply chain issues, cyber attacks
  • Denial of systems – cyber attack, mechanical failure.

Of course, some threats are impossible to quantify. Bloomberg UK report that the coronavirus pandemic caused business closures in the UK to jump by 14% from the previous year. No business can prepare for every type of threat, but you need to be as ready as possible if you want to survive the ones that do arrive.

How to put together a basic Business Continuity Plan

Start by listing all the possible risks to your business, however unlikely.

  • Physical risks – including fire, flooding or a terrorist incident.
  • Equipment failure – any machinery essential to your operation from computers to delivery vehicles.
  • Product failure – if they cause injury or have to be recalled.
  • External issues – such as a transport strike.
  • Supplier problems – difficulties involving your major suppliers that adversely affect your business.
  • Staff problems – a pandemic or the death or serious illness of a key employee.
  • Negative publicity – in the press or on social media.
  • Radical changes in the business environment – perhaps a new and disruptive competitor.
  • Legal threats – from liability claims to copyright issues.
  • Cyber attacks – such as malware, hacking, loss or theft of data, ransomware, or attacks on your website.

Create a matrix outlining the risks, scoring each one on:

  • The probability of it happening
  • The business impact if it does happen (which operations stop, and for how long)
  • Any regulatory or legal impact
  • The financial impact (fines/penalties/cost of resolving it/lost revenue)
  • The potential customer impact.

Decide who and what will be affected by each eventuality and explain how.

Categorise your key facilities and processes, and prioritise recovery plans for those operations that are key to your business.
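The scoring matrix and recovery prioritisation described above, worked through in code. This is an added example, not part of the original article: it scores each risk on the article’s dimensions using an assumed 1–5 scale and assumed weights, ranks the risks, and maps each affected process to a recovery tier. The sample risks and all numbers are illustrative and constructed here.

```python
"""Score and rank a business-continuity risk register (added example).

Each risk is scored on probability and on the four impact dimensions the
article lists (business, regulatory/legal, financial, customer). The 1-5
scale, the weights and the recovery-tier thresholds are assumptions to be
tuned for your own business, not figures from the article.
"""
from dataclasses import dataclass, field

# Assumed weights for the impact dimensions; they must sum to 1.0.
IMPACT_WEIGHTS = {"business": 0.35, "regulatory": 0.15, "financial": 0.30, "customer": 0.20}


@dataclass
class Risk:
    name: str
    category: str                 # "systems", "people", "premises" or "supplier"
    probability: int              # 1 (rare) .. 5 (almost certain)
    impact: dict                  # dimension -> 1 (negligible) .. 5 (severe)
    affected: list = field(default_factory=list)  # processes that stop if it happens


def _check_scale(value, label):
    """Reject anything outside the 1-5 scale so a typo cannot skew the ranking."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer 1-5, got {value!r}")


def weighted_impact(risk: Risk) -> float:
    """Weighted average of the impact dimensions, still on the 1-5 scale."""
    missing = set(IMPACT_WEIGHTS) - set(risk.impact)
    if missing:
        raise ValueError(f"{risk.name}: missing impact dimensions {sorted(missing)}")
    for dim, val in risk.impact.items():
        _check_scale(val, f"{risk.name}.{dim}")
    return sum(IMPACT_WEIGHTS[d] * risk.impact[d] for d in IMPACT_WEIGHTS)


def risk_score(risk: Risk) -> float:
    """Probability x weighted impact, i.e. 1..25 like a classic 5x5 matrix."""
    _check_scale(risk.probability, f"{risk.name}.probability")
    return round(risk.probability * weighted_impact(risk), 2)


def rank_risks(risks):
    """Highest score first; ties broken by probability, then by name."""
    return sorted(risks, key=lambda r: (-risk_score(r), -r.probability, r.name))


def recovery_priority(risks):
    """Each process gets the worst score of any risk that would stop it, so the
    process list can be ordered for recovery planning (worst first)."""
    worst = {}
    for r in risks:
        score = risk_score(r)
        for proc in r.affected:
            worst[proc] = max(worst.get(proc, 0.0), score)
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


def tier(score: float) -> str:
    """Assumed thresholds: >=15 critical, >=8 high, otherwise standard."""
    if score >= 15:
        return "tier 1: restore first"
    if score >= 8:
        return "tier 2: restore within days"
    return "tier 3: restore when practical"


# Constructed sample register; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Ransomware on office servers", "systems", 4,
         {"business": 5, "regulatory": 4, "financial": 4, "customer": 4},
         ["order processing", "email", "accounts"]),
    Risk("Flooding of main premises", "premises", 2,
         {"business": 5, "regulatory": 2, "financial": 4, "customer": 3},
         ["order processing", "warehouse"]),
    Risk("Key supplier enters administration", "supplier", 3,
         {"business": 3, "regulatory": 1, "financial": 3, "customer": 4},
         ["warehouse"]),
    Risk("Loss of sole IT administrator", "people", 2,
         {"business": 4, "regulatory": 1, "financial": 2, "customer": 2},
         ["email", "accounts"]),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{risk_score(r):5.2f}  {tier(risk_score(r)):30s} {r.name}")
    print("\nRecovery order for processes:")
    for proc, score in recovery_priority(SAMPLE_RISKS):
        print(f"{score:5.2f}  {proc}")
```

Keeping the validation strict matters more than the exact weights: a register that silently accepts a probability of 0 or 50 produces a confident-looking but meaningless ranking.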

Make a list of all the people and organisations you will need to contact in the event of a serious incident. Include names and contact details of staff, customers and the following suppliers:

  • Financial services companies, such as your bank and insurers
  • Facility contractors, such as plumbers and electricians
  • IT and broadband service companies
  • Utilities, such as water and heating companies.

Ideally, this list should be cloud-based or otherwise accessible off-site, and it should not depend on the very systems (office network, email, a single laptop) that may be down during the incident.

Draw up a separate IT continuity plan

Cyber attacks and other IT outages present a major threat to most businesses. Malicious attackers can cripple systems with ransomware until a ransom is paid. Or hackers can steal card details from the online forms your customers complete.

Cyber insurer Coalition recently claimed that smaller businesses have become bigger targets for cyber attacks. Atlas VPN suggests that the “financial and reputational loss from successful cyber-attacks are becoming ever more significant – 37% of companies lose almost £90,000 per attack on average".

For all these reasons, you need a separate continuity plan for your IT systems. In particular, you need to make sure you can securely back up your data and run your systems off-site if necessary. Keep at least one backup copy offline or otherwise isolated from your live network, so that ransomware cannot encrypt the backup along with the originals, and test restoring from it rather than assuming it works. Other steps you can take include:

  • Make sure staff are trained to minimise risks from email, apps, portable devices and so on, especially at a time when many people are working from home.
  • Think about ‘people risks’ too, such as loose talk about your information security or allowing access to your premises.
  • Give system administrators separate, ordinary user accounts for reading email and browsing the web, and reserve their privileged accounts for administration. A phishing email or malicious download that lands in an ordinary account then cannot run with wide system access.
  • Equip your team to deal with outages and maintain details of all key service suppliers.
  • Encourage staff to report any cyber security problems immediately.
  • Avoid single human points of failure with regard to IT knowledge and access.

Learn more about cyber risk and what you can do to protect yourself on our Lloyds Bank Cyber Risk hub. You’ll find plenty of insight and practical guidance to help you avoid or limit the impact of cyber attacks.

Insure your systems

Cyber insurance can provide cover if your IT systems suffer a data breach or a cyber attack. It could reimburse you for:

  • Loss of revenue
  • Fines and penalties
  • Legal expenses
  • Data restoration.

How to build resilience into your IT systems

  • Use a reputable antivirus software product and keep it updated.
  • Implement a firewall. This creates protection between your network and external networks such as the internet. Most operating systems now include one, so make sure it’s activated.
  • Make sure staff apply all updates to software and firmware promptly. Replace any unsupported systems.
  • Introduce strong guidelines so staff know what is expected.
  • Make sure staff use strong, unique passwords for each system (a password manager makes this practical) and change a password whenever there is any sign it has been compromised.
  • Ensure staff take particular care with the origin of: 
    • Apps
    • Website links or URLs
    • Plugins
    • USB drives.
  • Restrict system access. All users, including staff and third-party suppliers, should have enough access to do their jobs and no more.
  • Use multi-factor authentication for key systems, so you don’t rely on one password.
  • Carry out vulnerability scans and penetration tests, and run phishing simulations (mock phishing emails) to check how staff respond. Many providers offer these services.
  • Put warning systems in place to alert you to attacks at an early stage.
  • Check for any dependencies or single points of failure – particularly in business-critical systems. For example, ensure your web servers can cope with surges of traffic or have spare equipment readily to hand in case of breakdown.

Create a business continuity timeline

Your continuity plan should cover several stages:

  • What will happen immediately after a serious incident.
  • How your business will respond and continue operating.
  • How it will get back to full strength, and how long that might take.

For each stage, focus on what you will need to do at that point considering the following:

  • Management
  • Financial resources
  • Logistical and technical issues
  • Supply chain
  • Customers
  • Premises
  • Communications and coordination.

Set out the order in which business functions will be resumed and who will be responsible in each case. You may need specific recovery plans for different functions, such as the main office, IT and key staff.

Draw up appropriate communications plans

These can range from getting in touch with staff to briefing the press. Nominate a spokesperson in case the incident is newsworthy. Reinforcing confidence in your recovery is essential to managing major incidents.

Make sure your plan is fully documented and agreed upon, so everyone knows their role and the business can return to normal promptly. It should align with your strategy and objectives, focus on what matters most, and be realistic enough that people will actually follow it.

Test and review regularly and improve your systems where possible

Following any business continuity incident:

  • Review what took place and how your recovery plan worked.
  • Make any updates to improve the speed and effectiveness of recovery.
  • Identify the root causes of the disruption where you can, then work out what steps will prevent a repeat and mitigate the risk of a similar event in future.
  • Keep a record of your activity, so that there is a log of the incident, the response and the lessons learned.

Even if you are lucky enough to avoid any disruption, your plan still needs to be tested and reviewed regularly.

  • There are many levels of testing – from full backup recovery to desktop walkthroughs – to make sure the plan makes sense and is usable.
  • Set a schedule to review and test it regularly – you may have updated or changed your IT system or added new software or new staff members in that time. Remember too that contact details for suppliers for support are also likely to change.
  • Post-testing – update your plans with any learnings.
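The two IT steps that are easiest to skip are the ones above: keeping a backup you can actually restore from, and running a full backup recovery test rather than a desktop walkthrough. The following is an added example, not code from the article: it backs up a directory to a compressed archive, records a SHA-256 manifest of every file, restores the archive into a scratch directory and checks every restored file against the manifest. The sample files and paths are constructed in the script; in real use the archive would be copied off-site or to isolated storage before the restore test is run against that copy.

```python
"""Back up a directory, record a file-hash manifest, and prove the backup restores.

Added example. A backup that has never been restored is an assumption, not a
plan; this script makes the restore test repeatable. All sample data below is
constructed for the demonstration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and a JSON manifest next to it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_suffix(archive.suffix + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def _safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse archive members that would land outside dest (tar path traversal)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
    try:
        tar.extractall(dest, filter="data")   # newer Pythons also enforce this themselves
    except TypeError:                          # older Python without the filter argument
        tar.extractall(dest)


def verify_restore(archive: Path, manifest: dict, scratch: Path) -> list:
    """Restore archive into scratch and return a list of problems (empty means OK)."""
    with tarfile.open(archive, "r:gz") as tar:
        _safe_extract(tar, scratch)
    restored = build_manifest(scratch)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file after restore: {rel}")
    return problems


def run_backup_test(tamper: bool = False) -> list:
    """End-to-end test on constructed sample files. With tamper=True the archive is
    rewritten with a changed file after the manifest was taken, simulating a copy
    that was corrupted or encrypted; the check must then report a mismatch."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "finance" / "ledger.txt").write_text("2024-01-01 opening balance 1000\n")
        archive = tmp / "backup.tar.gz"
        manifest = create_backup(src, archive)
        if tamper:
            (src / "customers.csv").write_text("ENCRYPTED\n")
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(src, arcname=".")
        return verify_restore(archive, manifest, tmp / "restore")


if __name__ == "__main__":
    print("clean backup:", run_backup_test() or "restore verified")
    print("tampered backup:", run_backup_test(tamper=True))
```

The manifest is stored beside the archive so a later restore can be checked against what was backed up, not merely against what happens to be in the archive now; keep a copy of the manifest with the off-site copy too, or the check can be defeated by whatever damaged the archive.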

Other considerations

Keep your plan safe

Store copies of your plans away from the workplace to keep them safe. Make sure they stay up to date, note any new risks and keep contact details updated. For example, if major legislation changes affect your business, update your plans accordingly.

Make sure you’re fully insured

When getting your business back on track after an incident, it helps to be insured against the major threats – from building damage to the loss of key staff.

Find out more about Business Insurance