Developing your business continuity plan
A Business Continuity Plan (BCP) should record how you will respond to an emergency or a disruption.
Although you need to be aware of specific risks and deal with any serious ones, your planning should focus on the outcomes of disruption not its causes. The list of scenarios that could affect your business is endless, so your plan would need to be huge to cover all the different responses.
Regardless of the cause, a business continuity incident generally means you have lost one of more of the following things:
- Loss of key staff or skills e.g. through sickness or severe weather events
- Loss of critical systems e.g. ICT failure
- Denial of access, or damage to, facilities e.g. loss of a building due to a power cut
- Loss of key resources e.g. specialist supplies you depend on to deliver your business
It is helpful to identify other ways of working to manage the different outcomes of a possible disruption.
Imagine your ICT network was affected by a virus.
- Is your key data backed-up?
- Do you have digital data stored elsewhere as a hard copy?
- How would you recover data? Would you need third party support?
- Could you continue to work without ICT to maintain your most time-critical activities?
- Who would you need to inform that you have been affected by a virus? How would you do this? What would you say?
- Would your staff know what to do?
For this scenario, good risk management would be about checking your anti-virus, firewalls and network security arrangements and identifying whether they are good enough to protect your systems?
SMEs are a potential goldmine for hackers, and serve as a playground for 'newbie' hackers; just think of the reputational damage caused by the theft of personal customer data. Could you be doing more to ensure that your data is safe?
Responding to disruption
As well as recording the different ways of working in your plan, you also need to know who will lead your response and who has the authority to make important decisions.
Much of your incident response will be about good communication and information sharing e.g. with staff, customers, suppliers and anyone else with an interest in your business, so it is also sensible to include a communications strategy as part of your plan.