Risk management and business continuity planning

Business continuity planning can help you keep your business operating during a major disaster, incident or crisis.


5 min read

1. Overview

As we have all seen since the COVID pandemic, unplanned events can have a devastating impact on small businesses.

Global crises (such as pandemics or financial crises) and business specific crises (such as fire or cyber-attacks) can all make it difficult or even impossible to carry out your normal day-to-day activities. In the worst case scenario they could force you to go out of business altogether.

This is why creating a business continuity plan that identifies potential risks and details your response to them is critical to your business.

This guide will help you to identify potential risks, make plans and preparations for emergencies, and test how your business is likely to cope in a disaster or another crisis.

2. Why you need to plan for possible crises

It's essential to plan thoroughly to protect yourself from the impact of potential crises.

As part of the planning process you should:

  • Identify the most likely potential crises that might affect your business
  • considering both global crises (such as pandemics, financial crises, energy crises, global conflict, supply chain disruption, civil unrest, etc.) and business specific crises (such as fire, flood, damage to stock, illness of key staff, cyber-attacks, IT system failure, etc.)
  • for example implementing strict fire prevention measures, adopting strong cyber security practices, etc.
  • for example your ability to store and sell stock, your IT systems, etc.
  • including all the steps to follow, roles and responsibilities and key people to contact.

Depending on your business' circumstances, there are many possible events that might constitute a crisis. See Ready Scotland for advice and information on how to safeguard your business.

3. Assess and minimise the impact of risks on your business

As part of your continuity planning, you need to analyse the probability and consequences of any and all crises that could affect your business. This involves assessing the likelihood of a particular crisis occurring (and its potential frequency) as well as determining its possible impact on your operations.

As part of this analysis, identify which business functions are essential to your day-to-day business operations. You're likely to conclude that certain roles within the business - while necessary in normal circumstances - aren't absolutely critical in a disaster scenario.

4. Protect your business

Once you have identified the key risks your business faces, you need to take steps to protect your business functions against them.


Good electrical and gas safety could help protect premises against fire. You should also install fire and burglar alarms.

Think what you would do in an emergency if your premises couldn't be used due to an incident. For example, as in COVID, you may be able to operate remotely (with staff working from home, selling online, etc.) Or, in the case of damage to premises, you might suggest an arrangement with another local business to share premises temporarily if a crisis affected either of you. You may consider using a business continuity supplier, which can make alternative premises available at short notice, but this can be expensive.


If you use vital pieces of equipment, you may want to cover them with maintenance plans guaranteeing a fast emergency call-out.

IT and communications

Having off-site servers, backing up data and ensuring the right maintenance agreements are in place can all help protect your IT systems. You might also consider paying an IT company to regularly back up your data offsite on a secure server.

Printing out copies of your customer database can be a good way of ensuring you can still contact customers if your IT system fails.

As with COVID, provide and maintain software to facilitate home working should the need arise.

Cyber security

Implementing strong cyber security procedures can help protect your business from malware, hacking and other cyber-threats. The government-backed Cyber Essentials scheme from the Scottish Business Resilience Centre can help you implement measures to secure your business and protect your IT networks from attack.


Try to ensure you're not dependent on a few staff for key skills by getting them to train other people.

Consider whether you could get temporary cover from a recruitment agency if illness left you without several key members of staff. Take health and safety seriously to reduce the risk of staff injuries.


Consider stock piling critical supplies and materials. Create a list of alternative suppliers should your main supplier be unable to deliver the goods and materials you require. Plan for increasing costs of supply due to rising inflation and spiraling costs, and keep reserves if possible.


Insurance forms a central part of an effective risk-management strategy. You should ensure that you get the right insurance for your business.


During financial crises and times of spiraling costs and inflation, the risks to your business and your outgoings could be significant. It is important to protect and effectively manage your cashflow. Run regular cashflow forecasts and take steps to ensure you get paid promptly. Keeping reserves if possible is a prudent move.

5. Plan and test how you'll deal with an emergency

You should draw up a business continuity plan setting out in writing how you will cope if a crisis does occur.

Think about the things that would cause most disruption and that are most likely to happen to your business. Then make sure that your plan covers each of the risks.

It should detail:

  • the key business functions you need to get operating as quickly as possible and the resources you'll need to do so
  • the roles of individuals in the emergency

Making the most of the first hour after an emergency occurs is essential in minimising the impact. As a result, your plan needs to explain the immediate actions to be taken:

  • how call trees will be used to contact all staff
  • consider whether you'll need to give staff specific training to enable them to fulfill their responsibilities in an emergency situation and ensure all employees are aware of what they have to do
  • arrange the plan in the form of checklists to make sure that key steps are followed - Get advice and information for you and your staff to help safeguard your business.
  • include contact details for those you're likely to have to notify in an emergency such as the emergency services, insurers, the local council, staff, customers, suppliers, utility companies and neighbouring businesses
  • include details of service-providers such as glaziers, locksmiths, plumbers, electricians, and IT specialists
  • include maps of your premises' layout to help emergency services, showing fire escapes, sprinklers and other safety equipment
  • set out how you'll deal with possible media interest in an incident to protect your reputation during a crisis
  • make sure hard copies of your business continuity plan are lodged at your home and with your bank and at the homes of other key members of staff.

Test your business continuity plan

Once your plan is in place, you'll need to test how well it's likely to perform in the event of an emergency.

You should test your plan regularly (at least annually), even if your business hasn't undergone significant changes.

This is likely to involve testing your chain of communication across the business, using your planned “call trees” and actually ensuring your teams can work remotely at short notice or can adapt to a loss of internet connection for example, as opposed to just talking about it. An important task is carrying out a debrief after the test so your plan can be updated with any learnings.

Keep your plan updated

Remember to update your plan regularly to take into account your business' changing circumstances.

If you move into new premises, for example, you could face an entirely new set of risks. You'd need to draw up new maps for the emergency services and amend any contact numbers necessary.

Business Gateway can offer you advice on other areas of managing a business. Find your local office and contact us below.

Get the support you need right now

You can connect with us through the contact form, call us or contact your local Business Gateway office.

You might also be interested in

Understanding cashflow

It’s not just profit that's important to your business, you need to make sure you have enough money coming in to pay any suppliers or salaries or your business will falter. This is your cashflow and you need to manage it carefully.

Cut your operating costs

As businesses are facing significant cost increases across energy, staffing, materials and distribution, many are looking at ways to cut operating costs to protect margins and stay solvent.

Cashflow: Managing your invoicing to get paid faster

Ensuring your customers and clients pay you promptly is important for maintaining cashflow. There are a few simple but important steps you can take when you are invoicing to make this process a little smoother.