Guide

Business continuity planning

Business continuity planning can help your business develop resilience so you can continue operating during a major incident and then recover.

In this section

  1. 1. What is business continuity?
  2. 2. Types of crisis that could affect your business
  3. 3. Plan how you'll deal with an emergency
  4. 4. Test your business continuity plan
  5. 5. Keep your plan updated

Guide 5 min read

1. What is business continuity?

Unexpected events can have a devastating impact on small businesses. Global crises (such as geopolitical instability or global IT outages) and business crises (such as fire or cyber-attacks) can all make it difficult or even impossible to carry out your normal day-to-day activities. In the worst case scenario they could force closure of your business.

Business continuity planning is vital for building your business resilience to ensure it can continue operating during a crisis and then recover as quickly as possible.

A business continuity plan: 

  • identifies potential crises that might cause business interruption

  • determines how you will minimise the risks of these crises occurring

  • sets out how you'll react in the event of an incident 

  • details how the plan will be reviewed and tested regularly.

2. Types of crisis that could affect your business

Events that could constitute a crisis for your business may vary according to your location, sector, business model, size, and reliance on key customers or suppliers.

There are two main categories of crisis and you need to consider the probability, potential frequency and possible impact of both.

  • incidents which can be anticipated and may be preventable (or the impact reduced) with appropriate management of internal risks within your control

  • crises involving external risks outside your control that are impossible to avoid.

Crises which may be prevented or their likelihood reduced

All businesses should consider risk management which involves maintaining a risk register that:

  • identifies possible risks

  • considers the likelihood of them happening

  • evaluates the possible impact on your business

  • identifies how they could be prevented. 

Each risk should be assigned to a specific person to oversee prevention and monitoring.

Risks that might be identified include:

  • fire, vandalism and theft affecting premises

  • technological incidents such as opportunistic cyber attacks, IT system failures

  • people issues such as human error, malpractice, and fraud

  • legal and compliance infringements, such as data breaches or health and safety issues.

Procedures, policies and training may be put in place to reduce the likelihood of many of these, along with physical interventions such as security measures.

Unavoidable external crises

It’s impossible to anticipate or prevent many types of crises. For example:

  • natural disasters and extreme weather such as storm damage and floods restricting access to property

  • international external issues such as geo-political instability and global pandemics leading to supply chain disruption

  • global IT outages preventing transactions or normal operations

  • staff issues such as illness or unavailability of key staff impacting service delivery.

For incidents that you cannot prevent, you can look for ways to spread risk as far as possible, but there are far fewer factors within your control. Therefore your business continuity plan is particularly important to build resilience.

3. Plan how you'll deal with an emergency

Once you understand your risks, you should draw up a business continuity plan setting out how you will cope if a crisis does occur. 

As part of this analysis, identify which business functions are essential to your day-to-day business operations. You're likely to conclude that certain roles within the business - while necessary in normal circumstances - aren't absolutely critical in a disaster scenario.

Create your business continuity plan

Think about the things that would cause the most disruption and that are most likely to happen to your business. Then make sure that your plan covers each of the risks.

It should detail the key business functions you need to get operating as quickly as possible as well as the resources you'll need to do so. It must also detail the roles of individuals in the emergency.

This business resilience 10 minute plan from Ready Scotland can give you an idea of what to cover.

Given the increasing cyber security risks faced by businesses, you should have a specific section covering a plan for cyber incidents.

Making the most of the first hour after an emergency occurs is essential in minimising the impact. Therefore, your plan needs to explain the immediate actions to be taken.

Key considerations

When creating your plan, consider including:

  • checklists - to make sure that key steps are followed 

  • call trees - detail how they will be used to contact all staff

  • contact details - for those you're likely to have to notify in an emergency such as the emergency services, insurers, the local council, the authorities, staff, customers, suppliers, utility companies and neighbouring businesses

  • service providers who can help - such as glaziers, locksmiths, plumbers, electricians, and IT specialists

  • premises map and layout - to help emergency services, showing fire escapes, sprinklers and other safety equipment

  • communication plan - detailing how you'll communicate with customers and deal with possible media interest to protect your reputation

  • paper copies - of your business continuity plan lodged at your home and with your bank and at the homes of other key members of staff

  • staff training - so they are aware of and can fulfil their responsibilities in an emergency.

4. Test your business continuity plan

Once your plan is in place, you'll need to regularly test how well it's likely to perform in the event of an emergency. Do this annually at least, even if your business hasn't undergone significant changes.

This may involve testing your chain of communication across the business and using your planned “call trees”. Rather than just talking about it, you should ensure your teams can actually work remotely at short notice or, for example, can adapt to a loss of internet connection or digital access.

An important task is carrying out a debrief after the test so your plan can be updated with any learnings.

5. Keep your plan updated

It’s important to keep your plan up to date and update it regularly to take into account your business' changing circumstances.

As your business evolves or grows you will need to ensure your plan reflects this. This could include changes to key staff, staff contact details, new IT platforms or systems or new equipment. 

For example, if you move into new premises, you could face an entirely new set of risks. You'd need to draw up new maps for the emergency services and possibly amend contact numbers.

Business Gateway can offer you advice on other areas of managing a business. Find your local office and contact us below.