More than a tenth of UK businesses fail each year, according to government figures. While this is often the result of cashflow issues, some companies fail because they’re unable to recover from an unforeseen event that suddenly devastates their business.
Such events can include a premises fire, flood, burglary, a serious act of vandalism or arson. According to government estimates, 43% of UK firms have suffered a cyber breach or attack, which can also prove fatal.
Some UK firms have their survival threatened by customer or employee fraud (reportedly at its highest level in 15 years), while others must face the consequences of breaking the law or legal action brought by clients or customers for alleged negligence. Few events are more devastating than a workplace fatality, of course – there were 144 in 2017-18 in Britain – while terrorist attacks have also affected many UK businesses.
Often events can be much less dramatic but still impactful. Examples can include losing a major customer or one going bust without paying their bill. A key staff member can leave; a business owner can suddenly become seriously ill; a main supplier can suddenly go bust.
Moreover, technical problems can suddenly result in the loss of business-critical data that hasn’t been backed up and stored elsewhere. Businesses also need to consider power cuts, losing telephone/internet use and serious disruption caused by extreme weather.
Whatever the event, having a robust business continuity plan can minimise damage and make all the difference between survival and failure.
What is a business continuity plan?
As the name suggests, a business continuity plan can enable your business to continue to operate following a significant event, emergency or disaster. Crucially, a business continuity plan can minimise disruption, thereby limiting cashflow impact.
Sometimes the term ‘disaster recovery plan’ is confused with business continuity plan. A disaster recovery plan sets out the steps a business should take in the immediate wake of an emergency or disaster such as a fire, loss of power or burglary to prevent further damage and get up and running again as soon as possible.
A business continuity plan refers to the wider and longer-term objective of ensuring that a business can continue to function, while protecting its revenue and rebuilding sales where relevant.
Why do you need a business continuity plan?
Thankfully, bad events are rare. But, they do happen, and having a well-considered business continuity plan can provide owners, managers and employees with a reliable way to react and recover in the event of a business disruption. Taking the right action at the right time can mean the difference between recovering quickly or not at all. Any disruption will impact your cash flow so it’s vital to quickly act on your plan.
Having a disaster recovery/business continuity plan offers no guarantees of recovery. However, you’re more likely to survive if you’ve taken time in advance to identity risks and have worked out how best to respond. You may not have the time or ability to think clearly and make good decisions in times of emergency, disaster or crisis. How you react immediately afterwards is vital.
How to create a business continuity plan
Step 1: The process begins with understanding just how critical it is to have a robust business continuity plan. Your business revenue and the wages of your staff depend on it.
Step 2: Carry out a comprehensive risk assessment to identify potential threats to your ability to operate successfully. These may exist across any area of your business operation including:
- Premises/place of work
- Business partners
- Systems and processes<
- Legal compliance
Involve your staff in your risk analysis as they may be able to identify risks of which you’re unaware. Budget permitting, you can also find professional support by talking to business continuity planning specialists.
Once you’ve identified where you may be vulnerable – focus on how. What are the specific potential threats/risks? How could they affect your business and its ability to operate? Consider different scenarios and key “what if?” questions (eg “What if our premises were flooded?” or “What if a customer sued us?”).
Now think about how you could limit damage, continue to operate or recover quickly should the worst happen. You must design your responses and create reliable recovery strategies. Mitigate risk where possible, for example, try not to rely too heavily on too few customers, employees or suppliers.
Step 3: Write a short but effective task checklist in key areas for different scenarios, detailing what should be done, by whom and when. All team members should know their responsibilities in the event of a crisis or emergency. The person with overall responsibility should be clearly stated in your plan.
Stick to plain English in your plan – the shorter and simpler the checklists, the better. Prioritise key tasks and detail who must do what and what information/equipment/tools they need, and make sure they are properly resourced.
Step 4: Include the name and home/work contact landline and mobile telephone number of key people, both internal and external to contact following an event or emergency.
Step 5: Set out clear steps for informing everyone who works for the business, as well as customers and suppliers where relevant. Good communication is essential.
Step 6: Everyone who works for your business should read and understand your business continuity plan before it’s introduced. Provide training where required.
Step 7: To test your plan’s effectiveness, rehearse your responses to events and emergencies. Iron out any issues that could prevent or delay continuity.
Business continuity top tips
Business continuity plan scenarios
- Creating a robust business continuity plan is a team game. Involve everyone who works for your business.
- Identify all risks – internal and external. For example, if you focus purely on the risk of a fire breaking out in your premises, you ignore the risk of a fire at someone else’s premises spreading to yours.
- Make provision for events occurring during and after normal working hours.
- At least two people should be assigned responsibility for actioning your business continuity plan and ensuring it remains fit for purpose.
- Keep it simple. Business continuity plans can be much less complex for newer and smaller businesses, because they usually have fewer people and resources, as well as less-complex systems and processes.
- If your business operates from more than one site, create a specific business continuity plan for each.
- Don’t ignore the risks arising from employees working from their home or at a customer’s premises or home.
- Although there’s nothing wrong with hoping for the best, plan for the worst. Then you won’t be left flat-footed.
- Key people should keep copies of your business continuity plan at home, in their car or accessible via their mobile phones. They should be able to read it no matter where they are.
- Revisit your business continuity plan at least every year. Things change and effective business continuity planning is an ongoing challenge.
- If used in a real scenario, assess how well your plan worked and make improvements where necessary.
What steps and recovery strategies might you include in your business continuity plan? Here are two example scenarios and actions that seek to ensure business continuity to illustrate how a simple business continuity plan could be structured.
Example one: Data breach (response checklist)
- Inform all staff immediately.
- Confirm nature of the attack.
- Identify what has been compromised.
- Urgently prevent further breach/damage.
- Change affected passwords.
- Contact issuer if payment-card numbers are stolen.
- Repair data and systems if required.
- Call in external support.
- Understand how the breach happened.
- Notify those affected without delay, such as customers and suppliers.
- Notify the ICO if required without delay.
- Inform other agencies where necessary.
- Work out the full impact and cost of the breach.
- Create an incident report.
- Evaluate and strengthen security.
- Assess and improve response.
- Raise staff awareness and provide training.
Example two: Premises burglary (response checklist)
- Phone police immediately.
- Keep all staff outside premises.
- Fully assist the police on arrival.
- Exchange contact details with police.
- Get crime reference number.
- Contact insurance company.
- Allow staff back into premises.
- Find out if IT security has been compromised.
- Action IT security recovery plan if so.
- Make premises clean and safe again.
- Reinforce premises security.
- Let customers know if you’re not open.
- Operate as normal where possible.
- Identify precisely what’s been stolen/damaged.
- Pay special attention to cash, keys or credit cards (contact bank if so) or documents that could be used by criminals.
- Get fully operational again – thank staff and customers.
- Replace items that are business-critical.
- Create an incident report.
- Communicate regularly with insurance company.
- Review your response and security.