Business continuity and disaster recovery
First published 19 February 2019 • Updated 16 October 2019
To survive, your business must be resilient. This of course means growing and adapting to changes in the market. But it also means being able to survive the unexpected.
Besides the obvious challenges like competition and the economy, there are a whole range of other hazards that could harm or even end your business. Accidents, theft, fire, flood, tech failures and cyber-attacks are just some of the mishaps you need to safeguard against. This is why every business needs a business continuity plan – also called a disaster recovery plan or resiliency plan.
What is a business continuity plan?
Business continuity planning is about ensuring that your business can pick up again after a damaging incident. Remember that even in the event of a disaster, debts, bills and taxes still need to be paid. Some customers may be patient and understanding if their orders are delayed – however, some may not. What’s more, if you can’t meet your obligations, you could quickly find the businesses becoming insolvent.
Your priority is therefore to get back up and running as quickly as possible – or at least to ensure that the most vital parts of the business are restored in good time, while you work to rebuild the rest of it.
At the very least, having a disaster recovery plan in place will reassure creditors and other stakeholders that you are taking steps to get back on your feet. In the best cases, a good plan properly executed can mean that there is little or no real disruption to the business.
What should a business disaster recovery plan cover?
There are three main types of events to plan for:
- Physical disasters (e.g. flooding)
- Malicious acts (e.g. burglary)
- Data-related disasters (e.g. cyber-attack or data breach)
A fire or flood may do serious damage to your place of work, potentially making it unusable for months. This means you need to think about having a back-up base of operations. This may involve remote working, or you may need to find temporary office space (or a combination of both). The problem will be compounded if key equipment is destroyed or damaged, so think about how these could be replaced or substituted. Rarely, a disaster may result in the injury or even death of staff members. As well as being tragic in itself, this can have a double impact on the business if senior people are involved. In this scenario key person insurance can help to reduce the damage to the business.
With an incident like a burglary or vandalism, your priorities are different. Your workspace may still be usable, but you need to ensure that you and your customers are protected from any further consequences, such as data theft via stolen IT equipment.
As with malicious acts, data security is of paramount importance. You need to be able to reassure your customers and stakeholders that their data is safe. A cyber-attack may also shut down your IT system or delete vital data. Think about what alternative IT arrangements you could use, and how you can back up your data securely so that it will survive any such incident.
Any of these scenarios could also result in a PR crisis, for which you may need a separate response.
Creating a business continuity plan
Your business continuity plan should grow out of the specific needs, vulnerabilities and setup of your business. For instance, your employees typically work remotely from multiple locations, your needs will be very different from a business based entirely on one small site.
The first step in creating your plan is to make a list of the top 10 disasters that could theoretically affect you. Next, rank the disasters according to
- How likely they are
- How damaging they are
Each disaster will now have two scores – likelihood and damage – which will be a number from 1 to 10. For each one, multiply the two scores together to get a ‘risk score’ out of 100. Now you can list the disasters in order of risk, starting with the highest score.
Now go through the list one by one and imagine each disaster has just happened. What would you need to do first? Write down your priorities.
As you proceed down the list, you will find that certain priorities keep repeating. These will form the basis of your disaster recovery plan.
A template for your disaster recovery plan
Regardless of the cause of the crisis, your disaster recovery procedure will generally follow the same basic steps. You should therefore create a master document which sets out this process in detail, so that when trouble strikes everyone knows exactly what to do and how to do it.
The following template should help you to build your own bespoke business continuity plan.
What your business continuity plan needs to include
Your plan will probably need at least the following sections (it may have more).
Start by setting out the purpose of this document. Is it a general disaster recovery plan, or one that focuses on a specific area (e.g. IT)? Make sure readers can identify quickly that they have the right plan to hand.
Key personnel contact information
Provide a list of the key people responsible for each area of disaster recovery, clearly indicating their role along with their contact details.
It is a good idea to have private social media groups (e.g. WhatsApp) set up in advance, but do not rely on these. An old-fashioned telephone tree makes a good backup solution.
There will be a variety of essential contacts outside your business whom you may need to call upon in an emergency. Depending on the circumstances you may need to contact your:
- Landlord / property manager
- Power company
- Phone / internet providers
- IT provider
- Major customers / clients – you will want to alert and reassure them as soon as possible
- Key suppliers / distributors / warehouses
- Preferred plumber / electrician / heating engineer
- PR company (if applicable)
- Temporary office space provider (useful if your premises will be unusable for a time)
- Any other external contacts who may be essential to the running of your business
Plan triggering events
After the key contact information, include a short list of events that justify triggering your disaster recovery plan. Focus on those judged to be high risk or most likely.
Now set out the actual tasks required for disaster scenarios. You should have a core section covering general business continuity – i.e. what is needed to keep things running in a range of circumstances – linking to more specific sections that cover your highest-risk disaster scenarios.
Assign each task to a specific person, with backup personnel to stand in if the designated individual is not available.
In the appendices, place all other information relevant to your disaster recovery plan, such as notification procedures, the location of essential resources, alternative work locations, insurance policies etc.
Refining your business continuity plan
As your disaster recovery plan develops, make sure it addresses these key areas.
- Your objectives – are you aiming to protect your data, serve your customers or protect important equipment?
- The scope – do you need an individual plan for each site or will a single plan cover the whole business?
- A list of contacts – who will need to do what? Whom will you call, both internally and externally, and in what order?
- What are the key response actions for each type of incident?
- Who is responsible for executing each part of the plan? Who will stand in if they are unavailable?
- Where will you work if your usual location is unusable?
- How will you communicate with employees and customers?
- What insurance policies do you need?
Remember too that your business will change over time, so review your plan regularly.
Executing your business continuity plan
Once you have a resiliency plan ready, don’t just put it aside until you need it. You may need to take regular actions to make sure it works effectively at the right time. Here are some ways to keep your plan effective.
- Conduct disaster recovery drills to make sure everyone knows what their role is
- Ensure your disaster recovery plan is accessible instantly, from anywhere
- Regularly review your insurance policies
- Make sure your IT security is up to date
- Conduct risk assessments
- Give your employees business continuity training
- Back up your data off-site
One of the greatest benefits of business continuity planning is that it prevents panic setting in at the worst possible time. If you have a plan to hand, then no matter how grim the circumstances, having a practised set of activities to execute will help to keep you focused, and maximise your chances of surviving the crisis intact.
Let us match you to your