The purpose of a Business Continuity Plan (“BCP”) is to ensure that a business can continue to operate in the event of a major disaster, such as a pandemic, a terrorist attack, an economic crisis, a fire, etc. This requires a thorough understanding of the business: gathering information and establishing risks and priorities before drawing up the plan itself.
Below we have broken down the components of a business continuity plan into three stages:
Stage 1: Risk assessment and evaluation
Before writing the plan itself, it will be necessary to conduct a risk assessment and evaluation of the likely impact on the business:
What are the critical business functions necessary for continued service?
What are the events that can adversely affect the business?
What damage will such events cause?
What controls are needed to prevent or minimise the effects of such events?
Identify the following, assigning a recovery time frame to each:
Priority “A”: functions absolutely essential to remain operational [e.g., up to 48 hours after declaring disaster]
Priority “B”: functions that are critical and should be performed in a timely manner following the completion of priority “A” functions [e.g., 3 to 7 days after declaring disaster]
Priority “C”: functions that enhance operations but are less time-critical for the company to remain operational [e.g., 8 to 90 days after declaring disaster]
The above are examples of what needs to be identified but priorities and timeframes will of course be specific to the business. The impact of various scenarios should be quantified in order to understand what risks are acceptable and the areas that need more focus.
Stage 2: Detailed information gathering
Depending on the outcome of Stage 1, more specific detail will need to be pulled together, for example:
Briefly describe what/who is located at each of the business’ physical locations.
If something happens at one location, can business be maintained from the others?
Understand relevant insurance provisions and processes.
Where is data hosted?
If using a third party (e.g., AWS), what are their disaster recovery arrangements?
What are the records vital to the continuity of the business (e.g., records of staff, clients, suppliers, insurance, operations etc)?
Where are such records kept?
Do staff store records and work in progress centrally?
Is this central store accessible and by whom?
Is this central store backed up? How often? Where are back-ups kept?
Are there detailed inventories – e.g., hardware, software, list of suppliers, critical telephone numbers?
Who is in the BCP team (see below)?
Who needs to be contactable during an emergency?
Who is needed to perform critical functions?
Have any key personnel been identified?
If so, is there key person insurance in place?
Is there a system for covering the duties (especially client facing work) of staff unable to attend?
Where are contact details for these people?
Establish forms of communication available in the event of an emergency, for example what if telephone lines and/or internet are down?
Understand the internal communications network and identify the third-party suppliers it depends on.
What is the process for identifying and declaring a disaster?
Who has the authority to put the BCP into action?
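Several of the Stage 2 questions (is the central store backed up, how often, where are the copies kept, can business be maintained from another location) can be asked of an inventory mechanically rather than once a year by hand. The following Python sketch is an added illustration, not part of the original article: it assumes a hypothetical `RecordStore` inventory schema, a constructed sample inventory with made-up site names, the example recovery windows from Stage 1 for the tier ordering, and an assumed 90-day limit on how stale a restore test may be before it is flagged.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Recovery tiers from Stage 1, using the example windows given in the text
# (priority "A" within 48 hours, "B" within 3-7 days, "C" within 8-90 days).
TIER_RTO = {"A": timedelta(hours=48), "B": timedelta(days=7), "C": timedelta(days=90)}


@dataclass
class RecordStore:
    """One vital record store from the Stage 2 inventory (hypothetical schema)."""
    name: str
    tier: str                       # recovery priority assigned in Stage 1
    primary_site: str               # where the live data is hosted
    backup_interval: timedelta      # how often the store is backed up
    last_backup: datetime           # when the most recent backup completed
    backup_sites: frozenset[str]    # where the backup copies are kept
    last_restore_test: datetime | None = None


def review_store(store: RecordStore, now: datetime,
                 max_test_age: timedelta = timedelta(days=90)) -> list[str]:
    """Return the gaps a BCP review would flag for a single record store."""
    findings: list[str] = []
    if store.tier not in TIER_RTO:
        findings.append(f"unknown recovery tier {store.tier!r}")
    # "Is this central store backed up? How often?"
    if now - store.last_backup > store.backup_interval:
        findings.append("backup overdue: last copy is "
                        f"{(now - store.last_backup).days} days old")
    # "Where are back-ups kept?" A copy held only at the primary site is lost
    # in the same fire or outage that takes the live data.
    if not (store.backup_sites - {store.primary_site}):
        findings.append(f"no backup copy outside primary site {store.primary_site!r}")
    # A backup that has never been restored is an untested part of the plan.
    if store.last_restore_test is None:
        findings.append("never restore-tested")
    elif now - store.last_restore_test > max_test_age:
        findings.append(f"last restore test older than {max_test_age.days} days")
    return findings


def review_inventory(stores: list[RecordStore], now: datetime) -> dict[str, list[str]]:
    """Review every store, most time-critical tier first."""
    order = {"A": 0, "B": 1, "C": 2}
    return {s.name: review_store(s, now)
            for s in sorted(stores, key=lambda s: order.get(s.tier, 99))}


# Constructed sample inventory; the site names and dates are invented.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    RecordStore("client-matters-db", "A", "london-office",
                timedelta(hours=24), NOW - timedelta(hours=6),
                frozenset({"london-office", "aws-eu-west-2"}),
                last_restore_test=NOW - timedelta(days=30)),
    RecordStore("staff-records", "A", "london-office",
                timedelta(hours=24), NOW - timedelta(days=3),
                frozenset({"london-office"}),
                last_restore_test=None),
    RecordStore("marketing-archive", "C", "aws-eu-west-2",
                timedelta(days=7), NOW - timedelta(days=2),
                frozenset({"aws-eu-west-2", "aws-eu-west-1"}),
                last_restore_test=NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, NOW).items():
        print(name, "->", findings or ["no findings"])
```

Running it against the sample inventory clears the client database, flags the staff records three times (overdue, single-site, never restored) and flags the archive only for its stale restore test; the report is ordered so that priority “A” stores are read first.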
Stage 3: Creating the Plan
Is there a recovery team in place? The detailed plan should ideally be created by the team who will be responsible for carrying it out.
Who will be in the team? This would include:
Communications team (to staff, clients, suppliers and regulatory bodies, e.g., Information Commissioner’s Office, Financial Conduct Authority, Solicitors Regulation Authority etc.).
Facilities and operations team.
Health and safety team.
IT recovery team.
Legal & Compliance team.
Responsibility for managing the plan will need to be clearly established within the business and the people in this team will need to have sufficient authority and resource to take action when the need arises.
The plan will need to cover incident control procedures and the procedures for reinstating normal business operations. The plan needs to cover the worst-case scenario; individual elements can then be used when less serious incidents occur. The plan will need to be tested, approved, implemented, maintained and reviewed on an ongoing basis.