Developing your business continuity plan
A Business Continuity Plan (BCP) should record how you will respond to an emergency or a disruption.
Although you need to be aware of specific risks and deal with any serious ones, your planning should focus on the outcomes of disruption, not its causes. The list of scenarios that could affect your business is endless, so your plan would need to be huge in order to cover all the different responses. Regardless of the cause, a business continuity incident generally means you have lost one or more of the following things:
So, instead of focusing on all the 'what ifs', it is more helpful to identify alternative ways of working to manage the different outcomes of a disruption listed above.
Imagine your ICT network was affected by a virus...
- Is your key data backed up?
- Do you have digital data stored elsewhere in hard copy?
- How would you recover data? Would you need third-party support?
- Could you continue to work without ICT to maintain your most time critical activities?
- Who would you need to inform that you have been affected by a virus? How would you do this? What would you say?
- Would your staff know what to do?
For this scenario, good risk management would be about checking your anti-virus, firewalls and network security arrangements: are they good enough to protect your systems? SMEs are a potential goldmine for hackers, and serve as a playground for 'newbie' hackers. Just think of the reputational damage caused by the theft of personal customer data. Could you do more to ensure that your data is safe?
So, as well as recording the different ways of working in your plan, you also need to know who will lead your response and who has the authority to make important decisions.
Much of your incident response will be about good communication and information sharing, for example with staff, customers, suppliers and anyone else with an interest in your business, so it is also sensible to include a communications strategy as part of your plan.