Guidelines for Business Continuity Planning [Hardfacts]

Introduction

Business Continuity Planning should be regarded as a priority for any business and is as critical for small and medium-sized companies as it is for large organisations. Every year, around 20% of all businesses across the United Kingdom face an event that is unplanned, unwanted and sometimes challenges their very survival. That threat may come as a result of fire or flood, theft or fraud, or potentially even terrorist action, but no matter what the cause, businesses that successfully recover to thrive again are those that have:

  • Assessed the likely impact on the business of significant events
  • Planned their response in advance
  • Tested the effectiveness of the plan and revised it where needed
  • Invested time, thought and, where necessary, money in managing risk.

All businesses are different and it is not possible to specify a generic template that can be applied to every business; however, the following steps provide an outline approach that can be adapted for use in most businesses.

Preparing a Business Continuity Plan is not just a necessary evil for most businesses. Many businesses realise that disasters can have side-effects that cannot be covered by insurance, such as reputational risk and staff retention. A well-developed plan can address these factors. A plan can also be used to gain an advantage over competitors who cannot include evidence of a plan in their tender documents.

STEP 1 - Service Levels
STEP 2 - Risk Analysis
STEP 3 - Emergency Action Planning
STEP 4 - Business Recovery Planning
STEP 5 - Testing and Maintaining the Plan

External Influences

A business has many external influences that can affect its mission-critical processes and functions. These can include government departments, regulators, competitors, trade bodies and pressure groups. It is important to identify these at an early stage and take their influence into account. Some or all of the following may apply to your business:

  • ISO/IEC 17799 - Information Security Management
  • Corporate Governance and Investor Relations - Turnbull or Combined Code
  • Mandatory Industry Regulation e.g. Prudential Regulation Authority (PRA) or Financial Conduct Authority (FCA)
  • ISO 9000 - Quality Management
  • The Cabinet Office - businesses participating in publicly funded projects

Preparing a Business Continuity Plan will give you a better understanding of the risks facing your business and may be required as part of your compliance regime.

The Disaster Recovery Team

Developing and implementing a plan are best done as team activities. The Disaster Recovery Team should be made up of managers and staff who are able to work effectively in challenging circumstances and adapt to a changing situation, together with deputies to cover for illnesses. The team members should, between them, have a good understanding of the business areas including operations and processes, legal, finance, HR, IT, premises, publicity, health & safety and fire and security precautions. It is important, at the outset, to ensure that the team has a common understanding of the company's primary business objectives. This common understanding can avoid disputes over priorities between team members at a later stage in the planning process.

A Disaster Co-ordinator should be appointed to lead the team and to decide when it is necessary to invoke the Business Continuity Plan.

Remember when selecting the members of the Disaster Recovery Team that there will need to be others outside the team who can continue to manage the parts of the business that have not been affected by the disaster.

Preparing a Plan

When you have selected your team they can follow the 5-step process below to create a Business Continuity Plan.

STEP 1 - Service Levels

The business must understand its "desired level of service", i.e. what it aims to deliver to its customers and stakeholders every day. A business must also understand its "minimum acceptable service", i.e. the essential service it has to provide to avoid immediate permanent loss of custom and to fulfil its primary contractual obligations. Your plan is how you will get from your minimum service level to your desired service level in the shortest possible time.

STEP 2 - Risk Analysis

This is the process of recognising the risks that face your business (risk mapping), understanding what the consequences of these risks occurring would be (business impact analysis) and then putting protection and mitigation measures in place to ensure that you will always be able to provide your minimum level of service whatever happens (risk reduction). Risks that face the business may include:

  • Fire including denial of access to your own premises
  • Environmental impact including flood and pollution
  • Theft and vandalism
  • Terrorism or action by pressure groups
  • Industrial relations
  • Cyber attack
  • Machinery or IT systems breakdown

Consider what effects these risks would have on:

  • Each of your premises, in whole or in part
  • IT equipment and data
  • Machinery and plant
  • Vehicles used by the business
  • Public utility supplies (electricity, gas, water, telecommunications)
  • Premises of a major supplier

STEP 3 - Emergency Action Planning

This should deal with the immediate aftermath of any incident. The Emergency Action Plan should be implemented by a Disaster Recovery Team. Decide how the business would deal with issues such as:

  • Personnel
  • Immediate damage limitation
  • Site security
  • Damage assessment and salvage
  • Invoking emergency arrangements (IT recovery contracts, workplace recovery contracts)
  • Maintaining a "Disaster Recovery Log" to record details of the team's actions, losses identified and expenses incurred
  • Communicating with press, stakeholders, suppliers and important customers
  • Deciding which member of the team will be responsible for which actions

Don't forget to decide where the team will meet as your own premises may be damaged or you may be denied access to your premises.

STEP 4 - Business Recovery Planning

The Disaster Recovery Team should also prepare a Business Recovery Plan. This should state how the business would deal with issues such as:

  • Implementing alternative working practices such as subcontracting
  • Identifying and equipping temporary premises, perhaps using second-hand machinery, so the business can relocate
  • Monitoring the progress of the reinstatement work at the damaged premises, ensuring that this goes to plan and that machinery etc. is ordered at the appropriate time
  • Keeping in contact with customers and trying to win back the lost business as capacity improves
  • Keeping the "Disaster Recovery Log" up to date by recording details of their actions, losses identified and expenses incurred

STEP 5 - Testing and Maintaining the Plan

The plan needs to be tested to ensure it will work. It is a bit like having a fire drill but without the need for everybody to stop work. You could simulate a disaster with a desktop exercise, or you could test the plan on different parts of the business at different times. Revise the plan based on what you learn from these tests. The plan also needs to be kept up to date as the business develops over time. Even small changes to the business can have a big impact on the operation of the plan. Try to incorporate the need to update the plan into as many business change processes as possible, such as HR, IT, premises, supply chain and operations management. After a major change it will be necessary to test the plan again.

Further information sources

British Standards Institute ISO 22301 www.bsi-global.com

The Business Continuity Institute www.thebci.org

Home Office http://www.homeoffice.gov.uk

The British Damage Management Association www.bdma.org.uk

Continuity Insurance and Risk www.cirmagazine.com

Continuity Central www.continuitycentral.com/

Specific advice on counter terrorism measures can be found from:

UK Security Service http://www.mi5.gov.uk

The Counter Terrorist Security Advisor available from your local police force.

Please Note
This document contains general information and guidance and is not and should not be relied on as specific advice. The document may not cover every risk, exposure or hazard that may arise and Aviva recommend that you obtain specific advice relevant to the circumstances. AVIVA accepts no responsibility or liability towards any person who may rely upon this document.