
What is a Business Continuity Plan?

A BCP outlines how your company will continue operating and who to contact during an unplanned disruption to service.

A BCP outlines the processes in place to effectively contain, respond, recover, resume, and restore normal “business as usual” operations following a disruption. The disruption could affect one or many of the Company’s key resources, for example when offices, computer systems, applications, services, solutions, or individuals become unavailable.

The disruption could have any number of causes, including poor weather, flooding, power/internet outage, equipment failure, illness, or another reason.

Being prepared enables you to minimise the probability and impact of business interruptions by integrating safeguards into your business operations.

How does BCP differ from Disaster Recovery?

Disaster Recovery (DR) is focused specifically on the processes, policies and procedures used to recover our technology infrastructure after a disruption.

Risk Analysis

Potential threats to the critical processes include the following: poor weather, flooding, power/internet outage, equipment failure, a pandemic, cyber attack, office fire, or data centre fire.

The guidance below can be used for assessing those threats:

Probability - What is the probability of the threat occurring and causing a disruption to normal business?

  • Low: unlikely to occur.
  • Medium: it is possible it may occur and/or has not occurred recently.
  • High: likely to happen and/or has happened recently.

Impact (Confidentiality) - Rate the potential impact on data confidentiality if the incident occurred.

  • Low: No associated fines or prosecutions.
  • Medium: Prosecutions and penalties but fines are not punitive.
  • High: Complete compromise of data and information assets resulting in shutdown. Loss of several major customers. Fines greater than 20% of turnover.

Impact (Integrity) - Rate the potential impact on data integrity if the incident occurred.

  • Low: Likely to create ill feeling with one or two low value clients. Loss does not have commercial implications.
  • Medium: Damaging to the organisation, its reputation and confidence. Jeopardise relationships with several medium value clients.
  • High: Severe threat to the business, may result in a loss of 50% or higher of business clients. Extreme almost irreparable damage to the company’s reputation and confidence of customers. Loss of several major customers.

Impact (Availability) - Rate the potential impact on data availability if the incident occurred.

  • Low: Little effort to restore or correct data issues.
  • Medium: Commercial information is affected and may have an effect on the business.
  • High: Complete compromise of data and information assets resulting in shutdown.

Business Impact Analysis (BIA)

The BIA process is covered in this article

BCP Team

Whilst all staff should be aware of the role they play in identifying and responding to incidents, there should be a formal BCP team who oversee business continuity planning and who, in the event of a disruption, are responsible for invoking BCP and for incident management and response.

Incident management

The BCP outlines the actions that need to be taken for initial assessment, invoking BCP, communications, overseeing any alternative working arrangements and managing the incident.

BCP contacts

It is important to include a comprehensive and up-to-date list of contacts that may need to be informed if BCP is invoked. Having this information in one place ensures that everyone has access to the relevant contact details and that no time is wasted searching for it when time is critical.

The list of contacts should include:

  • Insurance companies
  • Key stakeholders - whilst the BCP Team is captured in a separate section, there may be other key stakeholders who should be informed.
  • Key suppliers - this could include hosting providers and office space. This article provides some useful links.
  • Commercial partners - are any key processes outsourced?
  • Regulatory bodies including the ICO for a data breach