Planning for large businesses
This is a five-step guide to get you started on business continuity planning for a large organisation. Use the links below to go to each section, or you can download and print a more detailed strategy for big businesses.
- Step one: Analyse your business
- Step two: Assess the risks
- Step three: Develop your strategy
- Step four: Review your plan
- Step five: Train your staff
Step one: Analyse your business
This step, also known as a business impact analysis, determines which area of the company's activities are crucial to running the business. During this phase you should focus on:
- Mission critical activities
- Internal factors
- ‘What if?’ scenarios
- Worst case scenario
- Specialist services/activities
- External influences
A. Mission Critical Activities
To assess mission critical activities consider which operations are crucial to the running of your business. Use the table below as an example for you to grade the importance of different areas.
| Grade on a scale of 1 to 5 | What is essential to the running of the business? |
|---|---|
| Employees? | |
| Products? | |
| Services you provide? | |
| Location? | |
| Major Client(s)? | |
| Main Supplier(s)? | |
| Specialist equipment? | |
| Unique premises? | |
| Time sensitive processes? | |
| Shareholders? |
B. Internal factors
What internal factors will influence the impact of an incident on your business? Consider how vulnerable you are in different areas. We have compiled a sample list of questions for you to consider as a starting point for this exercise.
| Here are some questions to consider with regards to your staff: | Answer: |
|---|---|
| Grade departmental importance - which department is most/least vital? | |
| When is the departmental function most essential? | |
| Which people are most essential and when? Consider different timescales of a few hours, 24 hours, 5 days etc. | |
| Do you have contact details at another location for all your staff and key employers? Are they up-to-date? | |
| Do you have a plan of who needs to do what in case of an incident? | |
| Do you have a crisis team? | |
| Have you nominated deputies for the members of the crisis team in case they are not available? |
C. ‘What if?’ scenarios
| Grade on a scale of 1-5 | Define | Suggest preventative action: | |
|---|---|---|---|
| If you could not deliver an order to a customer? | e.g. broken van |
Tel No for hire firm | |
| e.g. road blocks | Alternative route | ||
| If your staff could not get to work? | |||
| If your suppliers or customers could not get access to your premises? | |||
| If your IT system was damaged? | |||
| If your telecoms were down? | |||
| If you could not get access to your building? | |||
| If you could not operate from your location? | |||
| If you became ill over a long period of time? | |||
| If you are unable to pay your staff/ suppliers? |
D. Worst case scenario
| What would be the worst-case scenario for your organisation? | Define | Suggest preventative action: |
|---|---|---|
| How long before your business would be severely affected: hours days months |
||
| Would it survive the disruption? | ||
| Do you have insurance against this eventuality? | ||
| Do you have copies of insurance papers off-site? | ||
| How much can you afford to lose if unable to run your business for days weeks months |
||
| What do you need to do to stay operational? | ||
| Do all heads of departments agree that this is the worst-case scenario? |
E. Specialist services/activities
An activity may be unique to your business or have a unique aspect due to its complexity. This could leave you especially vulnerable in an emergency, so take time to consider probable implications and solutions
F. External influences
What external factors are likely to affect your business during a crisis? Use the table below and think of more influences that maybe specific to your organisation/area.
| Aspect affecting you | The way it's affecting you: | Preventative Action: |
|---|---|---|
| Local community | Mixed opinion about what you manufacture | Community project/local help |
| Competitors | Do they have an emergency strategy? | Research |
| Government | New legislation | Need to comply? |
| Transport | Cancelled public transport | Have a list of employees with their own transport/ organise shuttle bus/ organise accommodation etc. |
| War in a different country | Reduced customer confidence affecting imports/ exports | Have money in reserve for special advertising campaign etc. |
Download a Business Impact Analysis Matrix - it will assist you in identifying the impact an incident will have on your business and what type of risk it carries for you.
Before proceeding to the next stage, ensure a senior member of staff/ board member agrees with the business impact analysis. This stage should involve a senior member of staff and co-ordinators.
Step two: Assess the risk
Your next steps are to look at the most likely and greatest risks to your business. This stage should involve a senior member of staff and co-ordinators. When running through these hazards, ask yourself the following three questions:
- Internal and external threats, liabilities and exposure
- How vulnerable is your organisation to various types of incident
- Your attitude to risk
- How long can your business last during/ after an incident?
A. Internal and external threats
Use the table below as an example to create a similar checklist for your company. You are looking at the likeliness of something happening and your preparedness. This will show your current strengths and weaknesses in disaster management.
| Grade 1-5 most/ least prepared | Grade 1-5 least/most likely | |
|---|---|---|
| Does your plan work if the power fails? | ||
| Does it work when there is a fire? | ||
| What if your customers/ suppliers cannot contact you? | ||
| What if your suppliers cannot get to you due to floods/ cordons? | ||
| What if your customers cannot pay you? | ||
| What if your employees cannot get to work for a few days in a row? | ||
| Does your plan cover criminal damage? Are you insured? |
B. How vulnerable is your organisation to various types of incident
Now you need to think about how different elements of your business will be affected by different risks. Again, use the table below as an example and create your own to suit your organisation.
| How will your customers be affected? | |
|---|---|
| If there are delays in delivering the goods/services? | |
| If you cannot contact them? Will they switch over to your competitors? | |
| If it's a company-related incident, will this damage your reputation? Do you have a planned PR response? | |
| Have you reassured them that you have a business continuity plan in place? Is your PR department aware of its content? | |
| How will other stakeholders be affected? | |
| Staff - have you assured them that you have a business continuity plan in place and that their jobs will be secure in case of an incident? | |
| Are your staff aware of the role they have to play in case of an incident? | |
| Suppliers - have you assured them that you have a business continuity plan in place and that you will be able to pay them on time in case an incident occurs? | |
| Shareholders? | |
| Local community? | |
| Business neighbours? | |
| If you share your premises with other companies in the building: | |
| Have you thought about working with your neighbours to create a joint business continuity plan? | |
| What's the nature of their business? | |
| What will happen if you are denied access to the building due to another company's accident? | |
| Can you do anything to mitigate the risk from another's business? | |
| Does your landlord have a BCP? | |
| Is your landlord complying with their responsibilities under law? | |
| How will your financial systems be affected? | |
| Do you have financial company details off-site? Back ups of recent transactions? | |
| Do you have an extra copy of your chequebook? | |
| Will you be able to pay your staff/ suppliers? | |
| Other issues to consider | |
| Will you be able to get hold of your vital papers - do you have copy details of your insurance cover off-site? | |
| Do you keep staff trees/ lists off-site? | |
C. Risk appetite: How risk averse are you?
Establish how long your business can bear functioning at reduced capacity and what level that is. What needs to be done to make sure it can function at minimum capacity? Here are some different strategies you could take:
- Accept the risks - change nothing, e.g. close the office/ plant down for while and have a disaster recovery plan in place to sweep up the damage and get your business fully operational after some time has passed.
- Accept the risks, but make a mutual arrangement with another business or a business continuity supplier to ensure that you have help after an incident. This business could be a competitor, but it is common that for business continuity purposes they become a 'buddy'.
- Attempt to reduce the risks, e.g. by for instance changing or ending 'risky' processes or by taking out insurance. Although do note that insurance provides financial recompense and support in the event of loss, but does not provide protection for brand and reputation.
- Attempt to reduce the risks and make arrangements for help after an incident.
- Reduce all risks to the point where you should not need outside help, e.g. through implementing broad continuity management principles in case of an incident.
D. How long can your business last during/ after an incident?
Some companies can function for a long time during a crisis; others are more at risk and can suffer from the smallest of incidents.
You need to establish how long your business could function at a reduced level and what that level is: Consider how much you can afford to lose if you are unable to run your business for days/ weeks/ months. i.e. should your business be forced to run at only 50% its normal activities, 20%, 80% etc? Make sure you know your break-even point!
For more help in assessing your risks, use our quick interactive risk assessment tool and download the risk assessment checklist.
Step three: Develop your strategy
From the beginning of creating your emergency strategy, aim to embed a business continuity management culture throughout the organisation to ensure that business continuity management becomes an integral part of the organisation's strategic day-to-day business.
Your plan should be clearly written, so everyone in the organisation can understand the parts relevant to them. As a guide, each business continuity plan should aim to contain the following:
- Statement of clear purpose of the plan
- The structure of the crisis team(s)
- Business recovery
- Work area recovery
- Technology recovery
- PR
- Staff focus
- A description of the premises
A. Statement of clear purpose of the plan
The statement should outline the direction the plan will take in case of an incident and include a clear statement on how risk averse you are. At this point you should also include a statement of support by senior management to install confidence amongst employees.
You might find it helpful to classify what you consider to be a disaster within your statement, for example a standard definition may be: "any unwanted significant incident which threatens personnel, buildings, or the operational structure of an organisation which requires special measures to be taken to restore things back to normal". (Definition taken from part 2, 'How Resilient is Your Business to Disaster', Home Office publication, 1997).
B. The structure of the crisis team(s)
It must be clear when emergency plans are to be implemented and who has the authority to implement them. The plan should include all persons responsible for initiating the plan's implementation, both junior and senior.
If you have nominated a team to create, co-ordinate and deliver the plan, it might be helpful to divide the personnel involved in the plan into three different categories:
- Gold - the thinkers responsible for the strategy, such as the CEO.
- Silver - the planners and co-ordinators that will deal with the tactical aspects of the plan. These will include a senior management team of experts within your business. They are involved in specific planning and are responsible for co-ordinating and directing the resources of the business to ensure that the plans are being properly implemented. Silver people will link with Gold and keep them updated on the developing situation.
- Bronze - the doers who will be responsible for recovering/ restarting crucial business functions. They are responsible for ensuring that their specific business continuity plans are implemented. They take direction from the Silver people and keep them updated.
You may decide that you will need a set of plans for each of the Gold, Silver and Bronze teams, or a set of different plans for different Bronze teams, such as a separate IT department plan, which will, for instance, include more technical jargon and specific data.
Allocate a list of suitable locations where your business continuity team should meet, if an incident occurs. This should consist of a room on-site, a place in a public building, e.g. a local pub, someone's house or a meeting room at your alternative fall back site.
If an incident occurs, meet with everyone from the business continuity team as soon as you can, probably after the first planned emergency procedures have been implemented, and then continue meeting every 24 or 48 hours.
C. Business recovery
Develop practices and procedures needed to mitigate risk and reputation if business operations have been affected. It includes the priority tasks that must be addressed if the business has to relocate and needs to communicate with clients and service providers during the period of disruption.
It is essential that such lists are updated regularly, at least quarterly, and preferably monthly, and they must recognise the likely availability of staff 'out of hours' and weekends and during holiday periods.
The members of the 'crisis team' should be supplied with a simple check list of the actions they must take during and after an incident. Using brightly coloured cards or paper is a cheap and way of ensuring that people know they are using the most up-to-date version. The lists should be accessible and available at all times and in several locations, electronically and in hard copy.
D. Work area recovery
This could be the key aspect of your plan. If you intend to work from another site, there are several options to consider:
- You might decide some staff can work from home temporarily.
- You might have made arrangements with another company to use their facilities.
- Choose a 'cold site' agreement, this is usually provided by a business continuity supplier and involves erecting a temporary building. You will usually be able to move in after about 12 days.
- Or a 'hot site', also usually provided by a specialist continuity company, makes desks available within about 4 hours. This option is easy to rehearse, but relatively expensive.
E. Technology recovery
Most businesses nowadays have complex IT, telecommunications and utilities' structures in place and your emergency strategy should take this into account.
- IT: It is imperative to keep inventory lists of software and hardware, as well as suppliers so that you can replace equipment immediately if needed. Download a PDF of software and hardware inventory lists. Customise inventory lists according to your needs. It is worth checking in advance if your insurance covers the replacement of damaged items immediately, or whether you need the insurance company's consent.
- Telecommunications: Make a list of all the access numbers and keep them safely on and off-site. Check whether you can access your telephone system remotely or set up re-directs to other lines.
- Utilities: Have a list of all of your utilities' providers, their contact details and your account numbers.
F. Public relations
The PR process can make or break a company's reputation. PR will influence how existing and potential customers, suppliers and all other stakeholders will react to the incident.
Nominate a company spokesperson, and ensure that all staff know who it is. For resilience, make sure more than one staff member is nominated and that they have some training in media handling. Key points to remember are:
- Make certain that the story is the same from all sources: if the emergency services are involved, co-ordinate your information with them.
- Possibly hire a PR consultant
- Consider the production of an emergency newsletter to staff. If it is a seriously disruptive incident and you cannot keep all your staff on site during recovery, it is essential to keep them well informed about progress.
- Have a pre-prepared list of facts on the organisation's functions, safety record, etc.
- Place advertisements in local or national papers if needed.
G. Staff focus
Consult your staff when drawing up the plan. This will ensure that they feel part of the plan and will be willing to participate fully when something does happen. Be sensitive how you communicate your plan: the phrasing 'essential staff' or 'vital departments' suggests that some of your staff are not as important as others.
Make sure that you have plans in place to take care of your employees once an incident does occur. Petty cash to help everyone get home safely is important, and in the longer term be prepared to organise counselling for traumatised staff.
H. A description of the premises
This is important for evacuation purposes. Clearly mark where the emergency exits are on plans of your premises. Also, include lists of the contents of your premises for any insurance claims.
Step four: Review your plan
In the process of developing your plan, make sure you have consulted all the decision makers in the business and involved your staff. Do a checklist like the one below, and regularly review your plan against the different points:
| Check your business continuity plan against the following: | Tick off |
|---|---|
| Does your organisation have a clearly defined, up-to-date business continuity plan for its entire weakest links, mission critical activities and their dependencies? | |
| Does your plan reflect the most up-to-date business impact analysis and risk analysis? | |
| Does your plan clearly define the role of the accountable business owner of the plan? (This could be the MD, CEO or business owner...) | |
| Has your plan been approved and signed off? | |
| Is it clear who is responsible for the plan's maintenance? | |
| Is the plan regularly reviewed in terms of its mission critical activities by the agreed person, such as the legal rep? | |
| Does the plan establish a clearly predefined response if an incident occurs until the point of full operation? | |
| Does the plan clearly define how to recover critical activities within the specified time frame? | |
| Does your plan clearly define personnel roles, their accountability, responsibility and authority? | |
| Have you established an appropriate time frame for review of the plan? | |
| Does the plan provide and define clear aims and objectives? | |
| Are there clear instructions on how to use your plan? | |
| Does the plan contain a diagram of the business continuity management structure? | |
| Does the plan clearly state the appropriate responses according to the emergency? | |
| Do you have clear details regarding purchasing, expenditure, and authority? | |
| Do you have a list of contents? | |
| Distribution list? | |
| Glossary of terms? |
Large organisations often consult with outside organisations who may be able to provide assistance when drawing up the plan. Key people/organisations to consider are:
- Find out what emergency services need to know in case of an incident. They also offer security and evacuation advice.
- Find out from your local authority emergency planning officer what they would do in response to a major incident or terrorist attack.
- Keep in touch with neighbouring businesses. How can you help each other?
- Find out what information utility companies will need in case of an incident.
- What information will your insurer need from you?
- Ask key customers and suppliers how they would like information communicated to them if an incident occurs.
- The Fire Protection Association, www.thefpa.co.uk, has published a useful guide: 'Safety at Scenes of Fire and Related Incidents' which also covers problems of chemicals, biological hazards and building safety.
Additional help
For those seeking more analysis tools and techniques to help you develop your emergency strategy, take a look at the 'Business Continuity Management - Good Practice Guide', published by the BCI, 2002.
There are organisations who specialise in business continuity and experts who can provide help in backing up your IT systems, to find out about them, take a look at our page of useful contacts and links.
Step five: Train your staff
Once the plan has been developed, it has to be subjected to rigorous testing. You may believe this is costly or unproductive but it is a practical investment for your company's survival: should an incident happen for real you will be better able to cope with it.
There are numerous ways in which you could test your plan. Here are a few simple examples:
- Paper-based exercises
- Read through the plan, questioning each action
- Test the plan using ‘what if?’ scenarios
- Telephone Cascading: this involves testing your Staff Contact Tree – initiate the process of phoning or texting people at the top of the tree. Measure the time it takes for the last people to receive the message. This also allows you to test the whole communication structure (are there any people on the list who have left the company?).
- Full rehearsal: If it's carried out in similar conditions to a real incident, it will show you how the different elements of the plan fit together. This may be expensive, especially if it involves changing sites, but planning will reduce costs and the efforts might pay off in the future.
Your plan will need a full rehearsal at least once a year and will also need to be maintained and updated regularly by an appointed person(s).
For more details on this aspect of perfecting your strategy, read our section on practising your plan and communicating your strategy.
To see how other UK businesses have coped with real emergency situations, take a look at these case studies.
