Business Continuity

Helping to keep your business in business

  1. What is business continuity?
  2. Why is business continuity important?
  3. How to develop business continuity arrangements
  4. What should a Business Continuity Plan contain?
  5. Reviewing, testing and implementing your business continuity arrangements
  6. Coping with Disruption: Business Continuity Support Service

1. What is Business Continuity?

Business Continuity is the ability of an organisation to maintain essential functions during and after an incident has occurred. The most basic business continuity requirement is to keep essential functions up and running during period of disruption and to recover with as little downtime as possible.

For example, if your premises were affected by a flood or loss of power, how would you carry on your critical activities.

Resilience is a measure of how quickly your organisation is able to respond and recover to disruption and return to business as usual within an acceptable time fame.

2. Why is Business Continuity important?

Effective Business Continuity planning helps to ensure during times of disruption your business continues to maintain their essential functions and supporting the prioritised recovery of your most time-sensitive objectives. Nearly one in five businesses suffers a major disruption every year. If you invest in insurance cover, it makes sense to invest in Business Continuity planning too.

3. How to develop Business Continuity arrangements

A key first step before you develop your Business Continuity plan is to identify your critical activities and assets through a business impact analysis.

Critical activities can be defined as those activities which need to be performed to deliver key products and services that enable your business to meet its most important and time-sensitive objectives.

A Business Impact Analysis (BIA) is a process of identifying your critical activities, determining the impact that a disruption to these activities would have on your business and what resources you need to maintain them to an acceptable level.

Consider what risks your business faces and how they could impact your critical activities and assets.

Possible incidents:

  • Electricity supply failure
  • IT networks outage
  • Telephones outage for a day or longer
  • Key documents destroyed in a fire
  • No access to the office building for days, weeks or months

Consider if:

  • Customers could not contact you
  • Suppliers could not supply you
  • Customers unable to pay for your services
  • Unable to pay suppliers?

The BIA estimates the impacts of disruption over time to establish the organisation's response, recovery priorities, and the resource requirements.

The Risk Assessment identifies the disruption risks level to the organisation's critical activities and essential resources.

Once organisations have identified their critical activities, the organisation should identify the Recovery Time Objective (RTO) and the Maximum Tolerable Period of Disruption (MTPD). The RTO is the period of time following an incident within which a product or an activity must be resumed, or resources must be recovered. This time should be less than the MTPD. And the MTPD is the time it would take for adverse impacts, which might arise as a result of not performing an activity, to become unacceptable. You therefore want to recover it before this point.

Once you have carried out your Business Impact Analysis, you can start developing your Business Continuity Plan.

Source: Lacey, D. (2012) Business Continuity Management for Small and Medium Sized Enterprises: How to survive a major disaster or failure. British Standards Institution

To find out further information on hazards like fire and cyber attacks, please see:

4. What should a Business Continuity Plan contain?

A Business Continuity Plan (BCP) sets out the parameters and pre-defined thresholds for the activation of this plan. The plan identifies risks to the organisation, the maximum tolerable period of disruption and the recovery time objective. Preparation and planning activities can take place based on the assessment of these risks. The critical activities of the organisation and the contingency arrangements to allow them to continue during a period of disruption will also be detailed in this plan in reference to your organisations BIA. The BCP will also detail alternate working arrangements requirements, which should have been identified in advance with alternate arrangements detailed to ensure that the critical activities can be maintained.

As an overview, business continuity plans should generally contain the following details:

  • Document management information such as a document owner, version control or distribution list
  • Roles and responsibilities
  • How will the plan be activated – when, by whom and how?
  • Key contact details – internal and external
  • Critical functions / activities to be recovered, timescales and recovery levels needed
  • Resources available to deliver critical activities during the first 24hrs and up to 2 weeks from the event, and processes for mobilising resources
  • Actions to be carried out, in what timescale and who will do these
  • Clear communication processes – who reports to whom or cascades information
  • Process for standing down and returning to normal business.

5. Reviewing, testing and implementing your Business Continuity arrangements

Make sure you regularly review your business continuity arrangements and ensure staff are fully aware of their role in an emergency.

Start with a minimal plan and test it by running a short exercise to ensure it is fit for purpose. The plan can then be carried out through a tabletop exercise with key staff involved in managing the response to an incident. Consider your main risks and produce an exercise which will affect a high risk in minimal, moderate, significant disruption

All plans should be reviewed whenever there are any major changes to premises, processes or services, or when a new threat emerges that threatens to disrupt your business activities.

Essential contact details should be tested regularly on at least a six-monthly basis.

Evacuation exercises can be carried out to test back up arrangements, as part of scheduled fire alarm evacuation drills.

6. Coping with disruption: Business Continuity support service

If you want to provide assurance to existing and potential new clients that your organisation can cope effectively with disruption and continue to deliver your critical services when incidents occur, the Surrey County Council Emergency Management and Resilience Team can deliver a cost effective, bespoke solution for you. The team will be able to provide advice, planning, training and exercising support to development, review and validate resilience arrangements against recognised industry and good practice standards. To find out more please see contact email us at sccemt@surreycc.gov.uk

Useful websites

Business Continuity Institute - The Business Continuity Institute (BCI) | A global institute for business continuity and resilience | BCI

BCI Good Practice Guidelines - Good Practice Guidelines (GPG) Edition 7.0 | BCI

The Cabinet Office (UK Resilience) - Emergency preparation, response and recovery - GOV.UK

Protect UK - ProtectUK | Home

Did you find this information helpful?

Rating Did you find the information helpful?

We aren't able to reply to individual comments, so please don't include any personal details.

Subscribe to our newsletters for latest news and events.