Greenwich

Emergency planning for businesses

Business continuity management

If you manage or own a business, you should have a robust, comprehensive and validated business continuity management (BCM) plan for unexpected emergencies.

This increases the chances of your business surviving a major incident. It'll help you to minimise the likelihood and/or impact of any disruption on your business or organisation.

What is business continuity management?

BCM is about planning to ensure an organisation has a quick and painless return to 'business as usual' in the event of a major interruption. This is regardless of the cause of the underlying incident (be it man-made, natural, accidental or deliberate).

The business continuity management cycle

Creating a BCM plan is best thought of as a cycle of activities, each leading to the next (and improving) stage of the process.

Each stage is described below and these and the supporting documents, which you may download and use, take you through the process:

Stage 1: Understanding your business critical activities

As the owner or manager of a business, you'll know everything there is to know about it. Understanding how everything fits together is essential to allow you to identify the critical functions and activities of the business.

In an emergency, you need to concentrate on the activities you must do to continue the business. These could be the areas that:

  • generate the greatest profit, or
  • provide the information on which the whole company relies, or
  • would cause the worst possible loss of reputation or credibility if it stopped.

Key processes and resources

To complete this analysis, you'll want to look at how your processes and procedures work. This should be both within your business and outside, with your customers, suppliers, regulators and other stakeholders.

You'll want to identify the key resources for the business. This could include:

  • the people working for you (think about the skill and knowledge required to keep the business going)
  • the premises where you work (this can include satellite sites and remote or home working)
  • vehicles and other specialist equipment
  • your data and systems
  • communications.

These are the activities and resources you'll want to protect as far as possible. You'll need plans in place should they be denied to you, either in full or in part.

Hazard analysis

Another stage of this process is to assess the risks and hazards to the business, and the likelihood of them happening. These could be general risks to the whole community, such as severe weather, or relating to your local area, for example if you're in an area that could flood.

There are many risks that could impact on a business. These include:

  • data loss or systems failure
  • serious widespread illness
  • flooding or other severe weather events
  • transport problems or fuel shortage
  • utilities failure resulting in the loss of power, heating, telephones or water supply
  • deliberate or accidental man-made incidents such as chemical spills
  • or the impact from a nearby major incident in which you aren't affected.

All these risks could:

  • reduce the number of staff able to work
  • deny you access to key buildings or equipment on a temporary or permanent basis
  • or stop you using key information needed for the business to continue.

Our booklet 'Minding Your Own Business?' is a guide for businesses on what they could expect if a major incident or emergency affects them.

Download the 'Minding Your Own Business?' booklet

Stage 2: Business continuity management strategies

Once you understand the risks that could harm your business, you can decide on what strategies to use. These could either remove the likelihood of them happening, or could help to mitigate the impact if they did.

It's generally considered that there are four broad options available. You could:

  1. Accept the risk and do nothing - this might be appropriate if the cost of doing something to reduce the risk was greater than the potential damage from the risk
  2. Accept the risk but seek mutual aid - you could achieve this by having a 'buddy' agreement with another business you'd share facilities and resources with if one of the businesses were affected by an incident
  3. Reduce the risk by taking mitigating actions - an example would be having tried and tested backup and recovery arrangements for IT data
  4. Remove the risk by stopping the activity or changing a process that carries too much risk to one that is more manageable

Stage 3: Developing the response

Once you've decided on your strategy (and remember you're more likely to have different strategies for each of your critical activities), it's important to understand how you can determine the impact of the incident on your business, as well as how and when you'll know to activate your plan.

Activation planning

There are many areas to consider at this stage. It's best to identify in advance:

  • how you'll understand the scale of disruption to the business, especially by being able to determine the impact on critical functions
  • who would decide to activate your BCM plan, who would be assisting them, and what specific roles and responsibilities they would fulfil
  • what resources you need to maintain your critical activities in an emergency, and how you'll make these available
  • who you'll need to communicate with - staff, customers, suppliers, partner organisations, regulators, investors and other stakeholders

Action planning

You can now write a timetabled action plan for use in an emergency.

This must concentrate on the critical 'must-do' activities, rather than the things we would enjoy doing or are the easiest to do.

It should cover at least the following:

  1. The decision-making process. Who makes the difficult decisions? Ensure this process is clear and understood and there are deputies nominated
  2. Communications strategy. Who should be contacted, and by whom? Make sure the plan includes a list of key contacts, including staff, suppliers, building firms (for repairs), and customers
  3. A time-driven and prioritised recovery process. When should specified processes be complete, and in what order of importance?
  4. Actions and activities. Ensure the plan shows how the business will continue to operate, which members of staff and external contractors are required, what other resources (IT, premises, transport, and so on) are needed, and from where you'll get these resources

Some helpful templates

To help you complete your BCM plan, we have produced templates and guidance documents you're welcome to use.

These are:

  1. a template for a simple BCM plan, in which you can fill in the blanks to get the process started. This is accompanied by a set of guidance notes
  2. a suggested starting list for an emergency pack, which contains essential information and equipment for responding to an emergency. You should keep one pack on site, which you'll remove with the staff if they evacuated the building. Another pack should be kept away from the workplace, for responding to an incident outside of normal working hours
  3. a template for a site plan document, which gives details of the location of key items on your business premises. The London Fire Brigade would use this in dealing with an incident on your premises - for example, the location of utility supply shut-off switches or hazardous materials

Stage 4: Establishing the continuity culture

Once you've completed your BCM plan, you now need to make sure the right people know about it.

You'll need to train those, who have roles in an emergency, in applying the plan. All staff within the organisation will need to know it exists and have a general idea of what to expect - even if it's to go home and wait for further instructions. Board meetings and staff training sessions are useful forums for this activity.

You should inform a range of stakeholders about the general provisions within the plan. Investors will want to know how they're protected in an emergency, and your insurance company will also be interested as this may reduce your premiums.

Key suppliers will appreciate knowing about your arrangements, so they understand how you'd operate in an emergency.

Stage 5: Exercising and plan maintenance

You need to treat the plan as a living document which changes with circumstances and the needs of the business. You should review the plan at least yearly and also if there are significant changes in the organisation, whether they are changes in staff or processes.

You also need to check and exercise the plan to ensure it's still valid and those with emergency response roles can rehearse their activities.

If those trained to use the plan don't rehearse their roles and responsibilities, it's likely they won't be effective in an emergency.

How to check and exercise your plan

There are many ways to do this, including:

  • reading through and reviewing the plan, or asking someone else to read the plan
  • you could also do a quick assessment of your current arrangements against our 20-minute BCM checklist
  • desk-top walk-throughs: Set staff the task of reviewing the plan against a set scenario (for example, the reaction to a loss of an important piece of equipment or being unable to access their normal workplace)
  • staff awareness training: Ensure everyone in the business knows their role should an emergency occur. You could combine this with fire evacuation training, by asking staff what they would do if they couldn't return to their usual workplace
  • component testing: Check a part of the plan to ensure it works. For example, you could test the recovery of your IT systems, or check all the emergency telephone numbers are correct
  • 'live' testing - This could be a full recovery exercise where you set up your critical activities elsewhere, or have one part of the organisation move to confirm the arrangements

Download business continuity plan documents