It is a good first step to establish a disaster recovery plan which is a subset of a business continuity plan and covers the technology components of maintaining your organisation’s operations.
The primary steps for business continuity planning include:
1. Management buy-in
Business continuity is an organisational initiative and requires support, input and resource commitment from management and key stakeholders in an organisation.
2. Conducting a business impact analysis
Analyse activities undertaken by the organisation and the impact that a disruption might have on these activities. The steps involved in conducting a business impact analysis include:
Identification of products and services delivered by the organisation's activities
Consideration of the types of impact or losses an organisation may face if these activities are disrupted. For example, legal, regulatory or financial impact (similar to an impact reference table, from a risk management framework, with impacts to an organisation across different categories of impact)
Assigning criticality and prioritisation to the organisation's activities, for example, core services that must continue to operate, whereas supplementary services could be suspended until the resumption of regular operations. To assist with prioritisation, the time period before losses or impacts to the organisation could occur should be used
Determine if these products or services depend on external products or services
Quantify resources required to maintain the critical organisational activities at a level required to ensure continuity of operations. Resources refer to data, applications, IT infrastructure, physical locations, suppliers and people's skills and knowledge.
3. Performing a risk assessment
Identify and analyse risks that could cause disruption to the organisation.
The risk assessment should be focused on the critical activities identified in the business impact analysis.
Some examples include loss of staff, loss of access to IT systems and telecommunications, loss of utilities, loss of key suppliers or loss of access to premises.
The likelihood of the risk occurring together with the impact to the organisation (from the business impact analysis) provides a ranking of risks that require action in terms of resource requirements and action plans. With these plans in place and contingencies identified, the organisation is better placed to continue operations after experiencing a disruption.
It is important to test aspects of a business continuity plan on a regular basis. The plan should be reviewed when there are changes to the operating environment that affect the organisation's key activities or on an annual basis.
Download the Business Continuity Plan template and customise it to meet your organisation’s needs.