BEST PRACTICE GUIDE
BUSINESS CONTINUITY BEST PRACTICE
BUSINESS CONTINUITY
WHAT IS BC BEST PRACTICE?
Every organisation is unique. Therefore, Business Continuity
Planning (and the Business Continuity Plan it creates) must
be unique too.
But the concepts, methods and principles required aren’t.
This Best Practice Guide outlines the key components for
sound Business Continuity Planning.
*For detailed guidance, the Business Continuity Institute publishes the Good Practice
Guidelines (GPG). This guide isn’t intended to replace that document. The GPG tells you how
to go about creating and managing your Business Continuity Management Programme. This
guide summarises what you need.
Create the Business Continuity Policy
Business Continuity Planning starts with a statement of the
intention and direction from top management. The policy must
be short, clear and define the priorities for Business Continuity
and how they relate to the overall business strategy.
Carry out a Business Impact Analysis (BIA)
The core of good Business Continuity Planning is the Business
Impact Analysis. The BIA looks at the specific ways your
potential risks could disrupt your activities. There are several
specific types of BIA you can use:
• Initial or Overview BIA
• Product and Service BIA
• Process BIA
• Activity BIA
These different views or approaches should be used or
combined in whatever way best suits the organisation.
The BIA should be reviewed and updated at least annually.
Create & maintain a Risk Register
The Risk Register is a list of the risks for your organisation.
Publicly available national and city-wide registers are available
to help get started, but you should adapt for your specific
risks. Give each risk a score for the likelihood of occurrence
and impact. Once risks are scored, plot them on a matrix to
identify which need most attention.
[Risk matrix diagram: Impact on the vertical axis (1 to 3, Low to High) plotted against Likelihood on the horizontal axis (1 to 4, Low to High).]
Design your Risk & Threat mitigation solutions
After identifying risks, disruptions and the effect on the
organisation, you now need to plan how you will mitigate
those effects.
Options for your ‘solutions’ include:
• Diversification
• Replication
• Standby
• Post-incident acquisition
• Do nothing
Think about the effect on key aspects of the business:
• People: Dispersed personnel minimises the risk of incidents affecting all
staff, or have external staff agencies ready to call in when needed.
• Resources: Alternative technology to ‘fail-over’ to in the event of an issue
with primary systems.
• Premises: Alternative locations for when the primary site is unavailable, or
remote working facilities.
• Suppliers: Alternative suppliers in the event of a failure or insolvency.
Write & maintain the Business Continuity Plan
The Business Continuity Plan is the document that details
how to respond to and recover from disruptions. Depending
on the size and complexity of the organisation, you may need
several plans, ranging from strategic overviews to tactical and
operational plans. These can include:
• IT DR Plan
• Crisis Comms Plan
• Emergency Evacuation Procedures
• First Aid and Welfare Measures
• Staff Relocation Plan
A good plan is concise, direct and action orientated. It needs
to be useful and usable in time of high stress and urgency.
Name your Crisis Management & Response Teams
Your Crisis Management Team will vary, depending on the size
of your organisation and number of sites and/or business units.
The team should include senior management, Operations, IT,
PR and other key management.
You should also name the individuals required for the response
and factor in deputies to account for absence or
unavailability of primary members.
Name the person(s) responsible for Business Continuity
Responsibility, accountability and authority are vital to ensure
planning actually happens and mitigation solutions are in place.
The person ultimately in charge of BC sends a message to
the organisation about its approach and how seriously it is
regarded by the business.
There is always a risk of BC activities being overlooked in favour
of conflicting, more urgent priorities. A person of appropriate
seniority should be responsible and able to direct resources
and activities.
Assign sufficient resource to manage Business Continuity
This is particularly relevant to smaller organisations without a
dedicated Business Continuity Professional. In these cases, BC is
likely to be just a part of that individual’s (or team’s) responsibility.
Without sufficient time and budget it won’t be possible to
adequately manage BC. If it is not possible to adequately
resource BC internally, get third party support.
Test and Exercise your plan
Create a Testing and Exercise schedule, including success
criteria and KPIs. Exercise plans at least once per year. Full-scale
BC exercises require a significant time commitment, so they
should be supplemented by more frequent, smaller exercises.
This will help maintain a level of organisational preparedness.
These include:
• Individual IT systems and server recovery tests
• Remote working exercises (these can be planned to
coincide with known events like transport strikes)
• Tabletop exercises where the recovery is ‘walked
through’ and discussed but not enacted
Your recovery times should be set out in your planning and BIA.
Translate these times into KPIs. Measure your Exercises against
your KPIs to track if your recovery efforts are adequate and
improving over time.
Review the Programme
ISO22301 for Business Continuity recommends the Plan, Do,
Check, Act model (PDCA). The model is a simple cycle to
review and improve your Business Continuity Planning.
In addition to reviewing the plan, the entire programme should
be reviewed each year. Is the team still right? Is there enough
internal resource, or are external resources needed?
GLOSSARY
Maximum Tolerable Period of Disruption (MTPD) or Maximum Acceptable Outage (MAO): The maximum amount of time a company’s key products or services can be unavailable before unacceptable/intolerable consequences happen.
Recovery Time Objective (RTO): The length of time a recovery takes before a system is operational. I.e. the recovery starts at 2pm and lasts until 4pm. The RTO is therefore 2 hours.
Recovery Point Objective (RPO): The RPO is determined by the frequency that you back up or replicate your systems. A single daily backup means the maximum RPO is 24 hours.
Business Impact Analysis (BIA): The analysis of your business activities and the effect a disruption would have on them.
Risk Register: A register/list of your risks.
Risk Matrix: Your risks, individually scored by likelihood and impact, plotted on a matrix diagram.
Risk Assessment: Identifying and analysing your business risks.
Test: An exercise that has a measurable, pass/fail result. I.e. you can “Test” if a generator works.
Exercise: Practising and testing activities that do not have a pass/fail result. E.g. practising evacuation procedures.
Business Continuity Plan: One of the outputs of Business Continuity Planning is the document, the Business Continuity Plan itself. The plan details how to respond to and recover from disruptions.
Incident: The escalation of an event that could cause disruption.
Organisational Resilience: The capability of an organisation to adapt and maintain operations.
0800 033 6633
contact@[Link]
[Link]
Databarracks,
1 Bridges Court, London, SW11 3BB