Last reviewed 3 April 2013

Mike Sopp discusses business continuity response planning and the various guidelines that are available to assist.

According to BS ISO 22301, business continuity management is a “holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause” that, among other matters, “provides a framework for building organisational resilience”.

How a business copes with unwanted events is often down to the level of pre-planning that has taken place. Increasingly, businesses and public organisations are being required, either through regulatory requirements or insurance demands, to have suitable plans in place to cope with any foreseeable disruption and to ensure continuity of the business or services provided.

Response planning and implementation is concerned with the development and implementation of appropriate plans and arrangements to ensure continuity of critical activities, and the management of an incident.

Planning principles

The Business Continuity Institute (BCI) Good Practice Guidelines (GPG) state that the key requirements for an effective response are:

  • a clear procedure for the escalation and control of an incident

  • communication with stakeholders

  • plans to resume interrupted activities.

A crucial element in response planning is having in place an incident response structure that allows the management of unwanted events at strategic, tactical and operational levels. This is commonly known as the gold, silver and bronze hierarchy and it allows an organisation to confirm the nature and extent of the incident, take control of and contain the situation, and communicate with stakeholders.

Within the management framework, it is essential that the roles and responsibilities of the people and teams having authority (both in terms of decision-making and authority to spend) during and following an incident are clearly documented.

Another important element in the response phase is the procedures for invocation of plans. This process should be documented and allow for the relevant plans or parts thereof to be invoked in the shortest possible time. The invocation process may require the immediate mobilisation of organisational resources and should include a clear and precise description of:

  • how to mobilise the team(s)

  • immediate rendezvous points

  • subsequent team meeting locations and details of any alternative meeting locations.

Although the term “business continuity planning” is often used, planning, in reality, covers a number of different activities and will usually consist of multiple plans. Indeed the BCI defines a business continuity plan as “a documented collection of procedures and information that have been developed, compiled and maintained in readiness for use in an incident, to enable an organisation to continue to deliver its important and urgent activities, at an acceptable predefined level”.

When developing a plan, it is vital that an owner is appointed and a planning team developed. This team can then:

  • define the purpose, objectives and scope of the plan

  • develop and approve a planning process and timetable programme

  • decide the structure, format, components and content of the plan

  • determine the strategies that the plan will document.

Having determined the above, the next stage is to gather the necessary information to populate the plan. It should then be circulated to relevant stakeholders and amended, based on feedback received. The final version can then be agreed and validated with stakeholders. All plans should be accessible to those with responsibilities defined therein.

Types of plans

The incident response structure selected, the BCM strategy, and the size and diversity of the business will determine the number and type of plans to be put in place.

As already noted, plans can be developed so as to manage various phases of an incident. This can include emergency response plans for immediate response, incident management plans to manage the response to an incident (eg incident communication plan), continuity plans for the business response to ensure essential activities operate at a minimum acceptable level, and recovery/resumption plans to resume operations at a normal level.

The development of planning will be very much dependent on the culture and structure of the organisation. In smaller establishments, it may be feasible for plans to be self-contained in a single document, while in large, diverse organisations, it may be necessary to define the scope and range of plans with the various elements being separated. For example:

  • an Incident Management Plan (IMP) may address the strategic (acute) issues of a crisis and how they are immediately managed

  • a Business Continuity Plan (BCP) could be a tactical document that enables activities to be maintained from the incident inception to the point at which normal business operations are resumed

  • individual response plans based on departmental or business unit requirements (HR, facilities, IT, etc) can be developed that link in with the tactical BCP.

BS ISO 22313 notes that the purpose and scope of each specific plan should be defined, agreed by top management and understood by those who will put the plan into effect, with relationships to other plans/documents within the organisation being referenced.

The BCI GPG also reflect on the three main levels of planning. They note that strategic planning will, in particular, be responsible for protecting the organisation’s reputation and media management response.

Tactical plans are utilised to pull together the response of the whole organisation to a disruptive incident by facilitating the resumption of business activities, while operational plans will be for the response and recovery of an individual business unit.

Plan contents

The GPG highlight that plans should “identify, as far as possible, the actions that are necessary and the resources which are needed to enable the organisation to manage an interruption whatever its cause”.

The detailed content of plans will vary considerably, depending on the development style adopted; there is no defined template for plans. However, all plans will require:

  • roles and responsibilities of individuals and teams to be documented and made known to relevant stakeholders

  • plan invocation procedures to be developed, including who can invoke the plan, when and how

  • up-to-date contact information for key stakeholders

  • accommodation, facilities and resource requirements to be detailed.

Both BS ISO 22313 and the GPG provide further guidance as to the content that could be set out in plans. As an example, in terms of an IMP this will include:

  • task and action lists to address basic issues such as safety and those that prevent further loss (evacuation procedures and salvage procedures)

  • emergency contacts and communication procedures with, for example, emergency services, next of kin, key clients and suppliers

  • media response plans that detail the strategy for communications

  • annexes to record and provide information relevant to the organisation.

The components and content of a business continuity plan will vary from organisation to organisation and will have a different level of detail based on the culture and the technical complexity of the solutions. There are many commercially available templates that can be adopted.

However, any plan should reflect the strategies that have been developed for each essential resource that is needed to keep key activities operating at a minimum level over a given period of time, so as to ensure continuity of service or business during or following an incident. In other words, it should list a series of contingencies that enable key business activities to continue based on people, premises, information, technology, supplies and stakeholder requirements.

Further information

The following British Standards are available from BSI Group.

  • BS ISO 22313: Societal Security. Business Continuity Management Systems. Guidance

  • BS ISO 22301: Societal Security. Business Continuity Management Systems. Requirements

The Business Continuity Institute offers the following guidance document.

  • Good Practice Guidelines 2010 Global Edition