Business Continuity
Frequently Asked Questions

What is business continuity?

Business continuity is the ability of an organisation to maintain its operations and services during and following a disruptive event.  It involves the development of a comprehensive strategy to ensure that essential functions can continue to be performed during and after a disaster or significant incident.

What is the main goal of business continuity?

The main purpose of business continuity is to ensure that your organisation is well placed to maintain the delivery of its key services and products to its customers and clients both during and after a disaster/disruption/incident has occurred.

What does business continuity include?

Business continuity includes the development of plans and procedures to ensure the continuity of operations, the protection of personnel and assets, the restoration of services, and the recovery of operations.  It also includes the development of strategies to mitigate the impact of a disruptive event.

What are examples of business continuity?

Examples of business continuity include the development of backup systems, the implementation of disaster recovery plans, the establishment of alternate sites, the use of redundant systems, and the implementation of security measures.

Further examples of business continuity within an organisation, whether public or private sector, are planned responses to events and incidents such as:

• A cyber attack, such as ransomware
• A pandemic, such as COVID
• A fire or natural disaster (such as a flood) that results in a partial or total loss of your organisation’s premises/offices/records
• Loss of network communications.  This could be a service interruption from the provider or a malfunction or failure of your organisation’s network equipment
• Staff shortage due to major incident such as adverse weather, transport strike, denial of access to premises, etc.

What are the 5 components of a business continuity plan?

In order to ensure that a business continuity plan achieves its designed objectives, it needs to incorporate the following five key components:

• Risk identification and assessment and business impact analysis
• Planning an effective response
• Defined roles and responsibilities
• Communications plan – both internal and external including managing the media
• Regular plan exercises and training.

URM can assist you in developing and implementing your business continuity plan (BCP) or plans.

What is in a business continuity plan?

A business continuity plan typically includes an assessment of risks and an analysis of the impact of a disruption, the development of strategies to mitigate identified risks, the identification of essential personnel and resources, the development of procedures to ensure the continuity of operations, a plan for communicating internally and externally, and the development of strategies to restore operations.

URM can assist you in developing and implementing your business continuity plan (BCP) or plans.

What is a business continuity plan and how is it used?

A business continuity plan is a document that outlines how your organisation will continue to operate during and after a disaster or disruption.- It includes strategies for maintaining or restoring critical operations, processes, and systems, as well as plans for communicating with stakeholders and customers.  IT is responsible for ensuring your technology infrastructure is resilient and can be quickly recovered in the event of a disaster.

Following your BIA and strategy discussions, URM can advise what plan or plans are best for you.

Why is a business continuity plan (BCP) important?

Business continuity plans are important because they provide you with a roadmap for how to respond to and recover from disruptive events. They help you minimise the impact of disruptions, reduce downtime, and ensure that critical operations and services are maintained.

What should a business continuity plan (BCP) include?

A business continuity plan should include an assessment of risks, a plan for responding to disruptions, a plan for recovering operations, a communication plan, and a testing and maintenance plan.

URM can advise what plan or plans are best for you.  We will ensure that your plans are bespoke to your specific needs as well as being practical, robust and consistent.

What are the four Ps of business continuity planning?

When planning for business continuity, the four Ps which need to be considered are:

• People - persons working for the organisation and customers
• Processes – technology and the processes required to manage and deliver the required technology services both internally and externally, as appropriate
• Premises – offices, buildings, storage facilities, manufacturing facilities, etc.
• Providers – suppliers or service providers and partners, if relevant.

What are advantages or benefits of having
a business continuity plan?

The key benefits of having a business continuity plan include the ability to:

• Keep your organisation operating to an acceptable level during and after an incident
• Recover critical business operations more efficiently and effectively after interruptions
• Reduce the costs and duration that your organisation may experience because of a disruption
• Mitigate identified risks and possible financial exposure that your organisation may endure from a disruption
• Build customer confidence and trust in your ability to continue to operate
• Provide a practical means for your organisation to manage its reputation during and after a disruption.

Watch the recording of the webinar How to Develop and Maintain Robust Business Continuity Plans to receive practical guidance on not just developing effective business continuity plans (BCPs), but how to continually improve and test them.

What are the 3 elements of business continuity?

The three core elements involved in ensuring effective business continuity are:

• Identify your critical or key business services/processes/products
• Identify and manage the risks to your organisation
• Establish and maintain plans to manage disruptions and ensure the ongoing delivery of key business services/processes/products.

Watch the recording of the webinar How to Develop and Maintain Robust Business Continuity Plans to receive practical guidance on not just developing effective business continuity plans (BCPs), but how to continually improve and test them.

What are the 3 main areas of business continuity management?

The three main areas of business continuity management are:

• Crisis/emergency management to respond effectively to an event or incident
• Business resumption or recovery planning to enable the effective recovery of critical/key business functions and processes that deliver services or product to customers/clients
• IT disaster recovery to ensure that the necessary IT services are recovered to support the key/critical business services/products delivered to customers.  This includes all IT assets, systems, applications, data and communications/networks services to ensure delivery of the required IT services to your organisation.

What are the key elements of business continuity management?

The key elements of business continuity management include risk assessment, business impact analysis, strategy development, plan development, plan testing and maintenance, and crisis communication.
‍
Learn more about Abriska 22301 software compliant with the requirements of ISO 22301, the International Business Continuity Management Systems (BCMS) Standard.

What is the difference between BCP and BCM?

Business continuity planning (BCP) is the process of creating a plan to protect human life and to ensure that an organisation can continue to operate in the event of a disaster or disruption.  Business continuity management (BCM) is the overall process of managing and maintaining the organisation's BCP and ensuring that it is up to date and effective.

What is the difference between business continuity
and disaster recovery?

Business continuity is primarily focussed on keeping your organisation operational to an acceptable level of performance during a disaster or disruption, whereas disaster recovery is focussed on recovering and restoring the IT infrastructure, network and data after a disaster to support business operations.

What is a business continuity business impact analysis (BIA)?

It is an assessment of the impact or effect that would be experienced if specific business processes or activities could not be carried out for whatever reason.  The impacts are determined over a number of different timescales relevant to the organisation.  These impacts are used to establish a number of key aspects, i.e.,

• The time by which each activity should be recovered
• The maximum time period after which the outage for an activity becomes unacceptable
• The maximum amount of data loss that can be sustained
• The resources required to support the activity during recovery
• Any dependencies on which the activity is reliant.

Why do I need to conduct a business continuity business
impact analysis (BIA)?

It is essential to conduct a BIA, as it provides the organisation with an overview of the essential activities and processes necessary to be recovered in the event of a disruption.  This information provides invaluable input into the development of the business continuity plan and helps prioritise the recovery of activities and processes in the immediate aftermath of a disruption.

How do I conduct a business continuity business
impact analysis (BIA)?

There are a number of basic steps that you need to carry out when conducting a BIA.  Your organisation needs to

• Establish and agree the scope of the BIA, i.e., what is included and what is excluded
• Ensure that senior management is fully aware of the benefit and value that conducting a BIA brings to your organisation
• Prepare for the BIA interviews.  Primarily, this involves ensuring that you have thought about what questions you want to ask to obtain the appropriate level of information – think quality over quantity!  Be sure to include a risk assessment of threats that may result in a disruption to the delivery of services and products
• Schedule the interviews with the relevant persons, ensuring that the persons identified are at the optimum level within your organisation to be able to provide appropriate impact and risk assessments
• Conduct the BIA interviews
• Analyse the information gathered and document the outcomes in individual BIA reports
• Consolidate the reports into a summary that identifies the critical business activities/processes and those high risks which require mitigation.

Learn more about Abriska 22301 software designed to support organisations conduct a BIA, which fully complies with the requirements of ISO 22301, the International Business Continuity Management Systems (BCMS) Standard.

Do you need one business continuity plan (BC Plan),
or a number of plans?

This depends on the size and location(s)of your organisation.  If your organisation has a single location, it may be practical to have a single BC Plan.  However, if the location provides for a significant number of departments with a large personnel contingent, then it may be more appropriate to have BC Plans for each department, with an overarching plan to coordinate the multiple BC Plans.

Similarly, if you have multiple locations, you may want to consider having a BC Plan for each location.

There is also a heavy dependency on the resources that your organisation has available to develop, implement and maintain the BC Plans.  This includes the need to exercise the BC Plan(s) at regular intervals to ensure that they are still appropriate to your organisation in terms of its activities and business strategy.

How do you produce effective business continuity
plans (BC Plans)?

There are a number of aspects that you need to take into consideration when producing an effective BC Plan.  These include:

• Identify the greatest potential risks to your organisation that could prevent you from delivering services and products  to your clients/customers
• Establish what your organisations power requirements are.  Do you need power backup systems such as UPS, generator set, etc.?
• Develop and implement a communications plan to keep your employees, stakeholders and customers informed and updated on the progress of your recovery following a disruption.  This could involve using one or more of the following:
  - Email
  - Telephone
  - Social media
  - Mobile phone
  - Bespoke emergency notification service.
• Review your supply chain and identify alternate suppliers, where possible. This includes identifying any lead time issues for replacement of specialised equipment and whether your suppliers have robust BC plans
• Ensure that your insurance cover is appropriate and sufficient to cate r for the possible financial losses and costs of effecting recovery following a disruption
• Ensure that if you are using Cloud services, your critical data and systems are adequately protected.  This includes the security of these aspects, regular backups of critical data and systems, etc.
• Conducting regular exercises of the BC plan(s) to ensure that they are accurate and relevant to the way your organisation operates when recovering its critical activities following a disruption.  This includes ensuring that the IT services are capable of being recovered within the required timeframes to support the delivery of business-critical services and product.

Learn more on how to develop and maintain robust Business Continuity plans.

Who should be involved in developing your business
continuity plan (BC Plan)?

In most organisations, there will be an individual who is designated as the Business Continuity Manager.  This person will be responsible for leading the planning and preparedness process, as well as executing the BC plan during a disruption.  One of their primary tasks will be to assemble a team of people appropriate to deliver the project and to also develop and implement a governance programme.

In order for this to succeed. it is essential that buy-in for the programme is obtained at the executive level of the organisation and has board-level representation.

Other persons who need to be involved are those persons who have a responsibility for:

• The activities and processes that deliver products and services to customers
• Ensuring the infrastructure that supports the organisation’s activities is maintained, operated and can be recovered in line with business requirements
• Managing the relationships with customers, suppliers, stakeholders
• Managing the requirements of the business to meet legal, regulatory and contractual obligations
• Managing the activation of the BC Plan
• Managing the recovery teams who will actively carry out the recovery activities

Learn more on how to develop and maintain robust Business Continuity plans.

What are the essential ingredients of a business
continuity plan (BC Plan)?

The fundamental components or ingredients of a BC Plan are:

• Specifying the strategy for workspace recovery
• Identifying the requirements for IT resilience and recovery.  This includes ensuring that the information security aspects are appropriately addressed
• Specifying the information backup, replication and recovery requirements and procedures.  This includes:
  - The specification of any work-around procedures,
  - Procedures required to access any off-site or archive backup facility.  This should include both electronic and hard copy versions.
• Identifying those persons who will be actively required in the invocation of the BC Plan.  This should include the identification of the relevant roles and associated responsibilities and deputies for primary contacts.
• Listing all key third party service providers and suppliers
• Defining what telecommunications and network requirements will be needed in recovering from a disruption
• Ensuring that the necessary power/utility services are available and appropriate for recovery at the designated recovery location(s)
• Ensuring that appropriate change management procedures are in place to ensure that any changes are documented, approved and implemented in a controlled and timely manner
• Specifying the necessary procedures and supporting information necessary to ensure communications and notifications are carried out in accordance with the requirements of the target audience.  This includes:
  - Media
  - Personnel
  - Stakeholders
  - Customers
  - Suppliers
  - Regulatory and other relevant authorities
  - Utility and other support services (e.g., post)
• Where appropriate, contact lists.

How do you test/exercise your business continuity plans
(BC plans) and keep them updated?

BC plans can be exercised in a number of different ways.  These include:

• Walkthrough exercises
• Desktop scenarios
• Simulations
• Full interruption

In each of the above, it is essential that the exercise is planned with specific objectives defined and the criteria against which the achievement of the objectives can be measured.

During the exercise, all issues, improvements, changes and omissions should be documented and included in a post-exercise report.  These will then form the basis for BC Plan changes that ensure that plans remain capable of meeting your organisation’s recovery requirements in the event of a disruption.

Watch webinar recording How to Develop and Maintain Robust Business Continuity Plans.

How often should you be exercising your business
continuity plans (BC plans)?

There are no strict requirements in terms of exercising the BC Plans and keeping them up to date.  The frequency of exercises depends on the nature of your organisation and the expectations of your customers in terms of service and product delivery.  There may also be other external exercising/testing requirements, e.g., regulator or conformance to ISO 22301.

As a minimum, the organisation should consider exercising the BC Plans at least annually, but this also driven by the outcome of the business impact analysis (BIA).

In general, it is expected that the BC Plans for all critical business processes and activities are exercised at intervals that ensure that they can be recovered in a manner that meets the defined recovery requirements as established during the BIA.

What are the benefits and drawbacks of certifying to ISO 22301?

There are a number of benefits in achieving and maintaining certification to ISO 22301.  These include:

• Gaining competitive advantage over other companies which are not certified
• Providing extra reassurance to your customers and stakeholders of your organisation’s resilience and capability to deliver products and services in the event of a disruption
• Enhancing your organisation’s ability to meet legal, regulatory and contractual obligations
• Improving the resilience of your organisation in terms of managing disruptions
• Enhancing your organisation’s reputation for reliability and resilience
• Eliminating or minimising the operational vulnerabilities and improving operational processes
• Avoiding possible insurance premium loadings as your organisation has taken appropriate steps to minimise the impact of a possible disruption and possible insured financial losses, both direct and indirect

Drawbacks to gaining and maintaining to ISO 22301 include:

• Cost of certification audits.  This is both internal audits and those carried out by the certification body.  These are required to be conducted at planned intervals, usually annually with a full re-certification audit conducted every three years
• The cost of lost productivity for persons required to be available for both the internal and external audits
• The cost of maintaining your business continuity management system (BCMS) to ensure that it remains appropriate to meet your organisation’s requirements, strategic, tactical and operational.

Learn more about Abriska 22301 software designed to support organisations conduct a BIA, which fully complies with the requirements of ISO 22301, the International Business Continuity Management Systems (BCMS) Standard.

‍

‍