What’s in a business continuity plan?
Your business continuity plan will form part of your business plan.
Your business continuity plan should contain all of the information you need to get your business running again after an incident or crisis.
The size and complexity of your business continuity plan will depend on your business. It will typically include the following sections:
- an introduction, with a distribution list, executive summary, objectives, and glossary
- a risk management plan with business impact analysis
- an incident response plan, with plan activation, incident response team, communications, and contact list
- a recovery plan
- a test, evaluate and update schedule.
The introduction section of a business continuity plan includes information on the distribution of your plan, its objectives and a summary of common terms used in the plan.
The following are some of the key aspects of the introduction section.
The distribution list details:
- where copies of the plan are stored (including e-records stored off-site), in case your original copy is destroyed or unreachable in an incident
- who needs a copy of the plan
- any other associated documents and plans (e.g. an evacuation plan) and checklists for specific incidents (e.g. natural disasters, pandemics).
The executive summary provides an overall picture of your business continuity plan. It includes information on your priorities and an overview of what you will need to do to continue if your business is affected by an incident. The executive summary section is often written last, when you have assessed the potential risks to your business and developed some strategies for dealing with them.
The objectives section outlines what you hope to achieve with your business continuity plan and helps your staff understand what is expected of them in the event of an incident.
The glossary explains terms, definitions, and acronyms used throughout your business continuity plan.
Risk management plan
The risk management plan identifies your critical business activities. It assesses the risks to your business and the strategies needed to minimise the impacts they could have.
Your risk management plan:
- lists the potential risks for your business
- analyses the likelihood of the risks happening
- evaluates the consequences of the risk happening
- ranks the risks that need to be dealt with in order of priority
- identifies ways of managing risks.
Business impact analysis
A business impact analysis identifies the activities in your business that are key to its survival, also known as critical business activities. It also helps you identify:
- the resources needed to support each activity
- the impact of ceasing to perform these activities
- how long your business could cope without these activities.
Incident response plan
Your incident response plan contains all the information you will need to respond immediately before and after an incident or crisis. The plan may also have associated documents or plans attached to it (e.g. an evacuation plan).
Depending on the size of your business, your incident response plan may include the following sections.
The opening section of your incident response plan should include a clear statement of the circumstances when the plan will be activated, such as a natural disaster. It also includes details of which staff are authorised to activate the plan.
Incident response team
Putting together an incident response team will depend on the number of staff you have and the types of incidents you may need to respond to.
If you have enough staff members, you should identify who will be critical in responding to an incident, and, if possible, a suitable backup in case they are unavailable. For smaller businesses, you may find that all your staff will be needed if an incident occurs.
The communications section of your incident response plan lists the key communication methods and timings needed to keep everyone safe and get your business running again in the event of an incident.
The contact lists section includes details of all the people you will need to communicate with in an incident, such as:
- internal staff and their families
- emergency services
- external contacts (e.g. suppliers, customers).
The recovery plan outlines the steps you will need to take to get your business running again after an incident or crisis. It includes a realistic time frame in which you can get your operations back on track to minimise financial losses.
Test, evaluate and update schedule
The testing and maintenance section includes details about how you will test the reliability of your business continuity plan and keep it up to date. It includes:
- strategies and a schedule for testing the plan
- review and update timetables and deadlines
- a detailed revision history.
Source: Queensland Government