Business continuity plan template
Use this business continuity plan template to identify risks and improve your chances of success.
There are different types of risks: staff risk, physical risk, IT risk, operations risk, legal/financial risk, PR risk, etc. Try to understand their impact and to find ways of detection, recovery, and prevention.
Add your team member’s name in the template, ensuring that you have representation for many departments.
Choose a critical staff member. He should be prepared with recovery strategies in case of a major incident.
Add a core service or function and a critical supplier.
Add a communication audience to whom you will communicate your plan in case they will need to take action.
Think about ways to train your employees in order to be prepared in case an incident occurs.
Add a milestone for your business continuity plan.
Where to next?
Where to next?
Download this mind map to keep track of your business continuity planning project.
Organization Name
Type in your organization's name
Critical suppliers
Supplier
Add a critical supplier for your organization
Where would failure in the supply chain cause significant problems?
These suppliers should be referenced in the risks section, and you should have a recovery strategy to cope with problems with your suppliers.
Core services
Service
Add a core service or function
Core services are the ones that are critical to the survival of your organization - the ones without which you would not have customers or business.
These services or functions should be the first to be recovered in the event of a disaster.
Critical staff
Add a critical staff member
Critical staff members are the ones on whom you will depend when a major incident occurs.
You will need to ensure that your critical staff members are trained and can be easily contacted.
Make sure that a copy of the contact list is kept off-site.
Planning team
Team member
Add a team member
Ensure that you have representation for:
- Personnel
- IT systems and information security
- Core processes (e.g. manufacturing)
- Workplace safety
- Site security
- PR
Milestones
Milestone
Add a milestone for your business continuity planning project, and set dates.
Think about:
- Establishing a business continuity planning team with executive backing
- Identifying all foreseeable risks to your business or organization
- Having a written recovery procedure for all significant risks
- Communicating relevant parts of your plan to the people and organizations involved
Training and testing
Trainee
Who needs to be trained in your emergency procedures?
Consider:
- People who are in a position to detect incidents early
- The key staff who will lead recovery procedures
- People likely to be around when an incident occurs and affected by it
- People with relevant skills (e.g. First Aiders)
- People responsible for communicating with emergency services, staff, customers, suppliers or other stakeholders
What action will you take to train 'Trainee'?
Consider:
- Seminars and classroom sessions
- 'Table-top' exercises and discussion of scenarios
- Live exercises, simulating an emergency situation
- De-briefing, follow-up and learning from exercises
Communication
Audience
Add a communication audience
Who will you need to communicate parts of your plan to? Who needs to take action, stay informed or be reassured?
Consider:
- Your employees
- Visitors and subcontractors
- Your customers
- The emergency services in your area
- Specialist services
- Other companies or buildings nearby
- The local community
- Your suppliers
- Other stakeholders, e.g. insurers or banks
Action
What action will you take to communicate with 'Audience'? What will they need to know?
Think about:
- What you expect and them to do
- Preparing and sharing contact lists
- Preparing and sharing checklists for emergency procedures for the people responsible for managing them
- Issuing bulletins and advisory notices
- Establishing a communications network to manage an incident
Locations
Location
Add a location where you have people, assets, and operations that will be covered by your plan.
Risks and responses
Other risks
Are there any other risks not covered above?
What is the impact of "Other risks" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Incident detection and notification
- How will "Other risks" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Add recovery procedures
If the impact from "Other risks" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Add prevention measures
- What measures could be taken to prevent "Other risks"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
Public relations
PR risk
Add a PR risk that may affect your business
Also think about things that your customers will notice, even if they are not widely publicized:
- Negative PR following incidents involving the environment, vulnerable groups, poor service or poor inspection results by officials or regulators
- Trending criticism on social media
- Negative PR following a breach of customer data
- Leakage of internal information, e.g. redundancy plans or known problems
What is the impact of "PR risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Add prevention measures
- What measures could be taken to prevent "PR risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
Add recovery procedures
If the impact from "PR risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Incident detection and notification
- How will "PR risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Legal & financial
Legal / financial risk
Add a legal or financial risk that may affect your business.
Think about:
- Compensation claims for negligence or damage
- Lawsuits over copyright, patents or contracts
- Employment tribunals or court action
- Abnormal warranty claims
- Product recalls
- Loss of an essential license to operate or export
- Breach or default of a major contract
- Default or collapse of a major debtor
- Financial fraud
Incident detection and notification
- How will "Legal / financial risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Add prevention measures
- What measures could be taken to prevent "Legal / financial risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
What is the impact of "Legal / financial risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Add recovery procedures
If the impact from "Legal / financial risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Operations
Operations risk
Add a operations' risk that may affect your business.
Think about:
- Failure of critical equipment or plant
- Unexpected loss of major customers or partners
- Processes that cannot be controlled
- Shutdown by an official agency (e.g. food hygiene or medical cleanliness)
- Supply chain failure: suppliers unable to provide adequate goods and services
- Loss of utilities - electricity, water, gas, telephone, cell / mobile phones, broadband, radio network
- Indirect effects of other industrial action
Add prevention measures
- What measures could be taken to prevent "Operations risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
What is the impact of "Operations risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Add recovery procedures
If the impact from "Operations risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Incident detection and notification
- How will "Operations risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Information security
IT risk
Add a IT risk that may affect your business.
Think about:
- Cyber-attack on an online presence
- Unauthorised access to confidential data through a security breach
- Theft or loss of equipment containing confidential data
- Loss of services or data due to hardware failure
- Loss of services or data due to computer viruses
- Loss of media (e.g. software installation disks)
- Loss of communications capability
- Loss of cloud services or data
What is the impact of "IT risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Incident detection and notification
- How will "IT risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Add prevention measures
- What measures could be taken to prevent "IT risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
Add recovery procedures
If the impact from "IT risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Physical security
Physical risk
Add a physical risk that may affect your business.
Think about:
- Fire or explosion
- Chemical hazards or biological hazards
- Unsafe or unusable buildings
- Unsafe working conditions posing risks to personnel
- Floods, storm damage, earthquakes or other natural disasters
- Civil commotion, riots or terrorism
- Intruders accessing your premises
Add recovery procedures
If the impact from "Physical risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
What is the impact of "Physical risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed
Timeframe
How quickly will "Impact" happen?
How quickly will this impact materialize? Faster responses are needed for fast-acting impacts.
Estimate a timeframe by clicking an icon below.
Short term - hours or days
Medium term - days to weeks
Longer term - weeks to months
Add prevention measures
- What measures could be taken to prevent "Physical risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
Incident detection and notification
- How will "Physical risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Staff
Staff risk
Add a business risk that may originate from your staff.
Think about:
- Key people leaving or moving to competitors
- Death or long term illness of a key staff member
- Key staff unable to get to work, e.g. due to weather, epidemics, or transport issues
- Unauthorised disclosure of confidential information
- Negligence, fraud or theft
- Sabotage
- Industrial action
Prevention
Add prevention measures
- What measures could be taken to prevent "Staff risk"?
- Can alternatives or backup facilities be prepared?
- Can a "fail-safe" mode be engineered?
- How can these measures be put in place?
- Would these measures introduce any new risks?
Recovery
Procedure
Add recovery procedures
If the impact from "Staff risk" is not minor:
- What steps are needed to recover control?
- Who can carry out these procedures?
- How will they be carried out?
- Where will they be carried out (e.g. from a remote location)?
- What needs to be done in the first hour, the first day or the first week?
- What resources, contacts or authority are needed?
Detection
Incident detection and notification
- How will "Staff risk" be detected?
- What are the early signs?
- What will trigger handling of the incident?
- Who needs to be notified?
- How will they be notified?
- Who will authorize the recovery procedure?
Impact
What is the impact of "Staff risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?
Rate the impact by clicking an icon:
Major- poses a critical risk to business
Survivable - causes problems that can be fixed
Minor - no recovery action needed