Business continuity plan template

Business continuity plan template

Use this business continuity plan template to identify risks and improve your chances of success.

There are different types of risks: staff risk, physical risk, IT risk, operations risk, legal/financial risk, PR risk, etc. Try to understand their impact and to find ways of detection, recovery, and prevention.

Add your team member’s name in the template, ensuring that you have representation for many departments.

Choose a critical staff member. He should be prepared with recovery strategies in case of a major incident.

Add a core service or function and a critical supplier.

Add a communication audience to whom you will communicate your plan in case they will need to take action.

Think about ways to train your employees in order to be prepared in case an incident occurs.

Add a milestone for your business continuity plan.

Where to next?

Where to next?

Download this mind map to keep track of your business continuity planning project.

Organization Name

Type in your organization's name

Critical suppliers

Supplier

Add a critical supplier for your organization

Where would failure in the supply chain cause significant problems?

These suppliers should be referenced in the risks section, and you should have a recovery strategy to cope with problems with your suppliers.

Core services

Service

Add a core service or function

Core services are the ones that are critical to the survival of your organization - the ones without which you would not have customers or business.

These services or functions should be the first to be recovered in the event of a disaster.

Critical staff

Add a critical staff member

Critical staff members are the ones on whom you will depend when a major incident occurs.

You will need to ensure that your critical staff members are trained and can be easily contacted.

Make sure that a copy of the contact list is kept off-site.

Planning team

Team member

Add a team member

Ensure that you have representation for:

• Personnel
• IT systems and information security
• Core processes (e.g. manufacturing)
• Workplace safety
• Site security
• PR

Milestones

Milestone

Add a milestone for your business continuity planning project, and set dates.

Think about:

• Establishing a business continuity planning team with executive backing
• Identifying all foreseeable risks to your business or organization
• Having a written recovery procedure for all significant risks
• Communicating relevant parts of your plan to the people and organizations involved

Training and testing

Trainee

Who needs to be trained in your emergency procedures?

Consider:

• People who are in a position to detect incidents early
• The key staff who will lead recovery procedures
• People likely to be around when an incident occurs and affected by it
• People with relevant skills (e.g. First Aiders)
• People responsible for communicating with emergency services, staff, customers, suppliers or other stakeholders

What action will you take to train 'Trainee'?

Consider:

• Seminars and classroom sessions
• 'Table-top' exercises and discussion of scenarios
• Live exercises, simulating an emergency situation
• De-briefing, follow-up and learning from exercises

Communication

Audience

Add a communication audience

Who will you need to communicate parts of your plan to? Who needs to take action, stay informed or be reassured?

Consider:

• Your employees
• Visitors and subcontractors
• Your customers
• The emergency services in your area
• Specialist services
• Other companies or buildings nearby
• The local community
• Your suppliers
• Other stakeholders, e.g. insurers or banks

Action

What action will you take to communicate with 'Audience'? What will they need to know?

Think about:

• What you expect and them to do
• Preparing and sharing contact lists
• Preparing and sharing checklists for emergency procedures for the people responsible for managing them
• Issuing bulletins and advisory notices
• Establishing a communications network to manage an incident

Locations

Location

Add a location where you have people, assets, and operations that will be covered by your plan.

Risks and responses

Other risks

Are there any other risks not covered above?

What is the impact of "Other risks" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Incident detection and notification

• How will "Other risks" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Add recovery procedures

If the impact from "Other risks" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Add prevention measures

• What measures could be taken to prevent "Other risks"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

Public relations

PR risk

Add a PR risk that may affect your business

Also think about things that your customers will notice, even if they are not widely publicized:

• Negative PR following incidents involving the environment, vulnerable groups, poor service or poor inspection results by officials or regulators
• Trending criticism on social media
• Negative PR following a breach of customer data
• Leakage of internal information, e.g. redundancy plans or known problems

What is the impact of "PR risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Add prevention measures

• What measures could be taken to prevent "PR risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

Add recovery procedures

If the impact from "PR risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Incident detection and notification

• How will "PR risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Legal & financial

Legal / financial risk

Add a legal or financial risk that may affect your business.

Think about:

• Compensation claims for negligence or damage
• Lawsuits over copyright, patents or contracts
• Employment tribunals or court action
• Abnormal warranty claims
• Product recalls
• Loss of an essential license to operate or export
• Breach or default of a major contract
• Default or collapse of a major debtor
• Financial fraud

Incident detection and notification

• How will "Legal / financial risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Add prevention measures

• What measures could be taken to prevent "Legal / financial risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

What is the impact of "Legal / financial risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Add recovery procedures

If the impact from "Legal / financial risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Operations

Operations risk

Add a operations' risk that may affect your business.

Think about:

• Failure of critical equipment or plant
• Unexpected loss of major customers or partners
• Processes that cannot be controlled
• Shutdown by an official agency (e.g. food hygiene or medical cleanliness)
• Supply chain failure: suppliers unable to provide adequate goods and services
• Loss of utilities - electricity, water, gas, telephone, cell / mobile phones, broadband, radio network
• Indirect effects of other industrial action

Add prevention measures

• What measures could be taken to prevent "Operations risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

What is the impact of "Operations risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Add recovery procedures

If the impact from "Operations risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Incident detection and notification

• How will "Operations risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Information security

IT risk

Add a IT risk that may affect your business.

Think about:

• Cyber-attack on an online presence
• Unauthorised access to confidential data through a security breach
• Theft or loss of equipment containing confidential data
• Loss of services or data due to hardware failure
• Loss of services or data due to computer viruses
• Loss of media (e.g. software installation disks)
• Loss of communications capability
• Loss of cloud services or data

What is the impact of "IT risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Incident detection and notification

• How will "IT risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Add prevention measures

• What measures could be taken to prevent "IT risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

Add recovery procedures

If the impact from "IT risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Physical security

Physical risk

Add a physical risk that may affect your business.

Think about:

• Fire or explosion
• Chemical hazards or biological hazards
• Unsafe or unusable buildings
• Unsafe working conditions posing risks to personnel
• Floods, storm damage, earthquakes or other natural disasters
• Civil commotion, riots or terrorism
• Intruders accessing your premises

Add recovery procedures

If the impact from "Physical risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

What is the impact of "Physical risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon:

Timeframe

How quickly will "Impact" happen?

How quickly will this impact materialize? Faster responses are needed for fast-acting impacts.

Estimate a timeframe by clicking an icon below.

Add prevention measures

• What measures could be taken to prevent "Physical risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

Incident detection and notification

• How will "Physical risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Staff

Staff risk

Add a business risk that may originate from your staff.

Think about:

• Key people leaving or moving to competitors
• Death or long term illness of a key staff member
• Key staff unable to get to work, e.g. due to weather, epidemics, or transport issues
• Unauthorised disclosure of confidential information
• Negligence, fraud or theft
• Sabotage
• Industrial action

Prevention

Add prevention measures

• What measures could be taken to prevent "Staff risk"?
• Can alternatives or backup facilities be prepared?
• Can a "fail-safe" mode be engineered?
• How can these measures be put in place?
• Would these measures introduce any new risks?

Recovery

Procedure

Add recovery procedures

If the impact from "Staff risk" is not minor:

• What steps are needed to recover control?
• Who can carry out these procedures?
• How will they be carried out?
• Where will they be carried out (e.g. from a remote location)?
• What needs to be done in the first hour, the first day or the first week?
• What resources, contacts or authority are needed?

Detection

Incident detection and notification

• How will "Staff risk" be detected?
• What are the early signs?
• What will trigger handling of the incident?
• Who needs to be notified?
• How will they be notified?
• Who will authorize the recovery procedure?

Impact

What is the impact of "Staff risk" on your business? What level of resources is appropriate for dealing with it and recovering from it?

Rate the impact by clicking an icon: