BUSINESS CONTINUITY GUIDE - ASIS · • Successful Business Continuity Planning 12 ... Organisations that have a business continuity capability are far more likely ... Think about

BUSINESS CONTINUITY GUIDEFor Small Businesses

22

Contents

• Introduction 3

• Demystifying Risk Analysis 5

• Frequently Asked Questions 6

• Case Study Scenarios 8

• Successful Business Continuity Planning 12

• Sample Business Continuity Plan 221221

These documents and any discussion surrounding them (the "Material") are providedwithout responsibility. They are provided on an informal basis for the information only of thenamed intended recipient only (the "Intended Recipient") as an example of howAXA Services Limited ("AXA Services") approaches its own contingency business planning.The Material has been prepared by AXA Services in accordance with its interpretationof contingency business planning practice for its own internal purposes. The Material isconfidential and may not be passed by the Intended Recipient to anyone else.

The Intended Recipient is not entitled to rely on the Material, but must take the advice of itsown professional adviser as to the suitability of the Material for the purpose for which it is tobe used. AXA Services cannot accept any responsibility for any loss incurred by theIntended Recipient or any other person arising out of the use of the Material whether suchloss arises by reason of the negligence of AXA Services UK plc or its servants or agents orotherwise howsoever.

CONTENTS Business Continuity Guide for Small Businesses

3

Business Continuity Guide for Small Businesses INTRODUCTION

Organisations that have a business continuity capability are far more likelyto survive the effects of a major incident than those that don’t. Two majorincidents in Manchester alone serve to highlight this and the vulnerability ofSME’s. The Manchester city centre bomb in 1996 had a devastating effectwhilst the recent BT tunnel fire, again in Manchester, left many businesseswithout any communications for nearly a week.

Think about the effects on your customers and business if your buildingcaught fire. What might the effects be of another fuel crisis, a major utilitiesfailure such as loss of power or the effects of severe weather conditionsincluding floods? What if your neighbours’ building suffered a major fire thatresulted in you having no access to your offices for days, possibly weeks?

All of these events could have an impact on the survival of your business. Ifyou’re unable to satisfy your customers’ needs then how confident are you thatthey will wait for you to recover? Sympathy and loyalty will last for only so long.

Being prepared is the name of the game. Your plan needn’t be complicatedand doesn’t have to cover every eventuality or every business process, justthose that are most critical.

Why wait for something to happen?

Steve Mellish FBCI, Vice Chairman, The BusinessContinuity Institute

www.thebci.org

Introduction

Whether you are a large ‘corporate’ or an SME (Small to MediumSized Enterprise) the ability to respond swiftly and effectively to amajor incident has never been more important.

““

INTRODUCTION Business Continuity Guide for Small Businesses

4

More information onbusiness continuity isavailable on:www.axa4business.co.uk

As one of the largest insurers of small businesses in the UK,AXA knows all too well the disasters that can affect SMEs –driven by issues ranging from crime, fire and flooding, tocomputer failure and legislation. We have seen first hand thelong-term effect of business disaster – as 80% of businessesaffected by a major incident either never re-open or closewithin 18 months.

It is essential that you have a Business Continuity Plan in placeand your employees are aware of it. A continuity plan fits inwith your business so it need not take a lot of time to complete.We have produced this guide to help you write your owncontinuity plan.

Douglas BarnettRisk Control Strategy Manager, AXA

5

Business Continuity Guide for Small Businesses DEMYSTIFYING RISK ANALYSIS

Businesses are operating in a worldfull of risk and uncertainty, yetidentifying and managing risk is stilloften poorly understood. Mostcompanies will survive if they ensurerisk management is central to theirbusiness ethos and updated in lineregularly with their business plan andmission.

Any number of incidents can bringbusinesses grinding to a halt, andsimply getting back up and runningis not where it ends. For this reason,when planning for serious incidentslike fire and flood it is critical to lookbeyond the basics. Effective businesscontinuity planning should look atevery possible impact on thebusiness, from stock losses, impairedtransport and communication links todamaged customer relationships.

For small businesses, the impact ofthe potential risks mentioned is likelyto be more destructive as the majorityoperate in specialised markets andany short interruption to normalbusiness can have a disproportionateeffect – totally halting output andletting customers down. In addition,it is more difficult to absorb thefinancial impact of businessinterruption, making it hard to recovereven after returning to normaloperations.

AXA understands that many smallbusinesses don’t have easy accessto basic information on businesscontinuity planning.

We’ve addressed the most commonlyasked questions on the next page.

Demystifying Risk Analysis

Businesses are operating in a world full of risk and uncertainty, yetidentifying and managing risk is still often poorly understood. Mostcompanies will survive if they ensure risk management is central totheir business ethos and updated in line regularly with theirbusiness plan and mission.

FREQUENTLY ASKED QUESTIONS Business Continuity Guide for Small Businesses

6

What is business continuityplanning?

Put simply, business continuity isabout anticipating the crises thatcould affect a firm and planning forthem, to make sure that the businesscan continue to function in the eventof an emergency.

What is a business continuityplan?

A Business Continuity Plan sets outclear roles and responsibilities, forexample those assigned to manageall liaison with customers, employeesand the emergency services. It listsa series of contingencies that enablekey business activities to continue inthe most difficult circumstances, suchas when a vital computer system orother equipment is unavailable.Importantly, it also details clearemergency procedures to ensurethat the safety of employees is a toppriority.

Because it requires an assessment ofall critical areas of a firm, businesscontinuity planning is a valuablemanagement tool.

Why should small firms care aboutbusiness continuity planning?

Business success is as much aboutprotection as growth. In an uncertainworld, that means creating a businesswith the flexibility to prosper in

changing conditions and strongenough to survive should a disasterstrike. The ability to withstand seriousincidents like flooding and fire, andquickly re-open for ‘business as usual’is critical. There is also thecommercial benefit to consider, ascompanies with business continuityplans are more attractive to dobusiness with. For example, largebusinesses that rely on theoutsourced services of third partieswill prefer to work with suppliers whohave a Business Continuity Plan inplace.

How does business continuityplanning differ from a disasterrecovery plan?

Disaster recovery plans traditionallyfocus on the IT recovery of thebusiness such as tape backupsystems, storage systems, and hotsites.

A Business Continuity Plan willaddress all the requirements essentialto keeping the business running andincludes processes to keep disruptionto customers and employees toa minimum. In short, it is aboutensuring that a crisis is managedeffectively before it escalates to adisaster.

Frequently Asked Questions

7

Business Continuity Guide for Small Businesses FREQUENTLY ASKED QUESTIONS

Isn’t my business too small to havea business continuity plan in place?

Protecting the future of a businesswhatever the size has to be thenumber one priority for everybusiness leader. The smaller yourbusiness the more important it is tohave a contingency plan in place. Anyincident, no matter how small iscapable of impacting your businessand profitability. The size of anycontinuity plan will depend on therisks facing each business – it will beas large or small as needed.

Doesn’t it cost a lot of money toimplement continuity planning?

It does not need to be a costlyexercise. The continuity plan will fityour business as it accounts for yourkey risks and outlines how yourcompany will manage them. Planningfor the future is essential in anybusiness, the price of not doing socould be a lot higher than manycompanies anticipate.

Later in the guide there is an exampleof a Business Continuity Plan for youto refer to when drafting your own.

CASE STUDY SCENARIOS Business Continuity Guide for Small Businesses

8

1. Sector: Retail Risk: Telecom/IT Failure

Company A is a busy independenttravel agency relying on telephoneand IT systems to provide itscustomers with the same service asthe major travel groups. In Januarylast year, a key trading period fortravel agents, the telephone and ITsystems failed due to a power cut.The council was resurfacing a roadnear the premises and cut through apower supply cable affecting one sideof the high street for three days.

Company A relies on phone and ITsystems to confirm prices, checkavailability of holidays and flights andcomplete currency exchangetransactions for its customers.As a result, the travel agency lostconsiderable business to competitoragencies including one contract fora business account with a largemanufacturing business in the town.

Customer loyalty and repeat businessare very important in what is now an

extremely competitive business.Company A suffered from negativecustomer experiences and lost itsmost profitable customer.

Douglas BarnettRisk Control strategy Manager,AXAThis is a classic example of not beingprepared and thinking that ‘it won’thappen to me’. This scenario showshow planning before an event canallow a business to react quickly tointerruption. Having the foresight todiscuss reciprocal agreements withother independent travel agencieswould have allowed for staff to utilisetheir mobile phones to checkavailability of flights/holidays andprocess bookings through thealternative agency in the short period.

Company A was lucky that this wasnot a long-term disaster, and thatpower was restored after a few days.Had it been a fire or flood thebusiness may have lost considerablymore customers. The travel company

Case Study ScenariosPutting Business Continuity Planning into Context

The first step in creating a sensible business continuity process isto consider the impacts of any potential disaster and the effect ofeach on your business – this is critical if you are to plan properly. Ifyou have little idea of the likely impact on your organisation then itis impossible to be prepared. Below are a series of scenarios andhypothetical situations to give you an idea of what can go wrong ifyou do not have a plan in place.

9

Business Continuity Guide for Small Businesses CASE STUDY SCENARIOS

did suffer seriously from its reputationbeing damaged and this might neverbe restored. If company A hadthe foresight to make reciprocalarrangements with local travel agentsits key customers could havecontinued to make bookings andpassing trade would not have beenlost to the national travel chains.A disaster can happen to anycompany, big or small, and it isimportant to be prepared for everyeventuality.

2. Sector: Manufacturing Risk: Fire & key equipmentfailure

Fifteen years ago a food-processingcompany was ravaged by fire, but theowners were lucky enough to be ableto rebuild and start again. Thebusiness went on to tradesuccessfully for many years in atraditional brick building. Changes inenvironmental health regulationsforced the company to improve itsprocess and storage areas. Theguidelines stated that the businessneeded to create a ‘food safe’structure within the factory, by usinginsulated sandwich panels. Thesandwich panels comprised of twothin sheets of metal with a coreconsisting of a combustible insulationmaterial – to form rooms within theoriginal building. A few weeks later, acontractor was employed to fit asafety handrail to an elevated

platform. While welding, sparksignited in the combustible core of asandwich panel adjacent to the workarea. The fire spread rapidly throughthe combustible insulation within thepanels, causing the internal structureto collapse and the building wascompletely destroyed. This time, theowners lost a major retail customerand the business never reopened.

Douglas BarnettRisk Control Strategy Manager,AXAThe alterations to meet revisedenvironmental health requirementschanged the physical structure ofthe factory considerably. The ownersmade one very large and fatal error –they forgot to align their riskassessment intelligence with thenewly built factory. The risks facedby a business are transformed asthe business changes. Every time youupdate your business or premises,make sure your plans and processesreflect these changes. For example,consult with insurers whenundertaking structural changes toyour business premises – they maybe able to assist in the specificationof appropriate materials that in thelong term will protect the businessand control premium levels.Understand and control the risksposed to your business by third partycontractors – hot-work permits can beused to control contractors. Re-evaluate your overall risks regularly

CASE STUDY SCENARIOS Business Continuity Guide for Small Businesses

10

to ensure you stay one step ahead at all times.

3. Sector: Service (Sales Industry)Problem: Unable to access business premises

Company X is a market research firm that relies on itstelephone systems to conduct business and communicatewith clients. On a day-to-day basis employees are constantlyon the telephone conducting market research surveys to fulfilclient requirements. In October 2003 a fire broke out in thebuilding next door to Company X on the industrial estatewhere it is based. The fire caused considerable damage tothe adjacent building and because of the fire brigade need toensure the area was safe, all the company’s employees weredenied access to the building. As all the information andmaterial needed to run the business were held in the office,the company had to send all employees home. The companycould not access their telephone systems, databases, keytelephone numbers and had nowhere for a core team to work.It took them the better part of the day to alert their key clientsand they failed to meet a large deadline with a very importantclient.

Douglas BarnettRisk Control Strategy Manager, AXAHere is an example of the need to have a plan in place withpreparations for all eventualities. Company X did not have theessential off-site Business Continuity Plan which would includethe disaster recovery pack and access to an off-site locationwhere important data was stored, including key contact detailsof all customers and suppliers. The plan would also include adesignated recovery site with telephone and IT systems thatcould quickly be up and running so it could resume a ‘businessas usual’ status to meet client demands and expectations.Company X needs a Business Continuity Plan to ensure thisdoes not happen to them in the future. It is then essential forseveral key members of the senior team at the company toknow about the plan and be clear of their individualresponsibilities in terms of implementing it when needed.

A BusinessContinuity Planwill address all therequirementsessential to keepingthe businessrunning andincludes processesto keep disruptionto customers andemployees toa minimum. In short,it is about ensuringthat a crisis ismanaged effectivelybefore it escalates toa disaster.

11

Business Continuity Guide for Small Businesses CASE STUDY SCENARIOS

4. Sector: ServiceProblem: Health issue

Company Y is a medium sized,regional, graphic design companybased in Manchester with50 employees. In March 2004,one of its managers unknowinglycontracted Tuberculosis (TB) andcame into work feeling unwell. Afterbeing diagnosed by his doctor, themanager was advised to immediatelyinform anyone with whom he’d beenin contact with over the past threedays of the infection. He was told thathis team must be tested straight awayas he had been working with them invery close proximity over the pastweek on a project that was due tolaunch that week. After taking medicaladvice that confirmed that TB ishighly contagious and potentially verydangerous, the MD of the companywas forced to quarantine and sendhome key team members who hadbeen in contact with the manager withimmediate effect. Temporaryemployees were bought in to coveressential work requirements on theproject but they could not access thesystems used at Company Y. Therewas no one to show them how to usethe systems and as key members ofthe team were not in the office it soonbecame clear that there were certainaspects of the project that only they

knew about. The client did not reactpositively to having to deal with newcontacts unfamiliar with their needsand requirements. Consequently workwas delayed and the company wasunable to deliver the project on time,which seriously affected itsrelationship with the client and theprospect of future work forCompany Y.

Douglas BarnettRisk Control Stratgey Manager,AXAThis scenario shows the importanceof having a plan in place to react tokey employees being unavailable. Thecompany needs a manual on how tooperate all the systems so anytemporary or new member can jointhe team and start work quickly.This would form part of any continuityplan. It is also important that all teamsbe updated on all the workin progress so they can join criticalprojects when needed and clientdeadlines are met on time. There willalways be a varying degree of skillswithin any team. We advocate crossskilling your teams to ensure the workcontinues to flow in the absence ofone or more team members. Theseactions will serve to protect andpreserve the company’s reputationwhen it is needed most.

SUCCESSFUL BUSINESS CONTINUITY PLANNING Business Continuity Guide for Small Businesses

12

The main objective of the plan is torecover all business critical processesand minimise the impact for youremployees, customers and yourreputation.

Implementing a plan is essential toevery business, but many don’t knowwhere to start. It requires carefulpreparation and planning. Appointing abusiness continuity project manager,who will ensure that a BusinessContinuity Plan is created, developedand maintained is the best approach.

The business continuity projectmanager’s role is to ensure all thesteps outlined in this guide are followedand the plan is updated on a regularbasis.

Step one: Basic emergencyprocedures

Before you begin work on a BusinessContinuity Plan check that you havein place the following emergencyprocedures. Please note: these are allpart of essential Health and SafetyLegislation and are a legalrequirement for any UK business.

It is essential that all businesses haveand follow basic emergencyprocedures to ensure safety at alltimes:

• Make certain your employeesunderstand the evacuationprocedures

• Make sure your employees reallyknow what to do if a fire breaks out

• Ensure your employees know whatto do if a colleague is injured

• The key to a sound emergencyprocedure is clear process, rolesand responsibility and employeeawareness. In the case ofevacuation, a clear evacuationprocess should be in place, withteam members from eachdepartment given responsibility forensuring a smooth and orderlyprocess.

All employees must receive trainingon your defined processes, withregular updates and refreshercourses on this. It is also importantthat your workforce know where toaccess a ‘guidelines and procedures’document to ensure that they arealways fully aware of what isexpected of them.

A Guide to Successful BusinessContinuity Planning

Spending time developing a Business Continuity Plan will not onlyincrease the likelihood of your survival from a crisis or businessinterruption, but will also ensure the safety and protection of yourbiggest asset, your people.

13

Business Continuity Guide for Small Businesses SUCCESSFUL BUSINESS CONTINUITY PLANNING

Step two: Define your disasters and assess your risks

It is vital to remember that a disaster could happen to any company – nomatter the business size, be it a multinational company or a small business.Before looking at risks in individual areas of the business, it is important todetermine what would constitute a disaster. In simple terms, a disaster is anincident that has serious consequences for the business.

Common small business disasters include:

• Fire/flooding• Computer/telecoms failure• Key equipment failure• People issues such as illness/resignations/maternity leave • Denial of access to the premises• Product defects• Bomb/terrorism threat• Legal/regulatory action• Utilities failure.

It is critical that you understand the disruptions that would be disastrous to therunning of your business when writing your plan. Take the time to identify allthe risks your business faces and then rank them in order of likelihood andimportance.


14

Step three: Secure your business,bit by bit:

Thoroughly assessing the disastersthat could threaten your firm will giveyou a clear idea of the businessareas that are most important tosecure. Usually, these will be theareas on which your business reliesthe most, and which are exposed tothe greatest degree of risk. This is themost important part of your plan.

The following check points areessential when writing this stage ofyour plan. You need to systematicallygo through each of the followingareas and take a practical approachto tackle each of the threats that yourbusiness may face. Follow the sameprocess for each:

1. Assign ownership

2. Identify threats and resources

3. Develop contingency plans andpolicies.

Premises and key equipmentClearly, your premises arefundamental to your business. Somuch so that you probably take themfor granted. But have you everconsidered the long-term impact thatdamage to or destruction of yourpremises would have on yourbusiness?

The same applies to business criticalmachinery. If a vital piece ofequipment is destroyed, damaged orstolen, what impact would it have onyour business? Ask yourselves thefollowing questions:

• Would you be able to inform youremployees and customers ofdisruption to the business?

• What would happen to customerorders due during the time thatyour premises were closed?

• Would you be able to makealternative arrangements forregular orders, to keep loyalcustomers happy?

15


PeopleThe loss of key people and injury toemployees is a risk that manybusinesses overlook. In the end, thesuccess of any company isdetermined by the skills of its people.Your people are your most valuableasset. Think about how your businesswould cope in these situations:

• If three members of your team wentto work for your major competitor,how would your business survive?

• If several key female employeeswent on maternity leave around thesame time – who would cover forthem?

• Are there provisions in place forpost incident counselling in yourwork place?

• When was the last time youreviewed health and safetyprocedures in your work place?

From product development toproduction, sales, marketing, financeand management, every companycan identify a set of key peoplewithout whom its operations would beseverely disrupted.

• Key people – Identify people thatare critical to the immediateoperation of the business and workhard to reward, challenge andprotect them

• Skill sharing – Make sure thatspecialist skills are not held by justone person. Develop understudiesand teams of specialists so peoplecan step into specialist roles atleast temporarily should the needarise

• Keep an eye on localcompetitors – If they arerecruiting, make sure your peoplein relevant positions are happy

• Assess workplace risks –Identify employees that areexposed to particular risk of injuryand ensure they are equipped withand use relevant safety equipmentand procedures. Ensure that allemployees are aware of workplacehazards and follow good safetypractice.

Protect your employees and yourbusiness – Employers’ Liabilityinsurance is a legal requirement inthe UK. It will enable you to pay formedical treatment and compensateyour employees should the worsthappen.

IT/TelecomsThese days, most businesses rely oncomputers to some extent. Somecompanies may only use them foraccounting and email, but othersbase their entire business on them.Telephone systems are equallyimportant.


16

The chances are that most companies would soon findthemselves facing a disaster if computer or telecom failure wasnot properly planned for and managed. To be ready you mustask yourself the following:

• Would your business still function if your computer ortelephone systems were unavailable for three days?

• Would you be able to contact your customers?

• Would it hold up production?

• What alternative arrangements would you be able tomake and how long would it take?

• What could you do to make certain you have access tovital data, even if your computer system is destroyed?

• If your computer systems are stolen could sensitiveinformation fall into the wrong hands?

• What would happen if your competitor got hold ofsensitive information?

• Are your computer systems robust?

The BusinessContinuity Plan willensure you areprepared for theworst situation thatwould keep yourbusiness from beingoperational.

Review the plan atleast every sixmonths. Check tosee the plan includeall the correctcontact details foremployees,suppliers etc.

17


The environmentThe experience of recent years hasclearly illustrated the impact thatnatural disasters can have onbusiness. Flooding in the south ofEngland, the Midlands and Yorkshirehas affected thousands of firms,putting many out of business.

Climate change is likely to have otherimpacts on business. Increased greentaxes for instance could have asignificant impact on heavymanufacturers, whilst water shortagesand rising bills could put pressure ona wide range of firms.

• Would your business survive aserious flood?

• How would electrical circuits,computer systems, stock andmachinery be affected?

• How long would it take torecover from a flood? How wouldyou keep customers happy andpay your employees in themeantime?

• Some businesses were out ofaction for over twelve monthsfollowing flooding in 2002. Wouldyour creditors be patient for thatlong?

• Are you up to date withenvironmental legislation thatcould affect your business andincrease costs over the next fewyears?

• How reliant is your business ona large and relatively inexpensivewater supply?

Businesses should familiarisethemselves with changing EUlegislation which will affect employersover the next 10 years.

Here are a few examples oflegislation that could have an impacton your business in the future:

• Directive on the Physical Agents(noise): this is an EU Directivewhich will be enacted in the UK inFebruary 2006 and will introducenew Noise at Work Regulationswith lower noise exposure limits.The new regulations will apply tobusinesses previously outside thescope of the existing legislation, egthe leisure industry including pubsand clubs. These businesses willhave to conduct noise assessmentsand record the results – as well asissue hearing protection to allemployees affected

• New Work at Height Regulations:this legislation is due to beintroduced later this year or early2005 in order to stem the rising tollof deaths from work at height. Workfrom ladders is a prominent featurein these proposed regulations andcertain new requirements will beintroduced curtailing activities suchas work involving ladders

SUCCESSFUL BUSINESS CONTINUITY PLANNING Business Continuity Guide for Small Busineses

18

• Passive smoking: this is likely to become a controversialissue for employers as the move towards a total ban onsmoking in public places becomes more likely. The Healthand Safety Commission (HSC) issued a consultativedocument in July 1999 including a draft ACOP (ApprovedCode of Practice) on passive smoking in the workplace. Itinvestigated whether people would support greater control ofpassive smoking and which form this control should take.The findings were considered by the HSC on 5 September2000 and it was decided that an approved code of practicewould be issued under the provisions of the Health andSafety at Work Act . The recommendation for its introductionis awaiting final approval from Ministers. The emphasis ismore on the need to protect workers, rather than enforcing aban on smoking in every workplace

• EU regulatory framework for chemicals: the EuropeanCommission adopted this proposal on 29 October 2003.Under the proposed new system called REACH(Registration, Evaluation and Authorisation of Chemicals),companies that manufacture or import more than one tonneof a chemical substance per year would be required toregister it in a central database. The proposal is beingconsidered by the European Parliament and the EU’sCouncil of Ministers for adoption under the co-decisionprocedure. This legislation would therefore affect SME’s whouse chemicals (particularly in the manufacturing sector)

• New Disability Legislation: from October, failure to makepremises disabled-friendly in accordance to the 1995Disability Act. The Federation of Small Businesses estimatesthat 42% of its 185,000 members have still done nothing tocomply with the Act. But with some 200 disability-accessgroups monitoring compliance, firms will need to take theirresponsibilities seriously. There are simple steps small firmscan take to show they are complying with the legislation –changes required by the act include widening doors forwheelchairs, introducing ramps and hand-rails, andproviding disabled-friendly lavatories.

Thoroughlyassessing thedisasters that couldthreaten your firmwill give you a clearidea of the businessareas that are mostimportant to secure.

19


Step four: Writing your ownBusiness Continuity Plan

The Business Continuity Plan willensure you are prepared for the worstsituation that would keep yourbusiness from being operational. Theplan only need include the businessprocesses that are most critical tokeeping your company running. Forthis reason the plan has beenpresented in a generic form so it canbe adapted as needed.

To assist you to write your own planwe have included a sample BusinessContinuity Plan, refer to sample onpage 22. As a plan of this kind istailored to suit your business pleaseremove and add sections as needed.It is to be used as a reference point tohelp get you started.

Here is a checklist of items to includein any Business Continuity Plan. Theyare all included in the sample plan:

• Business continuity projectmanager’s name and contactdetails

• Structured management team thatwill make the key decisions

• Contact details to enable the teamto be brought together

• Nominated control centre as ameeting point

• Identification of business criticalprocesses

• Details of how a recovery would bephased

• Telephone divert arrangements

• Emergency contact number foremployees to obtain the latestinformation

• Resource requirements (people,work area, IT, telecommunications)

• Details of recovery resources

• Contacts for internal and externalagencies committed to supportingthe recovery efforts

• Address of the recovery site

• Contents and storage location of adisaster pack

• List of key customers, suppliers,third parties and their contactdetails

• Comprehensive team cascade list

• Details of the vital records’ storecontaining backup computer dataand any critical paper records heldoff-site

• Network diagrams and othertechnical information

• Precautions to be taken in theevent of an incident.


20

Step five: Test the plan

Once the plan has been agreed itshould be communicated to yourteam/teams. This will expose anyflaws in the plan and will also ensureall the roles and responsibilities areunderstood. It is worth completing atest simulation of the plan to ensureits smooth running if the time comesto use it.

Step six: Regularly update theplan

Review the plan at least every sixmonths. Check to see that the planincludes correct contact details for therecovery site, vital records, suppliersand the team.

Distribute the plan to all peopleassigned responsibility and advisethem to keep copies off site. You canalso use your team meetings toremind all employees of the processto follow.

Start now

The essential safety net for anyorganisation is a Business ContinuityPlan. Investing the time and energyin the short-term will benefit yourbusiness in the long run.

The message is simple – it’s nevertoo early to take steps to assess yourbusiness risks and set the internalrecovery procedure. Make your planas detailed as your business needsit to be and take the time tocommunicate this with your team.Regularly review the plan in tune withthe changing needs of your company.

A well thought out BusinessContinuity Plan will adapt to anyincident or crisis for your company.This guide is written to help you doexactly what your business needs, tobe ready to recover at any time.

21

Business Continuity Guide for Small Businesses BUSINESS CONTINUITY PLAN

<< Insert Company Logo>>

<<Insert company name>> Business Continuity Plan Page 1 of 3

Business Continuity Plan

Business Continuity Project Manager

<<insert name>>

Contact

1. Office:

2. Mobile:

3. Home:

The maintenance of this document is the responsibility of the Business Continuity Project Manager.This plan will be updated on a regular basis and includes the key details and actions needed tocontinue all business operations.

Business Continuity Team

This team will comprise the key decision makers in the company. Ideally they should congregate in apre-designated location. They will be in close contact with the Business Continuity Manager and willauthorise any variations to the recovery plan.

<<insert name>> 1. Home 4. Mobile

2. Work 5. Pager

Business Owner/Leader 3. Internal 6. Other


2. Work 5. Pager

Deputy Business Continuity Project Manager 3. Internal 6. Other


2. Work 5. Pager

Finance or HR Manager 3. Internal 6. Other

Business critical processes (in order of priority)

Agree on the most important function to be restored first. This function is critical to keeping thebusiness running. For example:

1. Sales2. Order fulfilment3. Banking

Initiate Recovery Log

In all instances it is the Business Continuity Project Manager’s responsibility to ensure a recovery logis kept. This will track all decisions that are made and the actions taken. The log will include thefollowing activity:

• Time and date• Description of the activity and the reason for it• Name of person initiating the action• Names of those instructed• Dependencies (e.g. people, resources)• Other persons who need to be kept informed• Expected time task will be complete• Time task is completedActivity checklist during the incident

This checklist provides a number of actions for the Business Continuity Project Manager to complete.

BUSINESS CONTINUITY PLAN Business Continuity Guide for Small Businesses

22



Note: This plan is based on the scenario having the biggest impact on the business, which isdestruction of the premises. The plan can be adapted for less severe incidents - as all the tasksappropriate in the worst scenario might not always be needed.

1. Alert the Business Continuity Team

2. Agree with Business Continuity Team the recovery activities to be followed and implementRecovery Action Plan

3. Initiate recovery of disaster pack from the off site location

4. Advise relevant staff to report to the designated recovery at appointed time

5. Advise remaining staff who are not required immediately to remain at home until contacted

6. Obtain essential items/records from the off-site location

7. Notify critical contacts (e.g. customers & suppliers)

8. Establish immediate business needs and necessary actions

9. Establish operations at designated recovery site

10. Assess last known status of workload and the extent of work lost or outstanding

11. Maintain a log of actions taken

12. Refer to the telephone directory of all employees (includes work and home telephone), keep noteof the team’s whereabouts

13. Obtain authorisation from Finance Manager for business recovery expenditure

14. Consider shift patterns and overtime requirements

Designated Recovery Site

Some companies may make arrangements for an alternative site from which to continue theirbusiness. It is usual that a recovery site has access to telephone, internet and computers. Again, thiswill depend on the needs of your business.

Recovery Site Location Contact Name Contact Tel

<<insert address>> <<insert name>> OfficeHomeMobile

(attach map)

Vital Records

All your important records and material to run the business will be stored at an off site locations sothey can be retrieved in times of an emergency.

Back-up Computer Records stored at: <<insert name, address & contact number>>

Critical paper records stored at:<<insert name, address & contact number>>

Disaster Pack stored at: <<insert name, address & contact number>>

Critical Contacts

The following list contains names of important business contacts, where it is considered that personalcontact is appropriate. This will include key customers and suppliers.

23

Business Continuity Guide for Small Businesses BUSINESS CONTINUITY PLAN



Company Contact Name/Department Telephone

Client 1

Client 2

Supplier 1

Supplier 2

Recovery Action Plan

Here is an example of how the recovery action plan is structured. It should be easy to follow so thatany member of the team can action – in the case that the Business Recovery Project Manager isabsent.

� Contact BT to switch phone lines to <<designated recovery site>> telephone/s. Telephone BT on<<insert number>> account number <<insert company account number>>

� Contact IT Consultants <<insert number>>� Load 6 PCs stored at <<designated recovery site>> with software and back-up data� Purchase additional PCs from <<insert PC supplier and telephone/address>>� Back up server stored <<designated recovery site>>� Additional office equipment can be purchased from <<insert PC supplier and

telephone/address>>� Manual workaround process guides and order forms stored at current location and duplicates

stored at <<designated recovery site>>

Team Cascade List

This list will ensure that every member of the team is contacted about the incident and instructed onwhat they need to do. If the cascade is activated, be sure to keep a record of those members of staffnot contacted.

Mr. X will notify: Sales Team

Name Home Mobile

Mr Y will notify: Order Fulfilment Team

Name Home Mobile

Debrief

After the incident it is important to meet with the team and evaluate how the plan worked. All agreedimprovements should be added to the Business Recovery Plan.

Appendices

May include, for example, plans for a specific, highly probable, incident or detailed IT recoveryrequirements and procedures.

www.axa.co.uk

09/0

4 (T

1404

)

AXA Insurance UK plcRegistered in England No 78950. Registered Office: 107 Cheapside, London EC2V 6DU

A member of the AXA Group of companies. AXA Insurance UK plc is authorised and regulated bythe Financial Services Authority.

In order to maintain a quality service, telephone calls may be monitored or recorded.

Welcome to the expertise andquality of the AXA Group

AXA is one of the world's largest insurance and asset managementcompanies and in the UK and Ireland occupies leading positions in itsmain markets: life insurance, health insurance and general insurance.

AXA’s combination of size and financial strength means that it is wellequipped to cope with changes in market conditions without it having animpact on the service we offer our 50 million customers worldwide.

AXA is commited to delivering an unbeatable service and our products andservices are either available direct or from our network of distributionpartners. For details on our unrivalled distribution network please go to thesection ‘where to go for help’ on the website www.axa4business.co.uk.

AXA employs 117,000 staff and tied agents and, as of 30 June 2004,had U827 billion in assets under management. AXA reported total revenuesfor first half 2004 of U37 billion and unlying earnings of U1,436 million.

Please visit www.axa.co.uk

Documents

BUSINESS CONTINUITY GUIDE - ASIS · • Successful Business Continuity Planning 12 ... Organisations that have a business continuity capability are far more likely ... Think about