Once a strategy has been agreed, work can start on the detailed Business Continuity plan. This will take into account risk evaluation and impact analysis. (To see how prepared your business is see our try our business continuity healthcheck)
Incident Response Structure
The first stage in Business Continuity planning is defining an appropriate incident response structure: that is the team, or teams, who are responsible for coordinating the organisation’s response to a disruption. Smaller organisations may only need a single Incident Management Team (IMT) but many larger organisations apply the Emergency Services model of having a hierarchy of teams as follows:
- Gold / Strategic
- Silver / Tactical
- Bronze / Operational
Whatever structure is decided upon, roles and responsibilities must be clearly documented. Further information on the composition of Incident Management Teams is available in our Downloads section.
The value of Business Continuity planning will only be realised if the appropriate plans are invoked in a timely fashion. It is therefore essential to provide clear guidance, including:
- Who is authorised to invoke specific plans;
- What the triggers are for invoking; and
- How the invocation is effected.
There should also be a clear method of standing down teams once the incident is over.
Incident Management Plan
Developing a robust Incident Management Plan is a vital part of the overall Business Continuity planning process. Typically the Incident Management phase will last for a few days after a disruption but, for example in a ‘flu pandemic, it could continue for several weeks. The core of the Incident Management Plan is a series of checklists and aides-memoire to assist with decision-making in the early stages of an incident; these should include guidance on:
- Safety and welfare of staff and visitors;
- Locations where Incident Management teams and other critical staff can work from;
- Manual workarounds to mitigate the effect of loss of IT services; and
- Communicating with stakeholders and the media.
Business Recovery Plan(s)
The final stage of Business Continuity planning concerns the compilation of the detailed plans for the restoration of different areas of the organisation and resumption of business as usual. The plans should give details of the recovery priorities, resources required, locations to be used and the people involved in managing the recovery. It should be borne in mind that business recovery may take a considerable period of time – possibly many months in the case of a serious disruption.
Once again, it is important to stress that Business Continuity planning must be supported by appropriate training and exercising. We operate in compliance with ISO 22301: Societal Security – Business Continuity Management System
Follow the link to read details of a recent Business Continuity planning project with an SME client.