Business continuity planning

Risks to your business can be unpredictable and they don’t just affect big companies. A hacked laptop or local power cut can disrupt smaller businesses too. The good news? With a business continuity plan, you’ll be better prepared to handle whatever comes your way. This guide explains why it matters and how to create a plan that works for you.

Read time: 8 mins  Added: 03/10/25

" "

Benefits of a business continuity plan 

A business continuity plan can provide a backup operational structure to get you through an unexpected crisis.

It can help you:

  • identify and manage threats to your business
  • reduce the impact of serious incidents
  • minimise downtime and improve recovery time.

Contingency planning can also protect your reputation if events take a turn for the worse. By responding promptly, you can reassure everyone that you are in control, your core business operations will continue, as will your communication with customers, the media and other stakeholders.

The benefits don’t end there. If your business is part of a supply chain, effective contingency planning is a competitive advantage.

Risks to your business

You need to identify different types of risk as you create your contingency plans. Consider these risks and examples specific to your business:

  • denial of people – pandemic, strikes, single point of failure
  • denial of premises – fire, flood, police closures
  • denial of supplier – administration, supply chain issues, cyber attacks
  • denial of systems – cyber attack, mechanical failure.

Creating a business continuity plan

Start by listing all the possible risks to your business, however unlikely

  • physical risks – including fire, flooding or a terrorist incident
  • equipment failure – any machinery essential to your operation from computers to delivery vehicles
  • product failure – if they cause injury or have to be recalled
  • external issues – such as a transport strike
  • supplier problems – difficulties involving your major suppliers that adversely affect your business
  • staff problems – a pandemic or the death or serious illness of a key employee
  • negative publicity – in the press or on social media
  • radical changes in the business environment – perhaps a new and disruptive competitor
  • legal threats – from liability claims to copyright issues
  • cyber attacks – such as malware, hacking, loss of data or ransomware attacks on your website.

Create a matrix outlining the risks, scoring them on:

  • the probability of it happening
  • the business impact of resolving it
  • any regulatory or legal impact
  • the financial impact (fines/ penalties/cost of resolving it/ lost revenue)
  • the potential customer impact.

Decide who and what will be affected by each eventuality and explain how

Categorise your key facilities and processes, and prioritise recovery plans for those operations that are key to your business.

Make a list of all the people and organisations you will need to contact in the event of a serious incident. Include names and contact details of staff, customers and the following suppliers:

  • financial services companies, such as your bank and insurers
  • facility contractors, such as plumbers and electricians
  • IT and broadband service companies
  • utilities, such as water and heating companies.

Ideally, this list should be cloud-based or accessible off-site.

Draw up a separate IT continuity plan

Cyber attacks and other IT outages present a major threat to most businesses. Malicious attackers can cripple systems with ransomware until payment is received. Or hackers can steal card details from the online forms your customers complete.

Cyber insurer Coalition recently claimed that smaller businesses have become bigger targets for cyber attacks.  Additionally, a recent Government report highlights that UK companies have lost approximately £44 billion (around $55 billion) over the past five years. This averages out to nearly £9 billion per year due to cyber attacks.

For all these reasons, you need a separate continuity plan template for your IT systems. In particular, you need to make sure you can securely back up and run your systems off-site, if necessary. Other steps you can take include:

  • make sure staff are trained to minimise risks from email, apps, portable devices and so on, especially at a time when many people are working from home
  • think about ‘people risks’ too, such as loose talk about your information security or allowing access to your premises
  • prevent system administrators from using system privileges for reading email or web access. This reduces the chance of hackers accessing accounts with wide system access
  • equip your team to deal with outages and maintain details of all key service suppliers
  • encourage staff to report any cyber security problems immediately
  • avoid single human points of failure with regard to IT knowledge and access.

Learn more about cyber risk and what you can do to protect yourself on our Lloyds Cyber Risk hub. You’ll find plenty of insight and practical guidance to help you avoid or limit the impact of cyber attacks.

Insure your systems

Cyber Insurance can provide cover if your IT systems suffer a data breach or a cyber-attack. It could reimburse you for:

  • loss of revenue
  • fines and penalties
  • legal expenses
  • data restoration.

How to build resilience into your IT systems

  • use a reputable antivirus software product and keep it updated
  • implement a firewall. This creates protection between your network and external networks such as the internet. Most operating systems now include one, so make sure it’s activated
  • make sure staff apply all updates to software and firmware promptly. Replace any unsupported systems
  • introduce strong guidelines so staff know what is expected
  • make sure staff use strong passwords and update them frequently
  • ensure staff take particular care with the origin of: 
    • apps
    • website links or URLs
    • plugins
    • USB drives.
  • restrict system access. All users, including staff and third-party suppliers, should have enough access to do their jobs and no more
  • use multi-factor authentication for key systems, so you don’t rely on one password
  • carry out vulnerability scans and penetration tests – for example, by sending mock-phishing emails. Many providers support this
  • put warning systems in place to alert you to attacks at an early stage
  • check for any dependencies or single points of failure – particularly in business-critical systems. For example, ensure your web servers can cope with surges of traffic or have spare equipment readily to hand in case of breakdown.

Create a business continuity timeline

Your continuity plan should cover several stages:

  • what will happen immediately after a serious incident?
  • how your business will respond and continue
  • how it will get back to full strength and how long it might take.

For each stage, focus on what you will need to do at that point considering the following:

  • management
  • financial resources
  • logistical and technical issues
  • supply chain
  • customers
  • premises
  • communications and coordination.

Set out the order in which business functions will be resumed and who will be responsible in each case. You may need specific recovery plans for different functions, such as the main office, IT and key staff.

Draw up appropriate communications plans

These can range from getting in touch with staff to briefing the press. Nominate a spokesperson in case the incident is newsworthy. Reinforcing confidence in your recovery is essential to managing major incidents.

Make sure your plan is fully documented and agreed upon so everyone can return to normal promptly. It should align with your strategy and objectives and be correctly focused and credible.

Test and review regularly and improve your systems where possible

Following any business continuity incident:

  • review what took place and how your recovery plan worked
  • make any updates to improve the speed and effectiveness of recovery
  • if you can identify the root causes of the disruption, see what steps need to be taken to avoid repetition, if possible, and to mitigate the risk of a similar event in future
  • keep a record of your activity, so that there is a log of the incident, the response and the lessons learned

Even if you are lucky enough to avoid any disruption, your plan still needs to be tested and reviewed regularly:

  • there are many levels of testing – from full backup recovery to desktop walkthroughs – to make sure the plan makes sense and is usable
  • set a schedule to review and test it regularly – you may have updated or changed your IT system or added new software or new staff members in that time. Remember too that contact details for suppliers for support are also likely to change
  • post-testing – update your plans with any learnings.case of breakdown.

Other considerations

Keep your plan safe

Store copies of your plans away from the workplace to keep them safe. Make sure they stay up to date, note any new risks and keep contact details updated. For example, if major legislation changes affect your business, update your plans accordingly.

Make sure you’re fully insured

When getting your business back on track after an incident, it helps to be insured against the major threats – from building damage to the loss of key staff.

Find out about more about Business Insurance

Useful links

The Business Continuity Institute

ISO 22301 Business Continuity Management

HM Government Business Continuity Management Toolkit (PDF, 569KB)

National Cyber Security Centre

You may also be interested in:

Business Insurance

Protect your business from day-to-day risks, including including equipment, property damage and liability claims.

More on Business Insurance

How to manage your business

A selection of guides and products to help with the day-to-day running of your operation – focusing on money and tax, insurance, and people.

Visit the hub