How to create a Business Continuity Plan (part 1)

Cyber attacks can happen to any business. In this blog, East Midlands Special Operations Unit (EMSOU) outlines the steps firms can follow in the face of disaster.

Critical files encrypted by ransomware, denial of service attacks, hardware failures, human error and even adverse weather can bring any organisation to its metaphorical knees.

During such times of trouble, a Business Continuity Plan (BCP) will not only keep critical functions running, but will also address how to deal with customers, the press, suppliers and even the workforce.

In this blog post, EMSOU - a collaborative venture between the five East Midlands police forces - looks at how to implement a Business Impact Assessment. Part 2 will follow next week.

Business Impact Assessment (BIA)

Step 1: Fire up a spreadsheet and in column one, for each department, list all business activities. What tasks do your employees perform day in, day out?

Helpful Tip: Many organisations will distribute the spreadsheets to departmental managers in the first instance or ask a knowledgeable member of the BCP team to conduct interviews. The latter gives us consistency and also allows those being questioned to 'show and tell'.

Step 2: In the next three columns, record:

  • What hardware is needed to perform these jobs (look around the office) 

  • What software is needed to perform these jobs (look on the computers staff use) 

  • What data is needed to perform these jobs and where this data is stored (sometimes called a vital records programme)

Helpful Tip: Have an IT bod around when performing this part of the analysis to clarify the names of the systems and applications in use.

Step 3: Consolidate and refine - is there scope to collapse discrete activities under bigger 'functions' to make our list more manageable?

Step 4: We now want to rate the importance of each activity against our Mission Critical Functions (MCF). So, we might develop a yardstick like this:

If the activity stops, what is the impact on: 

  • MCF1: Employee welfare and safety 

  • MCF2: Enterprise reputation 

  • MCF3: Compliance with legal, regulatory or even contractual obligations 

  • MCF4: Operating costs 

  • MCF5: Our competitive edge

For each activity, we can then assign a 'subjective' ranking of:

Very High (5 points), High (4 points), Moderate (3), Low (2), Very Low (1)

If we repeat this process for other activities we will eventually have a prioritised list of departmental activities or business functions.

Step 5: In the next column, specify how long we can go without each business function before irreparable harm is done. Is it minutes, hours, days or weeks? This time limit is known as the 'Maximum Tolerable Downtime' (MTD). Many organisations complement this figure with another: the Recovery Time Objective (RTO) - this is the amount of time in which you can feasibly recover the business function in the event of a disruption. As you can imagine, the goal of Business Continuity Planning is to ensure that your RTOs are less than your MTDs. In other words, you do not want a situation where a business function is unavailable beyond the maximum tolerable downtime.
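As an added illustration of Steps 4 and 5 (not code from the EMSOU post), the script below scores a handful of constructed activities against the five MCFs, sorts them into the prioritised list, and flags any whose RTO exceeds its MTD. Summing one 1-5 rating per MCF into a single priority score is an assumption; the post leaves the exact weighting to the reader.

```python
# Added example, not from the EMSOU post: a small scorer for the BIA
# spreadsheet described in Steps 4 and 5. Summing one rating per MCF
# into a single priority score is an assumption; the post leaves the
# weighting to the reader. All activities below are constructed data.

MCFS = ["MCF1 welfare", "MCF2 reputation", "MCF3 compliance",
        "MCF4 costs", "MCF5 competitive edge"]
RATING = {"very high": 5, "high": 4, "moderate": 3, "low": 2, "very low": 1}
MINUTES = {"minutes": 1, "hours": 60, "days": 24 * 60, "weeks": 7 * 24 * 60}

# Constructed sample rows: one rating per MCF, then MTD and RTO.
ACTIVITIES = [
    {"name": "Process customer payments",
     "impact": ["moderate", "very high", "very high", "very high", "high"],
     "mtd": (4, "hours"), "rto": (8, "hours")},
    {"name": "Run monthly payroll",
     "impact": ["very high", "moderate", "very high", "moderate", "low"],
     "mtd": (2, "days"), "rto": (1, "days")},
    {"name": "Publish internal newsletter",
     "impact": ["very low", "low", "very low", "very low", "low"],
     "mtd": (2, "weeks"), "rto": (3, "days")},
]

def to_minutes(value, unit):
    """Normalise minutes/hours/days/weeks so MTD and RTO compare directly."""
    return value * MINUTES[unit]

def score(activity):
    """Step 4: points for the impact on each of the five MCFs, summed."""
    if len(activity["impact"]) != len(MCFS):
        raise ValueError(f"{activity['name']}: need one rating per MCF")
    return sum(RATING[r] for r in activity["impact"])

def prioritise(activities):
    """Highest-scoring activities first: the prioritised list from Step 4."""
    return sorted(((a["name"], score(a)) for a in activities),
                  key=lambda pair: pair[1], reverse=True)

def rto_breaches(activities):
    """Step 5 check: names of activities whose RTO exceeds their MTD."""
    return [a["name"] for a in activities
            if to_minutes(*a["rto"]) > to_minutes(*a["mtd"])]

if __name__ == "__main__":
    for name, points in prioritise(ACTIVITIES):
        print(f"{points:2d}  {name}")
    for name in rto_breaches(ACTIVITIES):
        print(f"RTO exceeds MTD: {name}")
```

Any activity listed by rto_breaches is one where the recovery measures in the next section need attention first.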

Putting it all together:

Our spreadsheet is starting to build a picture of which activities and functions are mission critical and the systems, applications and data upon which they rely. Once we know what is most important, we can prioritise our resources to protect them.

For example, perhaps we need:

  • Alternate premises / reciprocal agreements or support for mobile working 

  • Redundant equipment 

  • Redundant data stores (aka backups) 

  • Redundant supply chains 

  • Redundant utilities 

  • Redundant support services / supply chains 

  • Cross training or succession planning for staff 

  • Workarounds - such as using paper-based systems 

  • Better security controls


* This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands region to raise awareness among businesses and the public. If you require any further information, assistance or guidance please contact the EMSOU Protect Team.


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.