Guide

Business continuity planning

Business continuity planning can help you develop resilience so your business can continue operating during a major disaster, incident or crisis, and then recover.

In this section

  1. 1. What is business continuity?
  2. 2. Types of crisis that could affect your business
  3. 3. Plan how you'll deal with an emergency
  4. 4. Test your business continuity plan
  5. 5. Keep your plan updated

Guide 5 min read

1. What is business continuity?

Unexpected events can have a devastating impact on small businesses. Global crises (such as geopolitical instability or global IT outages) and business crises (such as fire or cyber-attacks) can all make it difficult or even impossible to carry out your normal day-to-day activities. In the worst case scenario they could force you out of business altogether.

Business continuity planning is a vital part of your business operations, helping to build your business resilience and ensure it can continue operating during a crisis and then recover quickly.

A business continuity plan: 

  • identifies potential crises that might cause business interruption

  • determines how you will minimise the risks of these crises occurring

  • sets out how you'll react in the event of an incident 

  • details how the plan will be reviewed and tested regularly.

2. Types of crisis that could affect your business

Events that could constitute a crisis for your business may vary according to your location, sector, business model, size, and reliance on key customers or suppliers.

There are two main categories of crisis and you need to consider the probability, potential frequency and possible impact of both.

  • incidents which can be anticipated and may be preventable (or the impact reduced) with appropriate management of internal risks within your control

  • crises involving external risks outside your control that are impossible to avoid.

Crises which may be prevented or their likelihood reduced

All businesses should consider risk management which involves maintaining a risk register that:

  • identifies possible risks

  • considers the likelihood of them happening

  • evaluates the possible impact on your business

  • identifies how they could be prevented 

Each risk should be assigned to a specific person to oversee prevention and monitoring.

Risks that might be identified include:

  • fire, vandalism and theft affecting premises

  • technological incidents such as opportunistic cyber attacks, IT system failures

  • people issues such as human error, malpractice, and fraud

  • legal and compliance infringements, such as data breaches or health and safety issues.

Procedures, policies and training may be put in place to reduce the likelihood of many of these, along with physical interventions such as security measures.

Unavoidable external crises

It’s impossible to anticipate or prevent many types of crises. For example:

  • natural disasters and extreme weather such as storm damage and floods restricting access to property

  • international external issues such as geo-political instability and global pandemics leading to supply chain disruption

  • global IT outages preventing transactions or normal operations

  • staff issues such as illness or unavailability of key staff impacting service delivery.

For incidents that you cannot prevent, you can look for ways to spread risk as far as possible, but there are far fewer factors within your control. Therefore your business continuity plan is particularly important to build resilience.

3. Plan how you'll deal with an emergency

Once you understand your risks, you should draw up a business continuity plan setting out how you will cope if a crisis does occur. 

As part of this analysis, identify which business functions are essential to your day-to-day business operations. You're likely to conclude that certain roles within the business - while necessary in normal circumstances - aren't absolutely critical in a disaster scenario.

Create your business continuity plan

Think about the things that would cause the most disruption and that are most likely to happen to your business. Then make sure that your plan covers each of the risks.

It should detail the key business functions you need to get operating as quickly as possible as well as the resources you'll need to do so. It must also detail the roles of individuals in the emergency.

This business resilience 10 minute plan from Ready Scotland can give you an idea of what to cover.

Given the increasing cyber security risks faced by businesses, you should have a specific section covering a plan for cyber incidents.

Making the most of the first hour after an emergency occurs is essential in minimising the impact. As a result, your plan needs to explain the immediate actions to be taken.

Key considerations

When creating your plan, consider including:

  • checklists - arrange the plan in the form of checklists to make sure that key steps are followed 

  • call trees - detail how call trees will be used to contact all staff

  • contact details - include contact details for those you're likely to have to notify in an emergency such as the emergency services, insurers, the local council, the authorities, staff, customers, suppliers, utility companies and neighbouring businesses

  • service providers who can help - include details of service-providers such as glaziers, locksmiths, plumbers, electricians, and IT specialists

  • premises map - include maps of your premises' layout to help emergency services, showing fire escapes, sprinklers and other safety equipment

  • communicate - set out a communication plan detailing how you'll communicate with customers and deal with possible media interest in an incident to protect your reputation during a crisis

  • paper copies - make sure hard copies of your business continuity plan are lodged at your home and with your bank and at the homes of other key members of staff

  • staff training - give staff specific training to enable them to fulfil their responsibilities in an emergency situation and ensure all employees are aware of what they have to do.

4. Test your business continuity plan

Once your plan is in place, you'll need to test how well it's likely to perform in the event of an emergency.

You should test your plan regularly (at least annually), even if your business hasn't undergone significant changes.

This is likely to involve testing your chain of communication across the business, using your planned “call trees” and actually ensuring your teams can work remotely at short notice or can adapt to a loss of internet connection or digital access for example, as opposed to just talking about it. 

An important task is carrying out a debrief after the test so your plan can be updated with any learnings.

5. Keep your plan updated

It’s important to keep your plan up to date and update it regularly to take into account your business' changing circumstances.

As your business evolves or grows you will need to ensure your plan reflects this. This could include changes to key staff, staff contact details, new IT platforms or systems, new equipment, etc. 

For example, if you move into new premises, you could face an entirely new set of risks. You'd need to draw up new maps for the emergency services and amend any contact numbers necessary.

Business Gateway can offer you advice on other areas of managing a business. Find your local office and contact us below.

Last updated: 13/11/2025