Business Continuity Planning for SMEs
A practical guide to business continuity planning for UK SMEs, covering how to identify risks, assess their impact, develop recovery strategies and test your plan.
Business continuity planning (BCP) is the process of identifying threats to your business and building a plan to ensure that critical operations can continue – or recover quickly – when things go wrong. For SMEs, a disruption that stops trading for even a few days can be financially devastating, yet fewer than half of UK small businesses have any form of continuity plan.
The threats are real and varied: fire, flood, cyberattack, supply chain failure, loss of a key employee, pandemic restrictions or a major customer going insolvent. A business continuity plan does not prevent these events, but it ensures you can respond effectively when they happen.
Why SMEs need a plan
Large organisations have dedicated risk and continuity teams. SMEs typically do not, which makes them more vulnerable, not less – thinner margins, key person dependency, fewer supplier alternatives, customer concentration and limited IT resilience all compound the risk.
Business interruption insurance covers financial losses and cyber insurance covers the costs of a cyber incident, but neither can restore customer confidence, recover lost data or get your operations running again on their own.
The business impact analysis
The business impact analysis (BIA) is the foundation of any continuity plan. It identifies which activities are critical to your business and how quickly they need to be restored after a disruption.
How to conduct a BIA
For each business function or process, assess:
| Factor | Question |
|---|---|
| Criticality | How important is this activity to the business? |
| Maximum tolerable downtime | How long can this activity be unavailable before the impact becomes unacceptable? |
| Revenue impact | How much revenue is lost per day/week if this activity stops? |
| Contractual obligations | Are there SLAs, delivery deadlines or regulatory requirements tied to this activity? |
| Dependencies | What does this activity depend on (people, IT systems, suppliers, premises)? |
| Recovery priority | In what order should activities be restored? |
Example BIA for a small professional services firm
| Business activity | Maximum tolerable downtime | Revenue impact | Key dependencies | Recovery priority |
|---|---|---|---|---|
| Client service delivery | 2 days | High | Staff, IT systems, email | 1 |
| Invoicing and payments | 5 days | Medium | Accounting software, bank access | 2 |
| Payroll | Until next pay date | Medium | Payroll provider, HMRC access | 3 |
| New business development | 2 weeks | Low (short term) | CRM, marketing materials | 4 |
| Office administration | 2 weeks | Low | Office supplies, post handling | 5 |
Risk identification
Once you know which activities are critical, identify the threats that could disrupt them:
| Threat category | Examples |
|---|---|
| Premises | Fire, flood, structural damage, utility failure, denial of access |
| Technology | Cyberattack (ransomware, data breach), hardware failure, software corruption, internet outage |
| People | Illness of key staff, resignation, injury, bereavement |
| Supply chain | Key supplier failure, logistics disruption, raw material shortage |
| Financial | Major customer insolvency, cash flow crisis, credit risk materialising |
| External | Pandemic, severe weather, civil disruption, regulatory change |
For each threat, assess the likelihood (how probable it is) and the impact (how severe the consequences would be). Focus your planning effort on threats that are either highly likely or highly impactful – or both.
Recovery strategies
For each critical activity, define how you will maintain or restore it:
Premises
- Remote working – ensure staff can work from home with access to key systems
- Alternative premises – identify a backup location (serviced office, co-working space)
Technology
- Data backup – automated daily backups to a cloud or offsite location, with at least one copy that cannot be altered or deleted using the credentials of the systems being backed up (so that ransomware which reaches your network cannot also reach your backups), and tested regularly by actually restoring from them
- Cloud-based systems – reduce dependency on physical servers by using cloud-hosted applications
- Cyber incident response plan – define the steps to take if a cyberattack occurs, including who decides to isolate affected systems, how to preserve evidence, and reporting to the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals
People
- Cross-training – ensure more than one person can perform each critical role
- Documentation – maintain up-to-date process documentation for all key activities
- Succession planning – identify who would step in if a key person were unavailable
Supply chain
- Alternative suppliers – identify at least one backup supplier for critical goods or services
- Contractual protections – include force majeure and termination clauses in key contracts
Financial
- Cash reserves – maintain sufficient reserves to cover at least 3 months of fixed costs
- Insurance – review cover annually to ensure it reflects current risks and business value
- Credit management – actively manage debtor days and monitor the financial health of major customers
Writing the plan
A business continuity plan does not need to be a lengthy document. For most SMEs, a clear, practical plan of 5-10 pages is more useful than a detailed manual that nobody reads.
Core contents
| Section | What to include |
|---|---|
| Purpose and scope | What the plan covers and when it should be activated |
| Roles and responsibilities | Who does what in a crisis (incident manager, communications lead, IT lead) |
| Contact list | Emergency contacts for staff, key suppliers, insurers, IT support, landlord |
| Critical activities and recovery priorities | From the BIA |
| Recovery strategies | The specific actions for each scenario (premises loss, IT failure, key person absence) |
| Communication plan | How you will communicate with staff, customers, suppliers and regulators |
| Insurance details | Policy numbers, broker contact, claims procedures |
Testing the plan
A plan that has never been tested is a plan that will fail when you need it. Testing does not have to be elaborate:
| Test type | What it involves | Frequency |
|---|---|---|
| Desk-based walkthrough | Key staff talk through the plan and identify gaps | Every 6 months |
| Communication test | Activate the emergency contact list and measure response times | Annually |
| IT recovery test | Restore data from backup to a separate environment, verify it is complete and usable (every expected file present and unaltered, applications able to open it), and record how long the restore took against the maximum tolerable downtime in the BIA | Every 6 months |
| Scenario exercise | Simulate a specific disruption (e.g. ransomware attack) and work through the response | Annually |
After each test, document what worked, what did not and what needs to change. Update the plan accordingly.
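The "complete and usable" check in the IT recovery test, and the "tested regularly" caveat on the backup strategy above, both need something more objective than opening a few files by hand. The script below is an added example, not part of the original guide or of any particular backup product: it records a manifest of SHA-256 hashes for the live data at backup time, then compares a restored copy against that manifest and reports files that are missing, altered or unexpected. The file names, directory layout and contents are constructed for the demonstration; the manifest should be stored with the continuity plan, separately from the backup itself, so that an attacker who can tamper with the backup cannot also tamper with the record used to check it.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON; keep this file apart from the backup media."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    'missing' and 'corrupt' both mean the restore cannot be trusted; 'extra'
    files are reported because they may indicate a restore from the wrong
    snapshot or stray data that should be investigated.
    """
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(
        p for p in manifest if p in restored and restored[p] != manifest[p]
    )
    return {
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
        "ok": not (missing or corrupt),
    }


def run_demo() -> dict:
    """Constructed scenario: a clean restore and a damaged one, side by side."""
    work = Path(tempfile.mkdtemp())
    try:
        # Constructed sample data standing in for a small firm's working files.
        live = work / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme.docx").write_bytes(b"engagement letter v3")
        (live / "clients" / "notes.txt").write_bytes(b"meeting notes")
        (live / "ledger.csv").write_bytes(b"date,amount\n2024-01-05,1200\n")

        # Manifest is taken from the live data at backup time and stored
        # with the plan (here a separate path), not inside the backup.
        manifest_file = work / "plan" / "backup-manifest.json"
        manifest_file.parent.mkdir()
        save_manifest(build_manifest(live), manifest_file)
        manifest = load_manifest(manifest_file)

        # A restore that brought everything back intact.
        clean = work / "restore-clean"
        shutil.copytree(live, clean)

        # A restore that lost one file and truncated another.
        damaged = work / "restore-damaged"
        shutil.copytree(live, damaged)
        (damaged / "clients" / "notes.txt").unlink()
        (damaged / "ledger.csv").write_bytes(b"date,amount\n")

        return {
            "clean": verify_restore(manifest, clean),
            "damaged": verify_restore(manifest, damaged),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, json.dumps(report))
```

In a real test the manifest would be generated by the scheduled backup job against the source data, and the verification run against the restored copy on an isolated machine; the elapsed time of that restore is the figure to compare with the maximum tolerable downtime from the BIA. A hash match proves the data came back unaltered, but "usable" still needs a person to open the restored accounting file or client documents in the application that produced them.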
Maintaining the plan
A continuity plan is a living document. Review and update it annually as a minimum, when the business changes significantly, after any incident or near miss, and after each test exercise. Assign a named person as the plan owner with responsibility for keeping it current.