Plan B: Business continuity plan for SMEs

Start with a thorough risk analysis. What dangers might threaten ongoing operations – and therefore the company – in the event of an IT failure? Consider all conceivable scenarios and assess the probability and impact. Possible scenarios include technological risks such as cyber attacks or system failures.

A business impact analysis enables you to understand the effects of failures and interruptions. You can identify business-critical processes and IT dependencies and determine how quickly they need to be restored in order to avoid serious consequences. The analysis helps to allocate resources sensibly and to develop a strategy for risk mitigation and recovery. Some processes and departments or areas may take longer to recover than others, without customers being directly affected. Ultimately, it is about deciding which processes are most important for value creation and relevant for sales.

Once all impacts and dependencies have been identified, plan measures to minimize the potential impact with a risk mitigation strategy. You then use a recovery strategy to determine how you can restore the critical business processes as quickly as possible. Plan crisis communication, define clear communication channels and assign responsibilities.

Every business continuity plan is divided into two subject areas. The departments or divisions are responsible for maintaining business operations, as they know their processes best. Internal or external IT specialists are responsible for technical recovery. 

Maintenance of business operations

• Print complete process documentation with instructions, plans and directories
• Print and store forms for process documentation
• Record contacts of customers, partners and employees and keep them available offline
• Find alternatives for relocating production and procuring materials
• If possible, set up an external warehouse with production-critical components
• Clarify with the bank how urgent bills can be paid in an emergency
• Look for alternatives to card payment, for example cash or invoice forms
• Discuss documents and emergency scenarios with key employees
• Save important documents on a laptop with an independent Internet connection
• If possible, set up emergency organization with employees and the IT service provider

Technical restoration

• The first thing to check is the availability of the backup data; how many days or weeks does it go back, and do you want to use this as a basis for the future? Do the data carriers work, and is a sufficient read/copy infrastructure available?
• Before restoring the backups, it must be ensured that the target systems have been completely deleted and are virus-free. In some cases, it makes sense to procure new hardware or restore backups in a cloud environment
• For more complex system landscapes, an extensive "clean-up" of the systems may be more efficient than a complete restore from backups. An experienced IT emergency service provider should be brought in to help remove all viruses and backdoors and set up an "alarm system" for new infections
• With the help of the IT service provider, a secure network area can also be created for recovery, which is physically separated, or separated by suitable firewalls, from any systems that may still be infected
• First of all, the central systems should be restored or cleaned up, i.e. user management, file servers, email, security and network systems, as well as systems for operating virtual machines
• The sequence of recovery of servers, virtual machines, applications and databases depends on the criticality of these systems and on dependencies, which should be identified and documented in advance
• At the same time, desktops and laptops can be reinstalled, and affected control systems in production environments can be cleaned up

Involve your employees in the risk analysis, business impact analysis and emergency planning. On the one hand, they know their work area, possible dangers and the effects of failures or interruptions best. On the other, this involvement promotes their understanding of the business continuity management (BCM) process and increases their commitment to the BCM strategy. For this reason, it makes sense to organize regular training and feedback for relevant employees and to update the plan in the event of major organizational changes.

No plan is set in stone. The business continuity plan should be tested and updated at least once a year. In addition, recovery tests should be carried out and manual processes practiced in emergency scenarios so that everyone knows what to do in an emergency. As with fire alarm drills. Update the business continuity plan after every major disruption or interruption and after every major change in the operating environment, print it out and distribute it to all affected employees and service suppliers.