From reading so far, you will understand that, unless you are a really small business, this is probably not going to be a lone effort. You will need to build a team of reliable staff who can help you research, design, co-ordinate and implement your plan. Some of these people will work with you in IT, but you will also need the help of people from other departments. For example, it may be useful to enlist the help of your Health and Safety Officer. They should already have a procedure in place for fire-related emergencies and will have been responsible for ensuring all staff know how to react in an emergency. Even if you decide to tackle this on your own, you will need to communicate with each department to decide what systems are critical to their operation and to understand the inter-dependencies of your departments.
So where do you start? You will need to get buy-in from the director, owner or whoever takes overall responsibility for the company; without this your plan will fail. You will need to be able to explain the risks to the business (physical, environmental and localised) and what impact these could have on the business. It may also be true in smaller companies that the board will make the decision as to what level of protection is required, for which systems and processes, and how quickly you should be able to recover. Plus, they will need to commit a budget to the planning, implementation and testing of the plan. From here, at least you will be able to investigate what systems and procedures are needed to fulfil these requirements and whether this can be achieved within the budget. It may not always be possible; compromises may have to be made, and the board will need to be fully aware of these and agree to them, otherwise it will be your neck on the chopping board after an incident.
It might also be worth getting some outside help. There are many specialist firms and consultants who can bring a lot of expertise and added value to your plan and can save you a lot of time during the initial research and planning stages. For example, Business Impact Analysis is a complex process that can be applied and will provide you with valuable information about your business and the potential impact of incidents. I would also recommend looking at third-party help when testing your plan. Remember, a Business Continuity Plan is only as good as its last test. Plus, your company is probably growing and evolving, and that means you need to make regular updates to the plan. Using a third party will help to highlight weak points in the plan, which can then be rectified. Testing also helps to reinforce your staff training and forms part of that training, ensuring that everyone reacts appropriately. The benefit of testing a plan is that it is pre-scheduled: customers and suppliers can be pre-warned and it demonstrates your commitment to business continuity. Your longevity is important and your responsible behaviour will help strengthen the relationships with your customers and suppliers.
So, as a final thought, is it practical to pass the business continuity planning to your IT professional? Well, in a lot of cases, yes. As we all become more and more reliant on technology, and as it forms the core of many of today’s businesses, it makes sense that the IT professional takes ownership of it, certainly in smaller organisations. However, I feel very strongly that IT cannot go it alone. Internal and possibly external help will be required, and without the commitment of others the plan is doomed to fail (if you even manage to get it off the ground!).