Business Continuity plan



Business Continuity Plan:
A Practical Guide to Keeping an Organisation Running During Disruption

A business continuity plan, often shortened to BCP, is a practical management document that sets out how an organisation will continue operating, recover critical activities and communicate effectively during and after a serious disruption.

At its simplest, a business continuity plan asks:

What must keep running, what could disrupt it, how quickly must we recover, who does what, and how will we keep customers, staff, suppliers, service users and stakeholders informed?

That makes it useful for business planning, charity governance, project management, public sector services, property management, manufacturing, professional services, cyber security, healthcare, education, retail, ecommerce, construction and board reporting.

The UK Government’s business continuity management toolkit describes business continuity management as identifying the parts of an organisation it cannot afford to lose, such as information, stock, premises and staff, and planning how to maintain them if an incident occurs.

Used properly, a business continuity plan helps an organisation move from panic and improvisation to controlled, practical response.

What is a business continuity plan?

A business continuity plan is a documented plan for dealing with disruption.

It explains what the organisation will do if an incident affects normal operations.

That incident could include:

  1. Fire
  2. Flood
  3. Cyber attack
  4. Power failure
  5. IT outage
  6. Loss of premises
  7. Staff shortage
  8. Supplier failure
  9. Severe weather
  10. Pandemic or major illness
  11. Data loss
  12. Utilities failure
  13. Transport disruption
  14. Major customer disruption
  15. Regulatory or compliance incident
  16. Contractor failure
  17. Loss of key records
  18. Security incident
  19. Reputational crisis
  20. Financial disruption

The purpose of a business continuity plan is not to predict every possible incident. That is impossible.

The purpose is to identify what matters most, decide how disruption will be managed, and make sure the organisation can continue or recover its critical activities within an acceptable timescale.

ISO 22301 is the international standard for business continuity management systems. ISO describes it as a framework for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

Business continuity plan and business continuity management

A business continuity plan is often confused with business continuity management.

They are related, but they are not the same.

Business continuity management

Business continuity management is the wider discipline.

It includes:

  1. Understanding the organisation
  2. Identifying critical activities
  3. Carrying out a business impact analysis
  4. Assessing risks
  5. Developing continuity strategies
  6. Creating plans
  7. Training people
  8. Testing arrangements
  9. Reviewing lessons
  10. Improving resilience

The Business Continuity Institute’s Good Practice Guidelines describe a structure for developing a business continuity management system, using professional practices that support the development, implementation and management of business continuity.

Business continuity plan

The business continuity plan is the documented response plan.

It explains:

  1. Who is responsible
  2. What should happen first
  3. Which activities are critical
  4. How disruption will be assessed
  5. How staff will be contacted
  6. How customers or service users will be informed
  7. How suppliers and partners will be managed
  8. How systems and data will be restored
  9. How alternative working arrangements will operate
  10. How the organisation will return to normal

In simple terms:

Business continuity management is the whole discipline.

The business continuity plan is the practical document used during disruption.

History and development of business continuity planning

Business continuity planning developed from several overlapping areas of management practice.

These include:

  1. Disaster recovery
  2. Emergency planning
  3. Civil protection
  4. IT resilience
  5. Health and safety
  6. Crisis management
  7. Risk management
  8. Internal control
  9. Insurance
  10. Corporate governance

Earlier approaches often focused heavily on IT disaster recovery. The main question was:

How do we recover systems and data after a technical failure?

That remains important, but modern business continuity is wider. It considers people, premises, suppliers, customers, communications, finance, operations, legal duties, reputation and stakeholder confidence.

The development of ISO 22301 helped standardise business continuity management internationally. ISO’s free publication on ISO 22301 describes it as an international standard for implementing and maintaining effective business continuity plans, systems and processes.

Business continuity also became more important as organisations became more dependent on technology, outsourced suppliers, global supply chains, digital communication, data, complex logistics and public confidence.

The COVID-19 pandemic, cyber attacks, extreme weather events, supply chain shocks and energy disruption all reinforced a simple point:

Continuity planning is not just for large corporations.

Small businesses, charities, schools, care providers, local authorities, professional firms and property businesses all need to think about how they would continue operating if normal arrangements failed.

Business continuity plan, disaster recovery, emergency plan and crisis plan

These terms are often used together, but they are different.

Business continuity plan

A business continuity plan focuses on continuing or recovering critical operations.

It asks:

How do we keep the organisation functioning at an acceptable level during disruption?

Disaster recovery plan

A disaster recovery plan usually focuses on restoring IT systems, data, software, networks and technical infrastructure.

It asks:

How do we recover technology and data after a failure?

Disaster recovery is usually part of business continuity, but it is not the whole plan.

Emergency response plan

An emergency response plan focuses on immediate safety and incident response.

It asks:

How do we protect people and property in the first moments of an emergency?

Examples include evacuation, first aid, emergency services contact, fire response and site safety.

Crisis management plan

A crisis management plan focuses on leadership, decisions, reputation and communication during a serious event.

It asks:

How do senior leaders manage the wider consequences of a major incident?

A serious incident may require all four:

  1. Emergency response to protect people
  2. Crisis management to lead the organisation
  3. Disaster recovery to restore systems
  4. Business continuity to keep critical services running

Key elements of a business continuity plan

1. Scope and purpose

The plan should start by explaining what it covers.

It may cover:

  1. The whole organisation
  2. A specific site
  3. A department
  4. A service
  5. A project
  6. A property portfolio
  7. A charity programme
  8. A school or care setting
  9. A technology platform
  10. A supply chain

The plan should be clear about its purpose.

For example:

The purpose of this plan is to ensure that the organisation can continue delivering critical services, protect staff and service users, communicate effectively with stakeholders, and recover normal operations following a significant disruption.

2. Critical activities

A business continuity plan should identify the activities that must be maintained or recovered quickly.

Critical activities may include:

  1. Customer service
  2. Payroll
  3. Cash collection
  4. Order fulfilment
  5. Care delivery
  6. Safeguarding
  7. Emergency repairs
  8. IT access
  9. Statutory reporting
  10. Finance processing
  11. Supplier communication
  12. Booking systems
  13. Clinical or care records
  14. Tenant communication
  15. Website or ecommerce operations
  16. Manufacturing production
  17. Dispatch and logistics
  18. Regulatory compliance
  19. Data protection response
  20. Public communications

Not everything is critical.

A good plan separates what must continue from what can pause temporarily.

3. Business impact analysis

A business impact analysis, or BIA, identifies the effects of disruption on business functions, processes and services.

Ready.gov explains that a business impact analysis predicts the consequences of disruption to a business function or process and gathers the information needed to develop recovery strategies.

A business impact analysis helps answer:

  1. Which activities are critical?
  2. What happens if they stop?
  3. How quickly must they recover?
  4. What resources are needed?
  5. What dependencies exist?
  6. What systems are essential?
  7. Which staff are needed?
  8. Which suppliers are critical?
  9. What legal or contractual duties apply?
  10. What would the financial, operational and reputational impact be?

Without a business impact analysis, a continuity plan may be based on guesswork.

4. Recovery time objectives

A recovery time objective, often shortened to RTO, is the target time for restoring a process, activity or system after disruption.

For example:

  1. Payroll must be restored within two working days.
  2. Customer support must resume within four hours.
  3. Safeguarding escalation must be maintained immediately.
  4. Ecommerce checkout must be restored within six hours.
  5. Finance system access must be restored within one working day.

RTOs help prioritise recovery.

Not every activity needs to return immediately. Some can wait. Some cannot.

5. Recovery point objectives

A recovery point objective, often shortened to RPO, is the maximum amount of data loss the organisation can tolerate.

For example:

  1. Losing 24 hours of website analytics may be acceptable.
  2. Losing 24 hours of customer orders may not be acceptable.
  3. Losing care records may be unacceptable.
  4. Losing accounting records may cause serious compliance and operational issues.

RPOs are especially important for IT and data recovery.

They help decide how often backups are required and how quickly data must be restored.
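The check below is an added example, not part of the original guide. It compares backup job records and restore test results with the RTO and RPO targets set in a business impact analysis. The system names, hour values, finding codes, sample records and the 180-day limit on restore test age are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

T = datetime.fromisoformat  # shorthand for the constructed timestamps below


@dataclass(frozen=True)
class Objective:
    system: str
    rpo_hours: float  # maximum tolerable data loss
    rto_hours: float  # target time to restore


def worst_case_loss_hours(success_times, as_of):
    """Longest window with no successful backup, in hours.

    Includes the window from the last success up to `as_of`, because a
    failure at that moment would lose everything written since then.
    Returns None when there is no successful backup at all.
    """
    times = sorted(t for t in success_times if t <= as_of)
    if not times:
        return None
    points = times + [as_of]
    gaps = [later - earlier for earlier, later in zip(points, points[1:])]
    return max(gaps) / timedelta(hours=1)


def assess(objectives, backup_log, restore_tests, as_of, max_test_age_days=180):
    """Return {system: [finding codes]}; an empty list means targets are met."""
    findings = {}
    for obj in objectives:
        issues = []
        # Only successful jobs count: a failed job widens the exposure window.
        ok_times = [ts for name, ts, status in backup_log
                    if name == obj.system and status == "ok"]
        loss = worst_case_loss_hours(ok_times, as_of)
        if loss is None:
            issues.append("NO_BACKUP")
        elif loss > obj.rpo_hours:
            issues.append("RPO_BREACH")

        # RTO is judged on the most recent measured restore, not on a promise.
        tests = [(when, hours) for name, when, hours in restore_tests
                 if name == obj.system]
        if not tests:
            issues.append("RESTORE_UNTESTED")
        else:
            when, hours = max(tests)
            if hours > obj.rto_hours:
                issues.append("RTO_BREACH")
            if as_of - when > timedelta(days=max_test_age_days):
                issues.append("RESTORE_TEST_STALE")
        findings[obj.system] = issues
    return findings


# --- Constructed sample data (not taken from any real organisation) ---
AS_OF = T("2024-03-10T05:00")

OBJECTIVES = [
    Objective("orders-db", rpo_hours=1, rto_hours=6),
    Objective("web-analytics", rpo_hours=24, rto_hours=48),
    Objective("finance", rpo_hours=4, rto_hours=24),
    Objective("payroll", rpo_hours=24, rto_hours=48),
]

# (system, job finish time, status)
BACKUP_LOG = [
    ("orders-db", T("2024-03-10T00:00"), "ok"),
    ("orders-db", T("2024-03-10T01:00"), "ok"),
    ("orders-db", T("2024-03-10T02:00"), "ok"),
    ("orders-db", T("2024-03-10T03:00"), "failed"),  # one missed hourly job
    ("orders-db", T("2024-03-10T04:00"), "ok"),
    ("web-analytics", T("2024-03-09T00:30"), "ok"),
    ("web-analytics", T("2024-03-10T00:30"), "ok"),
    ("finance", T("2024-03-09T20:00"), "ok"),
    ("finance", T("2024-03-10T00:00"), "ok"),
    ("finance", T("2024-03-10T04:00"), "ok"),
    ("payroll", T("2024-03-09T23:00"), "failed"),
]

# (system, date of restore test, measured hours to restore)
RESTORE_TESTS = [
    ("orders-db", T("2024-02-01T09:00"), 4.5),
    ("finance", T("2023-06-01T09:00"), 30.0),
]

if __name__ == "__main__":
    for system, issues in assess(OBJECTIVES, BACKUP_LOG, RESTORE_TESTS, AS_OF).items():
        print(f"{system:15} {', '.join(issues) or 'targets met'}")
```

In the sample data, a single failed hourly job doubles the exposure window for the orders database and breaches its one-hour RPO, even though the schedule itself matches the target.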

6. Roles and responsibilities

A business continuity plan should clearly define who does what.

Roles may include:

  1. Incident lead
  2. Business continuity lead
  3. Senior decision-maker
  4. Communications lead
  5. IT recovery lead
  6. HR or people lead
  7. Finance lead
  8. Operations lead
  9. Site or facilities lead
  10. Safeguarding lead
  11. Customer communication lead
  12. Supplier contact lead
  13. Board or trustee contact
  14. Legal or compliance contact
  15. External adviser

Each role should have:

  1. Name
  2. Deputy
  3. Contact details
  4. Responsibilities
  5. Authority level
  6. Escalation route

A plan that depends on one person is vulnerable.

7. Contact information

The plan should include key contact details.

These may include:

  1. Staff
  2. Directors
  3. Trustees
  4. Emergency services
  5. Landlords
  6. Insurers
  7. IT providers
  8. Telecoms providers
  9. Utilities providers
  10. Banks
  11. Key customers
  12. Suppliers
  13. Contractors
  14. Local authority contacts
  15. Professional advisers
  16. Media contacts
  17. Safeguarding contacts
  18. Regulators
  19. Funders
  20. Alternative premises contacts

This information should be kept up to date and available even if normal systems are unavailable.

8. Incident assessment process

The plan should explain how an incident will be assessed.

Questions include:

  1. What has happened?
  2. Who is affected?
  3. Is anyone at risk?
  4. Which services or systems are affected?
  5. Is the incident local or organisation-wide?
  6. Is customer or service user communication required?
  7. Is board, trustee or senior management escalation required?
  8. Is regulatory notification required?
  9. Is legal advice needed?
  10. Should the business continuity plan be activated?

The first hour of an incident is often messy. A clear assessment process helps reduce confusion.

9. Communication plan

Communication is one of the most important parts of business continuity.

The plan should cover:

  1. Staff communication
  2. Customer communication
  3. Supplier communication
  4. Service user communication
  5. Tenant communication
  6. Funder communication
  7. Regulator communication
  8. Board or trustee communication
  9. Media communication
  10. Website and social media updates

The plan should include prepared templates where possible.

For example:

  1. Service disruption notice
  2. Staff instruction message
  3. Customer update
  4. Supplier request
  5. Website banner
  6. Holding statement
  7. Out of office wording
  8. Emergency contact message
  9. Tenant update
  10. Incident closure message

In a crisis, it is much easier to adapt a prepared template than write from scratch.

10. Alternative working arrangements

The plan should explain how work will continue if normal arrangements are not available.

This may include:

  1. Remote working
  2. Alternative premises
  3. Temporary office space
  4. Manual processes
  5. Paper forms
  6. Alternative phone lines
  7. Mobile devices
  8. Cloud systems
  9. Redeployment of staff
  10. Prioritisation of critical work
  11. Reduced service model
  12. Extended hours
  13. Third-party support
  14. Emergency rota
  15. Mutual aid arrangements

Alternative arrangements should be realistic and tested.

A plan that says “staff will work from home” is not enough if staff lack laptops, system access, phone access, secure data arrangements or broadband.

11. IT and data recovery

Modern organisations rely heavily on IT.

The business continuity plan should link to the disaster recovery plan and include:

  1. Critical systems
  2. System owners
  3. Backup arrangements
  4. Recovery time objectives
  5. Recovery point objectives
  6. Cyber incident response
  7. Data access arrangements
  8. Alternative systems
  9. Manual workarounds
  10. Supplier contacts
  11. Password and access recovery
  12. Multi-factor authentication arrangements
  13. Cloud service dependencies
  14. Telecoms recovery
  15. Testing schedule

IT recovery should not be left as a vague statement.

It needs practical detail.

12. Premises and facilities

The plan should explain what happens if premises cannot be used.

This may cover:

  1. Fire
  2. Flood
  3. Power failure
  4. Heating failure
  5. Security incident
  6. Structural issue
  7. Access restriction
  8. Utilities disruption
  9. Severe weather
  10. Environmental incident

Questions include:

  1. Can critical work continue elsewhere?
  2. Where are keys held?
  3. Who contacts the landlord?
  4. Who contacts insurers?
  5. Are paper records accessible?
  6. Are servers on-site?
  7. Is equipment insured?
  8. Is there alternative storage?
  9. Are tenants or occupiers affected?
  10. Is site security required?

For property businesses, landlords and care or education settings, premises continuity can be especially important.

13. People and staffing

A business continuity plan should address staff availability.

Disruption may be caused by:

  1. Sickness
  2. Transport disruption
  3. Severe weather
  4. Pandemic
  5. Industrial action
  6. Family emergencies
  7. Burnout
  8. Key person dependency
  9. Staff resignation
  10. Safeguarding or welfare incident

The plan should consider:

  1. Critical roles
  2. Deputies
  3. Cross-training
  4. Emergency rotas
  5. HR communication
  6. Staff welfare
  7. Remote working
  8. Temporary staff
  9. Agency cover
  10. Succession arrangements
  11. Contact cascades
  12. Lone working considerations

People are not just resources in a spreadsheet. Staff need clear communication, support and realistic expectations during disruption.

14. Suppliers and partners

Many organisations depend on external suppliers.

The plan should identify critical suppliers and what happens if they fail.

This may include:

  1. IT provider
  2. Payroll provider
  3. Telecoms provider
  4. Utilities
  5. Logistics provider
  6. Cleaning contractor
  7. Security contractor
  8. Care agency
  9. Key material supplier
  10. Software platform
  11. Payment provider
  12. Professional adviser
  13. Maintenance contractor
  14. Food supplier
  15. Data processor

Questions include:

  1. Which suppliers are critical?
  2. Are alternative suppliers available?
  3. What service levels exist?
  4. Are contracts clear?
  5. Are emergency contacts known?
  6. Is supplier continuity tested?
  7. Are there single points of failure?
  8. Are subcontractors involved?
  9. Are costs likely to rise during disruption?
  10. Is dependency recorded in the risk register?

A continuity plan that ignores suppliers is incomplete.

15. Finance and cash

Disruption often affects cash.

A business continuity plan should consider:

  1. Access to bank accounts
  2. Payroll continuity
  3. Supplier payments
  4. Customer collections
  5. Insurance claims
  6. Emergency spending authority
  7. Cash reserves
  8. Credit facilities
  9. Grant funding
  10. Rent collection
  11. VAT and tax deadlines
  12. Financial reporting
  13. Delegated approval limits
  14. Fraud prevention during disruption
  15. Emergency budgeting

Cash flow can become a continuity issue very quickly.

For SMEs and charities, a few delayed receipts or emergency costs can create immediate pressure.

16. Insurance and legal considerations

The plan should record key insurance and legal contacts.

This may include:

  1. Broker
  2. Insurer
  3. Policy numbers
  4. Claims procedure
  5. Business interruption cover
  6. Cyber insurance
  7. Property insurance
  8. Professional indemnity
  9. Public liability
  10. Employers’ liability
  11. Legal adviser
  12. Contract notification obligations
  13. Regulatory reporting duties
  14. Data protection notification requirements
  15. Health and safety reporting duties

Insurance is not a continuity plan. It may help with financial recovery, but it does not keep operations running by itself.

Why business continuity planning matters

Business continuity planning matters because disruption is rarely convenient.

Incidents happen when staff are busy, deadlines are close, cash is tight, customers are demanding, trustees are concerned, suppliers are stretched, or projects are already under pressure.

A business continuity plan helps organisations:

  1. Protect people
  2. Continue critical services
  3. Reduce downtime
  4. Protect income
  5. Protect reputation
  6. Improve stakeholder confidence
  7. Support legal and regulatory compliance
  8. Reduce decision-making delays
  9. Improve communication
  10. Recover more quickly
  11. Demonstrate good governance
  12. Support audit and assurance
  13. Reduce financial impact
  14. Protect vulnerable service users
  15. Learn from incidents

Ready.gov’s continuity planning guidance explains that organisations should create a business continuity team and compile a plan to manage business disruption, including testing, training and exercises.

The key point is simple:

The worst time to design a business continuity plan is during the incident.

When to use a business continuity plan

A business continuity plan should be used when disruption affects normal operations.

Common triggers include:

  1. Premises unavailable
  2. IT systems unavailable
  3. Cyber attack
  4. Major staff absence
  5. Supplier failure
  6. Utilities failure
  7. Severe weather
  8. Fire or flood
  9. Data breach
  10. Health and safety incident
  11. Serious safeguarding concern
  12. Loss of critical records
  13. Transport disruption
  14. Public health incident
  15. Contractor failure
  16. Financial disruption
  17. Reputational crisis
  18. Regulatory incident
  19. Major customer disruption
  20. Emergency affecting service users

The plan should include activation criteria.

For example:

The business continuity plan will be activated where an incident is expected to prevent delivery of critical services for more than four hours, create significant customer or service user impact, affect staff safety, or require senior management coordination.

Business continuity planning in different industries

SMEs and owner-managed businesses

For SMEs, business continuity planning should be simple, practical and focused.

Typical risks include:

  1. Owner unavailable
  2. Cash flow disruption
  3. Major customer loss
  4. Supplier failure
  5. IT outage
  6. Cyber attack
  7. Loss of premises
  8. Staff illness
  9. Utilities failure
  10. Key data loss

A small business continuity plan should answer:

  1. Who takes charge if the owner is unavailable?
  2. How are customers contacted?
  3. Where is critical information stored?
  4. How is cash protected?
  5. How is payroll processed?
  6. What happens if the office or workshop cannot be used?
  7. How are key systems restored?
  8. Which suppliers are critical?
  9. What work must continue first?
  10. What can pause?

For SMEs, the plan should not be over-engineered. It should be usable on a bad day.

Manufacturing

Manufacturers need continuity plans for production, supply chains, machinery, labour, utilities and customer delivery.

Key issues include:

  1. Machinery breakdown
  2. Supplier disruption
  3. Stock shortage
  4. Power failure
  5. Fire
  6. Flood
  7. Product recall
  8. Transport disruption
  9. Labour shortage
  10. Quality failure

A manufacturing continuity plan should cover:

  1. Critical production lines
  2. Alternative suppliers
  3. Spare parts
  4. Maintenance support
  5. Alternative production routes
  6. Customer communication
  7. Stock buffers
  8. Health and safety response
  9. Quality assurance
  10. Logistics recovery

Manufacturing continuity planning should link closely to value chain analysis, supplier risk, maintenance planning and stock control.

Retail and ecommerce

Retail and ecommerce businesses rely on stock, websites, payment systems, fulfilment, suppliers and customer trust.

Key issues include:

  1. Website failure
  2. Payment processing outage
  3. Stock shortage
  4. Delivery failure
  5. Supplier delay
  6. Warehouse disruption
  7. Cyber attack
  8. High return rates
  9. Marketplace suspension
  10. Customer service outage

A retail continuity plan should cover:

  1. Alternative sales channels
  2. Website recovery
  3. Payment provider contact
  4. Stock prioritisation
  5. Customer communication
  6. Delivery alternatives
  7. Refund process
  8. Temporary fulfilment options
  9. Social media updates
  10. Reputation management

For ecommerce, even a short outage can affect revenue and customer confidence.

Professional services

Professional services firms need continuity plans for client work, deadlines, data, staff availability, systems and regulatory duties.

Key issues include:

  1. IT outage
  2. Cyber attack
  3. Key staff absence
  4. Missed filing deadline
  5. Client data loss
  6. Office unavailable
  7. Software failure
  8. Power or internet disruption
  9. Professional indemnity issue
  10. Client communication failure

A professional services continuity plan should cover:

  1. Deadline protection
  2. Secure access to client files
  3. Alternative communication channels
  4. Remote working
  5. Data backup
  6. Regulatory reporting
  7. Client prioritisation
  8. Staff cover
  9. Professional adviser contacts
  10. Insurance notification

For accountants, solicitors, consultants, architects and advisers, continuity planning should be linked to professional risk and client expectations.

Charities and voluntary organisations

Charities need continuity plans because disruption can affect vulnerable people, funding, volunteers, safeguarding and service delivery.

Key issues include:

  1. Loss of funding
  2. Staff sickness
  3. Volunteer shortages
  4. Premises unavailable
  5. Safeguarding escalation
  6. IT outage
  7. Referral backlog
  8. Partner failure
  9. Transport disruption
  10. Reputational incident

A charity continuity plan should cover:

  1. Critical services
  2. Safeguarding continuity
  3. Volunteer communication
  4. Funder communication
  5. Trustee escalation
  6. Beneficiary communication
  7. Alternative delivery methods
  8. Remote support
  9. Emergency funding options
  10. Service prioritisation

For charities, the plan should support mission delivery, trustee oversight and protection of beneficiaries.

Public sector and local government

Public bodies need continuity plans for statutory services, public communication, staff resilience, contractors and democratic accountability.

Key issues include:

  1. Major incident
  2. Cyber attack
  3. Demand surge
  4. Contractor failure
  5. Service backlog
  6. Severe weather
  7. Public health incident
  8. Data breach
  9. Workforce shortage
  10. Budget disruption

Public sector continuity planning should consider:

  1. Statutory duties
  2. Critical services
  3. Vulnerable residents
  4. Communication with elected members
  5. Public messaging
  6. Contractor arrangements
  7. Mutual aid
  8. Emergency planning
  9. Legal duties
  10. Equality impacts

The Government Security profession guidance refers to business continuity responsibilities including documenting risks and issues, maintaining an up-to-date organisational picture, and collaborating with incident response on structures for strategic, tactical and operational disruption.

Property and construction

Property and construction organisations need continuity plans for sites, contractors, tenants, utilities, insurance and legal obligations.

Key issues include:

  1. Fire
  2. Flood
  3. Site accident
  4. Contractor insolvency
  5. Utilities failure
  6. Planning delay
  7. Tenant disruption
  8. Security incident
  9. Building damage
  10. Access restriction

A property continuity plan should cover:

  1. Emergency contacts
  2. Tenant communication
  3. Contractor call-out
  4. Insurance notification
  5. Site security
  6. Utilities providers
  7. Alternative access
  8. Health and safety response
  9. Legal advisers
  10. Business interruption

For construction projects, the plan should connect to the construction phase plan, risk register, issue log, programme, contract arrangements and site emergency procedures.

Technology and software

Technology businesses and digital teams need continuity plans for systems, cyber security, customers, data and platforms.

Key issues include:

  1. System outage
  2. Data breach
  3. Ransomware
  4. Cloud provider failure
  5. Failed deployment
  6. Integration failure
  7. Loss of key developer
  8. Support system outage
  9. Customer data corruption
  10. Payment platform failure

A technology continuity plan should cover:

  1. Incident response
  2. Disaster recovery
  3. Backup restoration
  4. Customer communication
  5. Security escalation
  6. Support triage
  7. Service status updates
  8. Supplier escalation
  9. Regulatory notification
  10. Post-incident review

For technology businesses, the plan should be tested regularly. Untested backups and untested recovery processes are weak controls.

Healthcare and social care

Healthcare and social care organisations need continuity plans because disruption can affect safety, dignity and care quality.

Key issues include:

  1. Staff shortage
  2. Medication system failure
  3. Care record outage
  4. Safeguarding incident
  5. Infection outbreak
  6. Premises unavailable
  7. Transport disruption
  8. Utilities failure
  9. Supplier failure
  10. Communication breakdown

A care continuity plan should cover:

  1. Safe staffing
  2. Safeguarding escalation
  3. Medication continuity
  4. Care records
  5. Family communication
  6. Emergency cover
  7. Regulatory reporting
  8. Infection control
  9. Alternative premises or delivery
  10. Clinical or professional escalation

In this sector, continuity planning should always support safety, safeguarding and professional judgement.

Education and training

Education providers need continuity plans for safeguarding, learner access, teaching delivery, digital platforms, premises and funding compliance.

Key issues include:

  1. School or training site closure
  2. Tutor absence
  3. Safeguarding escalation
  4. Online platform outage
  5. Assessment delay
  6. Transport disruption
  7. Cyber attack
  8. Funding evidence loss
  9. Severe weather
  10. Learner support disruption

An education continuity plan should cover:

  1. Safeguarding arrangements
  2. Remote learning
  3. Tutor cover
  4. Learner communication
  5. Parent or employer communication
  6. Assessment continuity
  7. Digital platform recovery
  8. Attendance recording
  9. Funding evidence
  10. Quality assurance

How to create a business continuity plan properly

1. Define the purpose and scope

Start by deciding what the plan covers.

Ask:

  1. Is this plan for the whole organisation?
  2. Is it for one site, service or department?
  3. Which activities are included?
  4. Which incidents are in scope?
  5. Who owns the plan?
  6. Who approves the plan?
  7. Who uses the plan during an incident?

A clear scope prevents confusion.

2. Identify critical activities

List the activities that must continue or recover quickly.

Ask:

  1. What must keep running?
  2. What can pause temporarily?
  3. What affects customers or service users most?
  4. What affects safety or safeguarding?
  5. What affects cash flow?
  6. What affects legal or regulatory duties?
  7. What affects reputation?
  8. What affects contractual obligations?
  9. What affects the organisation’s survival?
  10. What would cause serious harm if stopped?

This stage should be practical and honest.

3. Carry out a business impact analysis

For each critical activity, assess the impact of disruption.

Consider:

  1. Financial impact
  2. Customer impact
  3. Service user impact
  4. Staff impact
  5. Legal impact
  6. Compliance impact
  7. Reputational impact
  8. Operational impact
  9. Safety impact
  10. Strategic impact

Then define:

  1. Maximum tolerable period of disruption
  2. Recovery time objective
  3. Recovery point objective
  4. Minimum service level
  5. Resources required
  6. Dependencies
  7. Workarounds

The BIA is the foundation of the plan.

4. Identify risks and disruption scenarios

Use the risk register and risk matrix to identify serious disruption scenarios.

Possible scenarios include:

  1. Loss of premises
  2. Loss of IT
  3. Loss of people
  4. Loss of supplier
  5. Loss of data
  6. Loss of utilities
  7. Loss of communications
  8. Loss of funding
  9. Loss of transport
  10. Loss of key records

The plan should not need a separate procedure for every possible incident. Instead, it should focus on the effect of the incident.

For example, it matters less whether the office is unavailable because of a fire, a flood or a police cordon. The continuity question is:

How do we operate if the office cannot be used?

5. Develop continuity strategies

For each critical activity, decide how continuity will be maintained.

Strategies may include:

  1. Remote working
  2. Alternative premises
  3. Manual processes
  4. Alternative suppliers
  5. Staff redeployment
  6. Mutual aid
  7. Data backups
  8. Cloud systems
  9. Stock buffers
  10. Emergency funding
  11. Temporary outsourcing
  12. Reduced service model
  13. Customer prioritisation
  14. Extended hours
  15. Emergency rota

The strategy should be realistic, costed where appropriate and linked to recovery times.

6. Write the plan clearly

A business continuity plan should be easy to use under pressure.

It should include:

  1. Activation criteria
  2. Roles and responsibilities
  3. Contact lists
  4. Critical activities
  5. Immediate actions
  6. Communication plan
  7. Recovery strategies
  8. IT and data arrangements
  9. Premises arrangements
  10. Supplier arrangements
  11. Finance arrangements
  12. Staff welfare arrangements
  13. Escalation routes
  14. Checklists
  15. Review and testing arrangements

Avoid long narrative where checklists would be better.

During disruption, people need clarity.

7. Assign owners and deputies

Every critical area needs an owner and deputy.

For example:

  1. Overall incident lead
  2. Operations lead
  3. IT lead
  4. Communications lead
  5. HR lead
  6. Finance lead
  7. Facilities lead
  8. Supplier lead
  9. Safeguarding lead
  10. Customer lead

If the plan depends on one person, it may fail when that person is unavailable.

8. Communicate and train

A continuity plan is only useful if people know it exists and understand their roles.

Training may include:

  1. Leadership briefing
  2. Staff awareness
  3. Role-specific training
  4. Contact cascade testing
  5. Remote working test
  6. IT recovery test
  7. Tabletop exercise
  8. Scenario workshop
  9. Supplier communication test
  10. Board or trustee briefing

The aim is not to make everyone an expert. The aim is to make sure people know what to do.

9. Test the plan

Testing is essential.

Types of testing include:

  1. Document review
  2. Contact list check
  3. Tabletop exercise
  4. Scenario exercise
  5. IT recovery test
  6. Backup restoration test
  7. Call cascade test
  8. Evacuation drill
  9. Supplier response test
  10. Full simulation

Ready.gov’s continuity planning guidance includes testing, training and exercises as part of continuity planning.

A plan that has never been tested is only a theory.

10. Review and improve

The plan should be reviewed regularly.

Review when:

  1. Staff change
  2. Suppliers change
  3. Systems change
  4. Premises change
  5. Services change
  6. Contracts change
  7. Risks change
  8. Lessons are learned
  9. An incident occurs
  10. A test reveals weaknesses
  11. Strategy changes
  12. The organisation grows

Business continuity is not a one-off exercise. It is a cycle of planning, testing, learning and improving.

Common mistakes in business continuity plans

Mistake 1: Treating it as a document rather than a capability

A plan on a shelf is not enough.

The organisation needs people, systems, training, testing and leadership.

Mistake 2: Focusing only on IT

IT is important, but business continuity is wider.

A full plan should also cover people, premises, suppliers, customers, finance, communication and governance.

Mistake 3: Not identifying critical activities

If everything is treated as critical, nothing is prioritised properly.

The plan should distinguish between essential and non-essential activities.

Mistake 4: No business impact analysis

Without a BIA, recovery priorities may be based on assumptions.

The organisation may recover the wrong things first.

Mistake 5: Out-of-date contact details

During an incident, old contact details waste valuable time.

Contact lists must be maintained.

Mistake 6: No deputies

If only one person knows what to do, the plan is fragile.

Every key role needs a deputy.

Mistake 7: Unrealistic workarounds

A workaround is only useful if it can actually be used.

For example, manual invoicing may not work if nobody has access to customer details, bank information or invoice templates.

Mistake 8: Not testing backups

Backups are not enough.

The organisation needs to know whether data can be restored within the required timescale.

Mistake 9: Poor communication planning

Silence during disruption creates anxiety and reputational damage.

Staff, customers, service users, funders, suppliers and regulators may all need timely communication.

Mistake 10: Not learning after incidents

Every disruption should lead to review.

The question should be:

What worked, what failed, and what needs to change?

Limitations and weaknesses of business continuity plans

Business continuity plans are useful, but they have limits.

They cannot predict everything

No plan can cover every possible incident.

The plan should provide principles, roles and practical actions that work across different scenarios.

They can become outdated quickly

People, systems, suppliers, contracts and services change.

A plan that is not reviewed becomes unreliable.

They can create false confidence

A polished document may look impressive but fail in practice if people are not trained and arrangements are not tested.

They depend on people

During a serious disruption, people may be stressed, unavailable or dealing with personal consequences.

Plans should be simple enough to use under pressure.

They may not cover supplier failure properly

Many organisations assume suppliers will continue operating.

That assumption may be wrong.

Critical supplier continuity should be checked.

They may underplay cash flow

Operational continuity and financial continuity are connected.

A business may continue trading but still run out of cash if receipts stop or emergency costs rise.

They can be too long

A 100-page plan may not be usable during an incident.

Detailed supporting information may be useful, but the live plan should be clear and practical.

They do not replace leadership

A business continuity plan supports decision-making.

It does not make decisions automatically.

Leadership judgement is still essential.

Business continuity plan compared with other strategic and management tools

Business continuity plan and risk register

A risk register identifies and manages risks.

A business continuity plan explains how the organisation will respond if disruption occurs.

Use the risk register to reduce likelihood and prepare controls.

Use the continuity plan to respond when disruption happens.

Business continuity plan and risk matrix

A risk matrix prioritises risks by likelihood and impact.

High-impact risks identified through the matrix may require continuity planning.

Business continuity plan and issue log

An issue log records problems that have already happened.

If an issue causes serious disruption, the business continuity plan may need to be activated.

Business continuity plan and assumptions log

An assumptions log records what a plan relies on.

A business continuity plan should challenge assumptions such as:

  1. Staff can work remotely.
  2. Suppliers will respond quickly.
  3. Backups will restore properly.
  4. Customers can be contacted.
  5. Cash reserves are sufficient.
  6. Alternative premises are available.

Business continuity plan and bow-tie analysis

Bow-tie analysis maps causes, consequences and controls.

It can help identify preventive controls and mitigating controls that should be reflected in the business continuity plan.

Business continuity plan and disaster recovery plan

The disaster recovery plan focuses mainly on IT and data recovery.

The business continuity plan focuses on the wider organisation.

Both should be aligned.

Business continuity plan and crisis management plan

The crisis management plan focuses on leadership and communication during a serious event.

The business continuity plan focuses on maintaining and recovering critical operations.

A major incident may need both.

Business continuity plan and incident response plan

An incident response plan focuses on the immediate response to a specific type of incident, such as a cyber attack or a health and safety incident.

A business continuity plan focuses on keeping the organisation operating afterwards.

Business continuity plan and insurance

Insurance may help fund recovery.

It does not usually provide immediate operational continuity.

Insurance should support the plan, not replace it.

Business continuity plan and OKRs

OKRs define objectives and key results.

A continuity plan protects the organisation’s ability to continue delivering objectives when disruption occurs.

A key result might also be used to improve continuity, such as:

Test recovery of critical systems within agreed recovery time objectives by quarter end.

Alternatives and complementary frameworks

Business impact analysis

Use a business impact analysis to identify critical activities, impacts, recovery times and resource needs.

It is one of the foundations of the business continuity plan.

Disaster recovery plan

Use a disaster recovery plan for IT systems, data and technical infrastructure.

Crisis management plan

Use a crisis management plan for senior leadership, decision-making and reputation management during a serious event.

Emergency response plan

Use an emergency response plan for immediate safety actions, such as evacuation, first aid and emergency services contact.

Risk register

Use a risk register to identify, assess and manage risks that could lead to disruption.

Bow-tie analysis

Use bow-tie analysis for high-impact risks where causes, consequences and controls need deeper review.

Supplier continuity assessment

Use supplier continuity assessment to test whether critical suppliers have their own resilience arrangements.

Cyber incident response plan

Use a cyber incident response plan for cyber attacks, data breaches, ransomware and system compromise.

Communications plan

Use a communications plan to manage staff, customer, media, supplier, regulator and stakeholder communication.

Tabletop exercise

Use tabletop exercises to test how people would respond to a realistic disruption scenario.

A practical business continuity plan template

A useful business continuity plan should include:

  1. Document owner
  2. Version control
  3. Approval date
  4. Review date
  5. Purpose
  6. Scope
  7. Activation criteria
  8. Incident assessment checklist
  9. Critical activities
  10. Business impact analysis summary
  11. Recovery time objectives
  12. Recovery point objectives
  13. Minimum service levels
  14. Roles and responsibilities
  15. Deputies
  16. Staff contact details
  17. Key supplier contacts
  18. Customer or service user communication plan
  19. IT recovery arrangements
  20. Premises recovery arrangements
  21. Alternative working arrangements
  22. Finance and cash arrangements
  23. Insurance details
  24. Legal and regulatory notifications
  25. Manual workarounds
  26. Escalation process
  27. Testing schedule
  28. Lessons learned process
  29. Appendices and supporting documents

Example:

Critical activity: Payroll processing

Impact of disruption: Staff may not be paid on time, creating hardship, employee dissatisfaction and reputational damage.

Maximum tolerable period of disruption: Three working days.

Recovery time objective: One working day.

Required resources: Payroll software, bank access, payroll records, authorised approver, payroll provider contact.

Continuity strategy: Payroll provider emergency contact, deputy payroll approver, secure remote access, emergency payment approval process.

Owner: Finance Manager.

Deputy: Operations Director.

Test frequency: Twice yearly.
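
An added illustration, not part of the original guide: the payroll entry above held as a record and checked for a recovery time objective within the maximum tolerable period, a distinct deputy, testing on schedule and a measured recovery that met the objective. The field names, the eight-hour working day used to convert working days to hours, the second entry, and all dates and measured recovery times are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Activity:
    name: str
    mtpd_hours: float                  # maximum tolerable period of disruption
    rto_hours: float                   # recovery time objective
    owner: str
    deputy: str | None
    tests_per_year: int
    last_tested: date | None
    last_recovery_hours: float | None = None  # measured in the last recovery test

def review(a: Activity, today: date) -> list[str]:
    """Return findings for one register entry; an empty list means it passes."""
    findings = []
    if a.rto_hours > a.mtpd_hours:
        findings.append("RTO exceeds MTPD")
    if not a.deputy:
        findings.append("no deputy")
    elif a.deputy.strip().lower() == a.owner.strip().lower():
        findings.append("deputy is the owner")
    if a.tests_per_year <= 0:
        findings.append("no test schedule")
    elif a.last_tested is None:
        findings.append("never tested")
    elif today - a.last_tested > timedelta(days=365 / a.tests_per_year):
        findings.append("test overdue")
    if a.last_recovery_hours is None:
        findings.append("recovery time unmeasured")
    elif a.last_recovery_hours > a.rto_hours:
        findings.append("measured recovery exceeds RTO")
    return findings

def review_register(register: list[Activity], today: date) -> dict[str, list[str]]:
    """Map each failing activity name to its findings."""
    results = {a.name: review(a, today) for a in register}
    return {name: f for name, f in results.items() if f}

WORKING_DAY_HOURS = 8           # assumption used to convert "working days"
TODAY = date(2025, 6, 1)        # constructed review date
REGISTER = [
    # From the payroll example: MTPD three working days, RTO one working day,
    # tested twice yearly. Last test date and measured recovery are constructed.
    Activity("Payroll processing", 3 * WORKING_DAY_HOURS, 1 * WORKING_DAY_HOURS,
             "Finance Manager", "Operations Director", 2, date(2025, 2, 1), 6),
    # Constructed entry showing the failures the checks are meant to catch.
    Activity("Customer support line", 8, 24, "Operations Lead",
             "operations lead", 1, date(2024, 1, 15), None),
]

if __name__ == "__main__":
    for name, findings in review_register(REGISTER, TODAY).items():
        print(f"{name}: {'; '.join(findings)}")
```
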

Questions to ask when creating a business continuity plan

Critical activity questions

  1. What must keep running?
  2. What can stop temporarily?
  3. What affects customers or service users most?
  4. What affects safety or safeguarding?
  5. What affects legal duties?
  6. What affects cash flow?
  7. What affects reputation?
  8. What affects contractual obligations?
  9. What would cause serious damage if unavailable?
  10. What must recover first?

Business impact questions

  1. What happens if this activity stops for one hour?
  2. What happens if it stops for one day?
  3. What happens if it stops for one week?
  4. What is the financial impact?
  5. What is the customer impact?
  6. What is the staff impact?
  7. What is the compliance impact?
  8. What is the reputational impact?
  9. What is the maximum tolerable period of disruption?
  10. What recovery time is required?

Resource questions

  1. Which people are essential?
  2. Which systems are essential?
  3. Which records are essential?
  4. Which suppliers are essential?
  5. Which premises are essential?
  6. Which equipment is essential?
  7. Which data is essential?
  8. Which communications channels are essential?
  9. Which approvals are essential?
  10. Which alternatives exist?

Communication questions

  1. Who needs to be informed?
  2. How quickly must they be informed?
  3. Who approves messages?
  4. What channels will be used?
  5. What if email is unavailable?
  6. What if phones are unavailable?
  7. What should staff be told first?
  8. What should customers or service users be told?
  9. What should suppliers be told?
  10. What holding statements are needed?

Testing questions

  1. Has the plan been tested?
  2. When was it last tested?
  3. What scenario was tested?
  4. Who took part?
  5. What worked?
  6. What failed?
  7. Were contact details accurate?
  8. Did recovery times prove realistic?
  9. Were backups restored successfully?
  10. What has been improved since?

Governance questions

  1. Who owns the plan?
  2. Who approves it?
  3. How often is it reviewed?
  4. How are changes recorded?
  5. Who reports to the board or trustees?
  6. How does it link to the risk register?
  7. How does it link to insurance?
  8. How does it link to IT recovery?
  9. How are lessons learned captured?
  10. Is the plan actually used in decision-making?

The best way to think about a business continuity plan

A business continuity plan is not just an emergency document.

It is a resilience tool.

A good business continuity plan should be:

  1. Practical
  2. Clear
  3. Current
  4. Tested
  5. Owned
  6. Focused on critical activities
  7. Linked to business impact analysis
  8. Linked to risk management
  9. Supported by communication plans
  10. Reviewed regularly

A weak business continuity plan says:

“Here is what we will do if something goes wrong.”

A strong business continuity plan asks:

“What must keep running, what would stop it, how quickly must we recover, who is responsible, and have we tested whether the plan works?”

The key question is not simply:

Do we have a business continuity plan?

The better question is:

Would this plan actually help us protect people, continue critical services and recover quickly during a real disruption?

Conclusion: a business continuity plan turns disruption into managed recovery

A business continuity plan remains useful because disruption is not rare, theoretical or limited to large organisations.

Every organisation depends on people, systems, premises, suppliers, cash, data and communication. If any of those fail, the organisation needs to know what happens next.

Used badly, a business continuity plan becomes a document produced for compliance, audit or insurance and then forgotten.

Used properly, it becomes a practical management tool. It helps leaders, managers, trustees and teams identify critical activities, understand disruption impacts, prepare recovery strategies, assign responsibilities, communicate clearly and improve resilience.

The real value is not in having a plan saved somewhere.

The real value is in having a plan that people understand, trust and have tested.

A strong business continuity plan helps an organisation move from saying, “We will deal with it when it happens,” to asking, “What needs to keep running, what could stop it, and are we genuinely ready?”

