Business Continuity Plan
A business continuity plan (BCP) is a document describing how your organisation maintains critical business functions during and after a crisis. The plan identifies risks, defines roles and responsibilities and establishes procedures to minimise downtime and loss.
What is a business continuity plan?
A business continuity plan (BCP) is your organisation's comprehensive plan for surviving a crisis. This could be anything from a cyber attack or power outage to a pandemic or fire. The purpose is straightforward: you must be able to continue your most important business processes even when something goes seriously wrong.
A BCP differs from a disaster recovery plan in that it covers the entire organisation, not just IT. Where disaster recovery is about getting systems back up and running, business continuity planning is about keeping the business operational during the crisis itself.
A good business continuity plan is built on a thorough risk assessment that maps out which threats are most likely and most damaging. On that basis, you prioritise which functions are critical and how quickly they must be operational again.
Contents of a business continuity plan
An effective business continuity plan typically includes the following elements:
- Business Impact Analysis (BIA): An analysis of which business processes are critical and what the consequences are if they stop. Here you establish the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each system.
- Roles and responsibilities: Who does what when the crisis strikes? The plan must designate a crisis management team and define clear chains of command.
- Communication plan: How do you inform employees, customers, authorities and suppliers? You must have contact lists and templates prepared in advance.
- Procedures for critical processes: Step-by-step instructions for maintaining or restoring each critical function.
- IT contingency: Here the plan overlaps with your disaster recovery strategy, including backup procedures and failover solutions.
- Supplier management: Identification of critical suppliers and alternative solutions. Third-party risk must be part of the assessment.
The plan must be documented as part of your policies and procedures and be accessible to all relevant employees, even when normal systems are down.
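The BIA element above sets an RTO and RPO per system, and the IT contingency element ties those targets to backup and failover arrangements. The following is an added example, not part of the original page or of any .legal product: it holds a small constructed BIA register and checks whether each system's backup interval actually satisfies its RPO, whether the last proven restore is older than the yearly test cadence the page recommends, and whether the recovery time measured in the last test stayed within the RTO. The system names, figures and dates are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class CriticalSystem:
    """One row of a Business Impact Analysis register (constructed structure)."""
    name: str
    rto_hours: float                   # Recovery Time Objective: max tolerable downtime
    rpo_hours: float                   # Recovery Point Objective: max tolerable data loss
    backup_interval_hours: float       # how often backups are actually taken
    last_restore_test: datetime        # last time a restore was proven to work
    measured_recovery_hours: Optional[float] = None  # recovery time seen in that test


# Constructed sample register; the values are illustrative, not from any real organisation.
NOW = datetime(2025, 1, 15)
SYSTEMS = [
    CriticalSystem("customer-portal", rto_hours=4, rpo_hours=1,
                   backup_interval_hours=0.25,
                   last_restore_test=datetime(2024, 11, 1), measured_recovery_hours=3),
    CriticalSystem("payroll", rto_hours=48, rpo_hours=24,
                   backup_interval_hours=24,
                   last_restore_test=datetime(2023, 6, 1), measured_recovery_hours=20),
    CriticalSystem("erp", rto_hours=8, rpo_hours=4,
                   backup_interval_hours=24,
                   last_restore_test=datetime(2024, 12, 1), measured_recovery_hours=12),
]


def bia_findings(systems: List[CriticalSystem], now: datetime,
                 max_test_age_days: int = 365) -> List[Tuple[str, str, str]]:
    """Return (system, finding code, detail) for every gap between targets and reality.

    RPO      - backups are taken less often than the RPO allows, so a failure could
               lose more data than the business accepted in the BIA.
    UNTESTED - no restore has been proven within the test cadence (default: one year).
    RTO      - the last test showed recovery takes longer than the RTO.
    """
    findings = []
    for s in systems:
        if s.backup_interval_hours > s.rpo_hours:
            findings.append((s.name, "RPO",
                             f"backups every {s.backup_interval_hours}h exceed RPO of {s.rpo_hours}h"))
        if now - s.last_restore_test > timedelta(days=max_test_age_days):
            findings.append((s.name, "UNTESTED",
                             f"last proven restore on {s.last_restore_test:%Y-%m-%d}"))
        if s.measured_recovery_hours is not None and s.measured_recovery_hours > s.rto_hours:
            findings.append((s.name, "RTO",
                             f"measured recovery {s.measured_recovery_hours}h exceeds RTO of {s.rto_hours}h"))
    return findings


def recovery_order(systems: List[CriticalSystem]) -> List[str]:
    """Order systems for recovery by tightest RTO first (ties keep register order)."""
    return [s.name for s in sorted(systems, key=lambda s: s.rto_hours)]


if __name__ == "__main__":
    for name, code, detail in bia_findings(SYSTEMS, NOW):
        print(f"{name:16} {code:9} {detail}")
    print("recovery order:", " -> ".join(recovery_order(SYSTEMS)))
```

Run as a script, it lists each gap and the order in which systems should be brought back; the same functions can be pointed at an exported BIA register instead of the embedded sample. The RPO check is the one most often missed in practice: a written RPO of four hours is meaningless while the backup job only runs nightly.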
Regulatory requirements for business continuity
Several regulations impose direct or indirect requirements for business continuity planning:
GDPR requires in Article 32 that you can restore the availability of personal data in a timely manner following an incident. In practice, this presupposes a business continuity plan and a testing strategy.
NIS2 sets explicit requirements for business continuity for essential and important entities. You must have continuity plans, crisis management processes and procedures for incident response.
DORA (Digital Operational Resilience Act) applies to financial undertakings and sets detailed requirements for ICT continuity plans, testing of these plans and reporting to supervisory authorities.
ISO 27001 addresses business continuity in Annex A and requires that your information security policy encompasses continuity management. A structured approach through an ISMS makes it easier to integrate continuity planning into day-to-day operations.
Testing and maintenance
A business continuity plan that has never been tested is not a plan. It is a document. Testing is what determines whether the plan holds up in practice.
There are several ways to test:
- Tabletop exercise: The team walks through a scenario verbally and identifies gaps in the plan.
- Simulated exercise: A more realistic test where selected processes are actually activated.
- Full test: The entire organisation acts as if the crisis is real. This is the most demanding but also the most instructive form of testing.
After each test you must document the results, identify weaknesses and update the plan. This cycle mirrors the continuous improvement you know from internal audit and management review.
The plan must also be updated when the organisation changes: new systems, new locations, new suppliers or new regulatory requirements. Make maintenance a fixed part of your compliance framework.
Frequently Asked Questions about business continuity plans
What is the difference between a business continuity plan and a disaster recovery plan?
A business continuity plan covers the entire organisation's ability to continue operations during a crisis, whilst a disaster recovery plan focuses specifically on restoring IT systems and data after a disruption.
Who is responsible for the business continuity plan?
Senior management bears overall responsibility for the business continuity plan. In practice, most organisations appoint a continuity coordinator or team that maintains and tests the plan on an ongoing basis.
How often should a business continuity plan be tested?
Best practice is to test the business continuity plan at least once a year. In the event of significant organisational changes, new systems or following an actual incident, you should test more frequently.
Does GDPR require a business continuity plan?
GDPR requires the ability to restore the availability of personal data in a timely manner following a physical or technical incident (Article 32). A business continuity plan is the most effective way to document and ensure this.
Related Terms
Disaster Recovery
Disaster recovery is the process of restoring IT systems, data and infrastructure after a serious incident such as a cyber attack or hardware failure.
Business Continuity Management
The framework for planning and preparing an organisation to maintain critical business processes and ensure rapid recovery after disruptive events, including information security continuity under ISO 27001.
Incident Response Plan
A documented plan for how an organisation detects, handles and recovers from cyberattacks or serious IT incidents, as required under NIS2.
.legal A/S
.legal is not a law firm and is therefore not under the supervision of the Bar Council.