The anatomy of a business continuity plan
A BCP that has not been tested is a false comfort. The seven sections aligned to ISO 22301 and BCI GPG, and the five failure modes that catch plans out.
Definition
Business continuity plan — a documented set of procedures and information developed, compiled, and maintained in readiness for use in an incident, so that the organisation can continue to deliver critical activities at an acceptable predefined level (ISO 22301).
Most business continuity plans are long documents written once, signed off by a director who has not read them, filed in a shared drive folder nobody can locate under pressure, and last updated three technology generations ago. A BCP that is not actively maintained and regularly tested is not a plan — it is a false comfort.
The seven sections of a complete BCP
Section 1 — Scope and purpose: What the BCP covers, what it explicitly excludes, who has authority to activate and execute, and what regulatory obligations it addresses.
Section 2 — Business Impact Analysis (BIA): Which functions are critical, the MTPD for each, the MBCO (minimum acceptable service level during an incident), and all dependencies. Signed off by business owners, not IT alone.
Section 3 — Risk assessment: Most likely disruption scenarios mapped to critical functions. The bridge between abstract criticality and concrete planning.
Section 4 — Response strategies: For each critical function and priority scenario: what manual workarounds exist, what alternate resources are available, who has the authority to commit funds, and the activation sequence.
Section 5 — Crisis communications plan: Who communicates with whom — staff, customers, regulators, media, board — on what channels, with what authority, at what cadence, using what pre-approved message frameworks.
Section 6 — Testing schedule: ISO 22301 requires regular testing. The BCI GPG defines five exercise types: tabletop walkthrough, structured walkthrough, simulation, parallel test, full interruption test. Committed cadence, named owners, findings incorporated.
Section 7 — Maintenance and review: Who owns the BCP, what triggers an out-of-cycle review, and how changes are version-controlled. The section that prevents drift into obsolescence.
"A BCP without a Business Impact Analysis is a plan built on assumptions rather than evidence. And assumptions fail at the worst possible moment."
Common BCP failures
-
1The BCP is out of dateWritten before the last major migration, restructure, or supplier change. By the time it is needed, it is fiction.
-
2The BCP owners have leftThe plan names individuals who have moved on or changed roles. In an incident, nobody knows who is responsible for what.
-
3The BCP has never been testedThe most common failure of all. The first test should never be a real incident, but for many organisations it is.
-
4Resources assumed that are no longer availableThird-party contracts not renewed, alternate sites occupied, staff moved on. Each unavailable resource is a step the response cannot take.
-
5The BCP is too detailed to use under pressureA 200-page document is not suitable for incident response. Summary activation cards and one-page quick-reference sheets are essential.
Closing
A BCP is not a document. It is a capability. The difference is testing. The organisations that survive significant disruption exercised last quarter, found three things wrong, fixed them, and are scheduled to exercise again. A BCP that lives in a drawer will not save a business. A BCP rehearsed, refined, and known by the people who will execute it just might.