business continuity plan questions

• Managed IT Services Resources
• Data Backup
• Network Monitoring
• IT Consulting
• IT Help Desk
• Network Support
• Planning & Design
• Vendor Management
• Voice & Data Cabling
• Unified Communications
• On-Premise Phone Systems
• Cloud-Hosted Phone Systems
• Cloud Backup
• Cloud Hosting
• Cloud Security
• Cloud Storage
• Hybrid Cloud Services
• Security Solutions
• Cybersecurity Training
• Threat Detection
• Email Security Solutions
• Client Portals
• SCHEDULE A DEMO
• (402) 704-4543

Technology Unwrapped

The most important technology concepts, strategies and actions uncovered for your business.

Business Continuity and Disaster Recovery: 17 Key Questions to Ask + [Incident Response]

As any business can attest, maintaining a business continuity and disaster recovery (BCDR) plan is important to reducing your business risk and downtime. And now you have incident response plans to consider as well. Each business continuity plan (BCP) and disaster recovery plan (DRP) serves a specific purpose and will outline your response strategies, processes, and responsibilities when a disruptive event occurs. 

Disasters, big or small, can include things like:  

• Natural Disasters: Floods, fires, and blizzards  
• Human Error: Accidental deletions or security/data breaches  
• Hardware failures or power outages  
• Cybersecurity attacks
• And more  

No matter what type s of events or incidents may attempt to knock your business offline, you   will want to have steps you can take to ensure  your technology is useable to keep your business, in business .  The benefit of maintaining these plans is that  you  can continue business operations with minimal  downtime , as well as the least possible  productivity and revenue interruption .  

What is a business continuity and disaster recovery plan?  

The goal of a BC/DR plan is, as TechTarget explains, to “limit risk and get an organization running  as close to normal as possible  after an unexpected interruption.”   

Business continuity and disaster recovery plans are designed to  maintain  productivity when  problems arise, all the while reducing the risk of data loss and  the potential for lost revenue .   

However,  there are key differences, and  these three terms are not interchangeable.    

Information in the section below was updated on August 28, 2023.

What are the differences between business continuity, disaster recovery, and incident response plans?  

Business continuity plan.

A business continuity plan   is an outline or full document that states how your business will resume operations during a disaster or unplanned incident. The plan includes processes and procedures that your company is dependent on and must implement in order to continue core business functions. You will want the plan to focus on the daily products and services you deliver, as well as quoting and invoicing so that you are able to receive money. These plans are short-term fixes that continue basic business functions, including access to vital company data. 

Disaster Recovery Plan

The disaster recovery plan , on the other hand, is the steps your business is going to take to recover after a disaster or event. How are you bringing up the systems you need and recovering business functions? The plan efforts are generally concentrated on bringing your technology back online and prioritizing IT components that will support your business process and functions. While business continuity should cover data accessibility to quickly get important functions running, disaster recovery is the longer-term step to bring your business back to fully functioning.

Incident Response Plan

So what is an incident response plan?  This plan is specific to cybersecurity threats and attacks that may impact your business. Like the plans above they are put in place and tested on a regular basis. Your business has IT security tools, monitoring,  and likely cybersecurity insurance, however, your team must know what actions to take when a debilitating event occurs. Your incident response plan will include what actions need to be taken to minimize the impact of incidents, quickly restore normal operations, and effectively manage the aftermath.  Be certain to take advantage of outsourced teams that are knowledgeable in conducting a business impact analysis and putting these plans together. The plans and expertise will set your mind at ease. Now, at the same time, review the questions you and your team can ask yourselves to start collecting the information you need to either craft your plans or work with the experts.

What questions do I consider when crafting my company’s  business continuity and disaster recovery  plan?  

As discussed in our eBook, The 4 Business Continuity Planning Essentials, there  are several   key  questions  to ask  as you work  on  your company’s  specific plan. These questions may not be exhaustive, since no two businesses are the same, but they are a good framework to help you through the process.

1. Ensure Employee Well-Being  

If your business is thrown off-kilter by a disaster, such as part of your city flooding (including your office building), then one of your first priorities is to keep employees safe. The second is to keep them informed. They can both be challenging, but make sure your emergency planning sessions address the following questions:   

• How will my company keep employees safe during a disaster event?  
• How will my company communicate essential information to employees following the event?  
• How can my company test its communication methods before a disaster happens, so we know we’re prepared?

2. Keep Customers in the Loop  

Once you know your employees are safe, you also need to keep your customers informed about what’s happening with your business.   

Are you continuing operations from a different location? Are you shifting to a remote model for the time being?   

The important thing here is to make sure that you r  customers can get their questions , like the ones mentioned in the previous paragraph, answered,  so they aren’t surprised by momentary glitches in service.   

Consider these questions to keep your customers in the loop:   

• What communication methods will we use to reach our customer base?  
• How do we plan to handle the influx of  customer  questions and  needs  following an event?  
• Do we have the necessary strategies in place to keep our company's reputation intact?  

3. Enable IT Uptime  

When it comes to getting your IT back online following an emergency event, you’ll need to take these questions into consideration :   

• What is our current data backup plan ?  
• How long will it take for our company data to be available following an event?  
• Do our employees have access to their necessary applications?  
• If our office is unavailable, do we have the ability to shift to a remote model?  
• Do we have adequate voice operations for a remote working model?  
• When was the last time we tested our data backups and disaster recovery plans?  

4. Keep your  business moving  forward  

Midsized businesses can’t afford prolonged periods of downtime. You need to continue business operations as efficiently as possible when responding to a major event, unusual weather patterns, or a disaster. In that case, don’t forget to take these questions into account:  

• How long can my business safely afford to be offline?  
• Are there technologies we can take advantage of to continue operations?  
• Does my business have the right kind of insurance to cover not only damaged technology or office equipment but also warehouse inventories and other assets?  
• Are the right people trai ned  on our recovery processes?
• What are the key roles and responsibilities that  I need to assign ?  

Developing a BC/DR plan is no easy feat, but it is a critical aspect of running a business.  

There is a lot to  think about  when drafting your  business continuity and disaster recovery  plan, and the CoreTech team is here to help. From designing your technological infrastructure and data backups to helping you draft your actual business continuity and disaster  plans,  our expert consultants are here to answer your questions.   

We know that no two businesses are alike, and your IT setup and strategies shouldn’t be either. When you  schedule a meeting  with us, we take the time to learn about your business goals and needs to recommend the best  technological  solutions ,   and plans  of action ,  for you.

In the meantime, I invite you to download our eBook,  The 4 Business Continuity Planning Essentials.  This guide to forming a BC/DR plan covers these 4 topics in greater detail, providing crucial knowledge and tips for your business's emergency plans. 

Additional Resources:

• How are Business Continuity, Disaster Recovery, and Data Backups Different?
• Managed Backups: Why Your Business Needs Them
• Simplify Your Use of Microsoft Outlook with These 7 Productivity Tips

Subscribe to Email Updates

Posts by topic.

• Security Threats (45)
• Network Security (32)
• The Workplace (24)
• Microsoft Products (20)
• Staff Training (19)
• Trends (19)
• Technology Planning (18)
• Data Breach (14)
• Owners & Managers (14)
• IT Support (12)
• Outsourced IT (8)
• Phone Systems (8)
• Equipment Purchases (6)
• Finance (4)
• Manufacturing (4)
• Our Company (4)
• Cybersecurity (3)
• Health Care (3)
• Local Omaha News (3)
• Artificial Intelligence (2)
• Unified Communications (2)
• It Policies (1)
• Password Management (1)

Authors List

• Angela Wight (15)
• Bob Tingwald (1)
• Chris Vilim (19)
• CoreTech Staff (1)
• CoreTech Staff (3)
• CoreTech Staff (8)
• CoreTech Staff (2)
• CoreTech Staff (33)
• Damon Hagerty (1)
• Derek Warak (3)
• Eric Weber (1)
• Ethan Weber (1)
• Jason Hahn (2)
• Joel Havenridge (8)
• Lori Mahoney (1)
• Tom Montgomery (4)
• Wynn Obermeyer (4)

CoreTech 9711 M St. Omaha, NE 68127 402.398.9580 [email protected]

Subscribe to Our Blog

Receive helpful security alerts, time-saving tips and technology trends directly in your inbox.

• Lincoln, Nebraska
• Council Bluffs, Iowa

7 Business Continuity Plan Questions To Ask When Developing Your BCP

American novelist Thomas Berger once mused that, “the art and science of asking questions is the source of all knowledge.” The quest for answers, searching beyond the surface and challenging currently accepted assumptions, provokes greater understanding and wisdom in any aspect of life…even in developing business continuity plans (BCPs).

To build a robust, full actionable plan, you must ask questions and consider what is missing or needs to be refined. To help your organization develop the most successful program, we’ve gathered five important questions to pollinate your plans.

7 Questions You Ask to Develop Strong Business Continuity Plans

1. what are your company’s critical functions.

You cannot begin to build your plan without understanding what processes and operations most impact your ability to conduct business and maintain services without incurring damage and loss.

2. What are your chief products and services?

What products or services would induce significant revenue or customer loss if they were undeliverable for a certain period of time? Knowing this information helps you better focus your efforts.

3. What risks are your organization most likely to encounter based on your geographical location?

Is your home office located in a flood-prone valley? Does your third-party vendor dwell in the snow-packed northern country? Are several of your satellite locations populating regions extreme heat inflicts power outages? Consider your unique weather patterns and other geographical influences on your facilities.

That’s not to say that organizations in, say, Washington state shouldn’t prepare for a tornado because it’s ‘unlikely.’ But, when your enterprise or supply chain resides in an area prone to particular business-disrupting weather events, preparation is critical. Are employees prepared to address internet outages due to loss of power? What will you do if 90 percent of your workforce is unable to make it onsite due to heavy snowfall? What if an earthquake renders your office uninhabitable?

Think it through and prepare for it.

4.  Do you have backup for crucial job functions and incident response tasks?

Only in a perfect world would employees never get sick or go on vacation. What if your office gets hit by the latest stomach virus and your entire accounting department is out sick? Do you have another employee who can get payroll completed in time? Or what if top-management – which includes key incident responders – is visiting a conference when a crisis hits? Do you have other personnel who can step in and handle the situation appropriately?

5. Can you avoid disruption of service when key locations are closed?

Situations of any severity can cause a site closure – from something as devastating and destructive as a tornado hit to something as benign as a national holiday. Will you have enough product in stock if your manufacturing facility is closed? Do you have an alternate work site if your office is flooded? Do you have an emergency communication plans to reach employees?

6.  Do you have backups of all important data?

If you do possess backups, when was the time they were updated? Failing to keep current backups of vital data plagues many enterprises. A backup made even a year ago may be obsolete or lack critical information at the very least. Also, are those backups kept on a separate server or locations from the originals? Storing backup data in the same location as the original defeats the purpose.

7. Can you be certain your plan is without vulnerabilities?

Do all employees know their role? Are all staff aware of the plan and, at least superficially, of its processes and procedures? In what amount of time can you  actually  respond and recover as opposed to what you’ve proposed on paper? What if one of your intended processes fails? These kinds of questions must be answered to ensure success. And these answers can be found by testing your plan.

This of course, is not a fully comprehensive list, but it should get you started thinking about what’s important. Don’t settle for templated plans, think about your unique organization, what threats are most likely to surface, and what you need to do to recovery quickly avoid disruptions.

Want to remain resilient and protect your bottom line? Visit our  website  or  contact a Riskonnect certified business continuity professional today. We will be happy to help.

Share This, Choose Your Platform!

Related posts.

Resilience Lessons from the Tragic Collapse of the Francis Scott Key Bridge

Geopolitical Risk: 3 Techniques to Protect Your Business

APRA CPS 230: What You Need to Know Now

• BCM and ERM Difference
• BCAW 2021: 7 Tips to Elevate Business...
• Business Continuity Roles and Responsibilities

Review our cookie policy

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.

Privacy Overview

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Business Continuity Planning

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

• Business Continuity Plan Situation Manual
• Business Continuity Plan Test Exercise Planner Instructions
• Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

What Is A Business Continuity Plan? [+ Template & Examples]

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

• Business Continuity Types
• Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

• Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

• Free Crisis Management Plan Template
• 12 Crisis Communication Templates
• Post-Crisis Performance Grading Template
• Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

Don't forget to share this post!

Related articles.

How to Navigate Customer Service During a Business Closure

10 Crisis Communication Plan Examples (and How to Write Your Own)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

ISO 22301 Business Continuity Simplified: Fortify Your Business Against Disruption

By Andy Marker | June 22, 2020 (updated September 15, 2022)

• Share on Facebook
• Share on LinkedIn

Link copied

In this article, you’ll find expert tips and implementation guides, and you'll learn how ISO 22301 can buffer your business against disasters. 

Included on this page, you’ll find an International Standards Organization (ISO) 22301 audit checklist template , a simplified ISO 22301 cheat-sheet , and an ISO 22301 self-assessment checklist , as well as examples of ISO 22301 in action and an ISO 22301 quick-start guide .

What Is ISO 22301?

ISO 22301 is a global standard for business continuity planning requirements to help organizations protect themselves against disruptions. The most current version is 22301:2019, Security and resilience - Business continuity management systems - Requirements.

The requirements in ISO 22301 address disruptive incidents that can be natural or human-made, widespread or local, intentional or unintentional, such as a snowstorm, a broken water main, an epidemic, a data breach, or a phishing attack. Large or small, for- and nonprofit organizations alike can use ISO 22301.

The Business Manager’s Quick-Start Guide to ISO 22301

The ISO 22301 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification, or the review process that confirms your business continuity system meets all ISO 22301 requirements. 

"Certification is nice, but not required,” says Mart Rovers of InterProm. “First, seek compliance. That way, you know that your business continuity management practices are in better shape." You can start to create a solid business continuity plan with just a few simple steps, which you can also download as this ISO 22301 Quick-Start Guide .

• Check If You Already Have Continuity Plans: Find out if your organization already has business continuity plans. Search through your document management system and ask management or long-time employees. Organizations sometimes create and quickly forget about resources, or store responses locally in an informal system.  As Andrew Nichols of the Michigan Manufacturing Technology Center suggests, if your organization already implements other ISO standards, such as ISO 9001 or ISO 27000, you can leverage some of the common requirement elements for your 22301 plan.
• Identify Missing Components: Conduct a gap analysis of existing policies and processes to see what business continuity resources you need. According to Mart Rovers, one way to conduct a self-assessment is to copy into a spreadsheet each phrase of the ISO 22301 standard that contains the word "shall." Then, determine gaps between your company and the standard. "Use the standard as your guide to establishing a coherent set of practices to address business continuity management for your organization," says Rovers. You can also use Smartsheet's ISO 22301 Self-Assessment Checklist and ISO 22301 Simplified Cheatsheet for your gap analysis.
• Keep It Simple: Having binders full of perfectly formatted procedures won’t help in an emergency. Create easy-to-follow guidelines and checklists and, more importantly, build "muscle memory" in your employees through training and drills. That way, in a panic, people understand what to do without having to be told.
• Make Your Plan a Living Document: Ticking off items on an audit checklist doesn't mean you’re prepared. Frequently read, revise, and practice your plan to keep it relevant and to train new staff.

• Communicate Your Plan to Staff and Other Stakeholders: Even the most well-written plan is useless if the people who can benefit from it don't know about it. Inform everyone covered by the plan that it exists, including your supply chain and other outside stakeholders.

ISO 22301 Requirements

The ISO 22301 standard offers a framework for planning, testing, and monitoring a business continuity management system (BCMS). The ISO 22301 document contains 10 sections, which introduce the standard and definitions, as well as actionable requirements of the standard. 

As with other ISO requirement documents, ISO 22301 describes only what organizations must do to reach minimum proficiency — it does not prescribe how to achieve these standards. Each organization must consider its distinct conditions and obligations to find the best way to follow the requirements.

Here is an overview of the clauses in ISO 22301 that impact an organization most: 

• Clause 4, Context: Your organization must understand what it is, what it does, and what outputs and processes it must sustain. You must also determine who has a stake in the continuity of your operations — in other words, the interested parties. For example, customers have a stake in your organization continuing to function.
• Clause 5, Leadership: Few organizational initiatives thrive without the sustained support and championship of top management. Management must commit to a business continuity plan and make available any resources — human, financial, or otherwise — to ensure its success. 
• Clause 6, Planning: To plan for sustainability, you must understand what disruptions could potentially occur and how these incidents affect the business — in other words, potential risks and their impact. Set measurable business continuity objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. 
• Clause 7, Support: No program can advance without resources and support. Decide what personnel, roles, and teams you need for threat response and how you can best enhance their effectiveness. Create internal and external communication procedures for reference, and communicate the continuity plan to all necessary parties before and during a crisis. Establish a document management system for key continuity documents, such as procedures.
• Clause 8, Operation: Conduct your risk assessment and business impact analysis , and plan your disruption recovery approach. Implement the recovery plan with detailed procedures, and test it regularly to verify that it works. Make sure people can find the procedures (and other documents) they need, and revise your plan as necessary.
• Clause 9, Evaluation: Establish a process to regularly measure and assess your continuity policies and procedures and their execution. Review and revise your plan and documents to ensure they are effective and relevant
• Clause 10, Improvement: Seek continual improvement in all functional and operational areas, including through periodic management reviews. Improvements in day-to-day activities help bolster the organization in times of disruption. When processes veer from the standard or fail to conform with ISO and quality management standards, implement corrective action.

Key Definitions Related to ISO 22301

Some of the following key terms and concepts originate with ISO, some with ISO 22301, and some with business continuity and risk management:

• Context: The purpose and character of the organization and the environment in which it operates. This includes internal and external influences that shape the business continuity management system.
• Disruptive Incident: A disruptive incident is an event that stops or slows the everyday work of an organization. Examples of disruptive incidents include earthquakes, internet stoppages, broken fans in a data center, or food poisoning in a cafeteria. 
• Interested Parties: Interested parties are stakeholders in the successful operation and outcomes of your business continuity plan. They can include customers, employees, suppliers, or regulatory officials.
• Leadership: In ISO 22301, leadership refers to top management or the person or people who run the organization and champion the business continuity effort. 
• Maximum Acceptable Outage (MAO): The length of time an activity or process can be unavailable or ineffective before the health and survival of the organization are threatened. 
• Minimum Business Continuity Objective (MBCO) : The lowest level of products or services that is acceptable for a business to offer during a disruption.
• Recovery Timeframe Objectives (RTO): This refers to the prioritization of key activities and the timing that makes those activities operational.

Benefits of ISO 22301 and Business Continuity Management System

If teams are already overwhelmed with their workload, they may not like to think about disasters. Furthermore, organizations might think that ISO standards include difficult jargon and that pursuing a continuity plan adds unnecessary work. However, management systems practitioners suggest that continuity preparations produce substantial gains.

“I think it's a truism that many organizations can benefit from the principles and some of the practices of resiliency and contingency planning,” says Andrew Nichols, Quality Program Manager at the Michigan Manufacturing Technology Center .

As an example of the benefits that risk analysis and preparation can yield, Nichols relates his experience of visiting a small northeastern town during a widespread winter power outage. The whole town was closed, with the exception of one restaurant that had a generator. 

“They had a line of people out the door every mealtime because nowhere else was capable,” Nichols remembers. “Somebody had the foresight to think about the loss of power. And that organization cleaned up financially because they were able to provide what the customers needed.” 

Consider these specific benefits to using ISO 22301 business continuity planning:

• Protect against and recover from disruptive incidents.
• Identify and control current and future threats.
• Improve your risk management planning efforts.
• Prevent large-scale damage.
• Become proactive in preventing problems and recovering from incidents, rather than reactive to damage and disruption.
• Reduce downtime and increase recovery time.
• Keep important activities running during disruption.
• Deliver quality products consistently. 
• Provide dependable service. 
• Prove you’re a reputable supplier.
• Prove your resilience to all stakeholders.

Experts also assert that ISO 22301 can be a simple and effective continuity tool. “All these ISO standards, they’re like hidden gems because of how fast they can get you up to speed without having to reinvent the wheel,” says Mart Rovers, President of IT consulting firm InterProm . 

“I cannot emphasize enough how within reach this standard is. Anytime people hear the word ‘ISO,’ they think, ‘Oh, that's for large organizations. Oh, that's way too formal. It's too much. It's overkill.’ I understand where this is coming from because the word ‘standard’ itself is scary for many organizations. However, the size of organization really doesn't matter. The things you should be doing in ISO 22301, you can do at a smaller scale,” says Rovers. 

Some also hesitate at the thought of certification. Both Nichols and Rovers stress that certification is not necessary for every enterprise. Although certification may be a condition of doing business for some companies, those who don’t need certification can still gain advantages from following ISO 22301. 

In weighing the pros and cons of ISO certification, Rovers suggests buying a copy of ISO 22301 , and then copying and pasting each sentence that contains the word “shall” into a spreadsheet (these sentences represent the requirements you must follow). From the spreadsheet, consider whether full ISO adoption and certification are too complicated for your organization. Regardless of your decision, you can always use the spreadsheet to conduct a self-audit.

ISO 22301 in Action

The following image provides a small sample of the possible outcomes to business continuity management.

How a Management System Helps Business Continuity

For those familiar with other ISO standards, the management system component of ISO 22301 might be a new concept. Rovers describes management systems as follows: 

“The best way to explain a management system is to imagine opening up an old watch. It has these spinning wheels, these gears. In the case of an ISO standard, you're looking at a number of requirements to put that watch together with all these spinning wheels. That watch is a coherent system. You take out one of those gears, and then the watch fails. 

“A management system for continuity follows the same idea — every requirement that the standard asks for represents one of those gears. And every requirement serves a distinct purpose (otherwise, it would not be a requirement). If you don't meet a particular requirement, the watch, so to speak, may not function as it could or should. These ISO requirements are not just there to keep you busy.”

ISO 22301 and PDCA

Each segment of the PDCA (plan-do-check-act) cycle for continuous improvement corresponds to at least one ISO 22301 clause. Organizations can use ISO 22301 to test continuity procedures, review outcomes, and implement updates or fix problems in a continuous cycle that leads to an increasingly resilient business continuity system.

ISO 22301 and Maturity Models

A maturity model measures an organization’s ability to pursue continuous improvement in key areas. ISO 22301 does not have a maturity model.

As Rovers explains, “It was never the intent of ISO 22301 to be a maturity model. You either meet all the requirements of the standard, or you don’t. You could say that by not meeting the requirements of the standard, you’re not mature. Or better said, your business continuity management practices are not mature.”

BCM Lifecycle ISO 22301

The business continuity management (BCM) lifecycle represents industry best practices and some of the core requirements of ISO 22301. These practices offer a solid foundation for resilience, while offering flexibility to adapt to changes in the organization. 

Guided by leadership, these are the key activities for the lifecycle:

• Conduct a business impact analysis and risk assessment.
• Establish a business continuity strategy.
• Establish and implement business continuity procedures.
• Exercise and test the procedures regularly before a disruption occurs.

ISO 22301 Audit Checklist Template (Excel)

Use this detailed checklist to determine if your business continuity plan aligns with ISO 22301 standards. You can use the template whether you’re applying for certification or simply pursuing a continuity management plan. 

Download ISO 22301 Audit Checklist Template

Excel  | Smartsheet

ISO 22301 Self-Assessment Checklist

This self-assessment checklist is divided into sections that correspond to clauses in ISO 22301. Use it to confirm whether your business continuity system meets the requirements for leadership, planning, support, operation, performance evaluation, and continual improvement.

Download ISO 22301 Self-Assessment Checklist Template

Excel | Word |  PDF

ISO 22301 Implementation Guide

This guide states the essential information from ISO 22301 in plain English. For best results, read it with the full standard, which is currently available for free online to support the COVID-19 response. 

Download ISO 22301 Implementation Guide Template

Excel | Word | PDF

ISO 22301 Simplified Cheat-Sheet

Use this simplified cheat-sheet to understand the basic elements of creating a business continuity plan. The template walks you through the process of determining critical aspects of your organization, writing the recovery plan, and exercising the plan to ensure proficiency. 

Download ISO 22301 Simplified Cheat-Sheet Template

ISO 22301 Business Continuity Policy Template

A business continuity policy describes the processes and procedures an organization needs in order to function well daily, including in times of disruption and crisis. This policy template includes space for BCMS objectives, a leadership description, a policy outline, and any certification details.

Download ISO 22301 Business Continuity Policy Template

ISO 22301 Business Continuity Template

Use this template to create a business continuity plan. Describe the results of your risk analysis and business impact analysis, detail your disaster recovery and continuity procedures, and list key contacts and important assets. 

Download ISO 22301 Business Continuity Template

Word |  PDF

ISO 22301 Business Continuity Sample

The Community Nonprofit Center of New York made available this business continuity template to support the response to coronavirus. Find space to detail responses to minimal and critical emergencies, a risk matrix template, and lists for information about insurance, critical assets, and responses to disruptive events.

For other most useful free, downloadable business continuity plan (BCP) templates please read our  "Free Business Continuity Plan Templates"  article.

Disaster Recovery Plan Templates

After you perform a risk analysis and business impact analysis, consider writing a disaster recovery plan. Disaster recovery plan templates , available in different formats, provide an easy-to-use structure for documenting continuity plans. Download templates specialized for IT, payroll, small businesses, and more.

To learn about the difference between recovery plans and continuity plans, visit our "Business Continuity and Disaster Recovery: Their Differences and How They Work Together" article.

ISO 22301 Versus ISO 27301

ISO 27301 provides requirements that organizations use to ensure their information and communications technology (ICT) continuity, security, and readiness to survive a disruption. The standard is often staged with ISO 22301 because both are based on similar management system approaches.

The full name of this standard is ISO 27301 - Information Technology - Security Techniques . Originally published in 2011, it is soon to be revised.

“Both [ISO 27301 and ISO 22301] ask for top management involvement and commitment, both ask that you have the right resources, that you have documentation management, that you do performance evaluations, and that you make improvements,” explains Rovers. 

They differ in the focus of the risk assessment: ISO 27001 addresses security, whereas ISO 22301 addresses business continuity. “Each area has different risks, but the approach to the risk management assessment and mitigation follows the same steps. There's enormous overlap.”

IT security continuity has significant relevance in the remote work environment. For example, while using your work laptop at home or signed into the work network, what happens when someone innocently plugs in a thumb drive that infects your laptop and corrupts the network? Both ISO 22301 and ISO 27001 work together to prevent such incidents and mitigate problems that occur.

For additional resources, visit " Free ISO 27001 Checklists and Templates ."

General Requirements Across Management System Standards

Some ISO requirements are commonly stated across the management system standards, which include ISO 22301; ISO 9001 , Quality Management; ISO 20000, IT Service Management; and ISO 27001, Information Security. Examples of common requirements include establishing objectives for the business continuity management system as appropriate to the organization, obtaining management’s commitment to supporting the system, implementing a documentation management system, conducting internal audits, and pursuing continual improvement. This functional overlap enables organizations to undertake combined audits for these standards.

Historical Foundations of ISO 22301

The concept of business continuity was borne out of the IT boom of the 1980s and 1990s. Public and private organizations realized the need to ensure continuity of service and key supplies and to mitigate the effects of disruptive events. The first formal standard reflecting these concerns was the United Kingdom’s British Standard (also known as BS) 25999, which introduced the management system concept to the business continuity discipline. 

In 2012, the global standards body ISO released ISO 22301:2012 as the first international standard for business continuity. Based on the contributions and comments of continuity professionals from assorted industries in over 60 countries, ISO 22301 superseded BS 25999. 

ISO’s consensus-based standards, such as 22301, cover practices and industries ranging from quality management, IT service, and food safety to environmental safety and information security. ISO standards aim to increase the quality and safety of many products and services, including most common household items, appliances, and cars. Although large enterprises and manufacturers usually follow ISO requirements and guidelines, organizations of all sizes and types can benefit from ISO principles. 

For ISO 22301, the standard provides a consistent BCMS framework and a universal language among organizations for communicating about continuity and aligning processes.

When they get certified in ISO 22301 and other ISO standards, organizations can demonstrate to management, legislators, regulators, customers, and other stakeholders that they follow good practices. For ISO certification, organizations need third-party verification that they comply with all requirements of a standard. 

“Certification shows you have some level of competence,” explains Rovers. “It shows you take the standard seriously. For organizations buying your goods or services, it can be a compelling reason to choose you.”

Guidance Documents for ISO 22301

For in-depth discussions of aspects of the 22301 standard, ISO offers a series of guidance documents. To those considering pursuing ISO 22301 certification, these documents provide additional insight:

• ISO 22313 - Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301
• ISO 22316 - Security and resilience — Organizational resilience — Principles and attributes
• ISO 22317 - Societal security — Business continuity management systems — Guidelines for business impact analysis (BIA)
• ISO 22318 - Societal security — Business continuity management systems — Guidelines for supply chain continuity
• ISO 22330 - Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
• ISO 22331 - Security and resilience — Business continuity management systems — Guidelines for business continuity strategy

What Is the Latest Version of ISO 22301?

The requirement document ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements , was released on October 31, 2019. The update from the original 2012 version reflects changes in management system approaches and clarifies specifications around clause 8.

Build Powerful, Automated Business Processes and Workflows with Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk. 

These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Tough questions for: your business continuity plan

Listen to the news for just an hour and you’ll hear all the justification you need for business continuity planning: labor strikes, civil unrest, hacker attacks, natural disasters, manmade disasters, and a host of other events with the potential to abruptly halt critical business operations. Yet much like the TV news, many business continuity plans just skim the surface, leaving out crucial elements necessary to respond to such events.

Conventional wisdom holds that business continuity planning (BCP) is mainly about information technology (IT) and the nuts and bolts of IT disaster recovery. Not so. BCP produces significantly more value when it goes beyond just keeping IT systems running or restoring a damaged facility. What’s at stake? Protecting reputation, maintaining market share, reducing exposure to stakeholder lawsuits, enhancing insurability, and minimizing risk. For all these reasons, BCP should be a core business practice.

In the past, technology has clearly played a key role in the business continuity process. In today’s climate, for a recovery plan to be successful, technology must be treated as an enabler rather than a solution. IT cannot, by itself, address organizational resiliency. This shift in outlook demands that BCP be more closely tied to overall business planning. A true continuity plan must go beyond traditional emergency response and become an important part of a company’s strategic focus.

The following six questions will stretch the limits of how business leaders view BCP. For companies with continuity plans in place, these questions may stimulate concern over whether or not they would be fully prepared should the unthinkable actually take place.

Is business continuity a strategic or tactical issue for your organization?

Task-driven continuity plans create documents the size of large telephone books, but tactics quickly become obsolete and irrelevant when not tied to an enterprise-focused strategy. By making BCP part of strategic planning, senior managers gain a more robust perspective on the recovery process. For instance, an event’s impact on key staff and critical assets is often overlooked. An effective business continuity plan must consider protection of these assets to ensure an organization’s ability to restore its revenue flow. Business leaders who have engaged in aggressive cost-cutting actions in pursuit of a better profit margin should be aware that they have likely exposed themselves to significant new risks as a result of these actions.

Does your BCP emphasize keeping customers whole in addition to restoring damaged assets?

An effective business continuity plan does more than identify the steps required to restore halted operations. Many traditional disaster recovery plans limit their scope to emergency response, such as evacuations, first aid, and facility protection. These, however, are just early components of a business continuity plan. Making emergency response the primary objective at the expense of larger strategic considerations can leave a business unprepared in the event of a crisis. In contrast, an effective business continuity strategy considers risks beyond facility restoration; such a strategy establishes contingencies to these risks, such as prearranged alternate sourcing, and includes intentional operational redundancies.

Does business continuity support your company’s operational effectiveness and lean initiatives?

Inventory reduction has been a rallying cry for U.S. businesses trying to become leaner, more efficient organizations. But when an incident threatens to stop the flow of goods and services to customers, managers must already know (as a result of their business continuity due diligence) how long current inventory levels and safety reserves can continue to meet demand. BCP helps businesses decide if a short-term gain in the bottom line is worth exposing the organization as a whole to increased long-term vulnerability.

Companies don’t always need an in-depth business impact analysis as a foundation for developing a business continuity plan. But underwriters, shareholders, and government regulators have demonstrated growing interest in knowing which resources a lean business can deploy to launch and maintain a recovery plan. A holistic look at the organization through the lens of the business continuity process provides reassurance for all stakeholders and demonstrates the prudence and foresight of senior management.

Have you factored BCP into your fiduciary responsibilities?

There are not many examples of leaders in fiduciary roles being taken to task for lack of BCP planning, at least for now. It is only a matter of time before stakeholder suits against an unprepared business become more commonplace.

Sarbanes-Oxley considerations have placed a new emphasis on ensuring that companies keep their businesses whole. Insurance underwriters are now asking for a more thorough review of an organization’s BCP. Many organizations claim an effective plan is in place without actually satisfying the underwriter’s need for detailed BCP documentation, thereby compromising their fiduciary responsibility.

When was the last time senior management tested business continuity?

Companies must constantly evolve to meet competitive challenges in the global marketplace. From costly investment in new products or services to satellite offices in new markets, each change introduces increasingly critical assets to protect or restore, and key liabilities and exposures to mitigate. Making business continuity part of overall business planning and practices is key to ensuring that a recovery strategy evolves with the business and is capable of supporting an effective response. One way to ensure BCP remains a part of your everyday business practices is by conducting regular tabletop exercises. This allows senior managers to invest in the development of their plan, which will identify weaknesses and enhance existing response actions before the plan is actually deployed.

Are you prepared to respond to the public and your customers within 15 minutes of an event?

In today’s climate of instant media, a business has a maximum 24-hour window to set the tone of its response to a crisis, though in many cases, senior management will need to react much faster. Stakeholders demand to know what has happened and what the organization is doing about it. A relatively minor event can escalate quickly into a serious crisis when customers respond impulsively, looking to mitigate the impact on their own operations and consequently overloading the organization’s communication systems. This vulnerability is especially acute with operations such as call centers and Web sites, where failure is instantly visible.

Management may only have moments to respond in order to prevent a small event from escalating into a serious crisis. Prior planning and preparation are key to this rapid response. The days of issuing a “no comment” statement are long gone; in fact, such a response may lead some to jump to the conclusion that there is a serious problem or wonder what it is that the organization is not willing to disclose.

Who delivers the reassurances is just as important as what is communicated. Internal communications professionals should always be made part of the crisis management team and used as the initial spokespersons, especially while the parameters of the crisis are still in flux. However, effectively maintaining or reclaiming a company’s reputation will require that senior management be prepared to explain the situation and remedial steps that are being taken, once the extent of the problem is known. Communications that manage public and customer perceptions must be integrated with a business recovery strategy to eliminate stakeholder uncertainty and provide clear information about what happened to the organization and what management is doing to repair it. Even government agencies, with unlimited expertise and funding, are not ensured of effective communications in the aftermath of a crisis without effective planning—just look at New Orleans during and after hurricane Katrina.

The bottom line is that BCP is no longer a luxury. If a pharmaceutical provider of life-saving drugs loses a key supplier and can no longer supply customers with the medicine they need to stay healthy, that provider will be answerable for the lack of planning. If the product has a short shelf life and no plan exists to easily migrate to a competitive drug until after the crisis ends, there’s an immediate impact on millions of people and perhaps an irreversible blow to an organization’s reputation and, ultimately, market share. Likewise, an unexpected event is no longer an adequate excuse for a loss in shareholder value. Management and stakeholders are beginning to recognize the potential for business interruption. The bar is being set higher, and will only be cleared by those organizations whose leaders make continuity of their business operations a prime objective.

Jerry Coletta heads Milliman’s business continuity consulting practice and is based in the company’s Boston office. He has been involved in risk management and consulting for much of his career, and developed Milliman’s state-of-the-art, graphics-based business continuity methodology. Jerry is a chemical engineer by training. He is a nationally recognized expert in manufacturing, distribution, and supply-chain-related business continuity processes. He has published numerous articles, has contributed to several academic volumes, and has accepted many lecturing and teaching assignments.

Bill Carolan is a consultant based in Southern California who is part of Milliman’s business continuity consulting practice in Boston. He has worked in risk management for more than 20 years, and specializes in the design, implementation, management, auditing, and testing of business continuity plans. Bill previously practiced law, and later directed risk management services at a large property and casualty insurance brokerage firm. He is a member of the California Bar Association and the American Society of Safety Engineers.

About the Author(s)

Jerry coletta, william carolan, we’re here to help.

Ask the tough questions. We’re ready for them.

Share this page

Listen to the news for just an hour and you’ll hear all the justification you need for business continuity planning labor strikes, civil unrest, hacker attacks, natural disasters, manmade disasters, and a host of other events with the potential to

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

Home  >  Learning Center  >  Business continuity planning (BCP)  

Article's content

Business continuity planning (bcp), what is business continuity.

In an IT context, business continuity is the capability of your enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures.

The core of this concept is the business continuity plan — a defined strategy that includes every facet of your organization and details procedures for maintaining business availability.

Start with a business continuity plan

Business continuity management starts with planning how to maintain your critical functions (e.g., IT, sales and support) during and after a disruption.

A business continuity plan (BCP) should comprise the following element

1. Threat Analysis

The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include:

2. Role assignment

Every organization needs a well-defined chain of command and substitute plan to deal with absence of staff in a crisis scenario. Employees must be cross-trained on their responsibilities so as to be able to fill in for one another.

Internal departments (e.g., marketing, IT, human resources) should be broken down into teams based on their skills and responsibilities. Team leaders can then assign roles and duties to individuals according to your organization’s threat analysis.

3. Communications

A communications strategy details how information is disseminated immediately following and during a disruptive event, as well as after it has been resolved.

Your strategy should include:

• Methods of communication (e.g., phone, email, text messages)
• Established points of contact (e.g., managers, team leaders, human resources) responsible for communicating with employees
• Means of contacting employee family members, media, government regulators, etc.

From electrical power to communications and data, every critical business component must have an adequate backup plan that includes:

• Data backups to be stored in different locations. This prevents the destruction of both the original and backup copies at the same time. If necessary, offline copies should be kept as well.
• Backup power sources, such as generators and inverters that are provisioned to deal with power outages.
• Backup communications (e.g., mobile phones and text messaging to replace land lines) and backup services (e.g., cloud email services to replace on-premise servers).

Load balancing business continuity

Load balancing  maintains business continuity by distributing incoming requests across multiple backend servers in your data center. This provides redundancy in the event of a server failure, ensuring continuous application uptime.

In contrast to the reactive measures used in failover and  disaster recovery  (described below) load balancing is a preventative measure.  Health monitoring  tracks server availability, ensuring accurate load distribution at all times—including during disruptive events.

Disaster recovery plan (DCP) – Your second line of defense

Even the most carefully thought out business continuity plan is never completely foolproof. Despite your best efforts, some disasters simply cannot be mitigated. A disaster recovery plan (DCP) is a second line of defense that enables you to bounce back from the worst disruptions with minimal damage.

As the name implies, a disaster recovery plan deals with the restoration of operations after a major disruption. It’s defined by two factors: RTO and  RPO .

• Recovery time objective (RTO)  – The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services. A different RTO should be assigned to each of your business components according to their importance (e.g., ten minutes for network servers, an hour for phone systems).
• Recovery point objective (RPO)  – The point to which your state of operations must be restored following a disruption. In relation to backup data, this is the oldest age and level of staleness it can have. For example, network servers updated hourly should have a maximum RPO of 59 minutes to avoid data loss.

Deciding on specific RTOs and RPOs helps clearly show the technical solutions needed to achieve your recovery goals. In most cases the decision is going to boil down to choosing the right failover solution.

See how Imperva Load Balancer can help you with business continuity planning.

Choosing the right failover solutions

Failover  is the switching between primary and backup systems in the event of failure, outage or downtime. It’s the key component of your disaster recovery and business continuity plans.

A failover system should address both RTO and RPO goals by keeping backup infrastructure and data at the ready. Ideally, your failover solution should seamlessly kick in to insulate end users from any service degradation.

When choosing a solution, the two most important aspects to consider are its technological prowess and its service level agreement (SLA). The latter is often a reflection of the former.

For an IT organization charged with the business continuity of a website or web application, there are three failover options:

• Hardware solutions  – A separate set of servers, set up and maintained internally, are kept on-premise to come online in the event of failure. However, note that keeping such servers at the same location makes them potentially susceptible to being taken down by the same disaster/disturbance.
• DNS services  – DNS services are often used in conjunction with hardware solutions to redirect traffic to a backup server(s) at an external data center. A downside of this setup includes  TTL-related delays  that can prevent seamless disaster recovery. Additionally, managing both DNS and internal data center hardware failover solutions is time consuming and complicated.
• On-edge services  – On-edge failover is a managed solution operating from off-prem (e.g., from the  CDN  layer). Such solutions are more affordable and, most importantly, have no TTL reliance, resulting in near-instant failover that allows you to meet the most aggressive RTO goals.

Latest Blogs

• Industry Perspective

Lynne Murray

Apr 2, 2024 3 min read

Brian Robertson

Mar 11, 2024 4 min read

Feb 28, 2024 5 min read

Latest Articles

• Regulation & Compliance

629.3k Views

200.9k Views

42.7k Views

42.4k Views

40.5k Views

36.1k Views

30.1k Views

26.6k Views

2024 Bad Bot Report

Bad bots now represent almost one-third of all internet traffic

The State of API Security in 2024

Learn about the current API threat landscape and the key security insights for 2024

Protect Against Business Logic Abuse

Identify key capabilities to prevent attacks targeting your business logic

The State of Security Within eCommerce in 2022

Learn how automated threats and API attacks on retailers are increasing

Prevoty is now part of the Imperva Runtime Protection

Protection against zero-day attacks

No tuning, highly-accurate out-of-the-box

Effective against OWASP top 10 vulnerabilities

An Imperva security specialist will contact you shortly.

Top 3 US Retailer

Select Page

5 critical questions to ask when preparing a business continuity plan

Posted by Michele Marius | 19 Feb 2014 | Business , Computing , ICT/Tech , Lists | 1

Business continuity plans have become an essential requirement for organisations, and where there is an even greater reliance on IT/ICT, it is critical to minimise downtime and disruption to the organisation, its employees and customers.

Increasingly, organisations, their employees and customers are relying on technology, IT and ICT for seamless, efficient and effective operations, which they cannot afford to have malfunction, period. However, developing a business continuity plan (even for an IT/ICT department) can be an involved process, and may be a bit overwhelming to those charged with spearheading its preparation. As a starting point, this post outlines five critical questions that should be answered by an organisation (or an IT/ICT department) to improve its understanding of the impact of disruptive incidents, and provide essential inputs for the discussions and efforts required to produce the final plan.

Definition and context

Business continuity is a well-developed concept for which a number of internationally accepted standards have been developed. One of the most widely accepted is that of the International Standards Organisation (ISO 22301:2012), which defines business continuity as,

… the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident…  (Source: Business Continuity Institute )

By extension, business continuity management encompasses

…a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities…  (Source: ISO 22301:2012, Business Continuity Institute )

The established standards would set out a detailed approach and requirements to comprehensively address business continuity. The questions below in no way replace those standards and processes, but hope to begin to orient organisations to mindset and thinking needed to begin developing such a critical plan and supporting systems.

Q1.  What are the organisation’s purpose, core roles and functions?

To establish the correct context for the business continuity planning process, it is important from the outset to identify the organisation’s core roles and functions. In the exercise, it is likely that a number of items will be listed; hence it is necessary to also rank them by how critical they are to the organisation and its mandate.

From an IT/ICT perspective, this process should also be followed. However, the questions should first be answered from an organisational perspective. (If an organisational business continuity plan exists, that information might be readily available.) However, thereafter, the focus should be on identifying what might be the IT/ICT department’s mandate, or the role of IT/ICT within the organisation, and ensuring that they are aligned with the overarching organisational obligations.

Q2.  What are the critical products and/or services that must be delivered?

Following on from the previous question, this question encourages a fuller recognition and examination of the products and/or services that must be delivered by the organisation to its clients and customers. Generally, the results of that engagement are a key source of revenue for the business, or are otherwise used to gauge its performance.

Again, it may be necessary to rank the listed goods and services in order of priority, as acceptable delivery levels and downtime are likely to be more stringent for the most critical ones, and ultimately may vary across the list of products and services.

Q3.  What are the types of disruptions the organisation can experience?

Although a key purpose of a business continuity plan is to focus on minimising and managing the aftermath of a disruptive incident, it is critical to ensure that the plan also includes preventative measures that can be implemented and provide some redundancy against failure. Hence it is recommended that attention be given to identifying the types of disruptive incidents to which the organisation could be subject, and arranging them by likely frequency and potential impact on the organisation.

Factors such as geographic and physical location, country and civil stability, the actual products and services offered, among other things, are likely to influence the types of disruptions listed, and how they are ranked. For example, tropical storms and hurricanes frequently occur across most of the Caribbean – from the Bahamas to Saint Vincent and the Grenadines, and so should feature prominently in plans developed in those countries. However, for plans developed in Curaçao or Guyana, for example, that specific type of storm might be considered a rare occurrence, as those countries generally lie outside the hurricane belt.

Within the context of an IT/ICT business continuity plan, disruptive incidents may be scheduled or unexpected, or may be internal to the network, or due to external forces. Examples of disruptive incidents that could affect an organisation’s IT/ICT infrastructure and ought to be listed and considered would include, but not limited to:

• electrical outages
• equipment damage and malfunction
• software glitches
• the effects of system breaches/network hacking
• equipment/system servicing, upgrades, changeovers.

Q4.  What is the likely impact of disruptions?

Having identified the organisation’s critical products and services and the types of disruptions that may be experienced, it now possible to synthesise those outputs to begin to determine the impact of those disruptions. It is emphasised that it is not enough to state that a particular incident might be “highly disruptive”, or have “minimal impact”. Instead, it is recommended that the exercise consists of determining, among other things:

• how long could the organisation function without a particular product or service?
• how long customers might be prepared to be inconvenienced by the absence of a product or service?

Q5. What are the consequences to the organisation?

In order to truly drive home the importance of business continuity, the final question to be answered is regarding the consequences to the organisation.  Again, it is best to be thorough and, to the extent possible, quantify the losses that could result, for example with respect to:

• loss of revenue
• additional expenses that may be incurred, such as for penalties and fines, for interim arrangements, and to rectify to problem, and
• other losses that might be incurred, such as sanctions that might be imposed, or losses to the organisation’s reputation, market share, or stock price.

In summary, the above five questions would provide organisations with a solid foundation upon which to develop their business continuity plans, and to appreciate the resources that may be needed for its successful implementation. It is therefore emphasised that the effort made to thoroughly address these questions will have an impact on the final quality of the plan developed.

Image credit:  nirots ( FreeDigitalPhotos.net )

_______________

About The Author

Michele Marius

Michele Marius has a wealth of experience in the telecoms and ICT space, which has been gained in the Caribbean, Southeast Asia and the South Pacific, and in the public and private sectors. She is the Editor and Publisher of ICT Pulse.

Related Posts

Rss: really so simple to collect information online.

19 July 2011

Top 5 free iPhone apps in the Caribbean

14 February 2014

Fusing ICT and human resource: has that boat already left the Caribbean?

29 January 2014

Snapshot: 2014 update on mobile data affordability in the Caribbean

23 July 2014

While the focus has been on instances of down-time, I think the questions and issues raised are equally pertinent to periods of business growth as well.

More so when pursuing business growth in new products and new market segments; the sort of growth that hinges tightly on ICT as it’s platform/enabler.

Upcoming Events

8th caribbean ict regulators forum, caribbean spectrum management conference , meeting of the spectrum management task force, ipv6 for decision makers: more connected people, smarter systems, and more secure internet, 2nd small island developing states internet governance forum.

We use essential cookies to make Venngage work. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

Manage Cookies

Cookies and similar technologies collect certain information about how you’re using our website. Some of them are essential, and without them you wouldn’t be able to use Venngage. But others are optional, and you get to choose whether we use them or not.

Strictly Necessary Cookies

These cookies are always on, as they’re essential for making Venngage work, and making it safe. Without these cookies, services you’ve asked for can’t be provided.

Show cookie providers

• Google Login

Functionality Cookies

These cookies help us provide enhanced functionality and personalisation, and remember your settings. They may be set by us or by third party providers.

Performance Cookies

These cookies help us analyze how many people are using Venngage, where they come from and how they're using it. If you opt out of these cookies, we can’t get feedback to make Venngage better for you and all our users.

• Google Analytics

Targeting Cookies

These cookies are set by our advertising partners to track your activity and show you relevant Venngage ads on other sites as you browse the internet.

• Google Tag Manager
• Infographics
• Daily Infographics
• Popular Templates
• Accessibility
• Graphic Design
• Graphs and Charts
• Data Visualization
• Human Resources
• Beginner Guides

Blog Business 7 Business Continuity Plan Examples

7 Business Continuity Plan Examples

Written by: Danesh Ramuthi Nov 28, 2023

A business continuity plan (BCP) is a strategic framework that prepares businesses to maintain or swiftly resume their critical functions in the face of disruptions, whether they stem from natural disasters, technological failures, human error, or other unforeseen events.

In today’s fast-paced world, businesses face an array of potential disruptions ranging from cyberattacks and ransomware to severe weather events and global pandemics. By having a well-crafted BCP, businesses can mitigate these risks, ensuring the safety and continuity of their critical services and operations. To further safeguard their operations, integrating measures to protect against ransomware into their BCP is a natural and essential step.

Responsibility for business continuity planning typically lies with top management and dedicated planning teams within an organization. It is a cross-functional effort that involves input and coordination across various departments, ensuring that all aspects of the business are considered.

For businesses looking to develop or refine their business continuity strategies, there are numerous resources available. Tools like Venngage’s business plan maker and their business continuity plan templates offer practical assistance, streamlining the process of creating a robust and effective BCP. 

Click to jump ahead: 

7 business continuity plan examples

Business continuity types, how to write a business continuity plan, how often should a business continuity plan be reviewed, business continuity plan vs. disaster recovery plan, final thoughts.

In business, unpredictability is the only certainty. This is where business continuity plans (BCPs) come into play. These plans are not just documents; they are a testament to a company’s preparedness and commitment to sustained operations under adverse conditions. To illustrate the practicality and necessity of these plans, let’s delve into some compelling examples.

Business continuity plan example for small business

Imagine a small business specializing in digital marketing services, with a significant portion of its operations reliant on continuous internet connectivity and digital communication tools. This business, although small, caters to a global clientele, making its online presence and prompt service delivery crucial.

Scope and objective:

This Business Continuity Plan (BCP) is designed to ensure the continuity of digital marketing services and client communications in the event of an unforeseen and prolonged internet outage. Such an outage could be caused by a variety of factors, including cyberattacks, technical failures or service provider issues. The plan aims to minimize disruption to these critical services, ensuring that client projects are delivered on time and communication lines remain open and effective.

Operations at risk:

Operation: Digital Marketing Services Operation Description: A team dedicated to creating and managing digital marketing campaigns for clients across various time zones. Business Impact: High Impact Description: The team manages all client communications, campaign designs, and real-time online marketing strategies. An internet outage would halt all ongoing campaigns and client communications, leading to potential loss of business and client trust.

Recovery strategy:

The BCP should include immediate measures like switching to a backup internet service provider or using mobile data as a temporary solution. The IT team should be prepared to deploy these alternatives swiftly.

Immediate measures within the BCP should encompass alternatives like switching to a backup internet service provider or utilizing mobile data, supplemented by tools such as backup and recovery systems, cloud-based disaster recovery solutions, and residential proxies , while the IT team should be prepared to deploy these swiftly. 

Additionally, the company should have a protocol for informing clients about the situation via alternative communication channels like mobile phones.

Roles and responsibilities:

Representative: Alex Martinez Role: IT Manager Description of Responsibilities:

• Oversee the implementation of the backup internet connectivity plan.
• Coordinate with the digital marketing team to ensure minimal disruption in campaign management.
• Communicate with the service provider for updates and resolution timelines.

Business continuity plan example for software company

In the landscape of software development, a well-structured Business Continuity Plan (BCP) is vital. This example illustrates a BCP for a software company, focusing on a different kind of disruption: a critical data breach.

Scope and objectives:

This BCP is designed to ensure the continuity of software development and client data security in the event of a significant data breach. Such a breach could be due to cyberattacks, internal security lapses, or third-party service vulnerabilities. The plan prioritizes the rapid response to secure data, assess the impact on software development projects and maintain client trust and communication.

Operation: Software Development and Data Security Operation Description: The software development team is responsible for creating and maintaining software products, which involves handling sensitive client data. In the realm of software development, where the creation and maintenance of products involve handling sensitive client data, prioritizing security is crucial. Strengthen your software development team’s capabilities by incorporating the best antivirus with VPN features, offering a robust defense to protect client information and maintain a secure operational environment. The integrity and security of this data are paramount.

Business Impact: Critical Impact Description: A data breach could compromise client data, leading to loss of trust, legal consequences and potential financial penalties. It could also disrupt ongoing development projects and delay product releases.

The IT security team should immediately isolate the breached systems to prevent further data loss. They should then work on identifying the breach’s source and extent. Simultaneously, the client relations team should inform affected clients about the breach and the steps being taken. The company should also engage a third-party cybersecurity or pentest firm for an independent investigation and recovery assistance.

Representative: Sarah Lopez Role: Head of IT Security Contact Details: [email protected] Description of Responsibilities:

• Lead the initial response to the data breach, including system isolation and assessment.
• Coordinate with external cybersecurity experts for breach analysis and mitigation.
• Work with the legal team to understand and comply with data breach notification laws.
• Communicate with the software development team leaders about the impact on ongoing projects.

Related: 7 Best Business Plan Software for 2023

Business continuity plan example for manufacturing

In the manufacturing sector, disruptions can significantly impact production lines, supply chains, and customer commitments. This example of a Business Continuity Plan (BCP) for a manufacturing company addresses a specific scenario: a major supply chain disruption.

This BCP is formulated to ensure the continuity of manufacturing operations in the event of a significant supply chain disruption. Such disruptions could be caused by geopolitical events, natural disasters affecting key suppliers or transportation network failures. The plan focuses on maintaining production capabilities and fulfilling customer orders by managing and mitigating supply chain risks.

Operation: Production Line Operation Description: The production line is dependent on a steady supply of raw materials and components from various suppliers to manufacture products. Business Impact: High Impact Description: A disruption in the supply chain can lead to a halt in production, resulting in delayed order fulfillment, loss of revenue and potential damage to customer relationships.

The company should establish relationships with alternative suppliers to ensure a diversified supply chain. In the event of a disruption, the procurement team should be able to quickly switch to these alternative sources. Additionally, maintaining a strategic reserve of critical materials can buffer short-term disruptions. The logistics team should also develop flexible transportation plans to adapt to changing scenarios.

Representative: Michael Johnson Role: Head of Supply Chain Management Contact Details: [email protected] Description of Responsibilities:

• Monitor global supply chain trends and identify potential risks.
• Develop and maintain relationships with alternative suppliers.
• Coordinate with logistics to ensure flexible transportation solutions.
• Communicate with production managers about supply chain status and potential impacts on production schedules.

Related: 15+ Business Plan Templates for Strategic Planning

BCPs are essential for ensuring that a business can continue operating during crises. Here’s a summary of the different types of business continuity plans that are common:

• Operational : Involves ensuring that critical systems and processes continue functioning without disruption. It’s vital to have a plan to minimize revenue loss in case of disruptions.
• Technological : For businesses heavily reliant on technology, this type of continuity plan focuses on maintaining and securing internal systems, like having offline storage for important documents.
• Economic continuity : This type ensures that the business remains profitable during disruptions. It involves future-proofing the organization against scenarios that could negatively impact the bottom line.
• Workforce continuity : Focuses on maintaining adequate and appropriate staffing levels, especially during crises, ensuring that the workforce is capable of handling incoming work.
• Safety : Beyond staffing, safety continuity involves creating a comfortable and secure work environment where employees feel supported, especially during crises.
• Environmental : It addresses the ability of the team to operate effectively and safely in their physical work environment, considering threats to physical office spaces and planning accordingly.
• Security : Means prioritizing the safety and security of employees and business assets, planning for potential security breaches and safeguarding important business information.
• Reputation : Focuses on maintaining customer satisfaction and a good reputation, monitoring conversations about the brand and having action plans for reputation management.

As I have explained so far, a Business Continuity Plan (BCP) is invaluable. Writing an effective BCP involves a series of strategic steps, each crucial to ensuring that your business can withstand and recover from unexpected events. Here’s a guide on how to craft a robust business continuity plan:

1. Choose your business continuity team

Assemble a dedicated team responsible for the development and implementation of the BCP. The team should include members from various departments with a deep understanding of the business operations.

2. Outline your plan objectives

Clearly articulate what the plan aims to achieve. Objectives may include minimizing financial loss, ensuring the safety of employees, maintaining critical business operations, and protecting the company’s reputation.

3. Meet with key players in your departments

Engage with department heads and key personnel to gain insights into the specific needs and processes of each department. This helps in identifying critical functions and resources.

4. Identify critical functions and types of threats

Determine which functions are vital to the business’s survival and identify potential threats that could impact these areas. 

5. Carry on risk assessments across different areas

Evaluate the likelihood and impact of identified threats on each critical function. This assessment helps in prioritizing the risks and planning accordingly.

6. Conduct a business impact analysis (BIA)

Perform a BIA to understand the potential consequences of disruption to critical business functions. It has to be done in determining the maximum acceptable downtime and the resources needed for business continuity.

7. Start drafting the plan

Compile the information gathered into a structured document. The plan should include emergency contact information, recovery strategies and detailed action steps for different scenarios.

8. Test the plan for any gaps

Conduct simulations or tabletop exercises to test the plan’s effectiveness. This testing can reveal unforeseen gaps or weaknesses in the plan.

9. Review & revise your plan

Use the insights gained from testing to refine and update the plan. Continual revision ensures the plan remains relevant and effective in the face of changing business conditions and emerging threats.

Read Also: How to Write a Business Plan Outline [Examples + Templates]

A Business Continuity Plan (BCP) should ideally be reviewed and updated at least annually. 

The annual review ensures that the plan remains relevant and effective in the face of new challenges and changes within the business, such as shifts in business strategy, introduction of new technology or changes in operational processes. 

Additionally, it’s crucial to reassess the BCP following any significant business changes, such as mergers, acquisitions or entry into new markets, as well as after the occurrence of any major incident that tested the plan’s effectiveness. 

However, in rapidly changing industries or in businesses that face a high degree of uncertainty or frequent changes, more frequent reviews – such as bi-annually or quarterly – may be necessary. 

A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are two crucial components of organizational preparedness, yet they serve different functions. The BCP is aimed at preventing interruptions to business operations and maintaining regular activities. 

It focuses on aspects such as the location of operations during a crisis (like a temporary office or remote work), how staff will communicate and which functions are prioritized. In essence, a BCP details how a business can continue operating during and after a disruption​​​​.

On the other hand, a DRP is more specific to restoring data access and IT infrastructure after a disaster. It describes the steps that employees must follow during and after a disaster to ensure minimal function necessary for the organization to continue. 

Essentially, while a BCP is about maintaining operations, a DRP is about restoring critical functions, particularly IT-related, after a disruption has occurred​

It’s clear that having a robust and adaptable business continuity plan (BCP) is not just a strategic advantage but a fundamental necessity for businesses of all sizes and sectors. 

From small businesses to large corporations, the principles of effective business continuity planning remain consistent: identify potential threats, assess the impact on critical functions, and develop a comprehensive strategy to maintain operations during and after a disruption.

The process of writing a BCP, as detailed in this article, underscores the importance of a thorough and thoughtful approach. It’s about more than just drafting a document; it’s about creating a living framework that evolves with your business and the changing landscape of risks.

To assist in this crucial task, you can use Venngage’s business plan maker & their business continuity plan templates . These tools streamline the process of creating a BCP, ensuring that it is not only comprehensive but also clear, accessible and easy to implement. 

Discover popular designs

Infographic maker

Brochure maker

White paper online

Newsletter creator

Flyer maker

Timeline maker

Letterhead maker

Mind map maker

Ebook maker

• ERM Solution
• Compliance Solution
• Operational Resilience Management Solution
• IT Risk Management (ITRM) Solution For Regulated Industries
• Audit Solution
• Procurement Solution
• The Quantivate Platform
• Enterprise Risk Management
• Business Continuity
• Vendor Management
• Compliance Management
• IT Risk Management
• Internal Audit
• Issue Management
• Complaint Management
• Policy & Document Management
• Consulting for GRC Success
• ERM Services
• Vendor Due Diligence
• Contract Review
• Business Continuity Services
• Credit Unions
• Financial Services
• Mortgage Banking
• Resource Center
• Webinars & Events
• About Quantivate
• Request a Demo

12 Questions to Assess Your Business Continuity Program Maturity

• January 16, 2019

Can you trust your business continuity plan to get you through a crisis?

Your organization’s business continuity and disaster recovery plans are an essential part of protecting your critical processes and resources in case of a disaster or other unexpected event.

Get the conversation started about improving your business continuity management procedures and see how your organization measures up with 12 questions to assess the maturity of your BC/DR program.

How to Assess Your Business Continuity Program Maturity

1. what is the scope of your program does it take into account all the processes and resources identified in your business impact analysis does it consider stakeholder requirements (stakeholders may include management, customers, regulators, etc.), 2. have you identified your organization’s critical business processes by overall impact and risk, 3. have you identified the dependencies needed to perform your critical processes (may include applications, vendors, skills, locations, other processes, etc.), 4. have you calculated the acceptable amount of time following an unplanned incident that a service or technology can be unavailable (i.e., the recovery time objective / rto), 5. have you calculated the maximum data loss each system can tolerate following an unplanned incident (i.e., the recovery point objective / rpo), 6. have you conducted exercises to verify the recovery time and recovery point objectives of key dependencies, 7. have you developed and documented a consistent process for responding to incidents, 8. have you conducted a scenario exercise to ensure that staff members know their roles and responsibilities, 9. are your bc/dr plans well-documented and easy to implement (i.e., not dependent on particular individuals), 10. do you have a maintenance timetable and process for reviewing and updating your plans, 11. have your plans been updated within the last year, 12. do you have a system in place to communicate to all staff in a timely manner, need some help maturing your business continuity program.

If you answered “no” to any of these questions, it maybe be time to upgrade to a complete business continuity solution. Quantivate can help, with Business Continuity Software that features guided processes for identifying critical processes and dependencies, completing a business impact analysis, conducting scenario-based exercises, and more — all in one centralized platform.

Plus, our expert consultants can help fast-track your business continuity program maturity with service options including:

• Maturity roadmap
• Business impact analysis (BIA)
• Threat and vulnerability assessment
• RTO and RPO documentation
• Plan owner interviews

Learn more about Quantivate Business Continuity Software & Services or request a personalized demo .

Stay up to date with the latest news, compliance alerts, and thought leadership for the financial services industry:

More topics.

• Risk Management
• Regulatory Compliance
• Cybersecurity
• Integration
• Third-Party Risk
• AML Compliance
• Third-Party Risk Management
• Information Security

10 Questions To Ask When Developing A Business Continuity Plan

Every business should have a business continuity plan in place in order to remain operational and efficient should the unexpected happen. “ The main goals of a business continuity plan  are to improve responsiveness by the employees in different situations, ease confusion by providing written procedures and participation in drills and help ensure logical decisions are made during a crisis.” There are several questions your business will need to answer to create a comprehensive business continuity plan that keeps your business operating at a sufficient level.

1. What is the scope of your business continuity plan?

How big do you really need to go, and what kind of budget do you have available to funnel into your preparations? A business continuity plan is a necessary investment, and an appropriate budget that ensures your needs are met should be set aside. Start with the bare bones of what you need to remain operational and expand from there as your budget allows.

2. What are your key business areas that need to be accounted for?

Each area of your business has a varying degree of importance and specific needs. Which ones are vital to ensure continuity, and what type of support will they require? Certain departments are more essential than others to keep running in the event of an emergency. Some may be able to be scaled back or temporarily shut down without causing significant disruption.  

3. Which functions are vital to business continuity?

Certain functions are more critical than others. Which ones do your need to remain operational to continue doing business even in a small capacity? Both core functions and support functions will need to be addressed. 

Certain support functions may be able to be trimmed for a period of time, provided they don’t have too great an impact on operations.

4. Which areas of your business need to remain connected to ensure smooth operations?

Certain departments and functions depend on others. What is the plan to keep them in proper communication? Communications are essential in business. Your plan should include a directory of cell phone numbers, backup phone systems, meeting software, and a web-based program to share documents at a minimum.

5. How much downtime is acceptable for each of your critical functions?

“ The Critical Business Functions  or CBF are business activities and processes that must be restored in the event of a disruption to ensure the ability to protect the organization’s assets, meet organizational needs, and satisfy regulations.” After identifying your critical functions, you need to know the bottom line costs of downtime for each of them and have a plan to get them back up in an acceptable amount of time.

6. Which strategies are essential to your organization in order to handle daily tasks?

Which aspects of your business strategy cannot be adjusted in case of an emergency, and how can you become more flexible? Strategies that are essential to your core operations should be addressed first. 

Things like hiring and growth initiatives can likely be placed on hold in an emergency, but every organization will be different.

7. What software is necessary to continue operating efficiently?

Software and data are critical to nearly every business. Which ones are vulnerable, and what might need to be changed to remain operational? If there is a security breach or people are forced to work remotely, you will need backups and alternatives to your most vital software and data, as well as a plan to get things back up fast and efficiently.

8. Which processes will need to be adjusted to ensure continuous operations?

Specific processes will need to change in the event of a disaster. Which ones need added flexibility to ensure continuity? The processes behind core business functions need to have a continuity plan all their own in order to maintain operations. 

Processes need to have a certain level of flexibility built-in. The type of problem you’re facing will determine which operations will be impacted and dictate what adjustments need to be made.

9. Which technologies are vital to business continuity specific to your organization and industry?

Are your phone systems, computer hardware, and machinery specific to your industry able to remain functional if disaster strikes? You’ll need to uncover your current technologies’ vulnerabilities and shortcomings and understand how different disaster scenarios will impact each of them. 

You’ll want to have a plan to remain operational even at a reduced capacity, as well as a plan to get everything back up and running as quickly as possible.

10. Do you have a backup facility reserved as a disaster recovery site?

Many businesses are not able to send everyone home and remain operational. Do you have a backup facility available that will fit the needs of your organization? Many organizations have learned that some departments can remain productive working from home, but areas like manufacturing and research and development will require a backup facility to stay productive. The cost of a backup facility should be weighed against the potential cost of downtime in the case of an emergency.

The last year has highlighted the need to have a plan in place that will prepare your business for any situation. Alto9 can help you to develop and implement a plan that will give you peace of mind moving forward.

Contact us today for a free consultation.

Share this:

Discover more from alto9.

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

• (888) 244-1912
• [email protected]

• Understanding Business Continuity vs BDR: A Guide
• About Invenio IT
• Business Continuity

Can we break it? 9 business continuity plan (BCP) testing scenarios

Dale Shulmistra

• May 2, 2023
• 10 min read

Nobody wants to get those dreaded 3 a.m. phone calls. “The servers are down.” “The backups failed.” “Ed from logistics opened a phishing email again!” These calls are an IT professional’s worst nightmare. But the good news is: by exploring the right business continuity plan testing scenarios, you may never have to get such a call.

Creating a business continuity plan (BCP) is only the first step toward implementing a rock-solid continuity strategy. The systems and protocols outlined in your plan might sound good in theory, but how do they hold up in a real-world disaster?

• Can your backup systems survive a real data meltdown?
• Will you be able to meet your RTO for restoring data?
• How well will employees follow emergency procedures?
• Will your emergency communication strategy work out as planned, or will it implode?
• What will really happen when things go bad?

There’s no way to know for sure without  testing . This is a critical component of continuity planning. Without putting your BCP to the test, you’ll never know if your company is truly prepared for a disaster—until it’s too late.

Today, we look at 9 business continuity plan testing scenarios that can ensure your technologies and teams are ready for anything.

Get your hammer ready (metaphorically speaking)

Once your plan is finalized, it’s time to try to  break it.

Don’t worry—you’re not actually shredding the document that you spent so many weeks writing, editing and getting approved from higher-ups. And you’re not actually  breaking  anything at all.

However, you  do  need to prove the soundness of everything you put in the plan. By that, we mean using strategic tests that will help you to:

• Identify weaknesses in your BC systems
• Confirm that infrastructure investments meet your continuity objectives
• Evaluate the company’s response to different types of disruptive events
• Make improvements to systems and procedures based on test findings
• Update your BCP accordingly

Don’t make the mistake of creating a comprehensive plan but never putting it to the test. That’s more than just laziness. It’s dangerous.

Without testing your plan, you’re putting both the business and its people at risk.

Keep this in mind: only 6 percent of companies without a disaster recovery plan survive a disaster, according to Datto.  Having an inadequate plan is just as risky as having no plan at all.

Before you get started

The question you’re probably already asking is: what do you test and how often?

If you’ve done your job, then your BCP is already filled with hundreds of procedures for various events, including even the smallest of emergency-response steps, such as calling 9-1-1 in a fire. Do you test everything? How much is too much?

This depends on your company’s unique risks (as you’ve hopefully identified in a thorough risk assessment and business impact analysis).

For example:

• A company that has more to lose from a disruption (revenue losses, operational downtime, credibility / reputation, etc.) will usually require a higher number of business continuity plan testing scenarios, as well as a greater frequency of those tests.
• Keep in mind: the tests that you deem as “most important” may not be as important to another business in the same building as you. They may not even apply at all.

Every business is different, and thus its BCP is different as well: in scope and priority.

Below, we’ve included tests that we recommend for most businesses who are concerned about continuity. Some of the recommendations may be a bit general, depending on your operations. Customize and implement as needed for your business’s unique needs.

BCP or Business continuity plan testing scenarios

As you prepare for your tests, you’ll also need to determine just how “real” you want the test to be.

Testing is often a challenge for companies. The tests require time and resources for planning and executing them. For that reason, you may find it easier to conduct certain tests sitting around a conference table, rather than involving the entire organization in a full-scale drill. In  business continuity , these varying types of tests are typically defined as follows:

• Plan review:  the most basic test, in which the recovery teams go over the BCP, line by line, to make sure everything is accurate and shipshape.
• Tabletop test: a more involved version of the plan review, in which employees participate in actual exercises (usually in a conference-room setting) to confirm that everyone knows their responsibilities in various types of emergencies. These tests may also be used for testing technology components so that multiple people can evaluate how the systems behave and how it affects their roles.
• Simulation test:  this is the most realistic test, requiring team members to perform their BC/DR duties within their actual work environments. For certain types of disasters, this may even mean going off-site (for example, to resolve issues at a local data center or mock-prepare a backup office location).

Full-scale simulation tests are ideal because they allow you to evaluate your teams’ and technologies’ response to disasters in a way that’s as close to the “real thing” as possible. But if time and resources don’t allow for repeated simulations, then fall back on the tabletop tests (rather than not testing at all).

Okay, let’s dive into the tests …

1) Data loss

Let’s start with one of the most common workplace disasters today: a loss of data. This loss could be caused by a number of culprits:

• Ransomware and other cyberattacks
• Accidentally deleted files or folders
• Server / drive failure
• Datacenter outage

Assume that the lost data is mission-critical. Perhaps it’s your CRM information or the data that runs your sales and logistics applications.

The obvious goal is to get that data back as quickly as possible, ideally by restoring a  backup . But whose job is it to do that? How should they communicate the problem with other personnel (and at what point in the crisis)? What are the priorities? Do outside vendors, such as managed service providers (MSPs) need to be contacted?

If your primary IT person isn’t available to start the recovery, do other team members know how to do it?

These are all questions that should be answered by your test.

2) Data recovery

You need to make sure your BC/DR systems work like they’re supposed to. Conduct a test that involves losing a massive amount of data, and then try to recover it.

Here’s what you’ll need to evaluate:

• How long does the recovery take?
• Were any files corrupted during the recovery?
• Did you meet your RTO?
• If you virtualized a backup in the cloud, were there any issues? Did internal applications run without connectivity issues or lag?

Make sure that the teams who rely on this business-critical data participate in the test. For example, if they’ll be expected to work with a virtualized environment, watch them do this – see what questions they have or what issues they run into.

3) Power outage

Scenario: Last night, power was knocked out by a storm. The utility company says it won’t be back up for days.

So, what now? What does your BCP say should happen in an event like this?

As part of the test, you’ll want to make sure that your DR team knows their responsibilities and how to communicate with the rest of the organization.

• How will personnel be notified? Are they expected to come to work?
• If a prolonged work stoppage occurs, does HR and Accounting know how it impacts payroll?
• Are there backup generators that need to be manually started?
• Is there a backup office location?

These answers should already be in your BCP. But with the test, you’ll be able to confirm that everyone follows the protocols as outlined.

4) Network and/or Internet outages

Very similar concerns here. Chances are if there’s no electricity then there’s no network either. Although there are numerous situations in which you could have electricity but the network is down.

For situations like this (if the outage is prolonged), it’s increasingly common for organizations to provide personnel with the means to work remotely from home (more on that in the next continuity plan testing scenario, below). So as part of this test, you’ll want to make sure that this plan works as designed:

• Do employees know how to use/access the remote desktop systems?
• Does the technology work as designed? Are speeds/connectivity strong enough to maintain productivity levels?
• How is the network being restored? Do recovery teams know what to do?

What about network tests?

In addition to testing your preparedness for a network outage, you’ll want to test the network itself. This will enable you to verify the resilience of the network in various scenarios, such as cyberattacks, heavy bandwidth usage, changes in network configurations and so on.

There are numerous types of network stress tests that allow you to simulate congested network conditions. Sometimes referred to as “torture testing,” these tests give you insight into how your network performs when stressed to the max. Most network testing tools will allow you to measure bandwidth utilization and latency, and see how spikes in packet levels affect the performance of your network devices.

In addition to routine testing, these tests should also be conducted prior to the rollout of new applications or other significant changes to the network.

Remember: a critical aspect of these testing scenarios is to test your response to the simulated incident. So in a simulated network outage, for example, you’ll want to run through the steps needed to resolve the problem. Then, conduct a post-incident analysis to measure the speed and effectiveness of that response.

5) Application failure

What happens when an application that is most critical to your operations suddenly stops working? Aside from bringing your operations to a halt, your employees will likely be idled with nothing to do. This is an extremely costly scenario for most businesses, because it means that revenue is halted while expenses continue (and are wasted).

Routinely testing your applications can help to prevent these costly outages from happening and ensure that teams know how to rapidly respond when failure does occur.

Here’s what to consider as part of this testing scenario:

• What events or conditions are most likely to cause the application to fail? (i.e. heavy network usage, large-scale changes, etc.)
• When failure occurs, what steps are needed for recovery?
• What can be done to mitigate or eliminate these outages in the future?

Stress tests and performance tests are especially valuable, as they can help to identify how the application performs under different workloads. If the applications are externally developed and there are bugs or other issues inherent in the software (as opposed to adverse internal conditions, such as network issues), then organizations should work with their software vendor to identify a fix.

6) Public health crisis

This is a larger-scope continuity testing scenario that businesses became well-acquainted with during the Covid-19 pandemic.

As the coronavirus spread, organizations raced to adhere to critical health guidelines that ushered in a new era of remote work, virtually overnight. Not all businesses were able to quickly adapt to this sudden shift. However, some organizations had been testing such a scenario as part of their continuity planning long before the pandemic started.

Businesses of all sizes need to be sure they can continue to operate during a public health crisis that threatens the health, wellness and availability of workers. This means testing the ability to shift operations, as it relates to both logistical feasibility and IT infrastructure:

• Can employees perform their jobs remotely?
• Do they already have devices that make remote work possible? Or would new devices need to be acquired?
• Are IT systems already in place that would enable workers to securely connect to the network?
• In the event of prolonged staffing issues, can critical operations be carried out by limited personnel?

As we discovered, a global health crisis can occur at any time. Businesses need to continually test their ability to adapt to such an event to ensure their operations can continue without interruption.

7) On-site danger

This is a very important office-wide drill that you must conduct at least once a year. Chances are that your local fire codes may already require you to have a periodic fire drill. If not, it’s critical that you conduct one anyway.

In addition to fire, these drills can be used for testing response to other dangerous situations, such as:

• Earthquakes
• Bomb threats
• Terrorist attacks
• Structural instability

As part of your test, make sure people know their emergency procedures, whether it’s evacuation, duck and cover, retreating to a safe area or even staying at their desks.

Additionally, you should be testing your procedures for maintaining operations in case such an event is prolonged.

8) Communication protocols

Communication is critical in a disaster. And in the most disruptive events (such as a severe natural disaster), you’ll probably lose most of your traditional communication means.

Your BCP should already outline how communication should occur in these situations: who should call whom and how. Some companies use calling trees. Some have an emergency email alert system, a call-in number for updates or special company websites used exclusively for communicating during these events.

Your tests should check that these systems and steps actually work: that personnel know they exist, that they know how to use them and that they work as designed.

9) Crisis of any kind

Let’s face it—there are so many different disasters that threaten your operations. Hopefully they’re already thoroughly defined in your business continuity plan.

Your job is to make sure you’re creating realistic tests that prepare the business for each of these crises. We’ve included some of the most destructive (and common) disasters in the recommended tests above, but there are numerous others to consider as part of your testing, including:

• Loss of personnel (transportation blockage, strike, illness, etc.)
• Additional utility outages (gas, telecommunications)
• Application outages
• On-site flooding
• City/area-wide evacuation
• IT infrastructure failure or damage

As with each of the tests outlined above, your drills for these scenarios should be designed to ensure that personnel know how to respond, that they’ll be  safe and that the business can continue running.

Documenting your testing scenarios

All tests should be thoroughly documented. This enables organizations to identify how the test was conducted, what went right and what needs to be improved. Each test provides a baseline for conducting future tests and also for making changes to continuity planning.

Each testing scenario should be individually documented, but can also be summarized to provide a high-level overview. Here is a very basic example of what that might look like, just for templating purposes:

This summary should be followed by a more detailed description of each test, when it was conducted, what occurred and recommendations for further testing and/or improvements.

Frequently asked questions

1) What is an example of business continuity?

Business continuity is an operational objective that means a business can continue to function without disruption or interruption. One example of maintaining business continuity would be a hospital that is able to continue providing healthcare services during a hurricane.

2) How do you write a business continuity plan?

Writing a business continuity plan involves outlining your business’s unique risks, the impact of those adverse events, protocols for mitigation, response and recovery, and the systems that support those continuity efforts. For more tips, see our related post on how to develop a business continuity plan .

3) Why is a business continuity plan important?

Planning for potential operational disruptions is the best thing businesses can do to prevent, mitigate and recover from such events. A business continuity plan serves as important documentation for understanding risks and guiding an organization through all stages of a disruption, from prevention to recovery.

4) How often do we test our business continuity plan objectives?

The timing and frequency of your plan testing will depend on the unique objectives of each business, and you will likely need to test different parts of your BCP at different times. For example, you might decide to conduct emergency preparedness drills for employees once a year, while your data backups may need to be tested every few months.

Get more information

To learn more about how your company can mitigate downtime after data loss and other disasters, contact our business continuity experts at Invenio IT.  Request a free demo  or contact us today by calling (646) 395-1170 or by emailing  [email protected] .

Join 23,000+ readers in the Data Protection Forum

Related articles.

BCDR Faceoff: How Do Datto Competitors Stack Up? What are the Alternatives?

Do you know what makes Datto Encryption So Secure?

The Truth about All Datto SIRIS Models for BCDR

Where’s My Data? 411 on Datto Locations around the Globe

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

Cybersecurity.

© 2023 InvenioIT. All rights reserved.

• Skip to right header navigation
• Skip to main content
• Skip to secondary navigation
• Skip to footer

Business Continuity and Crisis Management Consultants

7 Business Continuity Exercise Scenarios That You Need to Prepare For

May 17, 2022 By //  by  Bryan Strawser

According to research, about 25% of businesses fail to recover after disasters. If they lack a recovery plan, it becomes hard to cope with the repercussions. That’s why your business needs an ideal business continuity plan (BCP). In this article, we discuss how to test your BCP plan using several different business continuity exercise scenarios.

To top off business security in case of exercise scenarios, testing your BCP prior is crucial. However, it’s good to understand that each business has a distinct BCP depending on size and other factors. That’s why you need to carry out a risk assessment and business impact analysis to be aware of the ideal risk factors.

Luckily, below, we discuss seven of the most common business continuity exercises, types of tests, and the importance of testing your continuity plan.

Types of Tests

These are the three most common tests for your plan to ensure business continuity if the risk occurs.

1. Plan Review

It’s one of the most straightforward tests. The planning and recovery team goes through all the points on the BCP. The team ensures the plan covers all the company’s objectives without conducting any practical work.

2. Tabletop Testing

It’s the most common in many businesses and a better version of the plan review. In this test, employees test the plan in a conference setting . The employees get to act and respond to specific exercises as they would if it was the actual day of the incident.

3. Simulation Test

It’s the most realistic of the three, where employees perform the exercises in their workstations. It’s also the most practical, as they don’t skip any activity.

Importance of Testing

Testing your business’s BCP is crucial because it creates a picture of the scenarios, making it easy for team members to relate. Here’s why you need to conduct the tests.

• Team members get practical preparation.
• It’s good to identify any loopholes in the BCP.
• It ensures you cover all your company’s objectives.
• Lastly, it gives room to amend the BCP before the ideal scenarios.

Want to put your tabletop exercises on auto-pilot?

In our experience, business teams that practice crisis, disruption, and business continuity scenarios respond faster and recover more quickly than teams that do not.

Managing crisis & continuity exercises for hundreds of business units worldwide is a tall order. That’s why we’ve developed a set of crisis & continuity exercises that can be executed by a business leader in an hour or less – and don’t require expert facilitation from a crisis management or business continuity team.

Our Exercise in a Box scenarios and materials were written by the battle-tested experts in crisis management, business continuity, and crisis communications at Bryghtpath.

Learn more about Exercise in a Box >>

Business Continuity Exercise Scenarios

Now that you understand why you need a business continuity plan, the kind of tests to conduct, and their importance, let’s dive into the ideal exercise scenarios.

1. Cyberattacks

Cyber security is still a worrying issue for most businesses, as it poses a threat to a company’s data. Since most companies today share their data through the internet, they are prone to phishing, ransomware , and malware. These could lead to data loss and an expensive yet risky recovery process.

For instance, imagine a scenario where one of the employees gets exposed to phishing, leaking the company’s critical details. To handle such a case, you need to answer a few questions like, do you have the proper means to retrieve the data? How fast would the process take? Is the information encrypted? And lastly, who should the employee report to first? That will help you develop the best plan to help you in such a situation if it happens.

2. Pandemics

In as much as pandemics don’t happen every so often, COVID-19 came as a reminder that you cannot avoid preparing for one. You should have measures to control the effects of the pandemic as a business since inception.

For instance, if it’s a contagious disease, your BCP should stipulate what departments need to report to work physically. It should also state how remote workers can access the company’s data. Lastly, your business continuity plan should note if such an arrangement would affect payroll for better coordination. With such measures in place, the situation becomes manageable, and you have an assurance of business continuity until the pandemic is over.

3. Physical Disruptions

These could involve fire, active shooters, or workplace violence. For instance, if there was a fire, is your team aware of how they could respond to that ? Depending on your company’s location, some areas have a requirement to conduct fire drills often. Either way, it’s wise to prepare your employees in advance.

Conduct a fire drill often, and let your team know how they respond if it happens. The same goes for active shooter scenarios. Let them know the essential measures for their protection.

4. Natural Disasters

Especially in disaster-prone areas, prior preparation is crucial. These disasters could include earthquakes, hurricanes, and wildfires. For instance, in the case of earthquakes, the west coast is prone to earthquakes and wildfires, while the east coast is more prone to hurricanes and snowstorms.

Depending on your business location, you need to prepare to handle such occurrences. You can even set aside a budget to control damages and set up your business in a way it can withstand disasters. Also, it would help if you prepared for a time when it’ll be impossible to have employees reporting to work physically.

5. Power Outage

For instance, in a scenario where there’s a power outage because of a storm and the power company gives a power outage notice for a few days, do you plan to run the business? Do you have backup generators? Will all employees have to report to work physically? These are some questions you should consider when making a continuity plan for a power outage.

6. Network Outage

Today, access to a network is crucial for communication and completing everyday tasks. Having a backup plan is vital. You should ensure employees can access company data through a secure means. That ensures business continues, especially in critical departments.

7. Emergency Communication

It’s the most critical part of any business. That involves a channel of informing the ideal personnel when there’s a hitch or any shortcoming. For instance, how fast is your channel for emergency communication? Does your channel offer emergency contacts, people that are first to get information? In case of a power or network outage, would you still communicate? Is your team well informed on how to access it?

These are some of the questions you need to ask when selecting an ideal communication channel . That’s because communication is the backbone of success in any undertaking. It helps with coordination, ensuring you conquer any barriers your business might encounter.

It would be easier for a business to respond to a risk occurrence with measures already in place. That’s because you are not starting from zero. Also, you get to minimize the downtime and survive the season until recovery. Every business needs this for its continuity despite setbacks.

Want to work with us or learn more about Business Continuity & Crisis Management?

• Our proprietary  Resiliency Diagnosis  process is the perfect way to advance your business continuity & crisis management program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
• Our  Business Continuity (including effective continuity exercises) & Crisis Management  services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
• Our  Ultimate Guide to Business Continuity  contains everything you need to know about Business Continuity while our  Ultimate Guide to Crisis Management  does the same for Crisis Management.
• Our free  Business Continuity 101 Introductory Course  and/or our  Crisis Management 101 Introductory Course  may help you with an introduction to the world of business continuity & crisis management – and help prepare your organization for your next disruption.
• Learn about our  Free Resources , including articles, a  resource library , white papers, reports,  free introductory courses , webinars, and more.
• Set up an  initial call with us  to chat further about how we might be able to work together.

About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of, business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

Learn more about Bryan at this link .

PO Box 131416 Saint Paul, MN 55113 USA

[email protected]

Our Capabilities

• Active Shooter Programs
• Business Continuity as a Service (BCaaS)
• IT Disaster Recovery Consulting
• Resiliency Diagnosis®️
• Crisis Communications
• Global Security Operations Center (GSOC)
• Emergency Planning & Exercises
• Intelligence & Global Security Consulting
• Workplace Violence & Threat Management

Our Free Courses

Active Shooter 101

Business Continuity 101

Crisis Communications 101

Crisis Management 101

Workplace Violence 101

Our Premium Courses

5-Day Business Continuity Accelerator

Communicating in the Critical Moment

Crisis Management Academy®️

Managing Threats Workshop

Preparing for Careers in Resilience

Our Products

After-Action Templates

Business Continuity Plan Templates

Communications & Awareness Collateral Packages

Crisis Plan Templates

Crisis Playbook®

Disaster Recovery Templates

Exercise in a Box®

Exercise in a Day®

Maturity Models

Ready-Made Crisis Plans

Resilience Job Descriptions

Pre-made Processes & Templates

17 Business Continuity Manager Interview Questions and Answers

Learn what skills and qualities interviewers are looking for from a business continuity manager, what questions you can expect, and how you should go about answering them.

In the event of a natural disaster, power outage, terrorist attack, or other emergency, businesses need a plan in place to continue operations. That’s where business continuity managers come in. They create and implement continuity plans that ensure a business can still function even in the face of disaster.

If you’re interviewing for a business continuity manager job, you’ll need to be prepared to answer questions about your experience, knowledge, and skills. In this article, we’ll provide you with some tips on how to answer common business continuity manager interview questions. And, to help you get started, we’ve also included a few sample questions and answers.

Are you familiar with the different types of business continuity plans?

What are the key components of a business continuity plan, how would you implement a business continuity plan within an organization, what is your experience with developing and implementing disaster recovery plans, provide an example of a time when you had to deal with an emergency situation and how you handled it., if hired, what would be your priorities as a business continuity manager, what would you do if you noticed a potential issue with a critical business continuity system, how well do you communicate with other members of the business continuity management team, do you have any experience working with it professionals, when is the best time to perform disaster recovery drills, we want to improve our business continuity plan so that it is more effective. what are some areas that you would improve, describe your experience with risk management., what makes you an ideal candidate for this business continuity manager position, which business continuity frameworks do you have experience with, what do you think is the most important aspect of business continuity management, how often should business continuity plans be updated, there is a growing trend of businesses experiencing disruptions due to natural disasters. how would you help our company prepare for this.

The interviewer may ask you this question to see if you have the experience necessary to create a continuity plan for their organization. Use your answer to highlight your knowledge of different types of business continuity plans and how they can benefit organizations.

Example: “There are three main types of business continuity plans, including recovery plans, disaster recovery plans and emergency response plans. Recovery plans focus on getting an organization back up and running after a disruption or disaster. Disaster recovery plans help businesses prepare for disasters by creating backup systems and procedures that allow them to continue operations in the event of a disaster. Emergency response plans provide guidance to employees during emergencies so they know what to do when something happens.”

The interviewer may ask you this question to assess your knowledge of the business continuity process. Your answer should include a list of key components and how they relate to one another.

Example: “The key components of a business continuity plan are risk assessment, disaster recovery planning, business impact analysis, testing and training, communication and documentation. Risk assessment is the first step in developing a business continuity plan because it helps organizations identify their vulnerabilities and determine what types of disasters could affect them. Disaster recovery planning involves creating a strategy for recovering from different types of emergencies. Business impact analysis determines which functions of the organization are essential to its success. Testing and training ensure that employees know how to respond during an emergency. Communication and documentation help keep everyone informed about the business continuity plan.”

This question can help the interviewer understand how you would apply your skills and experience to a new role. Use examples from previous roles or explain what steps you would take if you had no prior experience implementing business continuity plans.

Example: “I would first assess the organization’s risk factors, including its location, industry type and size. Then I would create a plan that includes all of the necessary elements for an effective business continuity strategy. These include identifying critical systems and data, developing recovery strategies and creating testing procedures. After completing these tasks, I would train employees on the business continuity plan so they know how to respond in case of an emergency.”

This question can help the interviewer understand your experience with business continuity planning and how you might apply that knowledge to their organization. Use examples from previous roles to highlight your skills in developing plans, implementing strategies and monitoring progress.

Example: “In my last role as a business continuity manager, I worked with several departments to develop a comprehensive disaster recovery plan for our company. We started by identifying all possible threats to our operations, including natural disasters, cyberattacks and human errors. Then we developed strategies for each threat, such as backup systems, emergency procedures and communication methods. Finally, we implemented these strategies into our daily operations so we could respond quickly if any of the threats occurred.”

An interviewer may ask this question to learn more about your problem-solving skills and how you react in emergency situations. When answering, try to describe the steps you took to resolve the situation and highlight any specific skills or abilities that helped you solve the issue.

Example: “In my previous role as a business continuity manager, I had to deal with an emergency situation when our company’s website went down for several hours. At first, I was worried because I knew many customers would be trying to access our site at once. However, I quickly realized that we needed to find a solution before too many people noticed the outage.

I immediately contacted our web hosting company and explained the situation. They were able to fix the problem within two hours. While it was unfortunate that the website went down, I’m glad that I was able to handle the situation calmly and efficiently.”

This question helps the interviewer determine how you prioritize your work and what you consider important. Your answer should include a list of tasks that show you understand the role’s responsibilities and are prepared to take on the job.

Example: “My first priority would be to create an emergency plan for my organization. I would hold meetings with key personnel, such as executives and managers, to discuss their roles during emergencies and develop strategies for responding to different types of crises. Next, I would implement training programs for employees so they know what to do in case of an emergency. Finally, I would regularly test the emergency procedures to ensure everyone knows their roles.”

This question can help interviewers understand how you handle challenges and make decisions. Use your answer to highlight your problem-solving skills, ability to think critically and willingness to take action when necessary.

Example: “If I noticed a potential issue with a critical business continuity system, I would first try to determine the severity of the situation. If it was something that could be fixed quickly, I would immediately start working on a solution. However, if the issue was more serious or complex, I would notify my supervisor so they could decide what steps we should take next. For example, if there were no immediate solutions available, I would begin researching different options for resolving the issue.”

The interviewer may ask this question to assess your communication skills and how well you work with others. Use examples from past experiences where you successfully communicated with other members of the team, such as a project manager or IT specialists.

Example: “I have experience working in teams before, so I know that it’s important to communicate effectively with my colleagues. In my last role, I worked alongside two other business continuity managers who were responsible for developing plans for data recovery and disaster response. We met regularly to discuss our progress on these projects and shared ideas we had for improving our processes.”

The interviewer may ask this question to learn more about your experience working with a team of professionals. Use your answer to highlight any specific skills you have that make you a good fit for the role.

Example: “I’ve worked with IT professionals in my previous roles, and I find it helpful to work with them because they can help me understand how technology works within our organization. In my last position, I had an issue where one of our servers was down, so I called on the IT department to help me figure out what was going on. They were able to fix the problem quickly, which helped us get back up and running.”

The interviewer may ask you this question to assess your knowledge of when and how often to perform disaster recovery drills. Use your answer to highlight your ability to plan, organize and manage time effectively.

Example: “I believe the best time to perform disaster recovery drills is before a major holiday or vacation period. This way, if something were to happen during that time, we would already have a plan in place for handling it. I also think it’s important to perform regular disaster recovery drills throughout the year so our team members can get used to performing them. This helps ensure everyone knows what they’re doing and reduces any confusion.”

This question is an opportunity to show your knowledge of business continuity plans and how you can improve them. When answering this question, it can be helpful to mention specific areas that you would improve in the current plan or discuss what you would do differently if creating a new plan from scratch.

Example: “I would first look at the recovery time objectives for each system and application. These are important because they tell us how long we can go without access to a particular system before it starts to impact our operations. I would also make sure that all employees have access to training on their roles during an emergency so that everyone knows what to do when there’s a disaster.”

Business continuity managers must understand the risks their organizations face and how to mitigate them. Employers ask this question to make sure you have experience with risk management processes. In your answer, explain what a risk is and give an example of one that you’ve encountered in the past.

Example: “Risk management is the process of identifying potential threats to an organization’s operations and implementing strategies to reduce or eliminate those threats. I’ve been working as a business continuity manager for five years now, and during that time I’ve seen many different types of risks. For instance, my last employer had a fire at its warehouse. We used our risk management protocols to determine which employees were essential to the company’s day-to-day operations and who could take leave while we rebuilt the warehouse.”

Employers ask this question to learn more about your qualifications for the role. They want someone who is passionate about their work and has a strong background in business continuity management. Before your interview, make sure you read through the job description thoroughly. Review any skills or experience requirements that you have. Use these as examples when answering this question.

Example: “I am an ideal candidate for this position because of my extensive knowledge of business continuity management. I’ve worked in this field for five years now, and I feel confident in my abilities to lead a team. In fact, I was promoted to this role after working as a business continuity manager for two years. I also think I would be a great fit for this role because of my communication skills. I know how to communicate effectively with both employees and clients.”

The interviewer may ask this question to see if you have experience with the frameworks they use in their organization. If you don’t have direct experience, consider mentioning a framework that is similar to the one used by the company and explain how it works.

Example: “I’ve worked with several business continuity frameworks throughout my career, including BCP/DRP, COBIT, ISO 22301 and ITIL. I find these frameworks helpful for creating plans because they provide step-by-step instructions on what needs to be done to create an effective plan. However, I also like using them as references when developing plans because they help me understand which steps are most important.”

This question is your opportunity to show the interviewer that you understand what business continuity management entails. Your answer should include a brief description of each aspect and how it contributes to the overall success of a business continuity plan.

Example: “I believe the most important part of business continuity management is risk assessment. It’s essential to know which risks are likely to occur, as well as their potential impact on the company. This information can help me create an effective strategy for mitigating those risks. Another important aspect is communication. I think it’s crucial to keep employees informed about any changes in the workplace so they’re prepared when emergencies arise.”

The interviewer may ask you this question to gauge your knowledge of industry standards and best practices. Your answer should include a specific time frame, such as annually or bi-annually, along with an explanation of why these times are important for businesses to update their plans.

Example: “I recommend updating business continuity plans every year or two because the risk landscape changes so frequently. For example, if a company has a plan in place that includes a backup data center but then decides to outsource its IT services, it’s important to update the plan to reflect the new arrangement. This ensures that the company is prepared for any unexpected events.”

The interviewer may ask you a question like this to understand how you would apply your skills and experience to help their company prepare for disruptions. Use examples from your past experiences in helping companies plan for natural disasters or other types of disruptions that can affect business continuity.

Example: “I have worked with several clients who experienced power outages, flooding and other issues due to natural disasters. In these situations, I work with the client to develop a disaster recovery plan that includes steps they can take to minimize disruption to operations during an emergency situation. For example, one of my previous clients had a backup generator installed at their facility after experiencing multiple power outages. This helped them continue operating without interruption when there was another power outage.”

17 Architectural Technologist Interview Questions and Answers

17 property accountant interview questions and answers, you may also be interested in..., 25 ecologist interview questions and answers, 25 chemical technician interview questions and answers, 25 curriculum director interview questions and answers, 20 security researcher interview questions and answers.

Ad-Blocker not supported

PracticeQuiz content is free on an ad-supported model.

Unfortunately, we can't support ad blocker usage because of the impact on our servers. If you'd like to continue, please disable your ad blocker and reload page.

Business Continuity Professional Exam Prep

Maintained and Updated as of 2024

Practice Quiz presents 125 free review questions and explanations for the business continuity professional, looking to to take the business continuity professional certificaiton exam

Select how would you like to study

• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
• Developing Business Continuity Strategies
• Emergency Response and Operations
• Developing and Implementing Business Continuity Plans
• Awareness and Training Programs
• Exercising and Maintaining Business Continuity Plans
• Public Relations and Crisis Coordination
• Coordination with External Agencies

The DRI certifications are excellent from a career and knowledge perspective.  We highly recommend you consider them.

Looking for more questions? Try our CBCP set #2!

The Business Continuity Professional Exam has 40 questions.

The Business Continuity Professional Exam is 1 hour long.

The passing score for the Business Continuity Professional Exam is 28 out of 40 questions correct.

Passing the Business Continuity Professional Exam grants the test taker Certified Business Continuity Professional (CBCP) certification. This credential helps test takers stand out by certifying their knowledge in business continuity and IT disaster recovery,

Supplemental Test Prep Materials

Top exams on practicequiz.

• 3237 subscribers ServSafe / Food Safety Practice Test
• 2335 subscribers Medical Coding Exam Prep
• 2136 subscribers CPCE Exam Prep
• 1802 subscribers EMT Practice Test
• 1729 subscribers National Counselor Exam Prep (NCE)

Managing Editor

Ted Chan is the Managing Editor of PracticeQuiz.com. Ted has experience as a journalist and a writer, including editorial or content production roles at ESPN, Better Business Bureau, The Boston Globe, and Forbes. Ted holds a BA from Swarthmore College with High Honors, and a MBA from the MIT Sloan School of Management. Ted also studied at the Harvard Business School, earning a Certificate in Value-based Health Care Delivery. All content, unless otherwise noted, was created for PracticeQuiz. Let an editor now if you have suggested content edits by emailing us at the support address in the header, or by commenting in the Contribute box above.