BCP in 60 seconds

  1. Disruption is a fact of life and mostly, businesses deal with it. However, very occasionally, something happens that is so disruptive it demands all our attention.
  2. Time waits for no-one. If the situation can’t be contained using standard procedures, we haemorrhage money, reputation and production at a rate we can’t control. There is no time to think and it’s too late to make provisions.
  3. You are unique. The causes of disruption are well known, from building collapse to supplier failure, pandemic to cyber-attack. However, the effects these have on you are a total reflection of your business. There is no standard response.
  4. Your business is complex with many highly interconnected and synchronised components. Rebuilding it whilst continuing to operate near-normally is no straightforward task.
  5. Business Continuity Planning equips you to survive a major disruptive event. It encourages you to develop and test a practical plan for getting the organisation back on track before it suffers irreparable damage.

Introduction

Faced with catastrophe, it’s tempting to think we are so familiar with our business that we could rebuild it without a plan… difficult, but doable. Perhaps, but there are points to consider before you take this route. Faced with a burned-out office already trending on social media, how long before customers and competitors notice and start to act? You probably have a few hours to plan your response. 

Unable to operate, you start to lose revenue, the phone goes unanswered and suppliers’ terms harden. You have a crisis to manage - no time, no information, no resource and no tried and tested strategy with which to reassure stakeholders, who are now clamouring for information. 

You call a meeting and set a recovery deadline that aims for 50% of normal output inside a week. Is it enough? Can you deliver? Is that for all products and services, or would you want to prioritise? What then are the implications for recovering IT? Where will other key business functions go? What messages should the sales team pass to prospects? And what about seasonality, does that change things? And somehow, amidst all the questions, you have a business to run. 

Business Continuity Planning (BCP) is a management discipline that sits alongside others such as risk, compliance, information security and so on. Like them, it is not generally viewed as a bottom-line contributor, but has an important part to play. BCP equips you to answer the deluge of questions posed during a crisis - in relative comfort. It puts you in control, buys you time and builds confidence. 

There are various formal definitions of BCP; however, a working description might be:

A systematic process involving planning and preparation that ensures we can respond acceptably to any operational emergency affecting the business 

Like other management disciplines, BCP needs to be established as a continuous activity with a policy framework and approach, an owner, a budget and top management backing. From here and with a relatively light touch, you can go on to analyse the business and write a plan. 

BCP derives value from its satisfaction of risk governance criteria, ensuring that your exposure to continuity-threatening events aligns with stakeholders’ risk appetites. It’s like life assurance; whilst you hope never to use it, BCP assures shareholders and trustees, regulators, prospective and live customers, suppliers and employees. It makes them happy to invest in you.

11 reasons why you need to have a Business Continuity Plan

In the event of a disruption:

  1. You avoid knee-jerk dead-end reaction
  2. You have calculated recovery deadlines that avoid excessive spend or risk
  3. You develop capability, so your people know what to do when called on
  4. You build organisational resilience, balancing toughness and recoverability
  5. Your plans can save lives, ensuring correct emergency procedures are followed
  6. You enhance insurance value, balancing BCP against BI
  7. You inspire customer confidence, knowing they can rely on you, no matter what
  8. You have the confidence of your investors, knowing their money is in safe hands
  9. You have the confidence of your suppliers, knowing their bills will be paid
  10. Your plans can preserve brand value and company reputation
  11. Your plans can ensure supply chain security and order fulfilment

Does your company have a resilient BCP?

Understand the effectiveness of your BCP with our free basic review. Our experts will assess your documentation, offer constructive feedback and suggest practical improvements.

Benefits of BCP

  1. Structured Recovery: Minimise the impact of disruptions with a clear plan that ensures swift restoration of operations.
  2. Enhanced Risk Management: Identify potential risks more effectively and implement strategies to mitigate their impact.
  3. Optimised Insurance Alignment: Strengthen coordination between your business continuity plan and business interruption insurance for smoother recovery processes. 
    Improved Relations with Insurers: Build trust with insurers by showcasing comprehensive planning aligned with coverage.
  4. Stakeholder Confidence: Demonstrate resilience and preparation to stakeholders, reinforcing their trust in your business. 

The relationship between Continuity and Insurance 

Business Interruption (BI) insurance compensates organisations with long recovery times, underwriting their gross profit and increased cost of working. For many it represents essential risk management. 

Business Interruption insurance is arguably as important as your Buildings and Contents cover and is an essential part of your Business Continuity Plan. It is designed to cover losses you may experience if your business is affected by insurable perils such as damage by fire, flood or even the loss of utilities for a defined period of time. 

Organisations fail when they run out of cash. This can arise for many reasons, from market collapse to financial mismanagement, but also because of unplanned disruption. BI underwrites your gross profit, typically for a year or more. It buys you time to focus on rebuilding, keeping customers and restoring revenues. 

The problem is that without a BCP, your response to catastrophe is purely reactive. You’re in shock and even with funding and your best efforts, it may be too late for the business. Equally, if you don’t have BI, you may run out of cash before your plans can be realised. The fact is, BI needs BCP and vice versa, each maximising the value of the other.

Linking Business Continuity with Cyber Risk:

Practical BCP strategies for common threat scenarios

Cyber risk is often viewed as a problem for IT, yet when an incident occurs, it quickly becomes a wider business issue — disrupting operations, undermining trust, and affecting performance.

While Business Continuity Planning (BCP) doesn’t address the technical nature of individual cyber threats — which remain the domain of IT and information security — it should provide a structured organisational response to their potential outcomes. These typically include loss of access to critical systems, the compromise of sensitive data and decisions regarding involvement of specialised third parties such as insurers and PR agencies.

Cyber incidents differ from standard IT outages in one important respect: uncertainty. Attack modes are diverse and recovery is less predictable; the scale of impact can be hard to define, and events often unfold without clear visibility. This ambiguity calls for a flexible, impact-driven approach to continuity planning.

Below are several key cyber threats, with a summary of how BCP should be structured to address their effects:

  • Malware / Ransomware – can result in the loss of critical systems and exposure of sensitive data, potentially halting operations and prompting regulatory and reputational consequences.
    → Prepare scenario-specific runbooks with workarounds covering loss of each critical system and/or environment; create separate runbooks for data compromise.
  • Phishing & Social Engineering – can lead to unauthorised access, often culminating in system outages or data breaches.
    → As above, maintain targeted runbooks for both system disruption and data loss.
  • Denial-of-Service (DoS) / Distributed DoS (DDoS) attacks – can prevent access to key platforms and services.
    → Ensure plans and workarounds exist for responding to the temporary loss of system availability.
  • Supply Chain Attacks – seek to exploit third-party provider access privileges to reach internal systems.
    → Runbooks should still reflect internal system and data impacts and workarounds, regardless of the origin of the breach.
  • Insider Threats – whether malicious or accidental, insider actions can cause significant disruption.
    → Apply the same impact-led response planning used for external threats.

Foundations Still Matter

Even if your continuity planning only accounts for general IT failure, you’re not starting from scratch. You’ll have mapped out the IT systems and data assets underpinning your operations and prioritised their recovery. This foundation remains valid in a cyber context — only the cause of the disruption differs.

This approach to cyber continuity reflects the principles set out by both the UK’s National Cyber Security Centre (NCSC) and the US-based National Institute of Standards and Technology (NIST). Both organisations emphasise impact-based planning, clear documentation, and regular testing as essential components of an effective response strategy.

From the NCSC’s focus on integrating cyber response into broader business resilience, to NIST’s structured planning around system recovery and business impact, the message is clear: continuity planning should not treat cyber as a technical exception, but as an operational risk to be addressed alongside any other disruption.

By aligning BCP with these frameworks, organisations can demonstrate that their resilience planning meets not only internal expectations but also recognised international standards.

Who should be in charge of your BCP? 

For businesses without a dedicated Business Continuity Manager this isn't always an easy question to answer, but it usually involves appointing a senior sponsor and a dedicated project manager (PM). 

The Role of the Sponsor

The best sponsors are those who truly understand and value Business Continuity (BC) and resilience. Think of BC as a practical insurance policy: planning, preparation, and practice are the premiums you pay to ensure your organisation can recover from major disruptions. An outdated or weak BCP can fail when needed most, misleading stakeholders. Unlike traditional insurance, BC is a governance obligation and is mandatory for many organisations, but you are fully responsible for making sure it works. 

So, who is best placed to own this? Many aspects of BC focus on operational disruption, so perhaps your COO is an obvious candidate. But then, BC provides an aspect of risk management required by many insurers, so maybe the CFO is best placed. Almost every aspect of business is underpinned by technology, so the CIO, and/or CTO hats can also be thrown into the ring. 

There is no de facto “home” for BC sponsorship, save that it always has a strong operational component requiring technology appreciation and insight. 

What We Look for in a BC Sponsor

When our consultants are assigned to a project, we hope for a BC sponsor with seniority, buy-in, and energy. We need their influence to fully engage key individuals and drive the project to completion. We need their authority to roll out policy and plans, adapting and testing to ensure it works. BC can be a hard sell, so perhaps most of all, we need their support, presence, and enthusiasm, communicating and helping us embed BC in day-to-day business. 

The Role of the Project Manager 

The BC project manager should be empowered by the sponsor and tasked with producing working BC capability in the organisation. To do this, the PM needs solid organisational skills, familiarity with the business, and a strong appreciation of IT. They need enough seniority to be credible, but not so much that they have no time to properly fulfil the role. They might either be a direct report to the project sponsor or an individual selected specifically because of their experience, knowledge, and skills. They should be familiar with continuity risk environments, ideally based at a site addressed by planned-for scenarios. 

Ideal Characteristics of a PM

Our ideal PM has all the above characteristics but ideally, few preconceptions about how BC should be carried out. Similarly, PMO assignees tend to be short-term and risk diluting long-term BC priorities to satisfy project ideals. Our perfect PM is in it for the long term, buys into our approach, efficiently harvests and provides the information and insights we need, facilitates our workshops, circulates drafts, verifies our deliverables prior to sponsor signoff, and helps us keep the project on track. They may then oversee the implementation of improvements to make the BCP work effectively, maintaining it and facilitating tests to prove it works.

Who else needs to be involved?

We’ve already covered who should lead a Business Continuity Planning (BCP) project — but effective delivery depends on wider involvement.

We know it’s difficult to get people into meetings, especially for initiatives that don’t promise immediate returns or business-as-usual improvements. That said, getting the right voices in the room early can make the difference between a paper plan and a practical way out of trouble when things go wrong.

While full participation from the senior leadership team is ideal, it’s not always realistic. As a minimum, consider involving the following roles:

  • CFO / CCO / Finance or Commercial Director – Essential for identifying value streams and understanding financial exposure and stakeholder sensitivity to disruption.
  • COO / Operations Director – Helps connect the value streams to the operational processes that deliver them.
  • CIO / CTO / IT Director – Provides insight into systems architecture and helps map operational dependencies on technology.

You should also consider input from:

  • Procurement or Supply Chain Manager – To flag critical supply lines and supplier risks.
  • Facilities Manager – For awareness of single points of failure in infrastructure, workspace, or specialist equipment.

The key is proportionality. For smaller or more focused projects, this core group can ensure BCP isn’t seen as just another compliance exercise — but a genuine asset to business resilience and a material benefit for all stakeholders.

How does Business Continuity Planning vary by industry?

You’d be forgiven for thinking that most organisations’ Business Continuity Plans (BCPs) are broadly the same shape, size, and structure. Of course, they need to be tuned to fit, but the same template with a few tweaks and adjustments ought to work for all, right?

Consider how you’d plan to recover two organisations, each with 200 staff and a turnover of £50M, each needing to recover to 80% of normal within a week. Organisation A works out of rented city-centre offices, operates a call centre, and sells online advisory services using a SaaS-based technology platform. Organisation B operates and owns a heavily automated manufacturing, packaging, and distribution facility on an out-of-town industrial park. Head office is on-site with an in-house IT team running customised self-hosted systems. For broadly the same disruption scenarios, the planning differences are significant.

Imagine that major fires affect both organisations during peak business but with no casualties. Organisation A immediately switches to working from home and a rented office, picking up where they left off with virtually no impact. Organisation B is a different story. Their plan must include: 

  • A rapid response to the incident, reacting, containing, and escalating to save what they can 
  • Interactions with the emergency services, agencies, high visibility, and media interest 
  • Crisis management, customer, staff and supplier retention, competitor opportunism, reputation 
  • A robust financial and insurance response, since bank loans must be repaid, revenue restored 
  • Technology replacement, recovery, security, and rebuild from backups 
  • Business recovery, prioritising and restoring each function with workarounds 
  • Plant rebuild with specialised imported equipment, 6 months lead time on some key parts 
  • Stock replenishment and salvage

Each line implies a checklist to be included in scenario response strategies, adjusted to reflect circumstances, in the form of a runbook. 

Sector-Specific Risks 

Sector also determines risk profile and the resulting set of disruption scenarios we plan for. Organisation A might sensibly plan against denial of access, cyber-attack, SaaS (supplier) failure, and network outage. Organisation B also needs to consider these, plus others: loss of site, potentially several modes of automation and/or plant failure, utility failure, distribution failure, and so on.

The pace of recovery for each scenario is dictated by stakeholders and captured in a Business Impact Analysis (BIA). It can affect the recovery solutions used to deliver each line of strategy. For example, we may need to replicate certain systems if client C insists organisation A is able to restore services to 80% in 2 days instead of 5. However, the underlying form of response plan may be unaffected.

Clearly, organisation B’s challenge is more complex and the chances of it surviving without sufficient Business Interruption (BI) insurance and a right-sized Business Continuity Plan (BCP) are reduced. 

The Goldilocks Zone

Experience shows that our list of planning points is relevant for most SME manufacturing sector firms. Similarly, a lighter BCP is sufficient for most office-based SMEs with work-from-home capability. It illustrates the fact that each industry has its own “just right” level of preparedness and plan content.

  • Too Light: If you under-plan, any untested assumption you make or scenario you miss could be a showstopper. Plan-on-a-page examples include “we’ll rent a vacant factory”, “our suppliers will move heaven and earth to help us”, “we’ll use legacy equipment”, “our backups will work fine”, “our investors will pump in cash”, “we’ll plan (only) for the worst case”. Ask yourself, will the plan be followed or will it simply be discarded in an incident?
  • Too Heavy: If you over-work your plan, include too much, or prioritise the wrong things, your BCP’s utility and value may be reduced. Symptoms include thick documents, dense text, excessive or incident-level scenarios, unnecessary detail, stating the obvious, repetition, and padding. Examples include inserting training or policy material at the front of the BCP, writing text descriptions in place of checklists or graphics, detailed BIA findings, embedding SOP extracts that exist elsewhere. Again, will the plan be followed or discarded in an incident?
  • Just Right: The perfect BCP will be unique for your organisation but may still be characteristic for your industry. It means that a proven same-sector plan can be a good place to start, and that most office/SaaS-based businesses will be able to adopt strategies similar to those of organisation A. The same applies for organisation B, and similarly again for other sector businesses with characteristic operation. In each case, maximum BCP value is achieved by following plan design rules, focusing on strategy, and scaling detail so it reflects need.

Why all parts of the business should be interested in BCP

Risk and Insurance 

Insurance doesn’t cover all aspects of Business Continuity risk, since it can’t reasonably prevent brand or customer erosion if you respond inappropriately or too slowly. Because of this, many policies now expect you to have a tested BCP that documents your capability. 

Marketing and PR

What you communicate in a major incident defines how you are judged by your customers, competitors, investors, suppliers and employees. Their confidence in your planned recovery can determine whether you will succeed, so what you say and do matters. BCP supports this. 

Finance

Major disruption reduces income, starving the business of liquidity over a period of time, causing it to fail. Insurance policies oblige you to minimise insurable losses too. Business Continuity Planning focuses on this, establishing what must be done and by when to recover revenues before this point is reached.

HR

In a major business incident protecting people is our number one priority, but somehow alongside this we must also prioritise the needs of the business and its customers. Business Continuity Planning coordinates emergency response with crisis management and business recovery.

IT

IT delivers vital services but how it does this is rarely understood by the business. In a major disruption, every department will tolerate loss of IT for a characteristic time before it becomes unbearable, and this shapes what IT must deliver and at what cost. BCP sets acceptable recovery times for IT services.

Procurement

Organisations rely on their supply chain and inherit its risk. It helps to know which suppliers are business-critical and how your response to major disruption dovetails with theirs. Business Continuity Planning takes account of supply chain dependencies.

Operations

Rebuilding production following disruption can be complex and, when carried out under extreme pressure, invites catastrophic error. Business Continuity Plans formalise the response to different sources of disruption, ensuring they are thought-through and viable.

Governance

Investors are more likely to entrust their money to an organisation that takes governance seriously, managing all exposures against their risk appetite. Every organisation faces extreme events and Business Continuity Planning helps mitigate this class of risk.

Health, Safety and Environment

Most regulatory bodies require their subject organisations to own and test Business Continuity Plans. Many formal standards also include risk and continuity management as part of their implementation framework and certification requirements.

Facilities

Many major incidents involve damage or destruction of infrastructure and having available alternatives underpins every other aspect of recovery. Consequently, facilities managers should have Business Continuity Planning as part of their remit.

Sales and Customer Service

People think twice before buying any product from a failing organisation. Business Continuity Planning delivers powerful messages to customers, reassuring them that they will never be left uncertain or under-supplied if the business suffers disruption. 

Using a BCP consultant: how to choose one and what it should cost

Understandably, most organisations don’t know exactly what they need or what to expect from a BCP consultant — and why would they? It’s a specialist area that rarely sits front and centre until it has to. That makes getting the scope right all the more important: it’s easy to arrive at something that looks credible on paper but doesn’t match your risk profile or operational needs. And when it comes to cost, again, there’s no simple answer. But in practice, what you need delivered is usually determined by three things: proportionality, scope and risk.

We’ve delivered professionally developed plans for small businesses from around £3,000. We’ve also produced solid, organisation-wide continuity strategies for 10,000+ staff global firms for under £10,000. Conversely, we’ve built in-depth, tailored programmes for 100-person businesses that have cost considerably more. Complexity, not size, tends to be the real driver.

When evaluating proposals, consider the following:

    1. Ensure the consultants are subject matter experts
      Many firms offer BCM as an add-on without the depth of experience required. Be cautious — generic risk or management consultants may not have the expertise to deliver meaningful continuity planning for your organisation.
    2. Look for relevant experience
      Continuity planning in a 5,000-person bank isn’t the same as for a 50-person food manufacturer. Make sure your provider understands your operating context. Time spent learning dilutes what they can deliver.
    3. Be mindful when engaging larger consultancies
      Larger consulting firms can offer broad credentials, but it’s worth considering how your project will actually be delivered. Often, the day-to-day work is carried out by junior team members, with limited hands-on involvement by senior consultants. There’s also a tendency to apply enterprise-sized models that may be out of step with the scale or needs of your business. If you’re looking for a proportionate, pragmatic solution — rather than an overengineered best-practice programme — working with a specialist provider might prove more effective and cost-efficient.
    4. Complexity drives cost
      More sites, varied operations, critical systems or a complex IT stack will each increase delivery time — and cost.
    5. A narrow scope reduces cost
      If your BCP is for a specific purpose (like meeting insurance requirements for a single site), it may be faster and cheaper to deliver than an organisation-wide plan.
    6. Not all quotes are equal
      Lower prices usually mean a slimmer scope. Always check what's included — workshops, documentation, testing, and handover should be clearly itemised.
    7. Beware of bloated BIAs
      Department-level business impact analyses can inflate timelines and costs. In most cases, a value-stream-led approach is leaner and more effective.
    8. Alignment with standards adds cost
      ISO alignment can significantly increase costs — often without proportional benefit, unless formal certification is required.
    9. Set aside budget for ongoing activity
      A BCP isn’t one-and-done. It needs regular review, testing and exercises. A sensible rule of thumb: if your initial BCP cost £10k, expect to spend a similar amount annually (or a bit less) to keep it alive and relevant.

The takeaway? There’s no one-size-fits-all price — and nor should there be. The best value comes from a plan that satisfies the Goldilocks principle; it should be proportionate, focused, and just right for your organisation — not one that’s oversized or undercooked.

Common misconceptions 

"We don’t need one - we’re prepared and will cope" 

In a catastrophe you have a finite time available in which to recover, using only what is to hand. If you miss the deadline, your organisation faces a possibly irrecoverable situation, haemorrhaging money and reputation beyond the point of no return. Planning buys time, prepares and co-ordinates resources in the best possible way. It allows forethought, refinement and practice, making the deadline more concrete, and it documents the steps to recovery. 

"We don’t have the time nor money to develop a plan" 

We get it. BCP is off the radar for many small firms. However, most are relatively uncomplicated so it isn’t so hard to write a plan, and any investment of time, effort and money should be correspondingly small. Set this against the blood, sweat and tears invested in creating and nurturing your business, and why would you not take this last common-sense step to help protect what you built? If the business is multi-faceted with complex processes and supply chains, then recovering it following a disruption probably needs a BCP. 

"We have insurance to cover our losses" 

Insurance provides you with cash compensation. However, it won’t reconstruct operations or hold onto your customers and reputation - you must do this yourself. You need to create belief in your ability to deliver before they turn to competitors and are potentially lost forever. Smaller firms may be able to do this reactively, but common sense suggests that most chaotic situations do not run smoothly - unless you planned for them.
