How to Write a Business Continuity Plan (BCP)
Many businesses know they “should” have a Business Continuity Plan (BCP), but very few are confident theirs would actually stand up to scrutiny — whether from customers, insurers, or auditors.
This guide explains how to write a pragmatic, proportionate Business Continuity Plan, without jargon or unnecessary complexity.
What Is a Business Continuity Plan?
A Business Continuity Plan documents how your business will continue to operate during and after a major disruption.
Disruptions might include:
Loss of premises
IT outages or cyber incidents
Key supplier failure
Loss of critical staff
Severe weather or utilities failure
A BCP is not just a document — it is evidence that your business has thought through how it would respond under pressure.
When Does a Business Actually Need a BCP?
Most organisations don’t need a BCP until one of the following happens:
A key customer asks for one during due diligence
An insurer requests evidence of resilience
You begin working in a regulated or high-risk supply chain
You experience a near-miss incident and Management were scrambling to try and find out critical information
At that point, rushing together a document usually creates more risk than reassurance.
Step 1: Define the Scope and Objectives
Start by being clear about what the BCP is for.
For most organisations, the objective is:
To protect staff
To continue delivering critical products or services
To meet contractual and customer expectations
To recover within an acceptable timeframe
Keep the scope proportionate. I am a big believer in simplicity - a 30-person business does not need a 200-page plan.
Step 2: Assign Roles and Responsibilities
A BCP without ownership is just paperwork.
Clearly define:
Incident lead
Deputies
Escalation routes
External contacts
This reassures third parties that the plan is actionable.
Step 3: Identify Critical Risks and Scenarios
Focus on realistic threats, not edge cases.
Common scenarios include:
IT system outage
Loss of internet or power
Cyber incident
Staff unavailability
Premises inaccessible
You are not predicting the future — you are showing you have considered credible disruption. These are your critical risks, and along with the critical activities, will form the skeleton that the rest of the BCP will be built around.
Step 4: Identify Your Critical Activities
You cannot protect everything equally.
Ask yourself and your team:
What activities must continue to avoid serious harm?
What would stop us trading within 24–72 hours?
What would damage customer confidence if disrupted?
These are your critical activities, the ones that if not operating, your business grinds to a halt.
Step 5: Conduct a Simple Business Impact Assessment (BIA)
A Business Impact Assessment doesn’t need to be complex.
For each critical activity, document:
Maximum tolerable disruption
Key dependencies (people, IT, suppliers, premises)
Likely impacts of failure (financial, operational, reputational)
This step demonstrates to auditors and customers that your plan is risk-based, not generic.
Step 6: Identify Key Risks and Scenarios
Focus on realistic threats, not edge cases.
Common scenarios include:
IT system outage
Loss of internet or power
Cyber incident
Staff unavailability
Premises inaccessible
You are not predicting the future — you are showing you have considered credible disruption.
Step 7: Define Response and Recovery Actions
This is where many BCPs fall down.
Your plan should clearly state:
Who makes decisions during an incident
How staff are contacted
Immediate actions to stabilise the situation
How critical activities are recovered
Alternative working arrangements
If someone unfamiliar with the business picked up the plan, they should understand what happens first.
Step 8: Include IT and Data Recovery
Even non-technical businesses depend on IT.
Document:
Critical systems
Backup arrangements
Recovery time expectations
Third-party support arrangements and contacts
This does not need to be technical — it needs to be understandable.
Step 9: Key Contacts
Your organisation depends on it’s people. Without them, you can’t open your doors.
Include:
Crisis Management Team phone numbers
Other internal contacts, facilities, health and safety, receptionist, anyone else you would turn to or need to contact should the worst happen.
External contacts: I have ran BCP scenarios where the team are scrambling to find out who supplies their electric. Include utilities, security, landlord, council, key third party suppliers, key customers etc.
Step 10: Testing and Maintenance
A BCP is not “done” once written.
At a minimum:
Review annually
Update after major changes
Run a simple tabletop exercise
Even a short discussion counts as evidence of testing.
Common Mistakes Organisations Make
Copying enterprise-level templates
Over-engineering scenarios, or not testing it at all
Treating the BCP as a compliance exercise
Writing the plan alone without involving operations or IT
Forgetting to maintain it
Not having copies of their BCP printed and easily accessible. As we rely more and more on IT solutions, are you able to find key contact details should you lose access to your systems?
A shorter, well-thought-through plan is far better than a long one nobody understands.
Final Thoughts
A good Business Continuity Plan is:
Proportionate
Practical
Risk-based
Easy to understand under pressure
It should provide confidence, not complexity. It can also be a really strong selling point for customers and other stakeholders, allowing you to demonstrate your resilience in the face of a crisis whilst your competitors flap.
If you are writing your first BCP, using a structured, focused template can significantly reduce the time required while ensuring you cover what customers and auditors expect.
If you’d like to shortcut the process, I’ve created a comprehensive yet pragmatic Business Continuity Plan template specifically designed to be used by a range of different organisations, including businesses and charities, intended to be completed in a few hours rather than weeks.