Introduction
This guide provides risk and compliance teams with recommendations on what to include in a business continuity plan (BCP) in order to achieve the following:
- continuation of business processes and operations in the event of a major (unplanned) incident or disruptive event;
- recovery of business processes and operations following an incident or disruption; and
- contractual provisions related to the BCP.
This guide covers:
- What is a BCP?
- Conducting a business impact assessment
- Drafting a BCP
- Reviewing a BCP (including a checklist)
- Governance
- Business continuity in a pandemic
- BCP contractual clauses
This guide can be used in conjunction with the following How-to guides: How to reduce the risk of a GDPR data breach, How to ensure compliance with the GDPR, How to deal with a GDPR data breach, How to create a supplier code of conduct, How to assess suppliers for modern slavery risk and How to manage the risk of contracting with a company in financial difficulty; and with the following Checklists: GDPR compliance self-assessment audit, Lawful processing of personal data under the GDPR, What to consider when reviewing terms and conditions for the purchase of goods and services (buyer’s perspective) – B2B and Supplier contracts and unforeseen events.
Increased awareness of the consequences that companies face due to potential business interruptions has resulted in a greater focus on the importance of operational resilience, and greater regulatory oversight. Whilst it is not possible to predict with accuracy the nature and extent of all unforeseen events, those businesses that have implemented a BCP will be far better prepared to cope with such events than those who have not implemented a BCP.
BCPs are usually managed by the risk management function of your organisation, or by the IT department (particularly as many BCPs are now heavily focused on systems and technology), but they are likely to become increasingly prevalent in the more complex contracts that are dealt with on a day-to-day basis. Increasingly, businesses rely on operational resilience and seek support from their suppliers to ensure they are adequately prepared for future unforeseen events.
Section 1 – What is a BCP?
The purpose of a BCP is to set out the procedures to be followed to allow business operations to continue as far as possible in the event of a major incident or disruption that affects an organisation’s ability to function or perform.
A BCP seeks to preserve:
- business assets in the event of a business interruption;
- the business’s ability to maintain core business processes;
- operational capability;
- brand and reputation;
- customer loyalty; and
- profitability.
In general terms, a BCP is likely to be invoked when day-to-day business operations are interrupted for a day or more (maybe even weeks, depending on the nature of the business), rather than minutes or hours. While each BCP will be unique to the relevant organisation, there is external guidance available as to how to develop a comprehensive BCP, details of which are set out below. For a large organisation, a BCP will be an incredibly complex document with multiple interfaces with the various functions of the business, such as security, IT, facilities management, corporate affairs, HR, supply chain, audit, finance and legal. There may be a need to seek expert external advice to confirm its appropriateness.
The Business Continuity Institute provides guidelines and certification to its members. For global organisations, a business may choose to follow internationally recognised guidelines or to obtain internationally recognised certification.
The recognised international standard accreditation for business continuity management is ISO 22301. It is a management system that is designed to help your business protect itself from potential disruption. This may be caused by extreme weather, natural disaster, pandemic events, IT outages, cyberattacks and terrorist or other criminal activity. Some organisations choose to adopt this standard for their business continuity management to demonstrate to third parties that they have adequate business continuity arrangements in place. Investing in ISO 22301 accreditation demonstrates to other businesses, such as customers, regulators and industry bodies, that the organisation commits and conforms to certain standards in its operations in terms of business continuity planning. This may be of particular benefit if an organisation regularly participates in competitive tendering processes. In the absence of accreditation, a company might be required to take additional lengthy and time-consuming steps to provide alternative documentation to demonstrate the strength of the business continuity measures it has in place.
Maintenance of up-to-date BCPs, and ongoing testing of the BCPs, in supporting key business operations is key. This ensures a successful business continuity management system reflective of the current risks faced by the business and any changes that may have been made by law or otherwise which are relevant to the industry in which the business operates. Failure by an organisation to manage its ability to continue its operations could result in litigation (for example, for breach of contract) or the imposition of fines, if an organisation is found to be in breach of statutory requirements, such as data protection legislation. For further guidance see How-to guide: How to reduce the risk of a GDPR data breach (UK).
The ICO has guidance on business continuity management but has said that this guidance is under review and may be subject to change following the coming into force on 19 June 2025 of the Data (Use and Access) Act 2025 (‘Data Act’). Businesses are advised to monitor any updates issued by the ICO. Whilst the guidance itself may not necessarily be legally binding, it is likely to be the minimum standard required of businesses.
Section 2 – Conducting a business impact assessment
The first step towards drafting a BCP is to conduct a business impact assessment detailing possible threats or risks to an organisation. To do this, first identify the key assets and infrastructure that are essential to the business operations and the parties that could be affected in the event of disruption to the business. For a business impact assessment to be accurate, engage with relevant stakeholders throughout the organisation. This enables a more comprehensive understanding of the systems and processes that are currently in place. It also enables the identification of gaps and areas of vulnerability in the event of an unforeseen disruption or attack. As part of this process, ascertain from stakeholders what business continuity measures are already in place and what newly identified scenarios might require a BCP to be put in place (for example, new products/services, new technologies, new categories of customer).
To carry out a business impact assessment, identify:
- the full range of the organisation’s services, products and other customer offerings;
- details of the organisation’s supply chain arrangements;
- relationships with customers and other interested parties, such as shareholders, regulators, industry bodies; and
- the potential impact of a disruption to the organisation’s services.
The next step is to identify the essential operations within the organisation that are absolutely necessary to continue in the event of a major incident or disruption. This includes an assessment of whether it is possible to put back-up systems in place. Examples might include back-up servers or data storage systems if the organisation were to become the victim of a cyberattack, or manual workaround procedures in the event that, for whatever reason, its IT systems fail.
The above steps will direct the focus of the BCP and the actions required for the business to maintain operations or to promptly recover from an incident. To implement the plan, incident management processes and an incident management team will need to be put in place. Also identify any dependencies the business may have on third parties to implement its BCP, and ensure their availability to support any required actions (and alternative sources as back up in the event those third parties also suffer from the incident).
Section 3 – Drafting a BCP
3.1 Scope and objectives
Explain the scope and objectives of the plan and set out details of the systems required to be able to continue to perform the services or to continue operations. Consider the potential risks to the organisation should those systems fail due to an unforeseen event.
3.2 Certification and standards
If the plan has been prepared in accordance with recognised industry standards or has been certified by an external body, include details of such standards or accreditations. Ensure the plan supports any necessary requirements.
3.3 Incident management
Set out the underlying principles to the BCP and include details of the incident management process. These may include:
- a definition of what constitutes an “incident” for the purposes of the BCP;
- details of how incidents are detected, recorded and notified to the relevant personnel;
- a process of classification and prioritisation of incidents based on impact and urgency;
- how initial incident support is accessed and provided;
- a process for investigation of incidents;
- a process for resolution and recovery of operations in line with any acceptable performance levels; and
- a procedure for closure of an incident and associated incident reporting.
3.4 Implementation
Set out clear guidelines on when the plan should be invoked and the priority for recovery of systems where more than one is affected.
Whilst it is impossible to predict the nature and scale of all possible business interruptions, the BCP should be clear in how each type of incident will be managed. This will be dependent on which system is interrupted, with the potential effects of the incident driving the actions within the BCP. This approach will allow the business to manage events that may not have previously been experienced by it.
3.5 Unforeseeable risks and events
It is advisable to put in place sub-processes to manage specific categories of catastrophic events. This will ensure that a business can identify the scale of the interruption, analyse the specific risks to the organisation and provide for any additional or specific measures needed. It will also allow for continuity in the event of a disruption—whether that be a terrorist attack, a natural disaster, a pandemic, a cyberattack or other potentially catastrophic event.
For example, the BCP should specifically address the process to be followed where a cyberattack or other incident involves a breach of personal data, and include details of any back-up storage facilities for data and any additional notification requirements needed within the organisation’s communications strategy, both for internal and external communications. See How-to guide: How to reduce the risk of a GDPR data breach (UK).
Likewise, if the incident involves a breach of security, it is likely that the information security/IT department will need to be alerted immediately, and that the incident will need to be managed in a specific way in accordance with the organisation’s security policy.
Businesses are also advised to consider if there is a force majeure clause in the relevant agreement. On the occurrence of a force majeure event, the affected party is often temporarily relieved of fulfilling its contractual obligations for a specified period while the event is still occurring. However, being able to call on a BCP might help to minimise or avoid the impact of the event, as there may be steps the affected party can take that are specifically set out in the BCP to cater for certain types of event. It is therefore advisable to check both that there is a BCP in place and also the potential effect of the BCP if a force majeure event occurs.
3.6 Response team
Include the contact details of the response team. Also indicate the different roles and responsibilities of both the organisation and of any relevant third parties in relation to the implementation of the BCP, as well as in respect of the recovery of any systems and services.
3.7 Relocation to alternative sites
Provide details of the alternative work area or recovery location for the recovery of services, where relevant. Also identify any actions needed to implement temporary work arrangements and the time frames for completion.
Include any information needed to support required actions, such as the contact details of insurers, professional advisors (such as lawyers, accountants, auditors) or third parties, including suppliers.
3.8 Communications strategy
Set out details of the organisation’s communications strategy, covering both internal and external communications. This will need a structured approach to communicating with interested parties within the organisation, as well as with customers, third parties and appropriate regulatory bodies or authorities, where necessary. For example, if the incident has caused damage to the environment or injury to persons, or has affected a significant number of customers, the organisation may wish to issue a press release or statement to manage any reputational damage as part of its incident management response, as well as ensure employees are informed of the corporate strategy and how they should respond to any external parties about the incident.
3.9 Recovery and incident review
Provide a checklist for recovery and post-incident review that sets out the process for reporting on the incident and recovery of services, as well as any issues identified as a result of any incident and lessons learned, and any aspects that need to be improved or changed to avoid the risk of the same or a similar incident recurring.
3.10 Testing the BCP
Make provision for the BCP to be tested on a regular basis using different scenarios. Specify the aims and objectives of each test exercise, ensuring they represent real-life incidents, involving third parties where appropriate. Testing different scenarios over time will allow the business to validate all aspects of the BCP.
Ensure the test exercises accurately represent what would happen during a real incident, as far as possible, balancing the need to minimise disruption to the business operations.
Ensure a comprehensive post-exercise report is completed, with recommended actions that are followed up promptly following the report. Review the BCP based on the report’s findings to promote continuous improvement. Ensure any feedback is used to improve the content of the BCP.
3.11 Review and update of the BCP
Determine who is responsible for reviewing and updating the BCP, and the frequency of such reviews. This ensures the content of the BCP remains accurate and compliant with the organisation’s business continuity policy. An organisation may choose to conduct random internal audits of the BCP to verify such compliance, or alternatively it may seek guidance and advice from an experienced third party. Customers may sometimes require that the BCP is tested by an independent third party to ensure its robustness.
Include procedures for measuring the extent to which the objectives of the BCP are being met. Monitor compliance with any relevant standards in addition to the organisation’s business continuity objectives. It is sensible to include a process for monitoring historical evidence of non-compliance with the BCP: false alarms, as well as actual incidents. Consider the appropriate process for sharing this information in the context of business continuity management within the organisation, to ensure it forms part of any high-level management review of the adequacy of the BCP and ongoing resilience following business interruptions.
Include a process for updating the BCP following review and identification of required changes. Detail where and how the BCP is stored and a process for documenting version control.
Section 4 – Reviewing a BCP (including a checklist)
The following is a simple checklist for reviewing a draft BCP. This is designed to be used to review a BCP prepared by someone else within the organisation but could equally be used to review a BCP submitted by a supplier pursuant to a contractual requirement, or as part of a tender response.
| No. | Item |
|-----|------|
| 1 | Consider whether the objectives of the plan are up to date and aligned to any business continuity policy |
| 2 | Assess whether the procedures and arrangements described in the plan are sufficiently clear |
| 3 | Consider the feasibility of any alternative processes or workarounds that are proposed for adoption if operations are disrupted |
| 4 | Consider whether any time frames for actions within the plan are realistic |
| 5 | Verify the accuracy of supporting information |
| 6 | Check whether any contact details for personnel need updating |
| 7 | Identify any requirements for updates to account for changes to business operations and dependencies or changes in communication strategy |
| 8 | Check whether any updates to the BCP (and operations) are required following the last test or review |
Section 5 – Governance
Establish a governance framework to ensure the BCP is tested and reviewed on a regular basis. This should include a business continuity policy that is approved by the board of directors. It should set out objectives, targets, controls, processes and procedures relevant to business continuity planning.
Maintain an up-to-date risk matrix with input from across the organisation to ensure risks to the business are captured and covered within the BCP. ISO 31000 provides guidance on risk management, and software tools are available to assist larger organisations in managing their risk data.
Where possible, assemble a multi-disciplinary team to be responsible for and manage business continuity planning for the organisation. This will most likely include representatives from the various departments throughout the business, such as risk management, operations, supply chain, security, audit, IT, facilities management and HR. From time to time, input may be needed from other areas of the business, such as the data protection team, to ensure contact information or other details remain up to date.
Verify the effectiveness of the BCP against the objectives set out in the business continuity policy and consider training and education requirements throughout the business to ensure risks are identified and incidents are managed effectively. These should include regular incident management meetings and exercises to test the effectiveness of the BCP.
Ensure key suppliers maintain their own BCPs which support the organisation’s business continuity planning needs by including relevant provisions in key supplier contracts that require engagement from the supplier in business continuity planning. Such requirements might include an obligation to implement a plan in accordance with specific criteria or recognised industry standards, and audit rights to ensure the supplier complies with its obligations. This may also require the supplier to take part in any exercises in support of the testing of an organisation’s BCP.
Where an organisation is required to have a BCP in place in support of services supplied to customers, ensure the BCP is reviewed on a regular basis so that the organisation can practically implement the actions required by the BCP, when needed.
Section 6 – Business continuity in a pandemic
The following is a simple checklist for assisting with business continuity in a pandemic.
| No. | Item |
|-----|------|
| 1 | Appoint a pandemic team (including a senior executive and a deputy). The pandemic team is to assess the high-level impact on the business, prioritise activities accordingly and agree the strategic priorities for the business |
| 2 | Establish authorities and procedures to implement the BCP |
| 3 | Ensure availability of up-to-date information regarding the pandemic |
| 4 | Consider the impact of the pandemic on the business and its market and its customers’ needs |
| 5 | Consider the impact of disruption to supply chains and consult with suppliers on measures they are taking, and on potential disruptions they may face |
| 6 | If relevant, consider the impact of not having access to business-related travel and prepare policies for foreign travel during a pandemic event |
| 7 | Review insurance policies |
| 8 | Identify critical business activities and key employees to maintain them |
| 9 | Plan for the possibility of changes to the organisation’s services/products as a result of the pandemic and consider any possible financial implications |
| 10 | Consult with employees/workers/workers’ representatives as appropriate |
| 11 | Consider the impact of possible employee absences, identify alternative resources/labour as appropriate and provide training. If appropriate, consider and plan for the needs of staff overseas |
| 12 | Plan for increased demand for health benefits and prepare policies for sick leave and compassionate leave during a pandemic |
| 13 | Consider the potential for remote working and communicate regularly with staff regarding the pandemic in accordance with national recommendations |
| 14 | Prepare and adhere to appropriate policies on hygiene for employees and visitors to the business premises |
| 15 | Prepare appropriate policies to advise infected employees as per national recommendations |
| 16 | Determine if legal professional privilege needs to be considered when implementing the plan |
Depending on the size of an organisation, a pandemic team will typically include senior executives such as the Chief Operations Officer (COO), the Chief Finance Officer (CFO) and the Chief Executive Officer (CEO). This will normally form the team responsible for defining responsibilities and for any budget related to dealing with the effect of the pandemic on business operations.
An organisation should consider the priority list of functions and give further detailed consideration to the actions that will be taken. Review the key elements of the business that are needed to continue trading while considering the impact to those functions that a business interruption might have.
As part of its overall pandemic management strategy, an organisation should look at specific actions to take and considerations in keeping the business going as far as reasonably possible and to the best of its abilities, considering all the circumstances and the steps it would be reasonable to expect for a business to take.
Section 7 – BCP contractual clauses
Whilst the BCP itself is not typically intended to be a legally binding document capable of being enforced by customers or other parties, customers are increasingly seeking to include binding obligations in commercial agreements so that the relevant supplier provides certain contractual commitments in respect of the BCP. Increasing regulatory oversight in certain industries also requires that customers ensure they have such provisions in place to ensure continuity of service to the customer’s own customers.
BCP clauses in a commercial agreement frequently include the following obligations on the supplier:
- to either have in place or to establish a robust BCP to ensure product/service continuity;
- to regularly review and update its BCP to take into account any lessons learned from actual incidents and/or as a result of legal/regulatory/industry updates;
- to test its BCP on a reasonably regular basis (typically every 12 months) to ensure it is current and effectively addresses all key risks, and to provide the results of the test to the customer for review/discussion; and
- to take into account any of the customer’s requirements for the BCP to be updated/amended to reflect changes in the customer’s own processes/policies/controls.
From the supplier’s perspective, it will usually want to: (a) limit/reduce (as far as possible) any ability for the customer to dictate the terms of the supplier’s BCP as well as how it implements its BCP (and any remedial actions identified as a result of any testing); (b) limit the test results it discloses to the customer just to those results relevant to the customer (and not, in the case of a large multinational organisation for example, the supplier’s entire organisation); and (c) have complete discretion as to whether it is itself conducting the testing or who it uses to conduct the testing (if engaging a third party to test).
Additional resources
Business continuity and risk management resources:
BSI ISO 22301 Business Continuity Management
Business Continuity Institute
ISO 31000 Risk Management
Data (Use and Access) Act 2025
ICO Business Continuity Management guidance
HM Government Business Continuity Management Toolkit