A Business Continuity Plan (BCP) is a formal, written framework that identifies an organization's essential operations, the threats that could interrupt them, and the steps required to keep those operations running—or restore them quickly—when disruption occurs. Disruptions in scope typically include natural disasters, cyber incidents, pandemics, supply-chain failures, civil unrest, and loss of key personnel or facilities.
A standard BCP is built on several components:
- A Business Impact Analysis (BIA) that ranks processes by criticality and sets a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each.
- A risk assessment identifying plausible threats and vulnerabilities.
- Recovery strategies covering alternate sites, remote work, backup systems, and manual workarounds.
- Roles and responsibilities, including a crisis management team and succession lines.
- Communication protocols for staff, regulators, customers, and media.
- Testing, exercises, and maintenance to keep the plan current.
For research analysts and policy professionals, BCPs are relevant in several ways. Think tanks and NGOs maintain them to protect data, donor relationships, and field operations. Governments require them from regulated sectors: financial firms in the EU fall under the Digital Operational Resilience Act (DORA), which entered into application on 17 January 2025, while critical infrastructure operators are addressed under the NIS2 Directive. In the United States, the FFIEC and FINRA Rule 4370 mandate continuity planning for financial institutions. International standard ISO 22301 provides the most widely cited framework for Business Continuity Management Systems.
A BCP is distinct from, but often paired with, a Disaster Recovery Plan (which focuses narrowly on IT restoration) and an Incident Response Plan (which handles the immediate containment of a security event). Together they form the operational backbone of organizational resilience, and increasingly feature in due-diligence questionnaires, procurement screening, and sovereign risk assessments.
Example
In March 2020, HSBC activated its Business Continuity Plan to shift roughly 70% of its global workforce to remote operations within weeks of the WHO declaring COVID-19 a pandemic.
Frequently asked questions
A BCP covers the full continuity of business functions—people, processes, facilities, and communications—while a Disaster Recovery Plan focuses specifically on restoring IT systems and data after an outage.
Keep learning