Question: Are Business Continuity Plans (BCPs) developed and maintained for all critical functions?
Why This Matters
BCPs translate strategies into execution steps during disruption. They reduce confusion and enable rapid recovery.
Maturity
No formal BCPs.
Plans exist for a few departments.
Standard template and owner assigned per plan.
Plans updated annually and tested.
Plans linked to BIA, IT DR, and communications.
Dynamic plans with workflow automation and real-time updates.
How to Level Up
| From → To | Actions | |—|—| | 0 → 1 |Identify departments with no BCP. | | 1 → 2 |Provide template and assign plan owners. | | 2 → 3 |Test plans annually and record results. | | 3 → 4 |Integrate plans with other resilience functions. | | 4 → 5 |Enable real-time workflow updates. |
Enablers
- People: Plan Owners, BCM Manager
- Process: Develop → Test → Maintain
- Technology: Document portal, workflow engine
Evidence
- Approved BCPs
- Test records and review notes
- Change log
KPIs
- Number of plans tested annually
- Percentage updated within 12 months
- Average test score vs criteria
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes | |—|—|—| | Templates | Google Docs | Reusable structure | | Tracking | Airtable | Plan register | | Testing | Metabase | Score dashboard |
Common Pitfalls
- Plans never tested
- Unclear roles during crisis
- Documents stored inaccessible locations
Compliance Mapping
| Standard | Clauses / Notes | |—|—| | ISO 22301 | 8.4 (BCP development and implementation) | | ISO 27001 | A.5.30 | | NIST CSF 2.0 | RS.RP | | NIRMATA Mapping | BC-Q04 operationalizes continuity through maintained plans. |