Business continuity plan (BCP): how to build it, structure, template

What a BCP is, in plain language

A Business Continuity Plan (BCP) is a document that answers "what we do if a key process stops": who is responsible for what, in what order they act, and within what time they restore operations. A good BCP is not hundreds of pages but a set of short step-by-step scenarios, 2–3 pages each.

The BCP is part of the wider continuity management system (BCM). It builds on the business impact analysis (BIA) and follows the logic of the ISO 22301 standard.

What a working BCP contains

Critical processes and recovery priorities — what we bring back first (from the BIA).
Targets: RTO (maximum acceptable downtime) and RPO (acceptable data loss) for each process.
Scenarios — a separate instruction for each type of failure (cyberattack, IT outage, loss of office, loss of supplier, loss of a key person).
Roles and contacts — who decides, who is notified, phone numbers and backup communication channels.
Backup resources — alternative sites, suppliers, equipment, data.
Communications plan — what and how we tell customers, partners and staff.

How to build a BCP in 7 steps

Identify critical processes. What the business cannot run a single day without.
Run a BIA. Estimate each process's downtime cost and set RTO/RPO.
Find risk concentration points. A single server, supplier, person or channel.
Describe recovery scenarios. Step by step, in plain language, one per threat.
Assign roles and backups. Who does what; how to replace the missing link.
Run drills. Only practice shows the plan works.
Maintain the plan. Review it as the company and market change.

Why it matters in money: per ITIC (2024), for 90%+ of mid-sized and large companies an hour of downtime costs over 300,000 USD. A prepared BCP cuts downtime from weeks to days — that difference is the economic point of the plan.

Common mistakes

The plan is written "for show" and never tested — it fails in a crisis.
Too bulky a document that nobody opens.
No owners or contacts — unclear who decides.
The plan is not updated — a year on, the business and the risks have changed.

See how resilient your business really is

13 questions, 5 minutes, free — results on screen and by email.

Take the free assessment → Book a review · 4,900 ₽ BCM turnkey →

FAQ

How is a BCP different from a disaster recovery plan (DRP)?

A BCP is about the whole business (processes, people, suppliers, communications). A DRP is about restoring IT systems and data. The DRP is usually part of the BCP as its IT component.

How many pages should a BCP be?

A working plan is short scenarios of 2–3 pages per threat, plus contacts and priorities. What matters is not length but that the team can act on it without hesitation.

Where do I start building the plan?

With a business impact analysis (BIA): identify critical processes and their downtime cost. You can start with the free resilience assessment on this site.

Evgeny Telenkov

Chief Risk Officer · PhD in Economics · "Best Risk Manager of Russia 2020"

20 years in risk management. Led risk management at Beeline, Nornickel, Rosneft and EY. Built business continuity plans for Nornickel, Rostec, NSD and DIA. Trained 300+ risk and BCM specialists.

More about the approach and expert →

Business continuity plan (BCP): how to build it in 7 steps

What a BCP is, in plain language

What a working BCP contains

How to build a BCP in 7 steps

Common mistakes

See how resilient your business really is

FAQ

How is a BCP different from a disaster recovery plan (DRP)?

How many pages should a BCP be?

Where do I start building the plan?