ISO 22301 Business Continuity Simplified: Fortify Your Business Against Disruption

By Andy Marker | June 22, 2020 (updated September 15, 2022)

  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Link copied

In this article, you’ll find expert tips and implementation guides, and you'll learn how ISO 22301 can buffer your business against disasters. 

Included on this page, you’ll find an International Standards Organization (ISO) 22301 audit checklist template , a simplified ISO 22301 cheat-sheet , and an ISO 22301 self-assessment checklist , as well as examples of ISO 22301 in action and an ISO 22301 quick-start guide .

What Is ISO 22301?

ISO 22301 is a global standard for business continuity planning requirements to help organizations protect themselves against disruptions. The most current version is 22301:2019, Security and resilience - Business continuity management systems - Requirements.

The requirements in ISO 22301 address disruptive incidents that can be natural or human-made, widespread or local, intentional or unintentional, such as a snowstorm, a broken water main, an epidemic, a data breach, or a phishing attack. Large or small, for- and nonprofit organizations alike can use ISO 22301.

The Business Manager’s Quick-Start Guide to ISO 22301

The ISO 22301 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification, or the review process that confirms your business continuity system meets all ISO 22301 requirements. 

"Certification is nice, but not required,” says Mart Rovers of InterProm. “First, seek compliance. That way, you know that your business continuity management practices are in better shape." You can start to create a solid business continuity plan with just a few simple steps, which you can also download as this ISO 22301 Quick-Start Guide .

  • Check If You Already Have Continuity Plans: Find out if your organization already has business continuity plans. Search through your document management system and ask management or long-time employees. Organizations sometimes create and quickly forget about resources, or store responses locally in an informal system.  As Andrew Nichols of the Michigan Manufacturing Technology Center suggests, if your organization already implements other ISO standards, such as ISO 9001 or ISO 27000, you can leverage some of the common requirement elements for your 22301 plan.
  • Identify Missing Components: Conduct a gap analysis of existing policies and processes to see what business continuity resources you need. According to Mart Rovers, one way to conduct a self-assessment is to copy into a spreadsheet each phrase of the ISO 22301 standard that contains the word "shall." Then, determine gaps between your company and the standard. "Use the standard as your guide to establishing a coherent set of practices to address business continuity management for your organization," says Rovers. You can also use Smartsheet's ISO 22301 Self-Assessment Checklist and ISO 22301 Simplified Cheatsheet for your gap analysis.
  • Keep It Simple: Having binders full of perfectly formatted procedures won’t help in an emergency. Create easy-to-follow guidelines and checklists and, more importantly, build "muscle memory" in your employees through training and drills. That way, in a panic, people understand what to do without having to be told.
  • Make Your Plan a Living Document: Ticking off items on an audit checklist doesn't mean you’re prepared. Frequently read, revise, and practice your plan to keep it relevant and to train new staff.

Alex Fullick

  • Communicate Your Plan to Staff and Other Stakeholders: Even the most well-written plan is useless if the people who can benefit from it don't know about it. Inform everyone covered by the plan that it exists, including your supply chain and other outside stakeholders.

ISO 22301 Requirements

The ISO 22301 standard offers a framework for planning, testing, and monitoring a business continuity management system (BCMS). The ISO 22301 document contains 10 sections, which introduce the standard and definitions, as well as actionable requirements of the standard. 

As with other ISO requirement documents, ISO 22301 describes only what organizations must do to reach minimum proficiency — it does not prescribe how to achieve these standards. Each organization must consider its distinct conditions and obligations to find the best way to follow the requirements.

Here is an overview of the clauses in ISO 22301 that impact an organization most: 

  • Clause 4, Context: Your organization must understand what it is, what it does, and what outputs and processes it must sustain. You must also determine who has a stake in the continuity of your operations — in other words, the interested parties. For example, customers have a stake in your organization continuing to function.
  • Clause 5, Leadership: Few organizational initiatives thrive without the sustained support and championship of top management. Management must commit to a business continuity plan and make available any resources — human, financial, or otherwise — to ensure its success. 
  • Clause 6, Planning: To plan for sustainability, you must understand what disruptions could potentially occur and how these incidents affect the business — in other words, potential risks and their impact. Set measurable business continuity objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. 
  • Clause 7, Support: No program can advance without resources and support. Decide what personnel, roles, and teams you need for threat response and how you can best enhance their effectiveness. Create internal and external communication procedures for reference, and communicate the continuity plan to all necessary parties before and during a crisis. Establish a document management system for key continuity documents, such as procedures.
  • Clause 8, Operation: Conduct your risk assessment and business impact analysis , and plan your disruption recovery approach. Implement the recovery plan with detailed procedures, and test it regularly to verify that it works. Make sure people can find the procedures (and other documents) they need, and revise your plan as necessary.
  • Clause 9, Evaluation: Establish a process to regularly measure and assess your continuity policies and procedures and their execution. Review and revise your plan and documents to ensure they are effective and relevant
  • Clause 10, Improvement: Seek continual improvement in all functional and operational areas, including through periodic management reviews. Improvements in day-to-day activities help bolster the organization in times of disruption. When processes veer from the standard or fail to conform with ISO and quality management standards, implement corrective action.

Key Definitions Related to ISO 22301

Some of the following key terms and concepts originate with ISO, some with ISO 22301, and some with business continuity and risk management:

  • Context: The purpose and character of the organization and the environment in which it operates. This includes internal and external influences that shape the business continuity management system.
  • Disruptive Incident: A disruptive incident is an event that stops or slows the everyday work of an organization. Examples of disruptive incidents include earthquakes, internet stoppages, broken fans in a data center, or food poisoning in a cafeteria. 
  • Interested Parties: Interested parties are stakeholders in the successful operation and outcomes of your business continuity plan. They can include customers, employees, suppliers, or regulatory officials.
  • Leadership: In ISO 22301, leadership refers to top management or the person or people who run the organization and champion the business continuity effort. 
  • Maximum Acceptable Outage (MAO): The length of time an activity or process can be unavailable or ineffective before the health and survival of the organization are threatened. 
  • Minimum Business Continuity Objective (MBCO) : The lowest level of products or services that is acceptable for a business to offer during a disruption.
  • Recovery Timeframe Objectives (RTO): This refers to the prioritization of key activities and the timing that makes those activities operational.

Benefits of ISO 22301 and Business Continuity Management System

If teams are already overwhelmed with their workload, they may not like to think about disasters. Furthermore, organizations might think that ISO standards include difficult jargon and that pursuing a continuity plan adds unnecessary work. However, management systems practitioners suggest that continuity preparations produce substantial gains.

Andy Nichols

“I think it's a truism that many organizations can benefit from the principles and some of the practices of resiliency and contingency planning,” says Andrew Nichols, Quality Program Manager at the Michigan Manufacturing Technology Center .

As an example of the benefits that risk analysis and preparation can yield, Nichols relates his experience of visiting a small northeastern town during a widespread winter power outage. The whole town was closed, with the exception of one restaurant that had a generator. 

“They had a line of people out the door every mealtime because nowhere else was capable,” Nichols remembers. “Somebody had the foresight to think about the loss of power. And that organization cleaned up financially because they were able to provide what the customers needed.” 

Consider these specific benefits to using ISO 22301 business continuity planning:

  • Protect against and recover from disruptive incidents.
  • Identify and control current and future threats.
  • Improve your risk management planning efforts.
  • Prevent large-scale damage.
  • Become proactive in preventing problems and recovering from incidents, rather than reactive to damage and disruption.
  • Reduce downtime and increase recovery time.
  • Keep important activities running during disruption.
  • Deliver quality products consistently. 
  • Provide dependable service. 
  • Prove you’re a reputable supplier.
  • Prove your resilience to all stakeholders.

Experts also assert that ISO 22301 can be a simple and effective continuity tool. “All these ISO standards, they’re like hidden gems because of how fast they can get you up to speed without having to reinvent the wheel,” says Mart Rovers, President of IT consulting firm InterProm . 

Mart Rovers

“I cannot emphasize enough how within reach this standard is. Anytime people hear the word ‘ISO,’ they think, ‘Oh, that's for large organizations. Oh, that's way too formal. It's too much. It's overkill.’ I understand where this is coming from because the word ‘standard’ itself is scary for many organizations. However, the size of organization really doesn't matter. The things you should be doing in ISO 22301, you can do at a smaller scale,” says Rovers. 

Some also hesitate at the thought of certification. Both Nichols and Rovers stress that certification is not necessary for every enterprise. Although certification may be a condition of doing business for some companies, those who don’t need certification can still gain advantages from following ISO 22301. 

In weighing the pros and cons of ISO certification, Rovers suggests buying a copy of ISO 22301 , and then copying and pasting each sentence that contains the word “shall” into a spreadsheet (these sentences represent the requirements you must follow). From the spreadsheet, consider whether full ISO adoption and certification are too complicated for your organization. Regardless of your decision, you can always use the spreadsheet to conduct a self-audit.

ISO 22301 in Action

The following image provides a small sample of the possible outcomes to business continuity management.

How a Management System Helps Business Continuity

For those familiar with other ISO standards, the management system component of ISO 22301 might be a new concept. Rovers describes management systems as follows: 

“The best way to explain a management system is to imagine opening up an old watch. It has these spinning wheels, these gears. In the case of an ISO standard, you're looking at a number of requirements to put that watch together with all these spinning wheels. That watch is a coherent system. You take out one of those gears, and then the watch fails. 

“A management system for continuity follows the same idea — every requirement that the standard asks for represents one of those gears. And every requirement serves a distinct purpose (otherwise, it would not be a requirement). If you don't meet a particular requirement, the watch, so to speak, may not function as it could or should. These ISO requirements are not just there to keep you busy.”

ISO 22301 and PDCA

Each segment of the PDCA (plan-do-check-act) cycle for continuous improvement corresponds to at least one ISO 22301 clause. Organizations can use ISO 22301 to test continuity procedures, review outcomes, and implement updates or fix problems in a continuous cycle that leads to an increasingly resilient business continuity system.

PDCA for ISO 22301

ISO 22301 and Maturity Models

A maturity model measures an organization’s ability to pursue continuous improvement in key areas. ISO 22301 does not have a maturity model.

As Rovers explains, “It was never the intent of ISO 22301 to be a maturity model. You either meet all the requirements of the standard, or you don’t. You could say that by not meeting the requirements of the standard, you’re not mature. Or better said, your business continuity management practices are not mature.”

BCM Lifecycle ISO 22301

The business continuity management (BCM) lifecycle represents industry best practices and some of the core requirements of ISO 22301. These practices offer a solid foundation for resilience, while offering flexibility to adapt to changes in the organization. 

Guided by leadership, these are the key activities for the lifecycle:

  • Conduct a business impact analysis and risk assessment.
  • Establish a business continuity strategy.
  • Establish and implement business continuity procedures.
  • Exercise and test the procedures regularly before a disruption occurs.

BCM Lifecycle ISO 22301

ISO 22301 Audit Checklist Template (Excel)

ISO 22301 Audit Checklist Template

Use this detailed checklist to determine if your business continuity plan aligns with ISO 22301 standards. You can use the template whether you’re applying for certification or simply pursuing a continuity management plan. 

Download ISO 22301 Audit Checklist Template

Excel  | Smartsheet

ISO 22301 Self-Assessment Checklist

ISO 22301 Self-Assessment Checklist Template

This self-assessment checklist is divided into sections that correspond to clauses in ISO 22301. Use it to confirm whether your business continuity system meets the requirements for leadership, planning, support, operation, performance evaluation, and continual improvement.

Download ISO 22301 Self-Assessment Checklist Template

Excel | Word |  PDF

ISO 22301 Implementation Guide

ISO 22301 Implementation Guide Template

This guide states the essential information from ISO 22301 in plain English. For best results, read it with the full standard, which is currently available for free online to support the COVID-19 response. 

Download ISO 22301 Implementation Guide Template

Excel | Word | PDF

ISO 22301 Simplified Cheat-Sheet

ISO 22301 Simplified Cheatsheet Template

Use this simplified cheat-sheet to understand the basic elements of creating a business continuity plan. The template walks you through the process of determining critical aspects of your organization, writing the recovery plan, and exercising the plan to ensure proficiency. 

Download ISO 22301 Simplified Cheat-Sheet Template

ISO 22301 Business Continuity Policy Template

ISO 22301 Business Continuity Policy Template

A business continuity policy describes the processes and procedures an organization needs in order to function well daily, including in times of disruption and crisis. This policy template includes space for BCMS objectives, a leadership description, a policy outline, and any certification details.

Download ISO 22301 Business Continuity Policy Template

ISO 22301 Business Continuity Template

ISO 22301 Business Continuity Plan Template

Use this template to create a business continuity plan. Describe the results of your risk analysis and business impact analysis, detail your disaster recovery and continuity procedures, and list key contacts and important assets. 

Download ISO 22301 Business Continuity Template

Word |  PDF

ISO 22301 Business Continuity Sample

The Community Nonprofit Center of New York made available this business continuity template to support the response to coronavirus. Find space to detail responses to minimal and critical emergencies, a risk matrix template, and lists for information about insurance, critical assets, and responses to disruptive events.

For other most useful free, downloadable business continuity plan (BCP) templates please read our  "Free Business Continuity Plan Templates"  article.

Disaster Recovery Plan Templates

After you perform a risk analysis and business impact analysis, consider writing a disaster recovery plan. Disaster recovery plan templates , available in different formats, provide an easy-to-use structure for documenting continuity plans. Download templates specialized for IT, payroll, small businesses, and more.

To learn about the difference between recovery plans and continuity plans, visit our "Business Continuity and Disaster Recovery: Their Differences and How They Work Together" article.

ISO 22301 Versus ISO 27301

ISO 27301 provides requirements that organizations use to ensure their information and communications technology (ICT) continuity, security, and readiness to survive a disruption. The standard is often staged with ISO 22301 because both are based on similar management system approaches.

The full name of this standard is ISO 27301 - Information Technology - Security Techniques . Originally published in 2011, it is soon to be revised.

“Both [ISO 27301 and ISO 22301] ask for top management involvement and commitment, both ask that you have the right resources, that you have documentation management, that you do performance evaluations, and that you make improvements,” explains Rovers. 

They differ in the focus of the risk assessment: ISO 27001 addresses security, whereas ISO 22301 addresses business continuity. “Each area has different risks, but the approach to the risk management assessment and mitigation follows the same steps. There's enormous overlap.”

IT security continuity has significant relevance in the remote work environment. For example, while using your work laptop at home or signed into the work network, what happens when someone innocently plugs in a thumb drive that infects your laptop and corrupts the network? Both ISO 22301 and ISO 27001 work together to prevent such incidents and mitigate problems that occur.

For additional resources, visit " Free ISO 27001 Checklists and Templates ."

General Requirements Across Management System Standards

Some ISO requirements are commonly stated across the management system standards, which include ISO 22301; ISO 9001 , Quality Management; ISO 20000, IT Service Management; and ISO 27001, Information Security. Examples of common requirements include establishing objectives for the business continuity management system as appropriate to the organization, obtaining management’s commitment to supporting the system, implementing a documentation management system, conducting internal audits, and pursuing continual improvement. This functional overlap enables organizations to undertake combined audits for these standards.

Historical Foundations of ISO 22301

The concept of business continuity was borne out of the IT boom of the 1980s and 1990s. Public and private organizations realized the need to ensure continuity of service and key supplies and to mitigate the effects of disruptive events. The first formal standard reflecting these concerns was the United Kingdom’s British Standard (also known as BS) 25999, which introduced the management system concept to the business continuity discipline. 

In 2012, the global standards body ISO released ISO 22301:2012 as the first international standard for business continuity. Based on the contributions and comments of continuity professionals from assorted industries in over 60 countries, ISO 22301 superseded BS 25999. 

ISO’s consensus-based standards, such as 22301, cover practices and industries ranging from quality management, IT service, and food safety to environmental safety and information security. ISO standards aim to increase the quality and safety of many products and services, including most common household items, appliances, and cars. Although large enterprises and manufacturers usually follow ISO requirements and guidelines, organizations of all sizes and types can benefit from ISO principles. 

For ISO 22301, the standard provides a consistent BCMS framework and a universal language among organizations for communicating about continuity and aligning processes.

When they get certified in ISO 22301 and other ISO standards, organizations can demonstrate to management, legislators, regulators, customers, and other stakeholders that they follow good practices. For ISO certification, organizations need third-party verification that they comply with all requirements of a standard. 

“Certification shows you have some level of competence,” explains Rovers. “It shows you take the standard seriously. For organizations buying your goods or services, it can be a compelling reason to choose you.”

Guidance Documents for ISO 22301

For in-depth discussions of aspects of the 22301 standard, ISO offers a series of guidance documents. To those considering pursuing ISO 22301 certification, these documents provide additional insight:

  • ISO 22313 - Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301
  • ISO 22316 - Security and resilience — Organizational resilience — Principles and attributes
  • ISO 22317 - Societal security — Business continuity management systems — Guidelines for business impact analysis (BIA)
  • ISO 22318 - Societal security — Business continuity management systems — Guidelines for supply chain continuity
  • ISO 22330 - Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
  • ISO 22331 - Security and resilience — Business continuity management systems — Guidelines for business continuity strategy

What Is the Latest Version of ISO 22301?

The requirement document ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements , was released on October 31, 2019. The update from the original 2012 version reflects changes in management system approaches and clarifies specifications around clause 8.

Build Powerful, Automated Business Processes and Workflows with Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk. 

These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Common Gaps in Enterprise Business Continuity Plans

Recovery Plan

Your business is a continuously evolving entity. Different moving parts influence change, create an opportunity for progress, and support growth. When it comes to developing an enterprise business continuity plan (BCP), these moving parts need to mirror the changes. Whether change follows from workforce restructuring, acquisitions, or employee turnover, a BCP must be reviewed annually.

However, regardless of plan reviews, some companies still overlook the most common glaring gaps in their BCPs that can lead to extensive losses. Having worked with hundreds of organizations and orchestrated a myriad of recoveries, our experts highlight the most common gaps in enterprise business continuity plans.

Unclear definition of disaster recovery success and planning by management

A cost-benefit analysis of business continuity can present its challenges.

The management may disregard a “what-if” scenario unless there are certain rules and regulations to be followed. What drives the decision-making of company leaders is based on solid financials that profit departments, stakeholders, and the bottom line.

There’s always some uncertainty associated with executing an enterprise business continuity plan. However, benefits that result from BC planning efforts are everchanging and affect numerous departments and operations.

That’s why it’s essential to provide managers with detailed analyses covering the impact of various business interruptions. Industry reports make a compelling case that will convince and encourage company leaders to implement a BCP.

Relying on a single vendor/strategy as an ultimate BCDR solution

Relying on one vendor or strategy as a “one-and-done” approach is destined to fail.

If an organization relies on a work from home plan for their entire workforce, it’s most likely to be a single point of failure for such a company.

Our experts have encountered instances in which a company didn’t have enough licenses for their employees to access their projects remotely. Besides that, how many of your employees take their laptops home? If access to your building were to be compromised, those employees who left their work equipment in the office would be cut off from the operations. Among other significant disadvantages of working from home are security concerns and lack of productivity.

Arranging for redundancy when it comes to either vendors or contingency strategy allows enterprises to minimize risk and improve ROI. If your vendor is going through management changes or a crisis, your company can easily switch providers or use a backup plan without any complications.

For that reason, a vendor checklist for critical services can be a lifeline during business continuity planning and evaluation. This can include due diligence of essential services on which a specific vendor relies. The goal of such an assessment is not to delegate the responsibility of a failure to the vendor. The point is to estimate any potential threats related to the vendor.

It’s advantageous to educate vendors with your previous experiences because they are your partners in continuity planning.

Lack of enterprise business continuity testing and training

The limits of a business continuity plan and its processes often come to management’s attention only after a business interruption. Planning and training helps address the missing parts of the strategy.

Whether it is a tabletop exercise or a simulation walk-through, testing business continuity allows you and your workforce to exercise how to approach an emergency situation. It also helps in finding gaps in the plan to address where it needs improvement.

A common issue that we’ve seen over the years is businesses that have a plan, but don’t make it a priority to test regularly. Such neglect leaves your BCDR plan to get buried under more gratifying things such as profits.

We recommend taking the time to thoroughly test your BCDR plan at least once a year to help you mitigate any risks before a disaster actually strikes.

Lack of emergency communication plan/software

The success of your BC plan also depends on timely communication among everyone on the incident response team and the rest of the employees about everyone’s responsibilities. Members of incident management teams should be properly trained on their roles in managing the crisis.  

Lack of any communication channels is a significant gap in any business continuity plan. 

Continually updating and testing your incident management plan will allow your organization to adapt to new and rising threats. Having certain forms of communication set up to alert everyone during an emergency is also critical in responding quickly and efficiently. It’s hard to predict the occurrence of specific threats. However, if your incident management plan includes all of the above elements, you will be ready to maneuver through any unanticipated business disruption.

Build Resilience with RecoveryPlanner

RecoveryPlanner’s fully integrated cloud-based software offers mature, flexible functionality to support a comprehensive BCM program and build operational resilience for enterprise-level companies.

Subscribe to Our Newsletter

Get the latest business continuity news and insights

Optimize your business continuity plan.

Our experts are only a few clicks away.

Latest Articles

Business Impact Analysis (BIA) Checklist

Business Impact Analysis (BIA) Checklist

The ROI of Business Continuity Guide

The ROI of Business Continuity Guide

Man works with reports and laptop, RecoveryPlanner

Announcing RecoveryPlanner, a Business Continuity and Resilience Software Suite

Interested in all things continuity planning?

Sign up for our newsletter

Terms of Use   Privacy Policy

5 Step Guide to Business Continuity Planning (BCP) in 2021

A business continuity plan provides a concrete plan to maintain business cohesion in challenging circumstances. Click here for the key steps that can help you formulate a formidable BCP.

A business continuity plan (BCP) is defined as a protocol of preventing and recovering from potentially large threats to the company’s business continuity. This article explains what a business continuity plan is today, its key benefits, and a step-by-step guide to creating a formidable plan.

Table of Contents

What is a business continuity plan (bcp), key benefits of having a business continuity plan, step-by-step guide to building a formidable business continuity plan (bcp) in 2021.

A business continuity plan (BCP) is a protocol of preventing and recovering from potentially large threats to the company’s business continuity. Such a plan often aims to address the need for updated business norms and operational standards in unpredictable circumstances such as natural disasters, data breach/ exposures, large scale system failures etc. The goal of such a plan is to ensure continuity of business with no or little damage to regular working environments, including job security for its employees.

It covers everything from business processes, human resources details, and more. Essentially a BCP provides a concrete plan to the organization to maintain business continuity even in challenging circumstances. 

Below are key reasons why businesses need to have a BCP today:

  • BCP’s relevance has gone up considerably after the outbreak of the COVID-19 pandemic and was also a major testing time for organizations that did have such a plan in place. The organizations which had a business continuity plan in place were better able to cope during these unprecedented circumstances better than those who did not have any such plans.
  • The recorded number of natural disasters has increased from 375 in 2016 to 409 in 2019 Opens a new window . Globally, the loss because of natural disasters was $232 billion in 2019, according to a study by Aon Opens a new window .
  • The number of cyberattacks has also increased in all geographies and all business verticals. MonsterCloud reported that cyberattacks have skyrocketed during the COVID-19 pandemic. All this means that the organizations have to be better prepared to fight disasters. The importance of BCP can hardly be exaggerated in this context. Preparing a BCP is imperative for any enterprise, big or small, today. 

The end goal of a BCP is to ensure that the essential services continue to run in the event of an incident. For instance, if there is an earthquake where your customer service representatives operate from, your BCP will be able to tell you who will handle customer calls until the original office is restored.

Also Read: What Is Disaster Recovery? Definition, Cloud and On-premise, Benefits and Best Practices

Difference between a business continuity plan (BCP) and disaster recovery plan (DCP)

A BCP is often confused with a disaster recovery (DR) plan. While a DR plan is primarily focused on restoring the IT systems and infrastructure, a BCP is much more than that. It covers all areas and departments of the organization, including HR, marketing and sales, support functions. 

The underlying thought behind BCP is that IT systems can hardly work in silos. Other departments also need to be restored to cater to the client or for meeting the business demands. 

“Many people think a disaster recovery plan (DRP) is the same as a business continuity plan, but a DRP is only a small, yet essential, a portion of a full BCP. A DRP focuses solely on restoring an organization’s IT infrastructure while minimizing data loss. On the other hand, a BCP is a comprehensive guide on how to continue the mission and business-critical operations during a time of an unplanned disruption (natural disasters, pandemics, or malware),” says Caleb Pipkin, a security expert at Logically . 

Whether a business is small, big, or medium-sized, it needs a ‘plan B’ to recover quickly in the event of a natural disaster or a crisis and can survive the disruption. BCP helps you dust yourself and get back to business quickly and easily. It means that the enterprise will be better placed to address their customers’ needs even in the wake of a disaster. 

On the other hand, the lack of a plan means that your organization will take longer to recover from an event or incident. It could also lead to loss of business or clients. Let’s look at some key benefits of BCP.

1. It is a roadmap to act in a disaster

A well-defined business continuity plan is like a roadmap during a disruption. It allows the firms to react swiftly and effectively and maintain business continuity. In turn, this leads to a faster and complete recovery of the enterprise in the shortest possible timeframe. It brings down the business downtime and outlines the steps to be taken before, during, and after a crisis and thus helps maintain its financial viability. 

2. Offers a competitive edge

Fast reaction and business continuity during a disruption allow organizations to gain a competitive edge over its business rivals. It can translate into a significant competitive advantage in the long run. Further, your clients will be more confident in your ability to perform in adverse circumstances allowing you to build a long and sustainable relationship with your business partners.

Developing competence to act and handle any unfavorable event effectively has a positive effect on the company’s reputation and market value. It goes a long way in enhancing customer confidence. 

Also Read: Top 8 Disaster Recovery Software Companies in 2021

3. Cuts down losses

Disasters have a considerable impact on all types of business, whether big or small. Business disruption can lead to financial, legal, and reputational losses. Failure to plan could be disastrous for businesses. You may lose your customers while trying to get your business on track. In the worst circumstances, you may not be able to recover at all. A well-defined business continuity strategy minimizes the damage to an organization and allows you to bring down these losses as much as possible. 

4. Enables employment continuity and protects livelihoods

One of the most significant consequences of a disaster is the loss of employment. The loss of livelihood can be curtailed to an extent if the business continues to function in the event of a disaster. It leads to greater confidence in the workforce that their jobs might not be at risk, and the management is taking steps to protect their jobs. It helps build confidence in senior management’s ability to respond to the business disruption in a planned manner. 

5. Can be life-saving

A regularly tested and updated BCP can potentially help save the lives of the employees and the customers during a disaster. For instance, if the BCP plan for fire is regularly tested, the speed with which the workforce acts can help save lives. 

6. Preserves brand value and develops resilience

Possibly the biggest asset of an organization is its brand. Being able to perform in uncertain times helps build goodwill and maintain its brand value and may even help mitigate financial and reputational loss during a disaster. 

BCP curtails the damage to the company’s brand and finances because of a disaster event. This helps bring down the cost of any incident and thus help the company be more resilient. 

Also Read: 10 Best Practices for Disaster Recovery Planning (DRP)

7. Enables adherence to compliance requirements

Having a BCP allows organizations to have additional benefits of complying with regulatory requirements. It is a legal requirement in several countries.

8. Helps in supply chain security

A precise BCP goes a long way in protecting the supply chain from damage. It ensures continuity in delivering products and services by being able to perform critical activities.

9. Enhances operational efficiency

One of BCP’s lesser-known benefits is that it helps identify areas of operational efficiency in the organization. Developing BCP calls for an in-depth evaluation of the company’s processes. This can potentially reveal the areas of improvement. Essentially, it gathers information that can benefit in enhancing the effectiveness of the processes and operations. 

Also Read: 7 Ways to Build an Effective Disaster Recovery and Business Continuity Plan  

The COVID-19 pandemic has put the spotlight on preparing for a disaster like never before. We make the job easier for you by listing out the key steps in building a formidable business continuity plan: 

How to Build a Business Continuity Plan

How to Build a Business Continuity Plan

Step 1: Risk assessment 

This phase involves asking crucial questions to evaluate the risks faced by the company. What are the likely business threats and disruptions which are most likely to occur? What is the most profitable activity of your organization? It is vital to prioritize key risks and operations, which will help mitigate the damage in the event of a disaster. 

Step 2: Business impact analysis

The second step involves a thorough and in-depth assessment of your business processes to determine the vulnerable areas and the potential losses if those processes are disrupted. This is also known as Business Impact Analysis . 

Essentially, Business impact analysis (BIA) is a process that helps the organization define the impact if critical business operations are interrupted because of a disaster, accident, or emergency. It helps in identifying the most crucial elements of the business processes. For instance, maintaining a supply chain might be more critical during a crisis than public relations.

While there is no formal standard for a BIA, it typically involves the following steps: 

  • Collating information: As a first step, a questionnaire is prepared to find out critical business processes and resources that will help in the proper assessment of the impact of a disruptive event. One-on-one sessions with key management members may be conducted further to gain insights into the organization’s processes and workings.
  • Analysis: This is followed by analyzing the collected information. A manual or computer-assisted analysis is conducted. The analysis is based on an interruption in which crucial activities or resources are not available. Typically it works on the assumption of the worst-case scenario, even when the chances of a risk likelihood are low. This approach is followed to zero in on the systems that, when disrupted or interrupted, threaten the organization’s very survival. This way, these processes are prioritized in the business continuity plan. 

The analysis phase helps identify the minimum staff and resources required for running the organization in the event of a crisis. This also allows the organizations to assess the impact on the revenue if the business is unable to run for a day, a week, or more. There might be contractual penalties, regulatory fines, and workforce-related expenditure which need to be taken into account while finding out the impact on the business. Further, there might be specific vulnerabilities of the firm, and they need to be considered in the BIA. 

  • Preparing a report: The next step is preparing a BIA report, which is assessed by the senior management. The report is a thorough analysis of the gathered information along with findings. It also gives recommendations on the procedure that should be followed in the event of a business disruption. The BIA report also shares the impact on the revenue, supply chain, and customer delivery to the business in a specific time frame. 

The business impact analysis report may also include a checklist of all the resources, such as the names of key personnel, data backup , contact information, emergency responders, and more.

  • Presenting the report: Usually, this report goes through several amendments before being cleared by the senior management. The involvement of senior management is crucial to the success of the business continuity plan. It sends out a strong signal in the organization that it is a serious initiative. 

Also Read: Will Extreme Weather Events Affect Your Business? Lessons From the Texas Winter Storm

Step 3: BCP Testing

Several testing methods are available to test the effectiveness of the BCP. Here are a few common ones: 

  • TableTop test: As the name suggests, the identified executives go through the plan in detail to evaluate whether it will work on not. Different disaster types and the response to them are discussed at length. This type of testing is designed to make all the key personnel aware of their role in the event of a disaster. The response procedure is reviewed, and responsibilities are outlined, so everybody knows their roles.
  • Walk through: In this type of testing, the team members go through their part in the plan with a specific disaster in mind. Drills or a simulated response and disaster role-playing are part of this. This is a more thorough form of testing and likely to reveal the shortcoming in the plan. Any vulnerabilities discovered should be used to update the BCP accordingly.
  • Disaster simulation testing: In this type of testing, an environment that simulates an actual disaster is created. This is the closest to the actual event and gives the best case scenario about the plan’s workability. It will help the team find gaps that might be overlooked in the other types of tests. Document the results of your testing so you can compare the improvement from the previous tests. It will help you in strengthening your business continuity plan. 

Frequency of testing – Typically, organizations test BCP at least twice a year. At the same time, it depends on the size of your organization and the business vertical you operate in.

Step 4: Maintenance

A business continuity plan should not be treated as a one-time exercise. It needs to be maintained , so the organization’s structural and people changes are updated regularly. The key personnel might move on from the firm, and this would need to be updated in the Business Impact Analysis and BCP. The process for regular updating of the documentation should be followed to ensure that the organization is not caught on the wrong foot in case of a business disruption. 

Also Read: Offsite Data Replication: A Great Way To Meet Recovery Time Objectives

Step 5: Communication

Sometimes executives tend to ignore communication while preparing a BCP. It is a crucial aspect, and your BCP should clearly define who will maintain the communication channels with the employees, regulators, business partners, and partners during the crisis. The contact information of the key people should be readily accessible for the BCP to work without any trouble.

In the end, the organizations should accept that despite preparing a formidable business continuity plan, several factors beyond your control may still affect its success or failure. The key executives might not be available in the event of a crisis; both the primary and the alternate data recovery sites might have been affected by the event; the communications network might be damaged, and so on. Such factors are common during a natural disaster and may lead to the limited success of the business continuity plan. 

The success of a business depends on it acting swiftly and efficiently when confronted with an unanticipated crisis. Any failure to do so results in a financial and reputational loss, which takes up a long time to recover. It can be avoided if the organization quickly gathers itself during a disaster. A business continuity plan is then of paramount importance for a business of any size. At the same time, it is crucial to ensure that the BCP is not a one-time exercise. It needs to be continuously evaluated, tested, amended, and maintained so it doesn’t let you down when you need it the most. 

Did you enjoy reading this article? Comment below or let us know on  LinkedIn Opens a new window ,  Twitter Opens a new window , or  Facebook Opens a new window . We’d love to hear from you!

Share This Article:

Take me to Community

Recommended Reads

WiFi Security Vulnerabilities Make Linux and Android Systems Susceptible to Hackers

WiFi Security Vulnerabilities Make Linux and Android Systems Susceptible to Hackers

Vulnerable to Vigilant: SMBs Ramp Up Cybersecurity Efforts

Vulnerable to Vigilant: SMBs Ramp Up Cybersecurity Efforts

Over 25,000 Websites Impacted by WordPress Theme Vulnerability

Over 25,000 Websites Impacted by WordPress Theme Vulnerability

Azure and Microsoft Exchange Servers Victim To Active Exploitation by Hackers

Azure and Microsoft Exchange Servers Victim To Active Exploitation by Hackers

The Invisible Pickpocket: When Your Gmail Becomes a Hacker’s Playground

The Invisible Pickpocket: When Your Gmail Becomes a Hacker’s Playground

3 Significant Ways AI Can Impact Cybersecurity This Year

3 Significant Ways AI Can Impact Cybersecurity This Year

  • Search Search Please fill out this field.
  • Business Continuity Plan Basics
  • Understanding BCPs
  • Benefits of BCPs
  • How to Create a BCP
  • BCP & Impact Analysis
  • BCP vs. Disaster Recovery Plan

Frequently Asked Questions

  • Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

business continuity plan gap analysis

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

  • Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
  • BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
  • BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

  • Determining how those risks will affect operations
  • Implementing safeguards and procedures to mitigate the risks
  • Testing procedures to ensure they work
  • Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

  • Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
  • Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
  • Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
  • Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

  • The impacts—both financial and operational—that stem from the loss of individual business functions and process
  • Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

business continuity plan gap analysis

  • Terms of Service
  • Editorial Policy
  • Privacy Policy
  • Your Privacy Choices

Five steps for business continuity amid COVID-19

As a former CFO, I have managed through crises, including the Gulf War, 9/11 and the 2008 financial crisis. The financial disruption of the coronavirus (COVID-19) pandemic is like having all three of those events occur simultaneously. Our entire global economic and social system is operating in uncharted territory.

Amid the uncertainty, the finance function can create value and elevate its role as a strategic business partner. As CPAs and CGMA® designation holders, our training and experience equip us with the expertise and skills to mitigate risks and lead the recovery efforts for our organizations, businesses and communities.

To help guide you, the Association of International Certified Professional Accountants®, the global voice of the AICPA® and CIMA®, delivers the latest news, resources and guidance through our AICPA and CIMA Coronavirus Resource Centers. Visit frequently to stay up to date on the coronavirus and learn about upcoming events, such as the free webcast series I’ll host with finance leaders in the coming weeks. This series will offer expert insights on business planning to help you lead your organization through this crisis.

A five-step plan for business continuity

On my first webcast in this series (also available as a podcast), Chris Kite, Oracle’s VP of Global Strategy, shared her approach to business continuity, which starts with a business continuity plan (BCP). If your organization doesn’t have one, check if it has a disaster recovery plan (DRP) that can be leveraged. If it has neither, it’s time to start fresh. Once you have your BCP, follow these five steps to ensure its effectiveness:

Conduct a business impact analysis (BIA) A BIA can help your organization determine and evaluate the potential effects of the coronavirus on business operations. This process involves performing a gap analysis to assess your organization’s readiness for continued operations. When conducting this analysis, consider the impact on the following stakeholder groups: Employees — Your workforce should be your most important concern. How you manage your staff now can have a long-term impact on employee loyalty and retention. Start by identifying the “critically important” processes and the staff members who execute them. Next, determine if these processes must be conducted on premise or if they can be performed remotely. Also consider any actions that allow most of your organization to work remotely. It’s vital to start building back up capability as it’s possible that a portion of your workforce may get sick because of the virus. Customers — How your organization responds to and serves its customers now is crucial for building long-term loyalty. One misstep could cause long-term reputational damage. Closely monitor customer debt levels and regularly assess their credit risk. Don’t use standard credit scores that are now not accurate, but unconventional ones that will help you determine if a customer will be a going concern after normalcy returns. Suppliers — With global supply chains disrupted, you must determine what supplies or suppliers are “critically important” to keep your operations running. Review all your supplier contracts, understand the implications and determine if there are other ways to continue your operations if one of your suppliers cannot deliver goods. Now is the time to rethink and reconsider everything. This is your opportunity to challenge conventional thinking. Encourage innovation and creativity.

Build scenarios (modeling) Next, you’ll want to create models for “worst” and “most-likely” case scenarios. This provides an adequate range of outcomes for the business to consider. For example, if you look at your key stakeholder groups and the risks you have identified for each, you should be able to identify possible strategic, operational and financial outcomes for the next three, six or 12 months. The CGMA scenario planning tool is a great resource to guide you through this process. Don’t forget to also look at the upside risks. There might be alternate business models or new ways to serve your customers.

Perform risk analysis and mapping In this step, you should consider scenarios (created in step two above) to help you identify new risks. This will help you build robust scenarios. Consider also other potential risks — including financial, strategic, operational and external — and the probability of occurrence. The CGMA Risk Heat map can guide you with this effort.

Ensure organizational alignment and communication If your organization doesn’t yet have one, create a cross-functional pandemic response team. This will ensure organizational alignment around key objectives. You’ll also want to make sure approvals are in place to execute the continuity plan that conforms with governance requirements. Communication with stakeholders is also a vital step of every BCP. Identify the content and frequency with which you want to communicate with your stakeholder groups. It’s extremely useful to create specific landing pages for employees, customers, investors, etc., with resources and guidance.

Develop an action plan with continuous monitoring An effective BCP also focuses on key performance indicators (KPIs) of priority processes. Increase the frequency of measuring and monitoring liquidity, sales, stock, etc. to daily and/or weekly. Leverage data feeds for rapid responses to changing risks. Attempt to enable continuous forecasting in key functions and keep adjusting. As already mentioned, liquidity is the key. Also important is the workforce, the ability to continue to serve the customer, as well as maintaining the production lines and the supply chain.

The Association is here for you

We know your organizations, businesses and communities depend on your guidance during these challenging times. We’re here to help. If you have any questions or need anything, please don’t hesitate to contact our Global Engagement Center . We’re proud of the work you’re doing and honored to serve you.

Ash Noah , CPA, CGMA, FCMA

Ash Noah is Managing Director, CGMA Learning, Education and Development, at the Association of International Certified Professional Accountants.

In this position, Ash leads the Research, Examinations and Product Development for the Management Accounting Unit.

His primary responsibility is to ensure that the Association’s Finance Competency Framework, Syllabus, Examinations and Learning solutions are effective and remain relevant to the practice of Management Accounting. Ash works closely with Finance Leaders globally, identifying the trends impacting the finance profession.

Ash was the CFO for the International Unit of TNT global express logistics provider and has led finance transformation in teams across 45 countries. He is a licensed U.S. CPA, a Chartered Global Management Accountant (CGMA) designation holder, and a Fellow of the Chartered Institute of Management Accountants (CIMA).

What did you think of this?

Every bit of feedback you provide will help us improve your experience

Mentioned in this article

Related content.

This site is brought to you by the Association of International Certified Professional Accountants, the global voice of the accounting and finance profession, founded by the American Institute of CPAs and The Chartered Institute of Management Accountants.

CA Do Not Sell or Share My Personal Information

  • Australasia
  • Asia Pacific
  • Middle East
  • North America

Continuity Central

default A methodology for business continuity gap analysis Popular

Published on 26 May 2016 By Super User 3669 downloads

The Hunt for Hidden Risks

Additional Resources

  • Business continuity resources
  • 2023 predictions
  • Operational resilience
  • Cyber resilience
  • Business resilience
  • DR and ICT continuity information
  • Business continuity standards

A website you can trust

Business continuity, get the latest news and information sent to you by email.

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.

0800 035 1231

Cambridge Risk logo

Business Continuity Gap Analysis

Have you considered a Business Continuity gap analysis, or ‘Health Check’? How well would your business cope with a disruption? Do you know what to do; do all your staff know what to do?

The Cambridge Risk Solutions Business Continuity Health Check will help you identify where your organisation is vulnerable and give you practical advice on how you can prepare for disruptions.

Whether or not you already have business continuity plans in place, the Cambridge Risk Solutions Business Continuity Healthcheck is an inexpensive way of establishing how vulnerable your organisation is and what practical steps you can take to prepare for the unexpected.

Business continuity Health check

One of our consultants will spend a day talking with relevant staff to discuss the critical activities in your organisation and evaluate the potential risks to them.

We can look through your existing procedures and documentation, and review them against the requirements of best practice documents, such as ISO 22301 and the BCI Good Practice Guidelines .

Using our expertise and experience, we can assess whether the business continuity and incident management procedures that you have in place are appropriate for your organisation, highlighting areas of best practice and identifying where improvements can be made.

We will then provide a full written report to highlight the key vulnerabilities and give advice for developing (or improving) your business continuity plans.

We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.

How can cambridge risk solutions help.

Cambridge Risk Solutions provides a range of services to assist with each stage of the Business Continuity Lifecycle. Alternatively, if you wish, you can outsource your entire Business Continuity Management function to us.

View some case studies of recent Business Continuity planning, training and exercising projects.

U.S. flag

An official website of the United States government

Here’s how you know

world globe

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

business continuity plan gap analysis

Business Continuity Planning

world globe

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

  • Business Continuity Plan Situation Manual
  • Business Continuity Plan Test Exercise Planner Instructions
  • Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

feature_mini img

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

Metrics that Matter in Business Continuity & Disaster Recovery

Reporting on metrics is one of the few ways to know if what you're doing is working, but for many bcdr managers it's a challenge..

business continuity plan gap analysis

When it comes to business continuity and disaster recovery, we all know that data is king. Reporting on metrics is one of the few ways to truly know that what you’re doing works, but for many business continuity and disaster recovery managers, this is a huge challenge. If you don’t have an automated tool, it’s likely that you rely on Word, Excel and colleagues in other departments to collect BC/DR metrics. We all know the struggle of working with Kyle from finance, a guy who is “way too busy” for your “little” business continuity project.

So, what’s a BC/DR manager to do? You already know that BC/DR is a critical component of an organization’s success. And you know that you need metrics to measure the effectiveness of your efforts. The first step is to understand the metrics that matter in business continuity and disaster recovery planning, which is exactly what this guide will cover. You’ll also need a tool to collect and report on these metrics. Depending on your organization’s size and the maturity level of your BC/DR program, this could range from an Excel template to powerful, automated software.

Important BC/DR Metrics

There are 7 important BC/DR metrics that you should be tracking to grow and measure recovery plans:

  • Recovery Time Objectives (RTO)
  • Recovery Point Objectives (RPO)
  • The number of plans that cover each critical business process
  • The amount of time since each plan was updated
  • The number of businesses processes that are threatened by a potential disaster
  • The actual time it takes to recover a business process
  • The difference between your target and actual recovery time

While there are several other metrics that you could track, these metrics serve as a core review of your program, and indicate how prepared you are for a real disaster.

Critical Metrics in BC/DR

The first two important BC/DR metrics are Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). RTOs is the maximum acceptable length of time that the item can be down. RPOs determine the age of the data you can afford to lose and whether your backups will save the rest. For example, if you can afford to lose an hour’s worth of data, you’ll have to run backups at least every hour.

Backup and recovery procedures are at the heart of a good BC/DR plan, so you need to consider both RTOs and RPOs to determine the best backup and recovery tools for the job. If, for example, you generate continuous transactions at a moderate-to-high-volume and value, how many minutes worth of transactions could you afford to lose? How long could you afford to be out-of-service? Such an application could benefit from the very frequent, block-level backups that are possible with Continuous Data Protection (CDP), but you wouldn’t know that unless you looked at both the RTOs and RPOs.

Finally, you should measure the number of plans that cover each business process , as well as the amount of time since each plan was updated . Key Performance Indicators (KPIs) are a measure of how well a program works and one that you can’t ignore. You can set KPIs for how often you review and update your plans (for example, every month, 6 months or year) and how many business functions are covered by a recovery plan, with an action plan to achieve 100% coverage. If you are limited on time and resources, start with your most critical business processes.

Metrics for Planning

Enterprises can have hundreds to thousands of processes and you can’t restore a process without a plan. A key metric for BC/DR planning is the number of processes that are threatened by a potential disaster .

You should start with a risk analysis and business impact analysis to a) understand the greatest risks that threaten your organization and, b) the impact of those risks on various functions of the business. Then, you can create plans to protect these processes and minimize the disruption when disaster strikes.

But static plans can stagnate. You can’t restore processes unless you update plans periodically to account for changes in applications, data, environments, employees and risks. You should set reminders for yourself to prompt plan reviews at appropriate points in the cycle. In a perfect world, you’d receive confirmation from the managers of various departments who have reviewed and updated their plans, but let’s be real — reviewing and updating those plans is a huge hassle and it’s near miraculous if they do it on time. Using software can alleviate this pain point — you can automate email reminders to the various plan owners and track their progress all within the software — no passive aggressive emails needed! Software also removes many of the tedious tasks concerned with change management. For example, automated data integrations will keep your data updated automatically as that data changes in other applications. If a single contact is used in 100 plans and their phone number changes, an integrated system will carry that change over to your business continuity and emergency management plans as well.

Using Metrics to Measure Plan and Recovery Effectiveness

One of the simplest ways to determine how business functions are interdependent is by using a dependency modeling tool. This will help you visualize whether application dependencies allow you to meet RTOs and SLAs.

For example, if you need to recover an accounts payable service in 12 hours, but that depends on finance software that can take up to 24 hours to recover, accounts payable cannot meet a 12-hour SLA. A dependency modeller illustrates these dependent relationships dynamically, and when and how a plan will break down as a result.

You should be measuring the actual time it takes to recover a business process . You can test recovery procedures using a BC/DR tool to track the time each step takes.

Alternatively, you could use the old-school method by timing each step manually. These tests will help you determine whether your people and processes can meet RTOs using your existing plan. You should be able to complete recovery tasks in the time the plan allows, and if you can’t, you need to revise your plan so that it’s realistic and achievable.

Finally, the last metric covered in this resource is the difference between your actual and target recovery time , also known as a gap analysis. You can (and should!) test for gaps with tabletop exercises, failover and recovery tests, enterprise wide BC/DR tests, and gap analyses. Once you’ve identified where there are gaps in your plans, you can set KPIs and use them in your planning process.

Best Practices for Clean BC/DR Data

The data that your BC/DR software collects needs to be “clean” to ensure accurate reports and planning. For good data hygiene, make sure you’re standardizing data input with drop down menus, pick lists, text formatting and data validation. For example, if you’re inputting employee phone numbers into a plan, you’ll want to validate whether those phone numbers include an area code and remain in use.

Deduplication and Identity and Access Management (IAM) can help you to cultivate elegant data. You can use deduplication to eliminate multiple appearances of the same entries. You can use credentials (authentication) together with permissions (authorization) to ensure that only qualified users enter vital records and data. You’ll also save yourself a lot of time and headaches by integrating your BC/DR system with other applications (for example, your HR system) to avoid the duplication of records and any chance of errors.

Where to Start

We live in a world where disasters happen and companies either suffer or die. BC/DR is critical to the success and resilience of an organization, and it’s your responsibility to keep the business afloat and your staff safe in an emergency”¦ but you already knew that.

With the weight of the world on your shoulders, you can only rely on data to sleep soundly at night.

You’ve made a great start to BC/DR planning by making it to the end of this guide, but now it’s time to turn your knowledge into action! Start by determining your critical business functions and how they are dependent on one another using a relationship modelling tool.

Next, set an acceptable downtime threshold using RTO and RPO metrics. Test your plans to see if you come close to or exceed those thresholds. If you do, revise the plans and test them again. You should set KPIs to measure how often your plans are updated and tested, and conduct a gap analysis to compare the planned vs. actual recovery time.

Finally, make sure that you’re maintaining “hygienic” data for accurate reporting. Your BC/ DR metrics are completely useless if the data isn’t accurate. It may seem like a no brainer, but it’s surprising how many companies lull themselves into a false sense of security with reports that misrepresent their SLAs. It’s always better to be a realist, even if that means you’re accepting the risks that go along with it.

Discover Resolver's Software

Incident management software.

Protect your organization and prove your security team’s value with Resolver’s Incident Management application. Improve data capture, increase operational efficiency, and generate actionable insights, so you can stop chasing incidents and start getting ahead of them.

Enterprise Risk Management Software

Provide your organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon. Manage risk holistically and proactively to increase the likelihood your business will achieve its core objectives.

Regulatory Compliance

Save time by monitoring all regulatory compliance activities, providing insights into key risk areas, and then focusing resources on addressing regulatory concerns.

We value your privacy

Privacy overview.

business continuity plan gap analysis

  • Business Continuity Plan (BCP) Insights

Review and adjust your business continuity plans (BCP)

In the event of a disaster such as a technological failure or cyber-attack, it’s critical to have a business continuity plan (BCP) that outlines the procedures your company must follow in order to continue operating and recover from the disruption. A business impact analysis (BIA) should also be part of your BCP, which evaluates the effects of a disruption on critical business functions.

Potential future waves and spikes in COVID-19 cases into 2021 could lead to repeated shutdowns and business disruptions. While the FCA have always been clear that regulated firms must take all reasonable steps to have a BCP in place, in 2020 the SEC added a list of BCP and COVID-19-related questions to their exams and the U.S. Securities and Exchange Commission’s (SEC) Division of Examinations (previously OCIE) issued a  Risk Alert  reporting that regulators do not believe firms are doing enough for cyber and compliance.

Update your BCP based on lessons learned from the first wave of the pandemic and to account for future disruptions. 

Review your BCP with our checklist

Latest insights on bcp, operational resiliance, and covid-19 resources.

abstract circles of multiple sizes connected by lines

RiskMutation™: Spearheading the Operational Response to Evolving Business Risks Following COVID-19

February 04, 2021

Business disruption, cybersecurity challenges and greater compliance burdens are well acknowledged operational challenges facing hedge fund, private equity and investment management industries. We examine how COVID-19 has heralded sweeping changes to the way financial services firms operate.

  • RiskMutation

Aponix blog background

ACA Aponix Cybersecurity Checklist

February 03, 2021

Does your cybersecurity program meet the requirements of regulators as well as your own internal and client expectations? Evaluate your cybersecurity program with our free checklist.

  • Cybersecurity

Compliance Alert

SEC Issues Risk Alert Identifying 6 Areas of Deficiencies in Investment Adviser Compliance Programs

November 20, 2020

The SEC's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on 11/19/20 providing an overview of notable compliance violations found during examinations relating to the Compliance Rule (Rule 206(4)-7 under the Investment Advisers Act of 1940). Here's what you need to know.

RiskMutation™ Strategic Roadmap: Building Operational Resilience

October 21, 2020

Building operational resilience – the ability to manage growing operational risks effectively, efficiently, and promptly - can help firms navigate the future of risk and compliance in the age of RiskMutation™. Get our operational resilience strategic roadmap here.

SEC OCIE Issues Risk Alert on COVID-19-Related Compliance Risks and Issues

August 14, 2020

The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has issued a risk alert on the COVID-19-related risks, issues, and challenges faced by SEC-registered investment advisers and broker-dealers, including those resulting from the widespread use of telecommuting practices and pandemic-related market volatility.

Blog IAA image

2020 Investment Management Compliance Testing Survey Results: BCP Related to COVID-19 Now Top Compliance Concern

July 16, 2020

From April 20 – May 31, ACA Compliance Group, Investment Adviser Association, and BrightSphere Investment Group ran the 15th annual Investment Management Compliance Testing Survey.

Psychiatrists, key staff quit as The Hobart Clinic slashes mental health services 

A woman wearing a brown dress stands with a serious expression in front of a bookcase

When Maddison Cutler was recently readmitted to southern Tasmania's last-remaining large-scale private mental health clinic, she expected to be taught new strategies to manage her bipolar and borderline personality disorder.

Over the past four years, the 27-year-old has been receiving care at The Hobart Clinic on the city's eastern shore.

She believes the group therapy sessions as well as the transcranial magnetic stimulation (TMS) therapy provided by the clinic are "crucial" to keeping her mental health "pretty stable".

But after her most recent stay, Ms Cutler said she "couldn't believe" the decline in therapy options.

"It felt like a glorified nursing home … a lot of the patients you could see were just sitting around doing nothing, and that's not the type of care you are going in for," she said.

The Hobart Clinic

Ms Cutler said the difference was stark from her five-day stay in November compared with her previous three-week stay in 2021.

"It's the type of difference that makes me not want to go back to the clinic because I feel I'm not getting the care that I need … and not the type of care you expect or pay for in the private sector," she said.

The Hobart Clinic, which has 27 beds for patients who need 24-hour care, marks its 40th anniversary this year as a vital mental health service for the state.

Since the closure of Hobart's St Helen's Private Hospital  in June 2023, the state government has worked to increase services at the clinic.

But some believe those services are at risk of being reduced.

In the clinic's January update, chief executive Kath Skinners hinted at fiscal constraints to the ongoing delivery of TMS and electroconvulsive therapy (ECT).

"We need to look at how we deliver TMS and ECT services to Hobart Clinic patients," she wrote.

"For the past few years, this has been an area of the business that has consistently run at a loss … [and] just like your household budgets, we simply can't continue to run at a loss."

Therapy services halved, nurse says

In a letter seen by the ABC, doctors at The Hobart Clinic wrote to the board of directors in November outlining "grave concerns" relating to the clinic's "risky administration" and called for an immediate reversal.

They asserted that the model of care on offer for patients was being "undermined".

Since then, the clinic's clinical director, three psychiatrists, director of nursing, as well as several nurses and administration staff have resigned.

A former nurse at the clinic, who spoke with the ABC on the condition that they remain anonymous, said that therapy programs had halved over the past six months.

"To see the deterioration of a once very good clinical service just drove me to the edge," they said.

"It was a nightmare to work in. I had to get out."

A woman sits on a couch with a serious expression. Behind her is a window

They said staff had resigned over the implementation of a new strategic plan, after feeling as though they were not being listened to by the CEO.

"Patients have been passed from one doctor to another … and have been crying to nurses about not feeling safe," they said.

"The patients are there to be treated, not to have more added to their illness; it's detrimental."

Decline in mental health services

Demand for services at The Hobart Clinic has grown since the closure of St Helen's Private Hospital.

A spokesperson for The Royal Australian College of General Practitioners (RACGP), Tim Jones, said one in three GP consultations in Tasmania were related to mental health.

He said he feared for the safety of affected Tasmanians if services were to decline.

"We might be referring one or two [patients] a week [to The Hobart Clinic], and since the closure of St Helen's last year we have been using it as our sole source of those services," Dr Jones said.

A man wearing a suit and tie standing in a courtyard with a serious expression

Above all, Dr Jones is concerned about providing continuity of care to some of the state's most vulnerable people.

"We know as GPs the value of continuity of care and being able to have someone understand you and not having to share your story every time," he said.

Dr Jones said mental health services were critical.

"At the moment that our society is going through a massive period of economic and social challenge, mental health services are a critical cornerstone to help us move out of that," he said.

"If we can't provide it, we are really going to struggle as a society.

"We need that support to be there for them. At the moment we have limited public sector support available, and we'd be deeply concerned that it won't be able to cover this gap."

Clinic moves to visiting medical officer model

In a statement, The Hobart Clinic said it "has recently developed a new strategic plan and recruited a CEO to lead its implementation".

"Following years of significant financial losses, the clinic is moving from an employed psychiatry workforce model to a visiting medical officer psychiatry model," the statement read.

"While acknowledging the transformation is challenging, the clinic remains committed to continuing to deliver high-quality, trauma-informed, patient-centred mental healthcare services through the transition.

The clinic said that it was well documented that inpatient mental health services across Australia were under increasing financial stress, citing key factors as the level of reimbursement and payment by private health insurers and national psychiatry workforce challenges.

  • X (formerly Twitter)

Related Stories

Psychiatrists and patients fear the future as mental health facility closes.

Woman with blonde hair sits in a dark room looking sad

Tasmanians more likely to have long-term mental health issues than any other state

A woman sitting in a dark room stares blankly at a screen, which illuminates her face.

  • Health Administration
  • Health Policy
  • Mental Health
  • Public Health

IMAGES

  1. Business Gap Analysis Template

    business continuity plan gap analysis

  2. Gap analysis: a tool for business planning

    business continuity plan gap analysis

  3. ISO 22301 Business Continuity Management System

    business continuity plan gap analysis

  4. 2024 Business Continuity Template: Streamline Your Plan Now

    business continuity plan gap analysis

  5. 7 Stages of a Business Continuity Plan

    business continuity plan gap analysis

  6. The importance of Business Continuity Planning

    business continuity plan gap analysis

VIDEO

  1. BUSINESS CONTINUITY PLAN

  2. Business Continuity Plan for the Cleaning Industry

  3. Business Continuity Planning BCP

COMMENTS

  1. A methodology for business continuity gap analysis

    A methodology for business continuity gap analysis Published: 26 May 2016 Whether as a step towards ISO 22301 certification or as a means to improve the current business continuity management program, a gap analysis is an effective method of identifying areas of the BCMS needing attention.

  2. ISO 22301 Business Continuity Management Made Easy

    ISO 22301 is a global standard for business continuity planning requirements to help organizations protect themselves against disruptions. The most current version is 22301:2019, Security and resilience - Business continuity management systems - Requirements.

  3. PDF PowerPoint Presentation

    Gap Analysis & Strategy Selection Methodology & Guide March 2021 Welcome to the Business Continuity Toolkit The COVID-19 pandemic has shone a spotlight on how quickly things can change for a business. You never really expect the unexpected, so it's useful to plan ahead for change and crises.

  4. PDF Crisis management and business continuity guide

    8 Introduction KPMG can support your organization: Crisis Management Program KPMG designs and delivers a series of independent cyber security simulations to test an organization's cyber incident response, business and board crisis management procedures when faced with a cyber focused disruption scenario. Business Continuity

  5. Common Gaps in Enterprise Business Continuity Plans

    Aug 12, 2019 Your business is a continuously evolving entity. Different moving parts influence change, create an opportunity for progress, and support growth. When it comes to developing an enterprise business continuity plan (BCP), these moving parts need to mirror the changes.

  6. 5 Step Guide to Business Continuity Planning (BCP) in 2021

    A business continuity plan (BCP) is defined as a protocol of preventing and recovering from potentially large threats to the company's business continuity. This article explains what a business continuity plan is today, its key benefits, and a step-by-step guide to creating a formidable plan. Table of Contents

  7. PDF Business Continuity Management

    kpmg.com/cn Are you ready for emergencies? Facing with major threat of global spread epi-demic of Covid-19, many enterprises' business activities have been impacted to varying de-grees. The business continuity management mechanism have also undergone rigorous test and experience.

  8. Business Impact Analysis: An Integral Part of Business Continuity Planning

    A BIA identifies the impact of a sudden loss of business functions, usually in terms of cost to the business. A BIA also identifies the most critical business functions, which allows you to create a business continuity plan that prioritizes recovery of these essential functions. However, the reason behind the business disruption is not important.

  9. ISO 22301 Gap analysis

    ISO 22301 gap analysis service. One of the biggest challenges when implementing an ISO 22301-compliant BCMS (business continuity management system) is understanding the Standard's specific requirements and how to meet them.. Receive an expert assessment of how effective your BCPs (business continuity plans) and procedures are against the international standard ISO 22301 with our Gap Analysis ...

  10. What is the difference between RPO, RTO, and MTD?

    Published Date: Aug 27, 2020 President Russ Horn Business Continuity Planning If you have ever worked to develop, review, or test a Business Continuity or Disaster Recovery Plan (BCP or DRP), you may be familiar with the terms Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Maximum Tolerable Downtime (MTD).

  11. PDF Business Continuity Toolkit Risk Assessment Methodology & Guide

    5. Gap analysis & strategy guide 6. MS Excel workbook 7. Resources: examples of recovery alternatives Context & process understanding Business impact analysis & resource requirements Continuity risk assessment Plan training & exercising Plan development Business resilience and continuity strategy On-going governance, awareness, maintenance ...

  12. ISO 22301 & Business Continuity Gap Analysis

    ISO 22301 gap analysis service. Receive an expert assessment of how effective your BCPs (business continuity plans) and procedures are against the international standard ISO 22301, which outlines the specification for a best-practice BCMS (business continuity management system). Conducted by our team of BCM (business continuity management ...

  13. PDF Business Continuity Toolkit Business Impact Analysis Methodology & Guide

    Step 1: Understand your business processes Step 2: Examine how each process is affected by a disruption, and the resources it requires to continue operating Step 3: Assess relevant disruption risks Step 4: Develop a continuity strategy Step 5: Develop continuity plans Step 6: Test continuity plans and continue to revise Toolkit components

  14. What Is a Business Continuity Plan (BCP), and How Does It Work?

    Business Continuity Planning - BCP: The business continuity planning (BCP) is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that ...

  15. Five steps for business continuity amid COVID-19

    CPE Credits: 2. CPE Self-study. Risk Assessment Today. Online. Level: Basic. $70 - $90. This site is brought to you by the Association of International Certified Professional Accountants, the global voice of the accounting and finance profession, founded by the American Institute of CPAs and The Chartered Institute of Management Accountants.

  16. A methodology for business continuity gap analysis

    Whether as a step towards ISO 22301 certification or as a means to improve the current business continuity management program, a gap analysis is an effective method of identifying areas of the BCMS needing attention. In this article Chris Alvord, Jayne Howe and Bob Draper from Austin Risk Consultants describe a method for an external business continuity gap analysis.

  17. Succession Planning for Business Continuity

    The high-level approach to succession planning includes the following steps: Review enterprise objectives and identify mission-critical operations. Identify the positions critical for these enterprise operations. Identify the candidates who have the required skills, knowledge and experience. Develop a training plan.

  18. Business Continuity Gap Analysis

    Business Continuity Gap Analysis One of our consultants will spend a day talking with relevant staff to discuss the critical activities in your organisation and evaluate the potential risks to them.

  19. Free Template: how to write an ISO 22301 business continuity plan

    Designed and developed by experienced business continuity consultants, the ISO22301 BCMS Documentation Toolkit includes: A complete set of easy-to-use, customisable and fully ISO 22301-compliant documentation templates that will save you time and money; Helpful dashboards and gap analysis tools to ensure complete coverage of the Standard; and.

  20. Business Continuity Planning

    Business Continuity Training Part 3: Planning Process Step 6. The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should "test" their business continuity plans. Organize a business continuity team and compile a business ...

  21. Metrics that Matter in Business Continuity & Disaster Recovery

    There are 7 important BC/DR metrics that you should be tracking to grow and measure recovery plans: The number of plans that cover each critical business process. The number of businesses processes that are threatened by a potential disaster. The difference between your target and actual recovery time.

  22. PDF Gap Analysis

    There are 342 DIS-200 controls which are categorized by 13 control families. We will perform the gap analysis and issue a report for each control family. This report focuses on the Business Continuity Management Control Family which has 49 controls. Of the 49 controls, 11 have priority gaps identified for remediation.

  23. Business Continuity Plan (BCP) Insights

    Business Continuity Plan (BCP) Insights. In the event of a disaster such as a technological failure or cyber-attack, it's critical to have a business continuity plan (BCP) that outlines the procedures your company must follow in order to continue operating and recover from the disruption. A business impact analysis (BIA) should also be part ...

  24. Skills Gap Analysis: A Guide to Training Your Teams

    This knowledge can be instrumental in planning future training programs, identifying who needs each training, and developing initiatives. ... Understanding what your organization aims to achieve is the foundation of a skills gap analysis. Clearly defining your business goals helps align the required skills with the organizational strategy. 2 ...

  25. Decline of mental health services at The Hobart Clinic lead key staff

    In short: Staff at southern Tasmania's last-remaining private mental health clinic are speaking out over cuts to services they believe will put patient care at risk. The Hobart Clinic says it is ...