
Business Continuity Plans, Procedures and Disaster Recovery Policy Writing
This article covers Business Continuity Plans and Procedures, specifically the documentation required. What plans does your company have in the event of an emergency or disaster?
We are often asked to consult with companies and write their policies for Business Continuity and Disaster Recovery.
Business Continuity Planning (BCP) and Disaster Recovery (DR) can cover a broad range of scenarios and you should be prepared with a plan of action and defined roles and responsibilities for each one.
Example Business Continuity Plans Content
- What will you do if there are threats to your business location?
- Who holds the BCP and DR roles and responsibilities?
- What are your plans if your business location is destroyed?
- What are your plans if the location is inaccessible for certain time periods?
Example BCP Scenarios
- What threat types are there?
- How do you receive and disseminate information?
- What are the priorities in these scenarios?
- Where do you stand legally and what actions should you perform to maximise your Business Continuity Plan's chances of success?
How We Can Help With BCP Documents
We assist companies in writing their BCP and DR plans, taking into account clients, staff and data/software systems. This ensures that in the event of a disaster you are well prepared and have a solid strategy for business continuity.
Contact Policy Pros
If you would like more information on how we can help you with your Disaster Recovery and Business Continuity Policies and Procedures, please contact us using the form below.
The Standard: ISO 22301
ISO 22301:2019 is the international standard for business continuity management systems and is the benchmark UK procurement teams, regulators and insurers expect.
The Cabinet Office's procurement Selection Questionnaire question 5.1 asks suppliers to confirm business continuity arrangements, and many private-sector buyers ask the same question.
For regulated sectors, additional rules apply: the FCA and PRA Operational Resilience rules require firms to identify Important Business Services, set Impact Tolerances, and demonstrate the ability to remain within tolerance during severe-but-plausible disruption.
What a Business Continuity Plan Should Cover
- Business Impact Analysis (BIA) identifying critical activities and recovery time objectives.
- Risk assessment for foreseeable disruption scenarios.
- Recovery strategies for people, premises, IT, suppliers and information.
- Incident management structure and escalation criteria.
- Communications plan (internal, customer, regulator, media).
- Test and exercise programme with documented evidence.
- Maintenance and review cycle.
Common Compliance Pitfalls
- Plan written and never tested. The audit failure rate increases dramatically once a plan has gone more than 18 months untested.
- BIA performed once at adoption and never refreshed.
- Cyber incident scenarios omitted or treated as IT-only.
- No documented Important Business Service mapping for FCA-regulated firms.
- Crisis communications templates absent or out of date.
Frequently Asked Questions
Do we need to be ISO 22301 certified?
Certification is voluntary but increasingly expected by enterprise procurement, financial services counterparties and regulated supply chains. Many organisations adopt the ISO 22301 framework without formal certification.
How often should the plan be tested?
At least annually for tabletop exercises and at least every two years for a live test, with scenario-driven exercises after material change. FCA-regulated firms must test against impact tolerance.
What Policy Pros Delivers
Our Business Continuity package includes the BCP, BIA template, recovery strategy library, incident management procedure, communications templates, and test and exercise programme aligned to ISO 22301.
Sector-specific add-ons cover FCA Operational Resilience, NHS EPRR and CQC requirements.