Since its emergence at the end of 2019, the COVID-19 pandemic has disrupted many businesses worldwide. The truth is, most organizations were unprepared to deal with such an unpredictable crisis. Their business continuity plans either lacked altogether or failed to include disruptions caused by a global pandemic.

If COVID-19 has taught companies anything is that the unexpected does happen. Hence, having a comprehensive business continuity plan (BCP) in place is essential.

This article shows you how to create an effective business continuity plan for your organization.


What is business continuity?

Business continuity refers to an organization’s ability to ensure that essential business functions can keep running as normally as possible in the event of a disruption. Some of the events that can cause such disruptions are natural disasters, cyberattacks, failure of IT systems, theft, etc.


What is a business continuity plan (BCP)?

A business continuity plan, aka BCP, is a document that outlines the policies and procedures that an organization needs to follow to restore core business functions and processes in the event of a disruption or disaster.

An efficient business continuity plan provides a comprehensive overview of potential business risks and their impact and ensures that companies can quickly react and recover when an unexpected event happens.


What is the difference between a business continuity plan and a disaster recovery plan?

Many people use the terms business continuity and disaster recovery interchangeably. However, a disaster recovery plan is mainly concerned with minimizing downtime and restoring critical IT infrastructure should it fail due to an unexpected event.

On the other hand, a business continuity plan has a much broader scope. A BCP focuses on keeping all the essential functions of the organization operational with minimal downtime.

Therefore, a disaster recovery plan is only a small part of the business continuity plan.


What are the benefits of a business continuity plan?

The main benefits of a business continuity plan are:

Significant cost savings

First and foremost, a BCP can save your organization time and money.

A 2014 study by Gartner found that the average cost of downtime is $5,600 per minute. Of course, this is just an average, and the cost varies based on the size of the company, its industry vertical, etc.

Research by IDC shows that the downtime cost for small businesses ranges from $137 to $427 per minute whereas, for Fortune 100 companies, downtime can cost upwards of $1 million per hour.

Fast reaction time

A business continuity plan ensures that the people in your organization will know how to react promptly if certain business functions fail, thus eliminating or minimizing downtime. By providing a clear plan of action, a BCP helps organizations significantly reduce downtime costs due to power outages, server issues, cyberattacks, etc.

Protection of business reputation

Additionally, having an effective BCP in place can also help protect your business’ reputation.

When a disruptive event happens, companies need to promptly inform their customers, partners, suppliers, and other affected stakeholders about the incident. The communications plan, which is part of the BCP, enables companies to effectively inform different audiences about how the disruption affects them and what steps they are taking to resolve it.

Also, the business continuity plan prepares the company’s employees to deal with customer inquiries following the disruption. Organizations need to be able to handle and quickly respond to a large number of customer requests.

Prompt and clear communication, constant updates, and efficient support during and following the incident are crucial for maintaining a positive reputation in a time of crisis.


What does a business continuity plan include?

Here is a quick overview of the main elements that you should include in a business continuity based on the ISO 22301 standard.

  1. Introduction
  2. Responsibilities and duties
  3. List of emergency contacts
  4. Communications plan
  5. Location of backup site
  6. Resources
  7. Incident response plan
  8. Recovery plan
  9. Disaster recovery plan
  10. Testing plan and exercises


How to create a business continuity plan?

Follow these steps to create a comprehensive business continuity plan for your organization:

1. Start with an introduction.

This section should introduce the purpose of the plan as well as its scope and objectives. Additionally, the introduction should specify who are the intended users of the document.

Other elements that the introduction should include are:

  • References and related documents that are relevant to the BCP
  • A distribution list showing where copies of the BCP are stored and the people who have a copy
  • A glossary defining the terms used throughout the BCP
  • Assumptions (what needs to happen for the plan to be activated)

2. Define roles and responsibilities.

This section defines the specific duties of each member of the staff in a crisis. Additionally, it indicates who has the authorization to activate or deactivate the plan.

Clearly communicating to employees what their duties and responsibilities are in case of an emergency is vital. This part of the BCP helps avoid panic and confusion and ensures that each employee knows what they have to do should the worst happen.

3. Prepare a list of internal and external key contacts.

The list should include internal emergency contacts (business continuity leader, business owner, etc.) and external emergency contacts (police, ambulance, insurance, etc.)

4. Create a communications plan.

The communications plan details:

  • who is going to communicate with the different stakeholders and
  • the communication channels they should use

For larger companies, the communications plan should also include guidelines regarding communication with the media.

5. Include the location of your backup site.

Inform your staff about the address of the backup site(s) and explain how they can get there.

6. Identify all the required resources.

Make a list of staff members, equipment, third parties, data, facilities, and systems required to restore normal operations.

7. Identify potential risks and prepare an incident response plan.

Write down all the potential threats that your business can’t mitigate without an immediate response. These risks can be:

  • natural disasters (fire, flooding, earthquake, etc.),
  • cyberattacks,
  • terrorist attacks,
  • power outages, etc.

Assess the probability of each threat occurring and how severely they could impact your core business functions. Next, prepare an incident response plan that details:

  • the steps that staff members need to take to respond to and limit the consequences of the incident
  • the equipment needed
  • the responsibilities of each team member
  • communication procedures
  • who activates the response plan and under what circumstances

An example of an incident response plan is a fire emergency evacuation plan (FEEP).

8. Conduct a Business Impact Analysis (BIA) and prepare a recovery plan to restore operations.

First, list all your business activities and processes. Next, assess the operational, reputational, and financial impacts that stem from the interruption of each business function.

Prioritize the functions that have the highest impact on your business and set recovery time objectives (RTOs) for all of them. The recovery time objective is the amount of time within which a business process needs to be restored after a disaster.

The next step is to prepare a recovery plan that includes:

  • the step-by-step actions that team members need to take to restore critical business functions and processes
  • the responsibilities and main tasks of each person involved
  • the resources needed to restore operations

9. Prepare a disaster recovery plan for IT-related incidents.

This plan will have the same structure as the recovery plan. However, it will only focus on recovering technology infrastructure and systems.

10. Continuously test, review, and update the BCP.

Create a test plan and practice the different scenarios outlined in your business continuity plan. As a result of continuous testing, you can use new information to improve the BCP.

Remember to continually review the business continuity plan and update it to include emerging technologies, changes in the organizations, and changing market conditions.


How does Penneo ensure business continuity?

Cloud storage

Penneo Sign and Penneo KYC are cloud-based solutions. Therefore, all your data and documents are stored online, and you can access them from any device connected to the internet. Should a disaster affect your local servers and computers, your documents will still be accessible on both Penneo platforms.

Additionally, all the data stored in Penneo Sign is mirrored between multiple off-site locations within the EU, so customers can rest assured that, no matter what happens, their documents won’t be lost.


At Penneo, we take cybersecurity seriously. That’s why both Penneo Sign and Penneo KYC ensure the highest level of data protection by employing security controls such as encryption, daily backups, two-factor authentication, and role-based access control.

Ease of access

Due to cloud storage, your staff members can access the data and documents remotely. Penneo Sign and Penneo KYC enable your team to work remotely from anywhere if a disruptive event prevents them from being in the office. A perfect example of such a disruptive event is the COVID-19 pandemic.

Companies that rely on cloud-based solutions can recover much faster from disasters with little to no downtime.



If you're looking to learn more, we have a few suggestions for you

9 expert tips for picking the perfect KYC solution

9 expert tips for picking the perfect KYC solution

eIDAS 2.0

eIDAS 2.0 and its impact on digital transactions and identity verification

EU unveils ambitious AML package

EU unveils ambitious AML package