
Business continuity plan (BCP)

A business continuity plan (BCP) is the set of procedures that lets an organization maintain or restore its essential activities during and after a major disruption. It documents who does what, in what order and with what resources, to avoid improvising in a crisis.

Updated on July 2, 2026

What is a business continuity plan?

A business continuity plan, or BCP, is a documented arrangement that prepares an organization to face a major disruption: a cyberattack, a disaster, a prolonged outage or the unavailability of a supplier. Its goal is to ensure essential activities continue, even in degraded mode, until normal operations resume.

The BCP rests on a business impact analysis (BIA) that identifies critical functions, their dependencies and the point beyond which their interruption becomes unacceptable.

Why it matters for your organization

In a crisis, improvisation is costly. A BCP turns panic into execution: roles are assigned, procedures known, fallback solutions ready. It reduces downtime and limits financial and reputational losses.

It is also a growing expectation of customers, insurers and regulators, who want proof that an organization can withstand a shock without collapsing.

What a BCP contains

  • Business impact analysis (BIA): critical functions and tolerable timeframes.
  • Recovery objectives: RTO and RPO per activity.
  • Continuity procedures: workarounds and degraded modes.
  • Crisis organization: roles, responsibilities, decision chain.
  • Tests and exercises: regular validation of the plan under stress.

Where organizations most often fall short

The most common BCP is the one sleeping in a drawer, written once and never tested. An unexercised plan reveals its flaws at the worst moment. The other pitfall is limiting it to IT, forgetting the people, premises and suppliers that business continuity really depends on.

Frequently asked questions

What is the difference between a BCP and a disaster recovery plan (DRP)?

A BCP aims to maintain essential activities during the crisis, with workarounds. A DRP focuses on the technical restoration of IT systems after the incident. The DRP is often a component of the broader, activity-focused BCP.

What are RTO and RPO objectives for in a BCP?

They set the recovery targets. The RTO is the maximum acceptable time to restore a service; the RPO is the maximum amount of data you are willing to lose. These two values size the continuity and backup solutions you need.
