How to Create a Business Continuity Plan

When creating a business continuity plan, there are four primary areas you will need to focus on.

Business continuity management is only effective if it has been implemented before the emergency occurs. Anticipating potential risks and preparing for them by establishing an emergency preparedness team will help ensure that when disaster strikes, your organisation isn’t left scrambling for direction. The anticipation phase should include the following:

Taking inventory

Having a detailed inventory of crucial supplies—and increasing that inventory when possible—will ensure that even when supply chains are disrupted, you have the resources you need to remain in business.

Identifying dependencies

Modern business processes don’t operate in a vacuum; they are a complex, connected web of inter-reliant functions. Identifying which functions, processes and systems are dependent upon which other functions, processes and systems will give you a clearer picture of where you should focus your efforts. Additionally, dependencies may exist outside if your organisation, and will need to be addressed as well.

Prioritising and assessing risk

A business impact analysis and risk assessment will help you better understand where key elements of your business are most in danger. With these areas identified, you can then prioritise them so that the most vital and potentially impactful elements get top consideration as you map your BCP.

As you create your business continuity plan, you will likely begin identifying potential weaknesses within your organisation. These vulnerabilities may create additional problems during an emergent event. Addressing existing flaws and conducting regular prevention activities can help decrease the likelihood of a disruption. The prevention phase should include the following:

Establishing controls

Often, with the right controls in place, businesses can avoid the disruptions that come with many disasters and other emergencies. Identifying and establishing which controls may be implemented in response to which emergencies—such as cybersecurity controls in the event of a cyberattack, or flood barriers in the event of a flood—is an essential part of business continuity management in the prevention phase.


As you develop your plan, don’t wait until an emergency occurs to see if it’s effective. Employee training, education and programme reviews will help you iron out any problems with your plan, and allow you to better prevent any problems before they arise.


A fast response may be the most effective protection against disruption. Actively monitor your systems for any signs of disruption, and respond accordingly when they occur. Advanced monitoring tools will even allow you to designate automatic responses to certain situations, effectively eliminating response time as an issue.

When disruptions occur, your response will determine the outcome for your business. Make sure that the responsibilities are clearly outlined for every member of your team, and have a strategy in place to provide direction and stability. The response phase should include the following:


Your first order of business in the event of a disruption is to recover so that you may resume operations. Work to quickly restore any affected systems, prioritising critical systems ahead of non-critical ones. Understand that some systems and applications may require more time to get up and running again.


Communication should be an essential part of your disaster response. Rely on available, unaffected communications channels to address your employees and inform them of the situation. Keep your emergency communications brief and to the point, and follow established communication protocols. Additionally, if the event is likely to impact your customers, it’s your responsibility to ensure that they are kept up to date on what is happening, and how you are working to resolve the issue.


With your essential processes and communication lines functioning properly, your next focus should be on restoring any damaged or compromised systems. Restoration may take a significant amount of time, but if you have an effective continuity plan in place, you should be able to address the highest risk elements first and return to business normalcy much more quickly.

It’s been said that no plan survives contact with the enemy. And while a robust, detailed business continuity plan can go a long way towards protecting your business during an emergency, there will likely be times when you need to adapt your plan to fit new or unexpected circumstances. The adaptation phase should include the following:

Identify root causes

Perform a systematic process for identifying the root cause of problems or events and an approach for preventing and responding to them. This is based on the idea that effective management requires more than merely putting out fires for problems that develop, but finding ways to prevent them.

Establish new or enhanced controls

Evaluate how effective your controls were. This includes assessing if the controls were effectively designed and operating as expected. Where gaps were identified, new controls should be implemented.

Get started with ServiceNow Governance, Risk, and Compliance

Manage risk and resilience in real time with ServiceNow.

Loading spinner