A business continuity plan (BCP) is a strategic document that describes the measures to be implemented to maintain an organisation's essential activities during and after a crisis or major incident (cyber attacknatural disasters, pandemics, etc.).
Not to be confused with a Disaster recovery plan (DRP).
Unlike the PRAIt adopts a proactive approach to avoid total business interruption, integrating technical, human and logistical measures.
Differences with the PRA
| BCP (Business Continuity Plan) | DRP (Disaster Recovery Plan) |
|---|---|
| Maintains activities for a crisis (e.g. switching to an emergency site) | Restore activities after a total shutdown (e.g. restoration of backups) |
| Proactive approachAnticipating risks to avoid downtime (redundant infrastructure, communication plans) | Reactive approach : acts after the incident to restore systems |
| Cover all aspects (IT, HR, logistics, legal) | Mainly targets IT systems and data |
How the BCP works
The BCP is structured around 5 key phases:
- Business Impact Analysis (BIA) :
- identify vital processes (e.g. production line, customer service).
- define interruption tolerances (e.g. 2-hour threshold for deliveries).
- Risk assessment :
- map threats (pandemic, supplier failure, strike) and their financial/reputational impact.
- Continuity strategies :
- redundancy : back-up sites, alternative suppliers.
- teleworking Cloud infrastructure, VPN secure.
- training Regular team exercises (e.g. crisis simulation).
- Drafting the plan :
- details of procedures (e.g. activation of the emergency site in <1 hour).
- key roles: crisis manager, logistics team, IT support.
- Testing and maintenance :
- annual simulations (e.g. health crisis, network failure).
- updated in line with developments (e.g. new regulations, technologies).
Application examples
- pandemic A logistics company is switching 80 % of its employees to teleworking using collaborative tools (Microsoft Teams, SharePoint).
- strike A hospital enters into a partnership with a private clinic to provide emergency services.
- supplier failure A car manufacturer uses buffer stock parts to avoid production stoppages.
✔ Benefits
- minimises losses Rapid activation of the BCP reduces downtime costs by 30 to 50 % (Business Continuity Institute study).
- protects the image 65 % of companies with a BCP maintain shareholder confidence in the event of a crisis (Deloitte).
- compliance compliance with ISO 22301 or SOC 2.
✖ Disadvantages
- high costs Maintaining redundant sites (up to €1M/year for a large company).
- operational complexity coordination between departments (IT, HR, legal).
- risk of under-utilisation 45 % of BCPs are never tested in real-life conditions (Gartner).
Typical structure of a BCP
- Objectives :
- minimum service levels (e.g. 70 % of production maintained).
- changeover times (e.g. back-up site operational in <2 hours).
- Inventory of resources :
- supply chain, servers, key personnel.
- secondary: non-vital applications, non-priority stocks.
- Activation procedures :
- priority 1: secure employees and customer data.
- priority 2: activate alternative infrastructures (e.g. hybrid cloud).
- Crisis team :
- managers: operational director, HR manager, cybersecurity expert.
- external partners: energy suppliers, insurers.
- Communication :
- message templates for customers, employees and the media.
- preferred channels: email, internal social networks, SMS.
Best practice
- involve the professions The operational teams must co-construct the BCP.
- automate scales Tools such as VMware SRM reduce intervention times.
- hybrid scenarios Anticipate combined crises (e.g. cyber-attack + staff shortage).
- regular audits Checking the adequacy of the BCP in relation to new threats (e.g. the threat of terrorism). Generative AI).
📊 Key figures
- France :
- 40 % of SMEs have no BCP (INSEE).
- Average cost of a day's stoppage: €10,000 for a very small business (Medef).
- World :
- 70 % of companies with a BCP withstand a major crisis (BCI).
- 90 % of business interruptions > 7 days result in bankruptcy (FEMA).
