Business Continuity Planning Guide
Complete business continuity planning guide for California businesses. Covers BIA, risk assessment, recovery strategies, and testing frameworks to keep operations running through any disruption.
Bottom Line: A business continuity plan is not a document you write once and file away. It is a tested, living system that determines whether your business survives a disruption or becomes a statistic. This guide shows you how to build one that actually works.
What You'll Learn
- How to conduct a Business Impact Analysis (BIA)
- Risk assessment frameworks for California businesses
- Recovery strategy development for people, processes, and technology
- How to write a BCP that employees can actually follow under stress
- Testing and maintenance schedules that keep your plan current
1. Why Most BCPs Fail
Most businesses that have a BCP still fail after a major disruption. The reason is almost always the same: the plan was written, filed, and never tested.
| BCP Status | Survival Rate After Major Disruption |
|---|---|
| Tested annually | 92% survive |
| Written but untested | 61% survive |
| No BCP | 40% survive within 1 year |
A plan you have not tested is not a plan — it is a hypothesis.
2. Business Impact Analysis (BIA)
The BIA is the foundation of your BCP. It identifies which business functions are critical and how long you can survive without them.
2.1 Define Critical Functions
For each business function, document:
| Field | Description |
|---|---|
| Function name | What the team or process does |
| Owner | Who is responsible |
| Dependencies | Systems, people, vendors required |
| RTO | Recovery Time Objective — max acceptable downtime |
| RPO | Recovery Point Objective — max acceptable data loss |
| Revenue impact | Cost per hour of downtime |
2.2 Typical RTO/RPO by Function Type
| Function Type | Typical RTO | Typical RPO |
|---|---|---|
| Customer-facing systems | < 4 hours | < 1 hour |
| Core business operations | < 8 hours | < 4 hours |
| Internal tools | < 24 hours | < 24 hours |
| Reporting and analytics | < 72 hours | < 24 hours |
2.3 Prioritization
Rank all functions as:
- Tier 1 — Critical: Business stops without this. Restore first.
- Tier 2 — Essential: Significant impact. Restore within 24 hours.
- Tier 3 — Important: Noticeable impact. Restore within 72 hours.
- Tier 4 — Deferrable: Can wait more than 72 hours.
3. Risk Assessment
Identify what could disrupt your Tier 1 and Tier 2 functions.
3.1 Threat Categories for California Businesses
| Threat | Likelihood (CA) | Impact | Priority |
|---|---|---|---|
| Ransomware / cyberattack | High | Severe | Critical |
| Extended power outage | Medium | High | High |
| Key employee unavailability | Medium | High | High |
| Natural disaster (earthquake, wildfire) | Medium | Severe | High |
| Internet/ISP outage | High | Medium | High |
| Vendor/supplier failure | Medium | Medium | Medium |
| Physical facility loss | Low | Severe | Medium |
3.2 Risk Scoring
For each threat, score:
- Likelihood: 1 (rare) to 5 (near-certain)
- Impact: 1 (minor) to 5 (catastrophic)
- Risk Score = Likelihood × Impact
Prioritize mitigation for anything scoring 12 or higher.
4. Recovery Strategies
For each critical function, define a recovery strategy before a disruption occurs.
4.1 Technology Recovery
| Scenario | Strategy |
|---|---|
| Server failure | Cloud failover (Azure, AWS) with < 1 hr RTO |
| Ransomware attack | Restore from air-gapped backup; activate incident response plan |
| Internet outage | 4G/LTE failover router pre-configured and tested |
| SaaS vendor outage | Documented manual workarounds for top 5 SaaS tools |
| Data loss | Automated offsite backups with tested restore procedures |
4.2 People Recovery
- Succession planning: Document who covers each critical role
- Cross-training: At least two people can perform every Tier 1 function
- Contact tree: Emergency contact list stored offline and off-site
- Remote work capability: VPN, cloud tools, and home equipment policies pre-defined
4.3 Facility Recovery
- Primary site: Your normal office
- Warm site: A pre-configured secondary location (another office, co-working space)
- Work-from-home: Documented remote work policy and tested VPN access
- Vendor relationships: Pre-negotiated agreements with IT recovery vendors
5. Writing the BCP Document
Your BCP needs to be usable by someone who has never read it before, under stress, at 2am.
5.1 Required Sections
- Activation criteria — What triggers the BCP? Who decides?
- Notification tree — Who calls whom, in what order
- Roles and responsibilities — Named people, not just titles
- Recovery procedures — Step-by-step, numbered, no assumed knowledge
- Resource lists — Vendor contacts, cloud credentials, backup locations
- Communication plan — How you notify customers, employees, vendors
- Return-to-normal criteria — How do you know the crisis is over?
5.2 Format Rules
- Use numbered steps, not paragraphs
- Include screenshots for technical procedures
- Store copies: digital (cloud) + printed (off-site)
- Version control: date every update
- Maximum length for core response procedures: 2 pages per function
6. Testing Your BCP
An untested plan is a liability. Test at minimum annually, and after every major change.
6.1 Test Types (Ascending Complexity)
| Test Type | Description | Frequency |
|---|---|---|
| Document review | Review for accuracy, update contact info | Quarterly |
| Tabletop exercise | Walk through scenarios verbally with key staff | Semi-annually |
| Functional test | Actually execute one recovery procedure | Annually |
| Full simulation | Simulate a complete disruption, activate full BCP | Every 2 years |
6.2 Tabletop Exercise Format
Run a 90-minute session with your leadership team:
- Present a scenario (e.g., "ransomware hit at 8am Monday, all servers encrypted")
- Walk through the BCP step by step
- Document every gap, confusion, or missing resource
- Assign owners and deadlines to fix each gap
- Update the BCP within 30 days
6.3 After Every Test
- Document what worked and what did not
- Update the BCP within 30 days of the test
- Track improvements over time
7. Maintenance Schedule
| Task | Frequency | Owner |
|---|---|---|
| Review and update contact lists | Quarterly | BCP Owner |
| Verify backup restore works | Monthly | IT |
| Review vendor/supplier contracts | Annually | Operations |
| Update BCP for org changes | After every major change | BCP Owner |
| Full BCP review | Annually | Leadership |
| Tabletop exercise | Semi-annually | BCP Owner + Leadership |
8. Quick-Start Checklist
Use this to assess where you stand today:
- Critical functions identified and ranked by tier
- RTO and RPO defined for each Tier 1 and Tier 2 function
- Risk assessment completed and updated within 12 months
- Recovery strategies documented for top 5 threat scenarios
- Emergency contact tree created and stored off-site
- Backups tested with a full restore in the last 90 days
- BCP document written and reviewed by key staff
- Tabletop exercise completed in the last 12 months
- Remote work capability tested for all critical roles
- BCP stored in at least 3 locations (cloud, on-site, off-site)
Need help building or testing your BCP? JSB-Tech provides BCP development, tabletop exercises, and ongoing maintenance for California businesses. Contact us for a free continuity assessment.
Need Help Implementing This?
Our technical experts can help you implement these solutions in your environment.