Skip to main content
    Main Menu
    Help & Info
    Company
    Back to Docs
    Operations
    Strategic

    Business Continuity Planning Guide

    Complete business continuity planning guide for California businesses. Covers BIA, risk assessment, recovery strategies, and testing frameworks to keep operations running through any disruption.

    40 min read
    Operations

    Bottom Line: A business continuity plan is not a document you write once and file away. It is a tested, living system that determines whether your business survives a disruption or becomes a statistic. This guide shows you how to build one that actually works.


    What You'll Learn

    • How to conduct a Business Impact Analysis (BIA)
    • Risk assessment frameworks for California businesses
    • Recovery strategy development for people, processes, and technology
    • How to write a BCP that employees can actually follow under stress
    • Testing and maintenance schedules that keep your plan current

    1. Why Most BCPs Fail

    Most businesses that have a BCP still fail after a major disruption. The reason is almost always the same: the plan was written, filed, and never tested.

    BCP Status Survival Rate After Major Disruption
    Tested annually 92% survive
    Written but untested 61% survive
    No BCP 40% survive within 1 year

    A plan you have not tested is not a plan — it is a hypothesis.


    2. Business Impact Analysis (BIA)

    The BIA is the foundation of your BCP. It identifies which business functions are critical and how long you can survive without them.

    2.1 Define Critical Functions

    For each business function, document:

    Field Description
    Function name What the team or process does
    Owner Who is responsible
    Dependencies Systems, people, vendors required
    RTO Recovery Time Objective — max acceptable downtime
    RPO Recovery Point Objective — max acceptable data loss
    Revenue impact Cost per hour of downtime

    2.2 Typical RTO/RPO by Function Type

    Function Type Typical RTO Typical RPO
    Customer-facing systems < 4 hours < 1 hour
    Core business operations < 8 hours < 4 hours
    Internal tools < 24 hours < 24 hours
    Reporting and analytics < 72 hours < 24 hours

    2.3 Prioritization

    Rank all functions as:

    • Tier 1 — Critical: Business stops without this. Restore first.
    • Tier 2 — Essential: Significant impact. Restore within 24 hours.
    • Tier 3 — Important: Noticeable impact. Restore within 72 hours.
    • Tier 4 — Deferrable: Can wait more than 72 hours.

    3. Risk Assessment

    Identify what could disrupt your Tier 1 and Tier 2 functions.

    3.1 Threat Categories for California Businesses

    Threat Likelihood (CA) Impact Priority
    Ransomware / cyberattack High Severe Critical
    Extended power outage Medium High High
    Key employee unavailability Medium High High
    Natural disaster (earthquake, wildfire) Medium Severe High
    Internet/ISP outage High Medium High
    Vendor/supplier failure Medium Medium Medium
    Physical facility loss Low Severe Medium

    3.2 Risk Scoring

    For each threat, score:

    • Likelihood: 1 (rare) to 5 (near-certain)
    • Impact: 1 (minor) to 5 (catastrophic)
    • Risk Score = Likelihood × Impact

    Prioritize mitigation for anything scoring 12 or higher.


    4. Recovery Strategies

    For each critical function, define a recovery strategy before a disruption occurs.

    4.1 Technology Recovery

    Scenario Strategy
    Server failure Cloud failover (Azure, AWS) with < 1 hr RTO
    Ransomware attack Restore from air-gapped backup; activate incident response plan
    Internet outage 4G/LTE failover router pre-configured and tested
    SaaS vendor outage Documented manual workarounds for top 5 SaaS tools
    Data loss Automated offsite backups with tested restore procedures

    4.2 People Recovery

    • Succession planning: Document who covers each critical role
    • Cross-training: At least two people can perform every Tier 1 function
    • Contact tree: Emergency contact list stored offline and off-site
    • Remote work capability: VPN, cloud tools, and home equipment policies pre-defined

    4.3 Facility Recovery

    • Primary site: Your normal office
    • Warm site: A pre-configured secondary location (another office, co-working space)
    • Work-from-home: Documented remote work policy and tested VPN access
    • Vendor relationships: Pre-negotiated agreements with IT recovery vendors

    5. Writing the BCP Document

    Your BCP needs to be usable by someone who has never read it before, under stress, at 2am.

    5.1 Required Sections

    1. Activation criteria — What triggers the BCP? Who decides?
    2. Notification tree — Who calls whom, in what order
    3. Roles and responsibilities — Named people, not just titles
    4. Recovery procedures — Step-by-step, numbered, no assumed knowledge
    5. Resource lists — Vendor contacts, cloud credentials, backup locations
    6. Communication plan — How you notify customers, employees, vendors
    7. Return-to-normal criteria — How do you know the crisis is over?

    5.2 Format Rules

    • Use numbered steps, not paragraphs
    • Include screenshots for technical procedures
    • Store copies: digital (cloud) + printed (off-site)
    • Version control: date every update
    • Maximum length for core response procedures: 2 pages per function

    6. Testing Your BCP

    An untested plan is a liability. Test at minimum annually, and after every major change.

    6.1 Test Types (Ascending Complexity)

    Test Type Description Frequency
    Document review Review for accuracy, update contact info Quarterly
    Tabletop exercise Walk through scenarios verbally with key staff Semi-annually
    Functional test Actually execute one recovery procedure Annually
    Full simulation Simulate a complete disruption, activate full BCP Every 2 years

    6.2 Tabletop Exercise Format

    Run a 90-minute session with your leadership team:

    1. Present a scenario (e.g., "ransomware hit at 8am Monday, all servers encrypted")
    2. Walk through the BCP step by step
    3. Document every gap, confusion, or missing resource
    4. Assign owners and deadlines to fix each gap
    5. Update the BCP within 30 days

    6.3 After Every Test

    • Document what worked and what did not
    • Update the BCP within 30 days of the test
    • Track improvements over time

    7. Maintenance Schedule

    Task Frequency Owner
    Review and update contact lists Quarterly BCP Owner
    Verify backup restore works Monthly IT
    Review vendor/supplier contracts Annually Operations
    Update BCP for org changes After every major change BCP Owner
    Full BCP review Annually Leadership
    Tabletop exercise Semi-annually BCP Owner + Leadership

    8. Quick-Start Checklist

    Use this to assess where you stand today:

    • Critical functions identified and ranked by tier
    • RTO and RPO defined for each Tier 1 and Tier 2 function
    • Risk assessment completed and updated within 12 months
    • Recovery strategies documented for top 5 threat scenarios
    • Emergency contact tree created and stored off-site
    • Backups tested with a full restore in the last 90 days
    • BCP document written and reviewed by key staff
    • Tabletop exercise completed in the last 12 months
    • Remote work capability tested for all critical roles
    • BCP stored in at least 3 locations (cloud, on-site, off-site)

    Need help building or testing your BCP? JSB-Tech provides BCP development, tabletop exercises, and ongoing maintenance for California businesses. Contact us for a free continuity assessment.

    Was this helpful?
    Get Help

    Need Help Implementing This?

    Our technical experts can help you implement these solutions in your environment.