Business Continuity Plan: Preparing Your Company for a Crisis
Building a business continuity plan (BCP): impact analysis, disruption scenarios, RTO/RPO, backups, crisis team and crisis cash, following ISO 22301. The method to absorb a shock without stopping.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. A business continuity plan (BCP) is the set of measures that lets a company maintain or quickly restore its essential functions after a major shock: cyberattack, physical loss, failure of a key supplier, departure of a key person. The method, framed by ISO 22301, has five steps: analyse the impact of interruptions (BIA), set recovery objectives (RTO/RPO), choose responses, write the procedures, then test. It rests on three pillars: proven backups, a designated crisis team and a cash reserve. An SME can build a useful BCP in a few weeks.
2026 context: resilience is no longer optional
Shocks have multiplied: ransomware, supply disruptions, floods, hosting outages, cascading failures. For an SME, the point is not to avoid the unexpected — that is impossible — but to absorb it without stopping. That is exactly what the business continuity plan is for: organising in calm what you will not have time to think through in the heat of the moment.
The common reflex is to reduce the BCP to IT. That is a mistake: a BCP covers all vital functions — production, payroll, invoicing, customer relations, cash — not just servers. Data backup is one brick among others. The right approach starts from the essential activities, then traces back to the resources (people, IT, finance, suppliers) they depend on. It complements the detection of difficulty signals: one anticipates the financial crisis, the other the operational crisis.
What a BCP is, and what it is not
The BCP aims to keep essential activities running during the crisis and restore them quickly. Do not confuse it with two neighbouring notions:
- the DRP (disaster recovery plan) is the IT side: restoring systems and data after an incident. It is a subset of the BCP, not its equivalent.
- crisis management is the human and decision-making dimension: who decides, who speaks, who does what during the event. The BCP integrates it through the crisis team.
The international reference standard is ISO 22301 ("Security and resilience — Business continuity management systems"). It does not legally bind an SME, but offers a proven method, organised around the PDCA continuous-improvement cycle (plan, do, check, act).
The five steps of a BCP
| Step | Objective | Deliverable |
|---|---|---|
| 1. Impact analysis (BIA) | Identify essential activities and the cost of an interruption | Map of critical activities |
| 2. Recovery objectives | Set tolerable downtime and data loss | RTO and RPO per activity |
| 3. Continuity strategies | Choose responses for each scenario | Fallback and redundancy solutions |
| 4. Procedures and crisis team | Write who does what, when, how | Continuity manual, crisis directory |
| 5. Tests and upkeep | Check that the plan works | Exercise reports, updates |
The impact analysis (BIA), the heart of it
The business impact analysis answers one question: if a given activity stops, how much does it cost, and from when does it become vital? You rank activities by criticality, quantify the losses (lost revenue, penalties, lost clients), and identify the indispensable resources. Without a BIA, a BCP protects at random; with a BIA, it concentrates resources where stopping hurts most.
RTO and RPO: two numbers that structure everything
Two metrics, recognised by ISO 22301 and by the French cybersecurity agency (ANSSI), set the tempo:
- the RTO (Recovery Time Objective) is the maximum tolerable interruption before an activity is restored. How long can you stay down?
- the RPO (Recovery Point Objective) is the maximum amount of data you accept losing, expressed in time. A daily backup implies a 24-hour RPO: you can lose one day of entries.
These two numbers dictate the investments. An RPO of a few minutes requires continuous replication; a 24-hour RPO settles for a nightly backup. Setting an RTO and RPO per activity avoids over-investing everywhere or under-protecting the essentials.
Disruption scenarios and their responses
| Scenario | Typical impact | BCP response |
|---|---|---|
| Cyberattack (ransomware) | Data encrypted, activity paralysed | 3-2-1 offline backups, DRP, communication plan |
| Premises loss (fire, water damage) | Loss of tools and site | Fallback site, remote work, digitisation |
| Key-supplier failure | Supply disruption | Dual sourcing, buffer stock, contract clauses |
| Loss or absence of a key person | Loss of critical know-how | Documentation, cross-skilling, key-person insurance |
| Cash shock | Inability to pay during the stoppage | Cash reserve, confirmed credit lines |
The 3-2-1 backup rule is worth knowing for every owner: three copies of the data, on two different media, one of them off-site (and ideally offline, to withstand ransomware). A backup never restored is not a backup: it is an assumption. Testing restoration is part of the plan. On the physical-loss side, compensation and accounting also need preparing.
The forgotten pillar: crisis cash
People readily document servers and procedures but often forget the sinews of war: money. During an interruption, costs continue (wages, rent, subscriptions) while collections stop. A solid BCP therefore includes a financial component:
- A cash reserve sized to last the longest RTO, fixed costs included.
- Confirmed credit lines mobilisable without delay (authorised overdraft, receivables line).
- A crisis cash forecast that simulates the stoppage and quantifies the need day by day. It is the natural extension of a cash-flow stress test.
This financial component is too often neglected because it belongs to a different skill set than IT. Yet it is what decides whether the company survives a three-week stoppage, and it is exactly where an outsourced finance director adds value.
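To make these checks concrete, here is an added Python example (not code from the article or the firm) that applies the 3-2-1 rule and the RPO from the earlier sections to a backup inventory and sizes the cash reserve from the longest RTO, as this section describes. The activities, copies and figures are constructed sample data; the check that the RPO which really holds after ransomware is the one the offline copies can deliver is this example's own reasoning.

```python
"""3-2-1 backup, RPO and crisis-cash checks. Added example, not from the article;
all activities, copies and figures are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class BackupCopy:
    medium: str              # "nas", "tape", "object-storage"...
    offsite: bool
    offline: bool            # disconnected or immutable: out of ransomware's reach
    interval_hours: float    # refresh cadence
    restore_tested_days_ago: Optional[int]  # None = never restored

def check_321(copies, rpo_hours, max_test_age_days=365):
    """Return findings against the 3-2-1 rule and the RPO; empty list = pass."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copy/copies, the rule needs 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("single medium, the rule needs 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    surviving = [c for c in copies if c.offline]
    if not surviving:
        findings.append("no offline/immutable copy: ransomware can reach every copy")
    else:  # the RPO that really holds is what the surviving copies deliver
        freshest = min(c.interval_hours for c in surviving)
        if freshest > rpo_hours:
            findings.append(f"offline copy every {freshest}h exceeds RPO {rpo_hours}h")
    for c in copies:
        if c.restore_tested_days_ago is None or c.restore_tested_days_ago > max_test_age_days:
            findings.append(f"{c.medium}: never restore-tested, an assumption not a backup")
    return findings

def cash_reserve(activities, daily_fixed_costs):
    """Reserve covering the longest RTO: fixed costs run on while collections stop."""
    return max(a["rto_hours"] for a in activities) / 24 * daily_fixed_costs

# Constructed BIA extract: tolerable downtime (RTO) and data loss (RPO) in hours
ACTIVITIES = [{"name": "production", "rto_hours": 48, "rpo_hours": 24},
              {"name": "invoicing", "rto_hours": 72, "rpo_hours": 24},
              {"name": "payroll", "rto_hours": 120, "rpo_hours": 24}]
TIGHTEST_RPO = min(a["rpo_hours"] for a in ACTIVITIES)
# Before: one nightly copy on a network-connected NAS, never restored
BEFORE = [BackupCopy("nas", False, False, 24, None)]
# After: NAS + immutable daily off-site copy + weekly tape, all restore-tested this year
AFTER = [BackupCopy("nas", False, False, 24, 30),
         BackupCopy("object-storage", True, True, 24, 30),
         BackupCopy("tape", True, True, 168, 7)]
```

Running `check_321(BEFORE, TIGHTEST_RPO)` lists five findings, `check_321(AFTER, TIGHTEST_RPO)` returns an empty list, and `cash_reserve(ACTIVITIES, 1500.0)` gives 7500.0, that is five days of fixed costs for the 120-hour payroll RTO.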
The crisis team and communication
A plan is only as good as the people who run it. The crisis team designates, in calm, who leads, who approves exceptional spending, who speaks to clients, staff, insurers and authorities. A crisis directory (up-to-date contacts, including personal ones, accessible outside the information system) avoids hunting for a number while everything burns. Communication is prepared: template messages to clients and teams, a single spokesperson, backup channels.
Special cases
- The very small firm. No need for an 80-page manual: a one-page sheet per essential activity (who, what, where the backups are, who to call) already prevents paralysis.
- The all-cloud company. The risk shifts to the host and access: what happens if the SaaS provider goes down, or the admin account is compromised? Exported backups and two-factor authentication become vital.
- The seasonal business. The cost of an interruption depends on timing: a stoppage in peak season is devastating. The BCP must weight RTOs by the calendar.
- Platform dependence. Many activities depend on a single actor (marketplace, payment processor). The BCP plans a backup channel and reads the terms.
Key alerts in 2026
- A BCP never tested is fiction. Schedule at least one exercise a year: backup restoration, crisis-team simulation.
- Online backups are no longer enough. Against ransomware, an offline or immutable copy is essential.
- Keep the plan up to date. A change of software, supplier or director quickly makes a BCP obsolete.
- Check your insurance. Business-interruption cover and cyber insurance are read before the crisis, not during.
Our expert-accountant analysis
A client firm of about ten employees suffered ransomware one Monday morning: everything encrypted, including the first backup, connected to the network. They had no offline copy. Recovery took eleven days and cost far more than the avoided ransom: production halted, anxious clients, delayed payroll. We then helped them build a minimal but real BCP: 3-2-1 backups with a weekly tested offline copy, continuity sheets per activity, and above all a cash reserve equal to three weeks of fixed costs. A year later, a hosting outage stopped them for two days: thanks to the plan, they switched to their fallback procedure without panicking.
The real value of a BCP is measured not the day you write it, but the day you need it. And on that day, what saves you is never the document: it is having thought ahead. Building a BCP is the luxury of thinking in calm.
Hayot Expertise tip. Start small but start. List your three most critical activities, set a tolerable downtime for each, check that your backups actually restore, and quantify the cash needed to survive a stoppage. We help you connect the financial side — a crisis cash forecast — with securing your systems and data.
Frequently asked questions
Is a BCP mandatory for an SME?
No, there is no general BCP obligation for SMEs. ISO 22301 is voluntary. Some sector or cybersecurity obligations — notably the EU NIS2 directive for essential and important entities — may, however, require resilience measures. Beyond the law, a BCP is above all a survival insurance against a shock.
What is the difference between a BCP and a DRP?
The BCP covers all essential activities (production, payroll, invoicing, cash). The DRP (disaster recovery plan) is its IT side: restoring systems and data. The DRP is therefore a subset of the BCP, not its equivalent.
What do RTO and RPO mean?
The RTO (Recovery Time Objective) is the maximum tolerable interruption before recovery. The RPO (Recovery Point Objective) is the amount of data you accept losing, expressed in time. A daily backup gives a 24-hour RPO.
How long does it take to build a BCP?
For an SME, a useful BCP is built in a few weeks: identify critical activities, set RTO/RPO, secure backups and cash, write the sheets. The key is to start simple and test, rather than aim for a perfect document never tried.
What is the 3-2-1 backup rule?
Keep three copies of the data, on two different media, one off-site and ideally offline. That last copy withstands ransomware that would encrypt network-connected backups. A backup not tested by a restoration has no value.
Why include cash in a BCP?
Because during a stoppage, costs continue while income stops. Without a cash reserve or a confirmed credit line, a technically resilient company can become insolvent. The financial component is as vital as the IT one.
Key takeaways
- The BCP keeps essential activities running during a crisis; the DRP is only its IT side.
- The ISO 22301 method has five steps: impact analysis (BIA), recovery objectives (RTO/RPO), strategies, procedures and crisis team, tests.
- RTO and RPO size the investments: no need to over-protect everything.
- Three concrete pillars: tested 3-2-1 backups, a designated crisis team, a cash reserve.
- A BCP never tested is fiction: schedule one exercise a year and keep it current.
Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.