IT KORR Knowledge Center
Business Continuity Plan Template
A structured template for documenting critical business functions, recovery priorities, roles, and communication procedures during a disruption.
Purpose & Scope
State why the plan exists and what it covers: the business units, locations, and types of disruptions in scope (e.g., natural disaster, extended outage, cyber incident, loss of facility or key personnel). A BCP that tries to cover everything in vague terms is rarely usable in the moment — be specific about what triggers activation.
- Define the events that trigger plan activation and who has authority to declare an activation.
- State the plan's objective in concrete terms: sustain or resume critical functions within defined timeframes and minimize impact to customers, revenue, and obligations.
- Identify the plan owner responsible for keeping it current.
Critical Business Functions & Dependencies
This section is built from a business impact analysis (BIA) — the exercise of identifying which functions the organization cannot operate without, and what each depends on.
- List each critical business function (e.g., order processing, payroll, client support, production).
- For each function, document its dependencies: systems/applications, data, key personnel, vendors, and facilities.
- Note the financial, operational, legal, or reputational impact of that function being unavailable for 1 hour, 1 day, and 1 week.
- Identify single points of failure — a function with only one person or one system able to perform it.
Recovery Priorities & Timeframes
- Rank critical functions in priority order for recovery, based on BIA impact findings.
- Assign a Maximum Tolerable Downtime (MTD) to each function — the longest it can be unavailable before serious harm occurs.
- Assign a target Recovery Time Objective (RTO) for each function that is shorter than its MTD, leaving margin for execution.
- Sequence recovery steps so that dependencies (e.g., network, core systems) are restored before the functions that rely on them.
Roles & Responsibilities
- Crisis Management Team Lead — declares activation, makes final decisions, coordinates across teams.
- Communication Lead — manages internal staff updates, customer notifications, and external/media messaging.
- IT Recovery Lead — directs technical recovery of systems and data per the Disaster Recovery Plan.
- Function Owners — responsible for resuming their specific critical business function and reporting status.
- Document a backup for every role — recovery cannot depend on a single person being reachable.
Communication Plan
- Internal staff — how and when employees are notified of an event, where to get updates, and who they report to.
- Customers — pre-drafted notification templates and the threshold at which customers are proactively contacted.
- Vendors & partners — key vendor contacts needed during recovery, and any contractual notification obligations.
- Maintain an up-to-date contact list (phone, personal email) that does not rely solely on systems that may be unavailable during the event.
Plan Maintenance & Review
- Review and update the plan at least annually, and after any significant organizational, system, or vendor change.
- Test the plan at least annually through a tabletop exercise, and document lessons learned.
- Assign a named owner accountable for keeping the plan current and scheduling reviews.
- Version and date every revision, with a record of who approved it.
Related Resources
- Business Continuity Fundamentals — /knowledge-center/business-continuity/business-continuity-disaster-recovery/business-continuity-fundamentals
- RPO vs. RTO Explained — /knowledge-center/business-continuity/business-continuity-disaster-recovery/rpo-vs-rto-explained