AlignTrust
Operations & Governance

Business Continuity

The capability to maintain essential business functions during and after a disruptive event — whether a cyberattack, system failure, or natural disaster.

What Is Business Continuity?

Business continuity (BC) is the ability of an organisation to continue delivering products or services at acceptable levels during and after a disruptive event. A business continuity plan (BCP) documents the people, processes, and resources needed to maintain critical operations through any disruption — whether a ransomware attack, major outage, flood, or loss of a critical staff member.

Business continuity is a broader concept than disaster recovery: it covers the entire business, not just IT systems.

Business Continuity vs Disaster Recovery

These terms are often used interchangeably but describe different scopes:

  • Business Continuity: Maintaining business operations during a disruption. Focuses on people, processes, communications, and critical functions.
  • Disaster Recovery (DR): Restoring IT systems and data after a disruption. A component of business continuity, focused specifically on technology.

A BCP asks: "How do we keep operating?" A DR plan asks: "How do we restore our systems?"

Key BCP Components

Business Impact Analysis (BIA): Identifies critical business functions, their dependencies, and the maximum tolerable downtime for each.

Recovery Time Objective (RTO): The maximum acceptable time to restore a function after a disruption.

Recovery Point Objective (RPO): The maximum acceptable data loss, measured in time (e.g., "we can afford to lose up to 4 hours of data").

Alternate operating procedures: How does payroll get processed if the HR system is down? How do customer queries get handled without the CRM?

Communication plan: Who contacts customers, staff, regulators, and media? What do you say and when?

Testing: BCPs that have never been tested are assumptions, not plans. Run tabletop exercises at least annually.

Business Continuity for SMBs

You don't need a 100-page BCP. Start by answering:

  1. What are your five most critical business functions?
  2. What's the maximum downtime you could survive for each?
  3. What single points of failure threaten each?
  4. What would you do if your email system was down for three days?

Write it down, share it, and test it. Improve from there.