BCP (Business Continuity Plan) — IT definition

A BCP (Business Continuity Plan, French PCA — Plan de Continuité d'Activité) is the set of organizational, technical, and human arrangements that let a company keep its essential activities running, even partially, through a major disruption: IT outage, cyberattack, fire, flood, pandemic, civil unrest. It is a governance topic at IT and company-wide levels.

With DORA (Digital Operational Resilience Act) in force since January 2025 in finance and NIS2 across 18 critical sectors, a BCP is no longer optional: it is a regulatory obligation with sanctions attached. Per Gartner 2024, 65 % of companies that suffer a major incident without a tested BCP take more than six months to return to baseline — a quarter never fully recover.

BCP vs [DRP](/en/glossary/pra): the critical distinction

A common confusion:

• •The BCP is broad: it covers the whole company — IT, HR, premises, communication, logistics, suppliers. Its purpose: keep the business running.
• •The DRP (Disaster Recovery Plan, French PRA) is a technical subset of the BCP, focused on restoring the IT estate after a disruption.

In other words: without a DRP, the BCP has no technical foundation; without a BCP, the DRP is a pure IT drill missing business context.

Building a BCP

The ISO 22301 process has five steps:

1. Business Impact Analysis (BIA): identify critical processes, their tolerance for downtime (RTO), their tolerance for data loss (RPO), and their technical dependencies.
2. Risk assessment: catalog threats (cyber, natural, human, vendors).
3. Continuity strategies: alternative sites, fully remote work, degraded modes, vendor partnerships, target RTO.
4. Documentation: procedures, crisis org charts, communication scripts, contact lists.
5. Testing and continuous improvement: regular exercises (tabletop, simulation, real failover), lessons learned, at least annual updates.

Typical BCP content

A documented BCP includes:

• •The crisis team: composition, roles, deputies, physical and virtual war rooms.
• •Critical processes: prioritized list with RTO and RPO.
• •Degraded modes: how to operate without IT, paper-based, forced remote.
• •Alternative sites: geographic and IT (active-active, active-passive, cloud).
• •Communication plan: internal (staff), external (customers, vendors, press, regulators).
• •Call trees: who calls whom, in what order, by what means.
• •Technical annexes: failover procedures, scripts, configurations.

Testing the BCP

An untested BCP is paper. Test levels:

• •Tabletop exercise: review of procedures in a room, no real switchover.
• •Walkthrough: step-by-step with the actual responders.
• •Simulation: simulated crisis under realistic conditions, no production impact.
• •Partial test: real failover of one system or one site.
• •Full failover: complete switchover to the secondary site. At least annually for critical organizations.

DORA mandates at least an annual test for financial institutions and a full resilience test every three years.

Standards and frameworks

• •ISO 22301: international business continuity management standard.
• •ISO 22313: implementation guide for ISO 22301.
• •ITIL 4: Service Continuity Management practice.
• •NIST SP 800-34: US contingency planning guide.

BCP and application visibility

A credible BCP requires knowing precisely which applications support which critical business processes. Without an up-to-date application map, the BIA is speculative. Kabeen automatically connects applications, business usage, and cost to ground the BIA in live data.