All templates
OperationsPolicy

Business Continuity Plan template

A business continuity plan is the written playbook for keeping your business running — or getting it back running — when something serious goes wrong: the premises are unusable, the IT is down, a key supplier fails, or half the team is off at once. It answers, in advance, the questions that are hardest to answer mid-crisis.

Free to use
UK-focused
Updated 11 July 2026

Small businesses rarely fail because of the incident itself; they fail in the weeks after, when trading stops and nobody knows who decides what. A plan that fits on a few pages, with named people and current phone numbers, outperforms a binder nobody has opened.

This template covers the scenarios worth planning for, who takes charge, how you communicate, what gets recovered first, and how the plan is tested.

The template

Full text, ready to adapt.

Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.

Business Continuity Plan

Policy · Operations

1. Purpose and scope

This plan sets out how {{org.name}} responds to serious disruption to normal operations at [site(s)]. It covers incidents that stop or significantly reduce our ability to trade, serve customers, or pay staff — not routine operational problems.

It applies to all staff. The current version is held at [location] and a copy is accessible off site at [location/system], because the plan is useless if it is locked inside the incident.

2. Policy statement

{{org.name}} is committed to protecting the safety of its people first, then its ability to serve customers and meet its obligations to staff, suppliers, and regulators. We will plan for disruption honestly, keep the plan current, and test it rather than assume it works.

3. Roles and responsibilities

  • Continuity lead ([name/role]): invokes this plan, leads the response, and is the single decision-maker during an incident. Deputy: [name/role].
  • Communications owner ([name/role]): handles messages to staff, customers, and suppliers using the arrangements in this plan.
  • [Name/role]: owns IT and data recovery, including backups and data breach assessment.
  • All staff: know where the plan is kept, follow the communications channel below, and do not speak to press or post about incidents on social media.

4. Scenarios we plan for

  • Premises unusable (fire, flood, damage, denial of access): fallback is [alternative site / remote working / mobile arrangement].
  • IT failure or cyber attack: fallback is [backup and restore arrangement, manual workaround — e.g. paper order pads, backup card terminal].
  • Loss of utilities (power, water, gas): fallback is [arrangement, e.g. safe shutdown steps and temporary closure criteria].
  • Key people unavailable (illness, resignation, emergency): critical tasks and deputies are listed under recovery priorities.
  • Key supplier failure: alternative suppliers for [critical items] are listed in the contacts annex.

5. Invoking the plan

  1. 1Make people safe first: follow the emergency procedures for the incident (evacuation, first aid, 999) before anything in this plan.
  2. 2The continuity lead (or deputy) decides whether to invoke the plan and records the decision and time.
  3. 3Assemble the response team — in person or on [channel] — and assess what is affected, for how long, and what can still run.
  4. 4If personal data may be involved, start the data breach response procedure immediately — the 72-hour ICO clock runs from awareness.
  5. 5Notify the insurer ([name/policy number]) and landlord [if applicable] before authorising clean-up or repairs beyond making things safe.
  6. 6Work through the recovery priorities below, log every decision and expense, and reassess at least daily.

6. Communications during disruption

Staff are contacted through [channel — e.g. WhatsApp group or phone cascade] by the communications owner; the staff contact list is kept current at [location]. Tell staff what happened, whether to come in, and when the next update will come — silence fills itself with rumour.

Customers are told the practical truth — what is closed or delayed and when to expect an update — through [website, social channels, signage, direct contact for bookings]. Only the communications owner or continuity lead speaks for the business.

7. Recovery priorities

  • Within [number] hours: [e.g. make the premises safe, secure stock and cash, contact all staff, redirect deliveries].
  • Within [number] days: [e.g. restore payment and till capability, resume core service even if reduced, contact key customers and suppliers].
  • Within [number] weeks: [e.g. return to full trading, replace equipment, progress the insurance claim, review what happened].
  • Critical dependencies and deputies: [task — payroll, ordering, banking — with who does it normally and who can cover].

8. Testing, records and review

The plan is tested at least [frequency, e.g. annually] with a walkthrough of one scenario, and contact lists are verified [frequency, e.g. quarterly]. Test findings, incident logs, and decision records are kept at [system/location].

The plan is reviewed [frequency], after every invocation or near-miss, and when premises, systems, key staff, or suppliers change. Owner: [name/role]. Next review due: [date].

Make it yours

How to adapt this template.

1

Start with the shortest useful version: one page per scenario with names, numbers, and first actions — expand only where a real gap appears.

2

Fill in the contacts annex first (insurer, landlord, IT, bank, key suppliers, staff) and store a copy somewhere the incident cannot reach.

3

Set recovery time targets by asking how long you can stop trading before the damage is permanent — then build the priorities backwards from that.

4

Walk through one scenario with your response team before publishing; the walkthrough will surface the assumptions that are wrong.

5

Diary the contact-list check and the annual test now — an untested plan with stale numbers is a false sense of security.

A document is not a system

Turn this template into trained, proven behaviour

A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.

Business Continuity Plan template FAQs

Is a business continuity plan a legal requirement in the UK?

For most small businesses, no — it is good practice rather than statute, though some regulated sectors must have continuity arrangements and many contracts, tenders, and insurers ask for one. The one hard legal deadline that commonly bites during disruption is data breach reporting to the ICO within 72 hours.

How long should a business continuity plan be?

As short as it can be while still naming who decides, who calls whom, and what gets recovered first. For a small business, a few pages plus a contacts annex beats a long document nobody reads — the plan will be used by stressed people at speed.

What is the difference between business continuity and disaster recovery?

Disaster recovery usually means the IT-specific piece — restoring systems, data, and backups. Business continuity is the whole-business view: premises, people, suppliers, communications, and cash flow, of which IT recovery is one part.

How often should we test the plan?

Walk through at least one scenario a year, and verify the contact lists more often — quarterly is a common rhythm. Testing does not need to be theatrical: an hour around a table asking what you would actually do on day one finds most of the gaps.

Where should the plan be kept?

Anywhere staff can reach it when the primary site or system is down: printed at a second location, in cloud storage accessible from personal devices, or with the continuity lead at home. A plan stored only on the server it is meant to recover has failed before it starts.