How to create a business continuity plan
A thorough business continuity plan can help businesses prepare for the unpredictable and be the difference between success and failure for the company.
Key Takeaways
- A business continuity plan (BCP) should contain all the vital information an organisation needs to respond effectively to any emergency situation.
- An effective BCP must be flexible and accessible, and must consider the entire supply chain, ensuring key staff and processes are ready to respond when disruption hits.
- Regular testing and simulations are essential for identifying gaps in a BCP, as real-world scenarios often reveal unexpected challenges that need addressing.
Business resiliency and business continuity planning
The discipline of business continuity planning (BCP) should be focused on business resiliency, not just on preparing for the worst-case scenario.
There will always be factors beyond your control that affect how your organisation operates. Outages, cyber incidents, natural disasters and even rare black swan events all pose real threats that need to be actively planned for. That’s why an effective business continuity plan is so important. When disruption occurs, it can mean the difference between a manageable interruption and a catastrophic event.
A business continuity plan (BCP) outlines how your organisation will continue operating during and after a disruption to normal operations. Its goal is to ensure your organisation can operate as close to business as usual as possible during and immediately after a disruption.
Your business continuity plan should include all the information you need to respond effectively in emergency situations. In these high-pressure environments, an effective business continuity plan will turn chaos into control. So what should you include in a business continuity plan? Here are the key factors to consider when creating or reviewing your plan and overall disaster readiness.
What is Business Continuity Planning?
Business continuity planning is the process of creating systems to ensure essential organisational activities can continue during disruptions. Done right, it gives teams a clear playbook to follow when incidents occur.
While business continuity planning is often used in the context of IT, it’s actually a holistic discipline, covering people, processes, facilities and technology. That said, as almost every organisation depends on IT systems to function, IT is often a key focus.
Business continuity planning vs emergency response planning vs disaster recovery planning
Importantly, the scope of a business continuity plan is limited to business activities. In the event of an incident, health and safety always comes first. An emergency response plan outlines the initial response to an emergency. Rather than business continuity, these plans focus on people’s safety and immediate containment. Once you’ve actioned your emergency response plan, and only then, can you shift your focus to restoring operations via your business continuity plan. A disaster recovery plan (DRP) then outlines how your organisation can return to full business as usual as quickly as possible.
Think of the difference this way. If your car breaks down:
- An emergency response plan focuses on getting you and your car to a safe place, calling roadside assistance and bringing the car to a mechanic.
- A business continuity plan focuses on how you continue your everyday life without your car. How you go about this will depend on your life circumstances and tolerance for alternative forms of transport.
- Finally, a disaster recovery plan focuses on getting your car back on the road (or buying a new one if the damage is too great).
Why business continuity planning is essential
Organisations are more dependent on interconnected IT systems than ever before. Combined with an increasingly volatile macro environment, the risk and potential impact of disruption have never been higher.
Here are some of the key reasons organisations need business continuity plans:
Cyber security incidents
In November 2023, a cyber incident impacting logistics company DP World’s Australian corporate network forced the company to take business-critical systems offline. As a result, their port operations across Australia ground to a halt. This is far from an isolated incident. Cyber risk is an unfortunate byproduct of today’s cyber threat landscape. Between 2021 and 2023, cyber incidents reported by Australian organisations jumped by more than 57% to 94,000. They’ve remained stubbornly high since, with 84,700 reported cyber incidents in the 2024-2025 financial year. Cyber incidents almost always lead to business-critical systems needing to be shut down. How impactful that downtime is depends on your business continuity plan.
Natural disasters
Natural disasters present a similarly material continuity risk. Climate change has increased the number of natural disasters and extreme weather events, and Australia’s unique geography and climate diversity compound their impact. Events such as bushfires, floods, cyclones and heatwaves routinely trigger failures across power, transport and communication systems. Due to Australia’s interconnected systems, this can impact business continuity far beyond the disaster zone. The nature of climate change means that Australian organisations must treat its impact as a regular occurrence, not the unpredictable black swan events they once were.
Regulatory requirements
For organisations delivering essential services, continuity is a regulatory expectation. Financial institutions regulated by APRA (CPS 230), along with operators in critical industries such as energy, transport, telecommunications and ports (SOCI Act), are required to demonstrate their ability to withstand and recover from operational disruption. With the rising volume of business-impacting incidents, regulators are increasingly scrutinising how effectively organisations respond. In this environment, business continuity planning is a core component of compliance. Therefore, the quality of those plans directly influences regulatory outcomes during audits, investigations and post-incident reviews.
Key components of a business continuity plan:
- Risk assessment: You can’t plan for what you don’t know about. This is where you ask “what can possibly go wrong?”. Your risk assessment identifies potential threats, vulnerabilities and the likelihood they will lead to disruption.
- Business impact analysis (BIA): Determine critical functions, their dependencies and acceptable downtime.
- Recovery strategies: Outline how key operations will continue or be restored after disruption.
- Testing: Rehearse plans to confirm they work in realistic scenarios and reveal any gaps in the plan that must be addressed to improve your response.
- Maintenance: Keep plans up to date as systems, processes, people and risks change.
How to create an effective business continuity plan
What’s in a business continuity plan? These are the attributes of a plan that gets you back up and running as soon as possible. Of course, your business continuity requirements will be unique, depending on your organisation and industry. Treat the following tips as a general guide to help you get started.
1. Understand your business impacts and prioritise each business process or function
A business impact analysis (BIA) is the first step in business continuity planning. Its goal is to show how disruption impacts operations and what impacts matter most. It does this by identifying:
- The most critical business functions: e.g. the kitchen in a restaurant
- Their dependencies: e.g. power, gas, cooks and ingredient supply.
- How disruption would impact them: e.g. a power or gas outage, unavailable staff or missing deliveries would prevent the restaurant from preparing and serving meals
- How long each function can remain disrupted before the impact becomes unacceptable: e.g. a kitchen outage may be tolerable for 30–60 minutes in a high-end restaurant, but only 5–10 minutes in a fast takeaway setting.
From there, the business impact analysis gives you a baseline for prioritising business continuity initiatives in the event of disruption.
In terms of impact, you need to consider these four types:
- Financial impact: How much money will you lose if this disruption goes on? This includes the fixed costs of operational downtime and the inability to conduct revenue-generating activities.
- Stakeholder impact: What will disruption mean for your stakeholders? That includes employees being unable to work and customers unable to access your services or get in touch with you.
- Legal/regulatory impact: For example, regulators (such as APRA for financial institutions) mandate uptime for critical services.
- Reputational impact: How can disruption impact your organisation’s reputation? Organisations that provide essential services and/or are known for reliability will suffer the most from service-impacting disruption.
How to conduct a business impact analysis:
- List all business processes: Every activity that keeps your organisation functioning, from service delivery to internal business support such as IT and payroll.
- Identify the dependencies: For each process, map what it relies on to function. This includes people, technology, facilities, suppliers and utilities.
- Calculate the financial impact per hour or day: Estimate the cost of downtime for each process.
- Assign priority tiers: Categorise processes based on how quickly they need to be restored.
  - Tier 1 processes are mission-critical, e.g. a core banking system for a financial institution.
  - Tier 2 processes are important but can tolerate short disruption, e.g. loan origination or customer onboarding platforms.
  - Tier 3 processes can be restored later with limited business impact, e.g. staff learning and development or performance review platforms.
- Determine the maximum tolerable downtime: Define the longest each process can be unavailable before the impact becomes unacceptable. This drives recovery time objectives and helps shape continuity and recovery strategies.
The outcomes of your business impact analysis directly shape how you prioritise resources and recovery actions during a disruption.
For example, if your customer service agents can’t answer calls or emails due to an outage in your main contact centre, how many agent seats do you need to have in your disaster recovery (DR) facility to respond to critical customer enquiries?
An insurance company might have assessed that it needs 20 contact centre seats immediately for agents to process urgent claims and payments from customers. They can wait longer to bring outbound sales agents back online. However, that required seat figure might change depending on the nature of the incident. If it’s a wider scale natural disaster, the insurance company is likely to be fielding a lot more calls from customers. That means doubling or tripling those immediate seats.
2. A business continuity plan needs to be flexible
You can’t develop plans for every possible scenario. Trying to do so will just end up in overwhelm, ultimately diluting your response effectiveness.
Instead, your plan needs to be a guide or code of practice, not a step-by-step process. It should have the right balance of general and specific detail, equipping emergency response teams with the information and processes they need to:
- Assess the impact of disruption across critical business functions and dependencies.
- Prioritise which services and processes must be maintained or restored first.
- Guide coordinated decision-making to sustain operations while the incident is stabilised.
A good analogy is a hospital’s emergency department. Identifying business impact is the critical triage process. That determines the courses of action: how quickly the issue needs to be dealt with, which operational staff and specialists are required and what equipment or facilities need to be available. From that point, a treatment (BC) plan kicks in to maintain critical functions and minimise any ongoing impact or further damage to the patient (business operations), and a longer-term strategy to restore the patient back to full health (recovery time objective – RTO). These actions might not be spelled out in the plan, because it will be up to the relevant specialists to determine the best approach.
That said, given the variety of disruptions, there is certainly a place for scenario-specific planning. For example, a cyber incident requires a different response than a natural disaster, a flood or a pandemic.
A good way to begin your business continuity planning is to categorise disruptions by potential impact. A simple framework might be:
- Level 1: A minor disruption that requires a department-level response (e.g. a CRM system outage impacting the sales and marketing teams’ access to customer data)
- Level 2: A moderate disruption that requires executive team involvement (e.g. a customer-facing portal outage)
- Level 3: A major crisis that requires full activation of the business continuity plan (e.g. a cyber incident or natural disaster causing an outage across your entire IT system)
These severity levels are a guide only, and should be tailored to your organisation’s critical functions, risk appetite and compliance requirements.
3. A business continuity plan needs to be accessible
During a disruption, a business continuity plan is only effective if it can be accessed instantly. When every second counts, delays in finding it can become delays in responding.
A general rule of thumb is to keep your business continuity plan in three locations: on your premises (at each location if you have more than one), off-site at another secure premises and in the cloud.
Of course, a major event, such as a natural disaster impacting your premises and cloud provider, could wipe out all three at once. That’s why redundant digital storage locations (such as a backup provider) are essential.
The key members of your crisis management team aren’t always going to be available to respond. You will want to make sure your broader team, not just your key operations staff, is made aware of your BC plans and has easy access to the documentation.
Mobile phones offer a valuable convenience in times of disruption. So, ensure your business continuity plan is available on, and responsive to, mobile. And to ensure everyone’s looking at the most up-to-date plan, implement robust version control and document management.
4. Factor in your supply chain
When business partners and suppliers are impacted by a disaster, your organisation can also be disrupted.
You need to ensure that you have identified your critical suppliers, what might happen if their services are disrupted, who you need to contact in the event of a disaster, and their agreed responsibilities and recovery strategies. These suppliers might also be a good source of support for additional resources or replacement or repair of damaged infrastructure.
However, there will be times when supplier continuity just isn’t possible, at least to your own business continuity standards. To address this, build relationships with 2-3 alternative suppliers, who can step in to support your organisation if required. Another approach is to keep a spare inventory on hand, if and where possible, which gives you an immediate buffer without the headache of coordinating with suppliers.
Make sure you have considered your obligations to your customers, particularly any contractual or compliance requirements, such as service level agreements (SLAs). If you’re providing services to regulated organisations, you’ll need to ensure you’re meeting those regulatory expectations, even if your organisation isn’t expected to meet them. For example, suppliers to APRA-regulated financial institutions must support their compliance with CPS 230 (Operational Risk Management).
5. Disasters are more likely to be mundane, not catastrophic
While catastrophic events make headlines, everyday disruptions are a more frequent threat.
That might include localised flooding from a burst water pipe, an evacuation from a suspected chemical or gas leak, or simply that the toilets are out of action. If you have critical business functions that will be interrupted by these occurrences, your business continuity planning needs to kick into action.
Then there are cyber incidents. According to the Australian Cyber Security Centre, there were more than 84,700 cybercrime reports in 2024–25. That’s roughly one incident every six minutes. Ransomware in particular continues to be a major cause of operational disruption, locking staff out of systems, halting services and delaying customer transactions.
What makes modern cyber incidents especially challenging is their impact on recovery. Attackers increasingly target backups to make restoration harder and extend downtime. That turns what might have been a technical incident into a full business continuity event.
Scenarios like these are the disruptions your organisation is most likely to face. So, business continuity planning should focus on preparing for these high-frequency, operational events, not just rare, large-scale catastrophes.
6. IT should be a top priority
Your organisation is heavily reliant on IT systems for everyday operations.
So, restoring these services should be a high priority in any business continuity plan.
Cyber incidents are a major test of IT continuity. Even with strong continuity planning, recovery remains a major challenge. Sophos’ 2024 State of Ransomware report found that 56% of organisations affected by data-encrypting (ransomware) attacks paid the ransom. That’s not all: average recovery costs excluding the ransom were still about USD 2.73 million. These figures show that without robust, tested IT continuity (including reliable backups, redundancy and rapid failover), you risk spending a lot more time and money on recovery than you would have securing the systems in the first place.
Ensure that your key IT management and operational staff are represented in your crisis management team or identified in your plan. As for the actions, there should be redundancy built in at all potential points of failure, so you can restore critical IT services quickly. These are the core components to consider in a business continuity plan:
- Data backup and recovery: ensuring that copies of critical data are stored securely and can be restored quickly. A regular data backup in a secured data centre means you can easily recover your data in certain disaster scenarios, such as after a cyber attack.
- Cloud infrastructure redundancy: replicating systems across multiple environments so no single failure brings everything to a halt.
- Cyber incident response: planning how to detect, mitigate, and recover from attacks before they escalate into full breaches.
- Communication systems: maintaining channels for internal coordination and customer engagement during outages.
For catastrophic failures, your organisation should be able to replicate a full operational environment, including the required IT infrastructure and services, at a dedicated or shared disaster recovery site.
Two metrics at the heart of resilience planning are RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
RTO defines the maximum acceptable downtime for a system or business function. In other words, how long can your organisation tolerate being offline before serious damage occurs?
RPO defines the maximum acceptable data loss measured in time. That is, how much recent data can you afford to lose before the impact becomes unacceptable?
7. Don’t make any assumptions
Business continuity plans can come unstuck for simple but unexpected reasons.
In one such example, an organisation was forced to execute a business continuity procedure which involved key staff logging on from home. But when those staff tried to do so, they discovered their remote access authentication tokens were out of date.
Running regular simulations of scenarios like this would have identified and resolved that issue – and potentially a range of other assumptions that might have been made.
This is particularly relevant today. There’s now a perception that you can run your business from anywhere and any device. But can you do this for an extended period? And is it safe for your organisation?
Another dangerous assumption is that backups equal a fast recovery. According to a 2024 Sophos report, around 84% of ransomware victims said cyber criminals tried to compromise their backups as part of the attack. Approximately 57% of those attempts were successful.
So, challenge what your business continuity plan assumes is true. The best way to do this is through regular exercises that test how your plan works in practice.
Keep calm and carry on: Business Continuity in practice
Interactive helps Australian organisations maintain business continuity through major disruptions, from natural disasters to fires and localised flooding. We do this through business continuity planning advice and assistance from expert professionals, who have a practical understanding of how business continuity events unfold in practice.
Here’s how we’ve helped our customers navigate disruption.
APT Travel Group: When not even a fire can get in the way of top-notch customer service
Customer service is everything for APT Travel Group. Their brand was built on being available, responsive and reliable for travellers planning complex, high-value trips. Any extended outage to their contact centre would damage trust long after recovery. That’s why APT worked with Interactive to build a business continuity plan designed to keep their customer service teams available, even in the event of a serious disruption.
That disruption came sooner than anyone expected. A fire in an uninterruptible power supply (UPS) unit made APT’s main customer support centre unusable. Overnight, the organisation lost access to its customer service team’s workplace.
Because the continuity plan had already been developed and tested, APT could activate it immediately. They relocated staff to Interactive’s disaster recovery facility and redirected phones. This, combined with pre-configured desktops already at the site, allowed teams to resume work without delay. By the next business day, customer service operations were functioning from the recovery site, with customers largely unaware that anything had happened.
What could have been a prolonged outage and a reputational setback became a controlled shift in location. The incident proved the value of investing in robust business continuity planning. It ensured APT could continue supporting customers at the exact moment reliability mattered most.
TelstraSuper: When days become weeks, the value of adaptability in business continuity planning
When a burst water pipe flooded most of TelstraSuper’s office, core operations ground to a halt. A disruption of that nature had the potential to cascade into a long-term productivity hit. But TelstraSuper’s business continuity plan set the scene for a fast, agile resumption of key business activities.
Because the fund had an established business continuity arrangement with Interactive, they were able to relocate staff to an alternate workplace recovery site within hours. Phones were redirected, critical systems were accessible and business-critical teams were back up and running the same day. As a result, member services continued with minimal interruption, and internal coordination remained intact. What could have been days or weeks of operational paralysis became a temporary change of scenery.
As the disruption unfolded, the focus shifted from immediate response to longer-term continuity. As the flood repair timeline stretched, TelstraSuper needed additional space and facilities to support operations over the medium term. Interactive scaled the recovery environment to match, while TelstraSuper used the experience to refine its continuity documentation and strengthen executive engagement in resilience planning.
For TelstraSuper, preparation turned a facilities disaster into a controlled operational adjustment. The trigger was unpredictable, but the outcome wasn’t. That’s what a good business continuity plan looks like when it’s tested.
Getting started with business continuity planning
If you’re starting out on your business continuity planning journey, it might seem overwhelming at first. It often helps if you think of business continuity planning as a continuum. Start at a high level by sorting out your critical functions, then refine your plan and get more and more granular as you go.
And remember, you can have the best business continuity plan in the world, but if you don’t test it, it’s worthless. Test your plan and run simulations regularly. This helps you identify any gaps in your plan that you’ll need to fix to ensure you’re fully ready if disaster strikes.
Can we help with your Business Continuity Plan?
With business environments becoming more volatile, effective business continuity planning is essential.
Since 1988, we’ve worked with 2,000+ Australian organisations to build the infrastructure that keeps them running when disruptions hit.
We deliver a range of BCP-enabling services that strengthen your resilience and make sure your critical technology systems are prepared for outages, attacks, or disasters:
- Multi-region cloud infrastructure with automated failover, enabling rapid switchover and achieving RTOs under 1 hour.
- Managed private cloud to maintain Australian data sovereignty for compliance-sensitive workloads.
- 24/7 monitoring and support to detect and respond to incidents as they occur.
- Disaster Recovery as a Service (DRaaS) for predictable and rapid recovery.
- Secure Access Service Edge (SASE) solutions for secure remote access during disruptions.
- Data centres in Brisbane, Sydney and Melbourne, providing geographic redundancy and local presence for your infrastructure.
Interactive works alongside your team to make sure the technology behind your business continuity plan (BCP) supports how your organisation operates.
Our focus is on practical resilience: planning properly, testing regularly, and automating recovery wherever possible. By bringing together cloud, connectivity, security and disaster recovery, we help reduce downtime, protect your data and keep your business running when something goes wrong.
Get your free business continuity plan template
Getting started with business continuity planning can feel overwhelming, especially if you’re building your first formal document. To make the process easier, we’ve created a practical business continuity plan template. It includes the essential components of business continuity that every organisation should consider. This sample structure gives you a clear framework to document your resilience strategy, recovery priorities and response procedures all in one place.
This business continuity strategy template includes:
- Executive summary section to help you define the purpose, scope and key objectives of your plan.
- Business Impact Analysis (BIA) tables to identify critical processes, systems, recovery time objectives (RTOs) and recovery point objectives (RPOs).
- Threat analysis worksheets to assess risks such as natural disasters, power failures, site access issues and cyber incidents.
- Cyber incident scenario prompts to help you think through real-world security disruptions and their business impact.
- Recovery planning templates to outline specific actions, responsibilities and estimated recovery timeframes.
- Supplier and key contact registers so you know exactly who to call during an emergency.
- Internal response team structure to define roles, responsibilities and escalation paths.
The template is designed to be flexible. You can tailor each section to suit your organisation’s size, industry and risk profile. Whether you’re formalising an existing BCP or building your first business continuity plan, this template gives you a structured starting point. Done right, it will ensure your team’s not forced to run with fragmented, incomplete documentation when disruption strikes.
If you’d like a review of your existing business continuity plan, or a new one tailored to your organisation, our team can help. View our Business Continuity solutions or contact our team.
How Business Continuity Planning supports APRA CPS 230 for financial services
Financial services organisations face unique business continuity challenges due to strict operational demands and the critical nature of financial transactions.
Regulators share this expectation. Under APRA CPS 230, financial institutions must demonstrate their ability to maintain resilience and recover quickly after disruptions. Key requirements include:
- Clearly defined tolerance levels for disruption to critical operations.
- Maximum acceptable data loss limits: often near-zero RPO for critical financial transactions.
- Regular plan testing and comprehensive documentation.
- Board-level accountability for the effectiveness of the financial services business continuity plan.
- Proactive management of third-party and supply chain risks.
Financial institutions should also document specific recovery time objectives for their critical operations, such as core banking platforms, payment processing systems, customer service channels, regulatory reporting and digital banking services.
Failure to comply with APRA CPS 230 exposes your organisation to significant regulatory action and supervisory intervention. What’s more, in today’s banking environment, where customers primarily access banking services, poor business continuity due to an outage will almost certainly cause reputational damage. That’s why a tailored financial services business continuity plan is critical.
Interactive’s Australian data centres provide financial services organisations with infrastructure that supports APRA CPS 230 requirements. Our multi-region private cloud services enable automated failover between Brisbane, Sydney and Melbourne, helping organisations meet their RTO and RPO requirements while maintaining data sovereignty. With real-time replication and zero-RPO support for transactional workloads, Interactive delivers the resilience that a financial services business continuity plan demands.
How Cloud Services Support Business Continuity
Cloud has changed what’s possible in business continuity. Instead of waiting days to rebuild systems after an outage, cloud infrastructure lets you design environments that fail over quickly and keep services running with minimal interruption. But strong outcomes don’t happen automatically. Business continuity for cloud services still depends on deliberate architecture, clear recovery targets and the right balance between resilience, performance and compliance with Australian data sovereignty requirements.
Multi-region design sits at the centre of effective business continuity. When workloads are spread across geographically separated data centres, failure in one location doesn’t bring everything down with it. Automated failover between regions allows systems to switch across quickly during a disruption, supporting recovery times of minutes to hours rather than days. Data replication is just as important. Critical systems may require synchronous replication to minimise data loss, while less sensitive workloads can use asynchronous replication to balance resilience with cost and performance. Load balancing across environments also helps maintain stability during both normal operations and disruption.
Hybrid models add another layer of resilience. Many organisations use the cloud as a recovery platform for on-premises systems, while still keeping some on-premises capability as a fallback for key cloud workloads. This flexibility makes business continuity more practical and achievable than traditional disaster recovery approaches, where recovery often relies on manual rebuilds and lengthy restoration windows.
Cloud platforms also improve recovery performance. Automated failover reduces reliance on manual intervention, lowering the risk of delays or mistakes during an incident. Continuous replication helps limit data loss, and container-based architectures allow applications to be rebuilt quickly and consistently.
However, for Australian organisations with data residency requirements, cloud-based business continuity can be more complicated, because not just any backup will do. That said, with the growth of Australian cloud services in both capability and accessibility, it’s never been easier to balance cloud convenience with robust, compliant backup infrastructure.
Interactive’s managed private cloud and multi-region infrastructure are designed with business continuity in mind. With resilient connectivity between data centres, secure remote access and round-the-clock monitoring, we help organisations recover faster while keeping their data where it belongs.