Business Continuity Plan Section Catalogue In The United Kingdom
Section Name | Purpose | Plan Relevance | Typical Use Cases | Typical Owner |
|---|---|---|---|---|
Core | ||||
Document Control | Tracks version history, approvals, review dates and document ownership. | Both | All UK organisations needing auditable continuity arrangements. | Business continuity manager or company secretary. |
Management Approval | Records senior approval and confirms authority to implement the plan. | Both | Board-approved plans for SMEs, charities and regulated firms. | Managing director, board or senior responsible owner. |
Purpose And Objectives | Explains what the plan is designed to protect and achieve. | Both | Customer assurance, tender responses and internal governance. | Business continuity manager. |
Scope And Applicability | Defines covered sites, teams, services, systems and exclusions. | Both | Multi-site UK businesses and outsourced service providers. | Senior management with business continuity lead. |
Recommended | ||||
Definitions And Acronyms | Clarifies continuity terms such as RTO, RPO, MTPD and incident levels. | Both | Plans used by mixed operational, technical and executive audiences. | Business continuity manager. |
Business Continuity Policy Statement | Sets organisational commitment, principles and continuity expectations. | Business Continuity | ISO-aligned management systems and supplier due diligence. | Board, executive sponsor or risk director. |
Core | ||||
Governance And Accountability | Defines oversight, accountability, reporting lines and decision rights. | Both | Organisations with boards, committees or multiple business units. | Chief operating officer or risk committee. |
Legal And Regulatory Requirements | Identifies legal, contractual and regulatory duties relevant to disruption. | Both | Financial services, healthcare, education, public sector suppliers. | Legal, compliance or risk manager. |
Health And Safety Duties | Links response actions to employer duties to protect staff and others. | Business Continuity | Workplace incidents, evacuation, unsafe premises and lone workers. | Health and safety manager or facilities manager. |
Personal Data Breach And UK GDPR Duties | Sets actions for assessing, containing and reporting personal data breaches. | Both | Cyber attacks, lost devices, unavailable systems and data corruption. | Data protection officer or privacy lead. |
Recommended | ||||
Operational Resilience Requirements | Aligns continuity planning with impact tolerances and important services. | Both | Banks, insurers, payment firms and FCA-regulated businesses. | Compliance director or operational resilience lead. |
Core | ||||
Risk Assessment | Identifies disruption threats, vulnerabilities, likelihood and potential impacts. | Both | Cyber, flood, power loss, supplier failure and staff absence planning. | Risk manager with department heads. |
Recommended | ||||
Threat Scenario Catalogue | Lists credible disruption scenarios used for planning and exercises. | Both | Cyber exercises, pandemic planning and operational outage rehearsals. | Risk manager or incident response lead. |
Core | ||||
Business Impact Analysis | Determines critical activities, impacts, dependencies and recovery timeframes. | Business Continuity | Prioritising services, resources and recovery during major disruption. | Business continuity manager with process owners. |
Critical Activities Register | Lists activities that must continue or be restored quickly. | Business Continuity | Customer service, fulfilment, payroll, care delivery and trading operations. | Department heads and process owners. |
Recovery Objectives | Defines RTO, RPO, MTPD and minimum service levels. | Both | IT outages, customer operations and regulated service recovery. | Business continuity manager and IT service owner. |
Recommended | ||||
Impact Tolerances | States maximum tolerable disruption to important business services. | Both | FCA and PRA firms, payments, insurance and consumer credit. | Operational resilience lead or compliance director. |
Core | ||||
Dependency Mapping | Maps people, premises, technology, data, suppliers and utilities. | Both | Outsourced operations, cloud services, manufacturing and logistics. | Process owners with procurement and IT. |
Minimum Resource Requirements | Specifies minimum staff, systems, equipment, records and facilities needed. | Business Continuity | Lean staffing, remote work, branch operations and service desks. | Operations manager or department head. |
Incident Detection And Reporting | Explains how incidents are identified, reported and initially logged. | Both | Cyber alerts, site incidents, service outages and supplier failures. | Incident manager, service desk or duty manager. |
Escalation Criteria | Defines thresholds for escalating incidents to crisis or continuity response. | Both | Major IT outages, media interest, injury, legal risk and service failure. | Incident manager or crisis management team lead. |
Plan Activation Procedure | States who can activate the plan and how activation is communicated. | Both | Out-of-hours incidents, sudden outages and severe weather disruptions. | Senior responsible owner or duty director. |
Recommended | ||||
Incident Severity Levels | Provides common severity categories for response, reporting and escalation. | Both | Service desks, cyber response, facilities incidents and executive reporting. | Incident manager or IT service manager. |
Core | ||||
Command, Control And Coordination | Defines strategic, tactical and operational response roles and coordination. | Both | Large incidents involving multiple teams, sites or external agencies. | Crisis management team lead. |
Crisis Management Team Roles | Lists crisis team members, deputies, responsibilities and decision powers. | Both | Major business interruptions, reputational events and cross-functional crises. | Chief executive or crisis management lead. |
Roles And Responsibilities Matrix | Allocates tasks using named roles, deputies and accountability lines. | Both | SMEs needing clear cover during holidays or staff absence. | Business continuity manager with HR and department heads. |
Recommended | ||||
Delegated Authority And Financial Limits | Sets emergency spending, contract and operational decision authority. | Business Continuity | Emergency purchases, alternative premises and urgent supplier engagement. | Finance director or managing director. |
Core | ||||
Emergency Contact Directory | Provides current contact details for staff, responders and key partners. | Both | Out-of-hours activation, call trees and emergency communications. | HR, facilities or business continuity administrator. |
Staff Communication Procedure | Explains how staff receive instructions, updates and welfare information. | Business Continuity | Office closure, transport disruption, pandemic and remote working. | HR and internal communications lead. |
Customer And Stakeholder Communications | Sets messages, channels and approval for external disruption updates. | Business Continuity | Service outages, delivery delays, reputational incidents and contract notices. | Communications director, customer service or account management. |
Recommended | ||||
Media Handling And Public Statements | Controls press enquiries, public statements and spokesperson approvals. | Business Continuity | High-profile outages, safety incidents and public-facing services. | PR, communications lead or chief executive. |
Core | ||||
Regulator And Authority Notifications | Lists when and how regulators, insurers and authorities are notified. | Both | Data breaches, financial incidents, HSE events and sector reporting. | Legal, compliance or data protection officer. |
Recommended | ||||
Emergency Services Liaison | Defines interface with police, fire, ambulance and local responders. | Business Continuity | Fire, flood, security threat, serious injury and evacuation. | Facilities manager or site incident controller. |
Core | ||||
Evacuation And Assembly Procedure | Sets evacuation routes, assembly points, roll call and re-entry rules. | Business Continuity | Offices, factories, warehouses, schools and public venues. | Facilities manager, fire marshal or health and safety manager. |
Fire Safety Response | Links fire response to fire risk assessment and responsible person duties. | Business Continuity | Premises-based organisations with staff, visitors or tenants. | Responsible person, facilities manager or landlord liaison. |
Recommended | ||||
Lockdown And Security Threat Procedure | Guides protective actions during violent, terrorist or security threats. | Business Continuity | Retail, education, venues, public buildings and transport hubs. | Security manager or facilities manager. |
Core | ||||
Loss Of Premises Procedure | Defines actions when a site is inaccessible, unsafe or unusable. | Business Continuity | Fire, flood, utility failure, police cordon and landlord restrictions. | Facilities manager or operations director. |
Recommended | ||||
Alternative Worksite Arrangements | Identifies backup locations, access rules and required facilities. | Business Continuity | Office relocation, call centres, labs and operational depots. | Facilities manager with IT and operations. |
Core | ||||
Remote Working Continuity Procedure | Sets secure remote access, equipment, supervision and communication rules. | Both | Office closure, severe weather, transport strikes and pandemic response. | IT, HR and operations management. |
Workforce Availability Plan | Plans cover for absence, redeployment, travel disruption and key roles. | Business Continuity | Pandemics, industrial action, transport disruption and peak workload. | HR director and operations managers. |
Recommended | ||||
Staff Welfare And Support | Sets support for affected staff, stress, trauma and wellbeing needs. | Business Continuity | Serious incidents, bereavement, prolonged outages and traumatic events. | HR and health and safety manager. |
Key Person Dependency Plan | Identifies critical knowledge holders, deputies and succession actions. | Business Continuity | Owner-managed SMEs, specialist technical teams and finance functions. | HR and department heads. |
Core | ||||
Manual Workaround Procedures | Describes temporary non-system methods for critical business activities. | Both | Payment processing, order taking, care records and warehouse dispatch. | Process owner with IT and compliance input. |
Prioritised Recovery Sequence | Orders recovery of services, teams, systems and sites by priority. | Both | Limited resources, phased restoration and competing customer demands. | Crisis management team and operations director. |
IT Disaster Recovery Strategy | Defines technical restoration approach for systems, data and infrastructure. | Disaster Recovery | Server failure, ransomware, cloud outage and network loss. | IT director or disaster recovery manager. |
Critical Systems Inventory | Lists critical applications, infrastructure, owners and business dependencies. | Disaster Recovery | Cloud estates, SaaS services, ERP, CRM and operational technology. | IT asset manager or service owner. |
Backup And Restore Arrangements | Specifies backup frequency, retention, isolation and restoration testing. | Disaster Recovery | Ransomware, accidental deletion, database corruption and system rebuilds. | IT infrastructure manager or backup administrator. |
Recommended | ||||
Data Recovery Priorities | Prioritises datasets for restoration based on business and legal impact. | Disaster Recovery | Finance records, customer data, clinical records and operational databases. | Data owner, IT and data protection officer. |
Core | ||||
Cyber Incident Response Interface | Links business continuity actions with cyber containment and recovery steps. | Both | Ransomware, account compromise, DDoS and data exfiltration. | CISO, IT security manager or incident response lead. |
Recommended | ||||
Ransomware Response Playbook | Sets containment, communication, backup recovery and decision steps. | Both | SMEs, law firms, schools, healthcare providers and local authorities. | CISO or IT incident response manager. |
Cloud Service Outage Procedure | Defines actions for SaaS, IaaS or cloud platform unavailability. | Both | Microsoft 365, hosted CRM, cloud ERP and payment platforms. | IT service owner or cloud platform manager. |
Core | ||||
Network And Telecoms Failure Procedure | Sets fallback connectivity, call routing and communication alternatives. | Both | Contact centres, remote workforces, retail sites and logistics depots. | IT network manager or telecoms lead. |
Power And Utilities Failure Procedure | Defines response to electricity, water, gas and heating disruption. | Business Continuity | Manufacturing, retail, offices, care homes and data rooms. | Facilities manager or operations manager. |
Recommended | ||||
Severe Weather And Flood Procedure | Sets preparedness and response for flood, snow, heat and storms. | Business Continuity | Flood-risk premises, logistics, construction and customer-facing sites. | Facilities manager and operations manager. |
Pandemic And Infectious Disease Procedure | Plans absence, infection controls, remote work and service prioritisation. | Business Continuity | Care, education, healthcare, public services and customer operations. | HR, health and safety and operations leaders. |
Core | ||||
Supplier Continuity Arrangements | Identifies critical suppliers, alternatives, SLAs and disruption contacts. | Both | Outsourced IT, logistics, payroll, cloud, facilities and manufacturing inputs. | Procurement manager and contract owners. |
Recommended | ||||
Critical Supplier Failure Procedure | Sets actions when a key outsourced provider fails or withdraws service. | Both | Insolvent suppliers, logistics delays, SaaS failure and subcontractor loss. | Procurement, legal and contract owner. |
Third-Party Assurance Evidence | Records supplier resilience evidence, test results and audit information. | Both | Regulated outsourcing, cloud providers and material subcontracting. | Procurement, compliance or vendor management. |
Insurance And Claims Procedure | Sets insurer notifications, evidence preservation and claims responsibilities. | Business Continuity | Property damage, business interruption, cyber insurance and liability claims. | Finance director, insurance manager or broker contact. |
Finance And Cashflow Continuity | Maintains payroll, supplier payments, invoicing and emergency funding. | Business Continuity | SMEs, charities, payroll-critical businesses and supplier payment risks. | Finance director or finance manager. |
Core | ||||
Vital Records Protection | Identifies essential records and how they are protected and recovered. | Both | Contracts, payroll, care records, legal files and customer records. | Records manager, legal or data owner. |
Information Security During Disruption | Maintains access control, confidentiality and secure handling during workarounds. | Both | Remote working, manual records, emergency accounts and cloud access. | CISO or information security manager. |
Recommended | ||||
Accessibility And Vulnerable Persons Support | Ensures continuity actions consider disabled staff, visitors and customers. | Business Continuity | Evacuation, remote work, service access and customer communications. | HR, facilities and equality lead. |
Contractual Service Obligations | Identifies contractual SLAs, notice duties, penalties and customer commitments. | Business Continuity | Managed services, SaaS, logistics, facilities and B2B supply contracts. | Legal, sales operations or contract manager. |
Core | ||||
Incident Decision Log | Records key decisions, rationale, approvals, times and action owners. | Both | Regulatory reviews, insurance claims, lessons learned and litigation risk. | Incident scribe, legal or crisis coordinator. |
Recommended | ||||
Action Tracker | Tracks response tasks, owners, deadlines, status and completion evidence. | Both | Crisis calls, recovery meetings and post-incident follow-up. | Incident coordinator or PMO. |
Situation Report Template | Provides consistent updates on impact, actions, risks and support needed. | Both | Executive briefings, customer reporting and multi-site incident coordination. | Incident coordinator or communications lead. |
Optional | ||||
Emergency Procurement Procedure | Sets urgent buying routes, approvals, preferred suppliers and controls. | Business Continuity | Generators, laptops, temporary premises, couriers and specialist recovery firms. | Procurement manager and finance director. |
Recommended | ||||
Facilities Recovery Checklist | Guides inspection, repair, cleaning, access and safe reoccupation steps. | Business Continuity | Flood, fire, contamination, break-in and utility damage. | Facilities manager or estates lead. |
Critical Equipment Replacement | Identifies essential equipment, spares, suppliers and replacement lead times. | Business Continuity | Manufacturing, healthcare, laboratories, logistics and print operations. | Operations, engineering or facilities manager. |
Optional | ||||
Stock And Inventory Continuity | Sets minimum stock, substitutes and priority allocation during disruption. | Business Continuity | Retail, healthcare, manufacturing, food businesses and field services. | Supply chain or operations manager. |
Transport And Logistics Disruption | Plans alternative routes, carriers, depots and delivery prioritisation. | Business Continuity | E-commerce, wholesalers, couriers, care providers and field engineers. | Logistics manager or operations director. |
Product Recall And Safety Interface | Links continuity actions with product safety, recall and market reporting. | Business Continuity | Manufacturers, importers, distributors and consumer goods retailers. | Quality, legal or product safety manager. |
Environmental Incident Response | Sets response and reporting for pollution, spills and environmental harm. | Business Continuity | Manufacturing, construction, logistics, farms and fuel storage sites. | Health, safety and environment manager. |
Clinical Or Care Service Continuity | Prioritises safe care delivery, patient records and clinical staffing. | Business Continuity | GP practices, dentists, care homes, clinics and healthcare suppliers. | Registered manager, clinical lead or practice manager. |
Education Continuity Arrangements | Sets arrangements for pupil safety, remote learning and safeguarding continuity. | Business Continuity | Schools, nurseries, colleges, training providers and academy trusts. | Headteacher, safeguarding lead or business manager. |
Safeguarding During Disruption | Maintains safeguarding reporting, supervision and vulnerable person support. | Business Continuity | Schools, charities, care providers, youth services and faith organisations. | Designated safeguarding lead. |
Food Safety Continuity Controls | Maintains food hygiene, temperature control and safe disposal during outages. | Business Continuity | Restaurants, food manufacturers, caterers, retailers and cold chains. | Food safety manager or operations manager. |
Recommended | ||||
Payment Processing Continuity | Sets alternatives for card, online, direct debit and cash collection. | Both | Retail, hospitality, e-commerce, subscriptions and professional services. | Finance, payments lead or operations manager. |
Customer Service Continuity | Maintains customer support, complaints handling and priority service channels. | Business Continuity | Contact centres, utilities, SaaS, online retail and regulated services. | Customer service director or operations manager. |
Optional | ||||
Complaints And Vulnerable Customers | Keeps complaint routes and support for vulnerable customers available. | Business Continuity | Financial services, utilities, housing, care and public-facing services. | Customer experience, compliance or complaints manager. |
Recommended | ||||
Data Centre Or Hosting Recovery | Defines failover, hosting resilience, access and infrastructure recovery steps. | Disaster Recovery | Hosted platforms, SaaS providers, data centres and MSPs. | Infrastructure manager or hosting provider manager. |
Core | ||||
Application Restoration Runbooks | Provides step-by-step technical recovery for critical applications. | Disaster Recovery | ERP, CRM, finance, booking, e-commerce and line-of-business systems. | Application owner or IT operations lead. |
Recommended | ||||
Emergency Access Management | Controls emergency administrator access, break-glass accounts and logging. | Disaster Recovery | Cyber recovery, cloud administration and out-of-hours system restoration. | IT security manager or identity access manager. |
Core | ||||
Alternative Communications Channels | Lists fallback channels if email, phones or collaboration tools fail. | Both | Email compromise, telecoms outage, cloud downtime and site loss. | IT and communications lead. |
Plan Distribution And Access | Controls who receives the plan and how offline copies are accessed. | Both | Cyber outages, premises loss and out-of-hours activation. | Business continuity manager and information security manager. |
Recommended | ||||
Plan Confidentiality And Security | Protects sensitive contact, security, supplier and system information. | Both | Plans containing personal data, security controls or privileged contacts. | Information security manager or data protection officer. |
Core | ||||
Testing And Exercise Programme | Schedules tabletop, technical, call tree and live recovery exercises. | Both | Annual assurance, cyber drills, supplier tests and audit evidence. | Business continuity manager or resilience lead. |
Recommended | ||||
Call Tree Test Procedure | Tests emergency contact accuracy and speed of staff notification. | Business Continuity | Out-of-hours teams, lone workers, distributed sites and crisis teams. | HR or business continuity coordinator. |
Core | ||||
Disaster Recovery Test Plan | Defines technical restoration tests, success criteria and evidence capture. | Disaster Recovery | Backup restores, failover, ransomware recovery and cloud resilience tests. | IT disaster recovery manager. |
Post-Incident Review And Lessons Learned | Captures root causes, performance gaps and improvement actions. | Both | After outages, cyber incidents, exercises and near misses. | Incident manager, risk manager or internal audit. |
Plan Maintenance And Review Schedule | Sets review frequency, triggers, update responsibilities and approval route. | Both | Annual reviews, organisational change, new systems and supplier changes. | Business continuity manager. |
Training And Awareness | Ensures staff understand roles, procedures and emergency communication methods. | Both | New starters, crisis teams, remote staff and annual refresher training. | HR, learning and development or resilience lead. |
Recommended | ||||
Audit And Assurance | Checks plan completeness, control effectiveness and evidence of testing. | Both | Internal audit, client assurance, certification and regulated oversight. | Internal audit, risk or compliance team. |
Appendices And Supporting Documents | Stores detailed contacts, maps, templates, checklists and runbooks. | Both | Keeping the main plan concise while retaining operational detail. | Business continuity coordinator. |
Optional | ||||
Site Maps And Access Information | Provides site layouts, access points, shut-offs and hazard locations. | Business Continuity | Warehouses, factories, schools, labs and multi-tenant offices. | Facilities manager or site manager. |
Crisis Contact Cards | Provides portable quick-reference contacts and activation steps. | Both | Executives, duty managers, site leads and out-of-hours responders. | Business continuity coordinator. |
Recommended | ||||
Deputy And Succession Arrangements | Ensures continuity roles have trained alternates and authority coverage. | Both | Holidays, illness, senior absence and small management teams. | HR and senior management. |
Optional | ||||
Mutual Aid And Partner Support | Documents agreed support from group companies, partners or neighbours. | Business Continuity | Charities, local businesses, franchise networks and public service partners. | Operations director or partnership manager. |
Group Company Escalation | Defines escalation to parent, subsidiaries or overseas group functions. | Both | UK subsidiaries, shared services, international groups and franchises. | UK managing director or group risk team. |
Civil Contingencies Interface | Aligns relevant plans with local resilience and civil protection duties. | Business Continuity | Local authorities, NHS bodies, utilities and public sector contractors. | Emergency planning officer or resilience manager. |
Public Sector Business Continuity Duty | Records duties for certain responders to maintain continuity arrangements. | Business Continuity | Category 1 responders and organisations supporting statutory responders. | Resilience manager or public sector governance lead. |
Core | ||||
Invocation Checklist | Provides immediate checklist for first-hour actions after activation. | Both | Fast-moving incidents where responders need concise prompts. | Business continuity manager or incident manager. |
Stand-Down And Return To Normal | Defines criteria and steps for ending response and resuming normal operations. | Both | Post-outage recovery, reopening premises and closing temporary workarounds. | Crisis management team lead or operations director. |
What Sections Should A UK Business Continuity Plan Include?
A robust UK business continuity plan normally needs more than an incident response checklist. Core sections should define scope, governance, activation criteria, communication routes, business impact analysis, recovery priorities, critical processes, resource requirements, roles, contact details, and testing arrangements. Disaster recovery content should also define IT recovery objectives, backup arrangements, restoration priorities, cyber incident procedures, and supplier dependencies.
Which UK Legal And Regulatory Issues Affect Business Continuity Planning?
Many business continuity sections are not directly mandated by one universal UK law, but specific duties often make them necessary in practice. Employers should align people safety and evacuation content with health and safety duties, data breach and cyber recovery sections with UK GDPR reporting expectations, and financial services plans with FCA and PRA operational resilience requirements where applicable.
How Detailed Should A Business Continuity Plan Be?
The dataset shows that the most useful plans combine concise decision-making sections with detailed annexes. Keep activation, roles, communications, recovery priorities, and escalation rules easy to use during a disruption, while storing longer contact lists, supplier details, site information, call trees, and technical recovery runbooks as appendices that can be updated frequently.
Who Should Own Each Part Of The Plan?
Ownership should be split across the business. Senior management should approve policy, scope, risk appetite, activation authority, and prioritisation. Operations should own process recovery sections, IT should own disaster recovery and cyber restoration sections, HR should own people and welfare content, facilities should own premises sections, and legal, compliance or data protection teams should review regulatory notification and records sections.
Why Should Testing And Maintenance Be Treated As Core Sections?
For UK organisations, especially regulated firms, a plan that is not exercised can be difficult to rely on. Include test schedules, scenario exercises, lessons learned, plan review dates, version control, training records, and evidence of approvals so the organisation can show that continuity arrangements are current, proportionate and actively maintained.

FAQs
You Might Also Be Interested In











