A Business Continuity Plan is the document that answers one question: when something goes wrong, how do we keep serving customers this week? It is broader than an Emergency Action Plan — it covers the full spectrum of disruption, from a single key system going down to a multi-week facility loss. For a small business the temptation is to write a 60-page binder that nobody reads; the better move is one tight document the leadership team can mark up in an hour and a floor supervisor can act on under stress. That document has three sections: the risks, the impact, and the response.
Start with the risk register, not the response
Most small businesses draft their continuity plan from the response side: 'if the server dies, we move to the cloud.' That skips the harder question — what are the realistic risks for our specific business, and which ones would actually stop us? A useful first pass lists 8 to 12 risks (one risk per row), each rated on likelihood (low/medium/high) and impact (low/medium/high). Examples: extended power outage, single-vendor dependency on a critical supplier, loss of a key employee, ransomware event, severe weather, fire at the primary facility, supply chain disruption, and a public-relations incident. The matrix tells you which three deserve real plans and which seven deserve a paragraph.
The business-impact analysis (BIA)
For each critical product or service line, the BIA answers three questions. How quickly do customers need it back (Recovery Time Objective, RTO)? How much data or work can you afford to lose (Recovery Point Objective, RPO)? What dependencies — people, systems, vendors, facilities — would have to come back online for it to function? Most small businesses get to a useful BIA in two afternoons with the leadership team. The output is a one-page matrix that reads like a priority list: row 1 is the product line that can't be down for a day; row 8 is the internal tool that can be down for a week.
What a small-team RTO actually looks like
- Tier 1 (RTO: <4 hours): revenue-critical services that customers hit directly.
- Tier 2 (RTO: <24 hours): important back-office or fulfillment operations.
- Tier 3 (RTO: <5 business days): internal-only tools and historical reporting.
Anything you cannot recover within the RTO is a gap, not a wish-list item — gaps mean the plan is incomplete, not that you need a bigger budget. Resolve a gap either by reducing the dependency (move that workload to a vendor with geographic redundancy), by accepting slower recovery (rewrite the RTO), or by building the redundancy in-house. Most small businesses close two or three Tier 1 gaps per year and never fully close the rest.
Response procedures, not abstractions
A useful BCP names roles for the first 72 hours: incident commander (decision rights), operations lead (keeps the lights on for what's still running), communications lead (owns the customer and employee messaging — see the companion Crisis Comms Plan), and finance lead (cash flow and insurance). Each role has a one-page action checklist, not a 10-page narrative. The compiled plan lives in two places: a printed binder next to the alarm panel, and a shared drive that works on a personal phone if the office is offline.
Test it the way you'd use it
“A plan you test quarterly is a plan; a plan you test annually is a wish.”
Schedule a tabletop twice a year — a one-hour meeting where you walk through one scenario on paper. Pick something realistic: the primary vendor for a key component is offline for three days. The leadership team says out loud what they would do. The gaps that surface (no vendor list, no alternate source, no authority to spend $20,000 on an emergency order without owner approval) drive the next quarter's work. Two annual tabletop cycles move most small teams from a binder nobody has read to a working document with three to five named gaps closed per year.