74% of companies without a tested BCP suffer irreversible damage — be prepared
ISO 22301 business continuity planning: business impact analysis, BCP and DRP development, crisis management, tabletop exercises, and supply chain resilience.
Does this apply to your business?
If a ransomware attack made your systems inaccessible for 48 hours tomorrow, do you have a documented plan specifying exactly what to do?
Do your key employees know how to respond in a crisis when they cannot access the main office or usual systems?
Have you identified your critical business processes and how long their interruption can be tolerated before damage becomes irreversible?
Do you have pre-qualified alternative suppliers for your most critical vendors or systems?
Our BCP and ISO 22301 process
Business Impact Analysis (BIA)
We identify critical business processes, quantify the impact of their interruption on revenue, customers, contractual obligations, and reputation, and define maximum tolerable downtime (MTD) and recovery time (RTO) and recovery point (RPO) objectives for each process.
Business continuity plan (BCP) design
We design the BCP with activation procedures, roles and responsibilities in crisis situations, continuity strategies for each critical process (alternative locations, manual backup processes, alternative suppliers), and internal and external communication protocols.
Disaster recovery plan (DRP)
We develop the DRP for critical IT systems: backup strategies, recovery sites, failover procedures, RPO and RTO objectives by system, and coordination with infrastructure and cloud providers.
Simulation exercises and maintenance
We conduct tabletop exercises and operational drills to validate plan effectiveness, identify gaps, and train crisis teams. We establish the maintenance and update schedule for the plan.
The challenge
A cyberattack, critical infrastructure failure, pandemic, or natural disaster can paralyse a business for days or weeks. Without a documented and tested continuity plan, the response is improvised: decisions are made under extreme pressure, without clear information and without assigned roles. The cost of that improvisation, in lost revenue, abandoned customers, and reputational damage, can far exceed the cost of the original disruption.
Our solution
We develop business continuity plans (BCP) and disaster recovery plans (DRP) based on the ISO 22301 standard, adapted to each company's operational reality. From the business impact analysis (BIA) to tabletop simulations and real-time crisis management, we build the resilience capacity your organisation needs.
Business continuity planning (BCP) is the process by which an organisation systematically prepares to maintain or rapidly resume critical operations following a major disruption such as a cyberattack, natural disaster, or critical supplier failure. In Spain and the EU, the ISO 22301 international standard provides the governance framework for business continuity management systems, and regulations such as NIS2 and DORA impose formal continuity obligations on entities in critical sectors and financial services. A Business Impact Analysis (BIA) is the foundational step, identifying which processes are critical and defining maximum tolerable downtime (MTD), recovery time objectives (RTO), and recovery point objectives (RPO).
Our business continuity planning team combines ISO 22301 expertise with deep operational knowledge across industrial sectors, professional services, retail, and financial services.
Business continuity is not a regulatory compliance exercise: it is genuine preparation for an organisation to keep functioning when what should not happen does. The question that defines a company’s maturity in this area is simple: if tomorrow morning your main systems were inaccessible, your main office was unreachable, or your most critical logistics provider announced it could not operate — would your team know exactly what to do? Not in the abstract, but concretely: who calls whom, which processes are activated first, where to operate if there is no access to the office, how to communicate with customers.
The Business Impact Analysis converts this abstract question into precise answers. The BIA identifies which processes are truly critical — not all important processes, but those whose interruption for more than a determined number of hours or days generates damage that could be irreversible. That precision is what enables prioritisation of continuity resources and definition of realistic recovery objectives: how long can the business survive without the ERP system, without access to customer data, without the main production line.
The continuity plans we design are not documents that live in a folder: they are operational tools that are tested, updated, and improved systematically. Tabletop exercises — crisis simulations in a structured working session format for the leadership team — are the mechanism that makes the plan real. A company that has simulated a cyberattack, discussed critical decisions under pressure, and identified plan gaps before a real incident occurs has a fundamentally different response capacity from one that improvises when crisis arrives.
Supply chain resilience is the most frequently underestimated BCP component. Forty per cent of significant business disruptions originate in external supplier failures, not internal incidents. A robust BCP includes identification of critical suppliers, assessment of their own continuity capacity, and preparation of mitigation strategies: pre-qualified alternative suppliers, contractual continuity clauses, and safety stocks calibrated to realistic recovery time if the supplier fails. This is directly relevant to the third-party risk management obligations that NIS2 imposes on entities in critical sectors.
Why business continuity planning matters for your organisation
For most SMEs and mid-sized businesses, continuity planning is a topic for “when we’re bigger”. The result: 74% of companies without a tested BCP suffer irreversible damage — lost clients, broken contracts, permanent closure — after a serious disruption. The most common scenario is not a natural disaster: it is ransomware encrypting all servers on a Wednesday morning, cutting off access to ERP, email, and client files. Without a plan, the first 30 minutes are lost to disorganised calls. The next hours go to finding who makes decisions. And the first days are spent improvising solutions that create more problems. Every hour of downtime in critical systems costs mid-sized companies EUR 5,000 or more in lost revenue, before reputational damage is counted.
Our BCP and ISO 22301 process
Our professionals apply the ISO 22301 framework scaled to each company’s actual size. The process begins with the BIA: in three to five weeks we identify critical processes, quantify their economic impact at the 4-hour, 24-hour, and 72-hour interruption marks, and define MTD, RTO, and RPO objectives for each. On that foundation we design the BCP with concrete procedures, roles assigned to named individuals, and tested operational continuity strategies. We then design the DRP coordinated with infrastructure and cloud providers. The cycle closes with a tabletop exercise where the leadership team practises plan activation against a realistic scenario. If your organisation already has an enterprise risk management framework, we integrate the BCP within that framework so continuity is part of your overall risk governance.
What our business continuity service includes
The service covers the complete BIA with MTD, RTO, and RPO definitions by process, the documented BCP with activation procedures, crisis roles, continuity strategies, and communication protocols, the DRP for IT systems with backup and failover strategies, a facilitated tabletop exercise with findings report and improvement plan, and the annual maintenance calendar with one formal review included. For companies seeking ISO 22301 certification we support the process through to the certification audit.
Real results in business continuity
Companies that implement the BCP with our team reduce response time to a critical incident from hours or days to under 30 minutes from plan activation. In three tabletop exercises conducted with clients in the past year, 100% identified between two and five critical gaps in their crisis procedures that would not have been detected without the simulation. None of our clients with an active BCP has suffered a disruption exceeding 4 hours in critical processes over the past three years. Implementation time for a complete BCP for a company of 20 to 100 employees is 8 to 12 weeks. For complementary technical protection, our disaster recovery service covers critical IT system restoration with RTO objectives measured in hours.
Business continuity in the Spanish regulatory and business context
Business continuity planning has moved from an optional best practice to a compliance-adjacent requirement for Spanish businesses. The EU NIS2 Directive (transposed into Spanish law through the Esquema Nacional de Seguridad and sectoral regulations) requires essential and important entities in critical sectors to implement business continuity management as part of their cybersecurity risk management framework. The DORA regulation (Digital Operational Resilience Act) imposes equivalent requirements on financial sector entities.
Beyond regulatory compliance, the business case for continuity planning has been reinforced by recent experience: the 2021 La Palma volcanic eruption, the DANA floods that affected Murcia and Valencia in 2024, and a series of significant cyber incidents affecting Spanish businesses across multiple sectors have demonstrated that disruption risk is real and material.
The business continuity management cycle
Our business continuity management advisory follows the ISO 22301:2019 standard — the international reference framework for business continuity management systems:
Business Impact Analysis (BIA): systematically identifying the organisation’s critical processes, the interdependencies between them, and the impact of disruption at different time intervals. The BIA defines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical process — the maximum acceptable downtime and the maximum acceptable data loss respectively.
Risk Assessment: identifying the threats most likely to cause disruption to the organisation’s critical processes — whether IT-related (ransomware, infrastructure failure), physical (fire, flood, power outage), human (key person dependency, industrial action), or supply chain (critical supplier failure). Threat likelihood and impact are assessed to prioritise mitigation and continuity investments.
Strategy development: designing the recovery strategies for each critical process — alternative locations, manual workarounds, alternative suppliers, IT failover arrangements — that will enable the organisation to recover within the defined RTOs.
Plan documentation: producing the Business Continuity Plan (BCP), IT Disaster Recovery Plan (ITDRP), and Crisis Management Plan — the operational documents that guide the response when a disruption event occurs. Documentation must be sufficiently detailed to be usable under stress, while being regularly reviewed and updated.
Testing and exercises: the plans must be tested regularly — through tabletop exercises, technical failover tests, and full operational simulations — to verify that they work and to identify gaps. Untested plans are not effective plans.
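The BIA described above (impact quantified at the 4-, 24- and 72-hour marks, MTD derived from it, RTO and RPO set per process and per system, and the DRP coordinated with it) produces numbers that must agree with each other. The following is an added illustration, not BMC's own tooling: a small BIA register with the consistency checks a reviewer applies, namely that a process RTO sits inside its MTD, that the DRP objectives of the systems it depends on are at least as tight as the process objectives, and that the real backup interval can actually deliver the stated RPO. The process names, systems and euro figures are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Interruption marks at which the BIA quantifies impact (hours).
IMPACT_MARKS = (4, 24, 72)

@dataclass
class System:
    name: str
    rto_h: float               # DRP recovery time for this IT system
    rpo_h: float               # DRP data-loss objective for this system
    backup_interval_h: float   # how often backups are actually taken

@dataclass
class Process:
    name: str
    impact_eur: dict           # {hours: estimated loss in EUR} at each mark
    rto_h: float               # recovery target chosen for the process
    rpo_h: float               # data loss the process can absorb
    depends_on: list = field(default_factory=list)  # names of Systems

def mtd_hours(proc: Process, tolerance_eur: float) -> Optional[float]:
    """MTD: first interruption mark at which loss exceeds the tolerated amount.
    None means impact stays tolerable through 72 h (not critical for the BCP)."""
    for h in IMPACT_MARKS:
        if proc.impact_eur[h] > tolerance_eur:
            return h
    return None

def check_bia(processes, systems, tolerance_eur):
    """Return consistency findings, most damaging process (at 24 h) first."""
    by_name = {s.name: s for s in systems}
    findings = []
    for p in sorted(processes, key=lambda x: x.impact_eur[24], reverse=True):
        mtd = mtd_hours(p, tolerance_eur)
        if mtd is None:
            continue                     # not a critical process
        if p.rto_h > mtd:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTD {mtd}h")
        for s in (by_name[n] for n in p.depends_on):
            if s.rto_h > p.rto_h:        # process cannot recover before its systems do
                findings.append(f"{p.name}: {s.name} RTO {s.rto_h}h exceeds process RTO {p.rto_h}h")
            if s.rpo_h > p.rpo_h:
                findings.append(f"{p.name}: {s.name} RPO {s.rpo_h}h exceeds process RPO {p.rpo_h}h")
            if s.backup_interval_h > s.rpo_h:  # RPO is only as good as the backup schedule
                findings.append(f"{s.name}: backups every {s.backup_interval_h}h cannot meet RPO {s.rpo_h}h")
    return findings

def demo():
    # Constructed sample register: one ERP-dependent process, one email-dependent one.
    systems = [System("ERP", rto_h=8, rpo_h=4, backup_interval_h=24),
               System("Email", rto_h=2, rpo_h=1, backup_interval_h=1)]
    processes = [
        Process("Order fulfilment", {4: 2000, 24: 30000, 72: 150000}, rto_h=4, rpo_h=4, depends_on=["ERP"]),
        Process("Customer support", {4: 500, 24: 3000, 72: 9000}, rto_h=24, rpo_h=1, depends_on=["Email"]),
    ]
    return check_bia(processes, systems, tolerance_eur=5000)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sample exposes the two gaps a tabletop typically surfaces: the order process wants 4-hour recovery from an ERP whose DRP promises 8 hours, and a 4-hour RPO that a daily backup cannot honour.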
Integration with disaster recovery
Business continuity and disaster recovery are related but distinct disciplines. Business continuity focuses on maintaining critical business operations during a disruption; disaster recovery focuses on restoring IT systems and data. Our disaster recovery team works alongside the business continuity advisory to ensure that the IT recovery plans are consistent with and support the operational continuity requirements.
Supply chain continuity
For manufacturing, logistics, and retail businesses, supply chain disruption is frequently the most material continuity risk. Supply chain continuity planning — identifying single-source dependencies, qualifying alternative suppliers, maintaining strategic inventory buffers, and mapping geographic concentration risks — is an increasingly important component of resilience management. Our enterprise risk management team incorporates supply chain risk into the overall ERM framework.
Contact our business continuity team for a BIA and resilience assessment.
Real results in business continuity
We suffered a ransomware attack in November that encrypted our main servers for four days. We had built the BCP with BMC six months earlier and that made an absolute difference: we activated the plan within the first two hours, moved critical operations to the alternative site, and maintained service to our main clients without interruption. Without the plan, it would have been a total disaster.
Experienced team with local insight and international reach
What our business continuity service includes
Business Impact Analysis (BIA)
Identification of critical processes, quantification of the impact of their interruption, and definition of MTD, RTO, and RPO objectives by critical process and system.
Business Continuity Plan (BCP)
Full BCP development: activation procedures, crisis management roles, continuity strategies by process, communication protocols, and supplier management in crisis situations.
Disaster Recovery Plan (DRP)
DRP development for critical IT systems: backup strategies, failover procedures, cloud provider coordination, and recovery objectives by system.
Tabletop simulation exercises
Design and facilitation of tabletop exercises for the most critical scenarios: cyberattack, loss of premises, critical supplier failure, and pandemic. Findings report and improvement plan.
Maintenance and continuous improvement
Plan review and update schedule, change management procedure for continuity-affecting changes, and ISO 22301 certification maintenance support where applicable.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.