The question is not whether a major incident will occur, but whether your organization will come through it in good order. That is the whole point of business continuity. ISO 22301 provides the reference framework. Three acronyms keep coming up, often confused: BIA, BCP and DRP. Let’s put each one in its place.
The BIA: knowing what actually matters
The Business Impact Analysis is the starting point of any serious approach. First, it identifies the company’s critical activities. Next, it assesses their interruption over time. From there, it derives two structuring parameters. The RTO sets the maximum tolerable downtime. The RPO sets the maximum acceptable data loss. Without a BIA, a continuity plan protects at random. As a result, it over-protects the incidental and under-protects the essential.
The BCP: keeping the business running
The Business Continuity Plan organizes the continuation of critical activities during the crisis. Concretely, it covers degraded modes and manual workaround procedures. It also plans fallback sites, team reassignment and communication, both internal and external. Above all, this is a company plan, not an IT plan. So it mobilizes the business lines, HR, communications and top management.
The DRP: rebuilding the IT
The Disaster Recovery Plan is the technical component. It restores systems, applications and data within the timeframes the BIA sets. Here, backups and their isolation matter, notably against ransomware. Standby environments, system restart order and failover procedures complete the plan. In short, the DRP turns theoretical RTOs and RPOs into an actual capacity to rebuild.
What ISO 22301 brings to business continuity
The standard ties these blocks into a full management system. It covers management commitment, risk analysis, a methodical BIA, continuity strategies and documented plans. Above all, it mandates continuous improvement. Indeed, it requires what organizations most readily forget: testing. So the standard calls for at least one crisis exercise a year, realistic scenarios, and lessons that teams capture then correct.
The classic mistake: the binder
Many organizations have a BCP that is formally complete, yet practically unusable. Someone drafted it three years ago and never tested it. It now lists outdated contacts and procedures that assume systems long gone. Yet in a real crisis, the binder does not answer the phone. The real measure of a capability is the date of its last exercise, not the thickness of the documentation.
Business continuity: the takeaway
The BIA says what to protect. Next, the BCP keeps the business running. As for the DRP, it rebuilds the IT. Finally, ISO 22301 holds the whole together over time. In an M&A context, business continuity must also survive the separation or the integration. Indeed, a BCP that the entity inherited from the seller’s group no longer protects it once autonomous.