Governance, Risk Management, and Compliance blog

The three golden rules of a business continuity plan

[fa icon="calendar"] Monday, 30 May 2022 / by Jakob Holm Hansen

By Jakob Holm Hansen, our CEO

"How long should a business continuity plan be?" This is a question we often hear from our customers. My answer usually is: "As short as possible!" The truth is that the perfect business continuity plan (if such a thing exists) should be three - sometimes contradictory - things at once:

  • Comprehensive 
  • Short 
  • Operational

As implied above, we don't live in a perfect world, and sometimes we must create a balance between the three. Let's take a closer look at the three "golden rules of a business continuity plan".


The business continuity plan must be comprehensive. Or at least adequate. Please note that I write comprehensive - not long. The business continuity plan must cover the critical processes and systems, otherwise, it is worth nothing. This is one of the reasons we always recommend starting with a risk assessment.

So that's the first golden rule. The business continuity plan should include what is critical and important to our business, otherwise, it does not fulfill its sole and main function: to protect ourselves against unacceptable losses as a result of an incident.


But the business continuity plan should still be short. Very often we see business continuity plans of 150 pages or more. Although it is an impressive piece of work, some of the time spent typing it up might have been better spent.

But why is it so important to keep the plan short and simple? We have to keep in mind when and under what circumstances we will be needing the plan. In an emergency situation, the business continuity team should only be presented with the information they need in this situation. If they are handed a 150-page plan, one of two things will happen: 

  • Business continuity is slow, inefficient and inflexible
  • The business continuity plan will be scrapped, and the situation will be handled "ad hoc".

If this happens, it is obviously wasted effort writing a business continuity plan to begin with.


Finally, our business continuity plan must be operational. Unfortunately, many business continuity plans start with page after page of general considerations, such as introduction, purpose, objectives, stakeholders, approvals, references to standards and legislation, etc. As I mentioned earlier, the business continuity plan will be used in emergency situations and must be operational from page 1! This is why these kinds of general considerations, even if they are justified, should be removed from the plan. One way to do this is to create a separate "Business Continuity Policy" - or at least place these as the last part of the plan.

To make the business continuity plan operational, it is important that we give some thought to the structure and flow of the plan. We don't want the business continuity team to have to turn page after page to find what they are looking for and thus lose track. Therefore, it is important to start the plan with a flow chart so that they can always return to this in order to get an overview. I am a big believer in the "one-page management" concept, where the entire business continuity flow is described on one page. This can be a difficult exercise, but the rewards of being structured and doing the as simple as possible can benefit your operational abilities.

You should also consider which style and language to use in the plan. Short, clear messages, preferably, in bullet form, are much better than long, convoluted chapters. Keep in mind that there is limited time and quite an amount of stress involved when experiencing an emergency situation.

So... Remember the three golden rules and keep your business continuity plan Comprehensive, Short, and Operational.


Connect with Jakob on LinkedIn here.

With our GRC tool you can improve your business continuity planning and make sure that your plans are always up to date. Read more about business continuity here.

Emner: Business Continuity Planning, Information Security Management, IT risk assessment, information security policies, SecureAware BCP, ISMS, BCP

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts