In my experience as a tutor and auditor of ISO 22301 BCM systems, it's vital to get the business impact analysis and risk assessment right. These activities identify and prioritize the key business processes that must be preserved through a disruptive incident, and risks that bear upon BC planning. It's important to understand that BC planning cannot be driven by risk assessment alone.
For example, electric power is an essential resource for most organizations. Whilst one could enumerate all the hazards that could interrupt power (power station runs out of coal, electric cables break, bill not paid, fuses blown by incompetent electrician, etc.), the impact of electric failure is that work stops. So we plan anyhow for electric failure, for example with supplies from two alternative power stations, uninterruptible power supplies, diesel generators and so forth. Risk analysis might tell us whether lightning is a significant threat and, if so, we might install lightning conductors - as well as the BC arrangements like backup generators. If you like, business continuity plans are for use when risk assessment and mitigation fail.
It's important also to understand that ISO 22301 doesn't talk of DR planning. Rather, it expects plans for (a) dealing with the immediate consequences of a disruptive incident, (b) plans for continuing vital processes while (c) longer term recovery plans restore things back to normal. Organizations differ in their understanding of what DR planning actually means, so the standard offers a common vocabulary - which avoids arguments by not using the DR term.
Another common error is to see BC planning as an IT issue. While IT is almost certainly involved, so too are people and operational processes. For example, if the call centre is essential, IT DR planning alone won't be enough. There must be plans for, e.g., firing up an alternative call centre location, for getting the right staff to it, and for providing them with food and drink.
While templates can be useful and are available from several vendors I think they have limited value because, as anyone with real experience of serious disruptive incidents knows, the key factors are the people on the ground dealing with the incident, its consequences, and maintaining service while recovery proceeds.
For example, while BP may have had templates in their BC plans for what executives should say in public, they didn't stop Tony Hayward making insensitive comments about his yachting vacation just after his company flooded the Gulf with oil.
And when the Costa Concordia sank off the coast of Italy having struck a rock its Captain reportedly said should not have been there, true leaders emerged such as the dancer who herded her allocated passengers together and timed the rate at which water was rising, watching the rescue boats, so she could tell her charges to swim if the boats didn't reach them in time - but they did, so her group survived. I think one learns that a critical element of BC planning is getting the right people leading aspects of incident management, and empowering them to make it up as they go along if necessary.
If an organization goes for formal certification to ISO 22301, the CB will expect a regular, planned exercise programme that demonstrates the system will likely work if called upon, and that leads to corrective actions and improvements in BC planning, including the BIA and risk assessment activities as appropriate. This is worth mentioning because many organizations find BC exercises expensive and disruptive and resist doing them properly. In my experience CBs may insist that some 66% of the system had been exercised by Stage 2 (and 33% by Stage 1) - and that the results are being acted upon.
How seriously one takes all this depends upon the impact upon life and death of one's activities. BC planning is clearly more vital for a hospital than a fish and chip shop - except, for the latter, the business is mom and pop's livelihood, so they plan as much as they need to, e.g. so that they have sufficient power for the lights and fryers to feed the local community through a power cut.
Which raises another aspect: BC isn't just about survival, it can also bring competitive edge. If mom and pop can feed people fish 'n chips through a power outage, and the burger joint next door has its lights and fryers out, who wins more long term customers when power returns?
Here's some UK Government guidance that might be helpful:
https://www.gov.uk/resilience-in-so...ommunities-and-businesses#business-continuity
http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/
It refers in some places to BS 25999 which was ISO 22301's predecessor. In concept the two are similar; ISO 22301 benefitted from practical experience gained with BS 25999.
It helps, perhaps, to understand that BS 25999 was introduced here in the UK after we were hit hard by some major incidents. For example, in the 7/7 bombing incidents in London, the emergency services learned that (a) they had not prepared for several similar incidents at the same time (so the response to the second bomb was delayed because incident managers thought that the people calling it in were referring to the first bomb) and that (b) police, fire and ambulance services could not properly co-ordinate because their different radio systems could not inter-communicate. Thus, BS 25999 and now ISO 22301 were designed, not just to help organizations survive disruptive incidents but, with common vocabulary, concepts and processes, to co-ordinate joint planning, amongst organizations, especially in critical national infrastructure, hence the rather clumsy "societal security" terminology.
Hope this helps,
Pat