Need a bone to throw at a customer (Business Continuity/Contingency Plan)



Hello everyone,

Here is my problem: we have a client (actually two!) who ask a BCP.

We started to look at it. Our approach was that, given the complexity of the thing (there is sufficient material on this subject that a standard - ISO 22301 ? has been developed!), we did not believe in a "document" submitted to the customer who should be of any practical use if a major incident occurred. We rather believed that we should consider the BCP as a long-term process, a "living" process one, involving different actors who have fully participated in the program and support it).

Although we have started to develop our system and have written some procedures, our client is getting impatient (for him, having a plan is one of the requirements for the award of a contract) and he wants to see a plan (formed ?filled ").

Some risks have in already been identified for one of our two customers (or are a concern for at least one):

? Risk of the business being sold by the main shareholder;
? Risk of a strike;
? Risk linked to parts supply chain (we are in electronics and some parts are end of life);
? Fire risk (plant).

Those are the 4 most concrete cases we have on a first pass.

The question is: "How can I (and in what form) present something that would satisfy my client? ".

In what form, I mean "content" and "container". I remind you that I?m starting from scratch.

Examples would be great.

Thank you in advance to all!


Wes Bucey

Prophet of Profit
Re: Need a bone to throw at a customer

Confirm "BCP" (Business Continuity Plan or Business Contingency Plan) is requested by prospective customer before approving your organization as a supplier.

Identifying risks are really only part of the process. This is essentially a FMEA (Failure Mode & Effects Analysis) exercise.

  1. The organization identifies potential failure issues
  2. Organization assesses likelihood of occurrence
  3. Organization has plan to overcome or minimize damage done by failure

The point being:
Merely identifying the potential risks is worthless unless you can do an insurance underwriter's job and figure the probability of it happening and determining a setaside of money to cure the situation if it should occur.

The setaside of money can either be a cash fund or an insurance policy to repair or replace the damaged segment of the business (getting new customers, employees, vendors, designs, physical plants and/or equipment, and numerous other details too numerous to detail here in the Cove.) Some economic analyses I have participated in ran to dozens of pages, dependent on the complexity and scope of the target business.


Re: Need a bone to throw at a customer

[...] we did not believe in a "document" submitted to the customer who should be of any practical use if a major incident occurred [..]

Why would you think that?


Re: Need a bone to throw at a customer

Hello feldpath ... Because too many scenarios could occur ...

Phil P

Re: Need a bone to throw at a customer

I imagine that your customer is looking for a document that shows you have a system in place.

From experience I would do the following:

Generate a scope (operations of your business) and purpose (to maintain production for customers) to provide direction
Hold team meetings to identify risks (supplier failure, fire, flood, chemical release, industrial action, key equipment failure etc.)
Produce a risk register which uses occurrence, severity and recoverability to rate the risks
Detail the actions to be taken in the event of each risk occurring
Produce a DRP which lists roles and responsibilities in the event of a disaster
Produce a summary document listing recovery times for customers
Place copies of all DRP docs into a secure online server (so you can access them remotely)

Hope that helps,


Mike S.

Happy to be Alive
Trusted Information Resource
Money is not the only way to handle or mitigate risks in a BCP. For example, maybe you have a second plant or approved subcontractor that could take on work from your plant if a tornado wiped you out. If your electric power went out maybe you have backup generators you own or could rent or borrow. If your computers are hacked you have full backups off-site. Etc.


As Phil P indicates you need to have a document to demonstrate you have a plan in place. We have a full BCP we can test using the various types of scenarios indicated. To go with this we have our Business Continuity Policy, maybe having one of these would be acceptable to you customers i.e.

Business Continuity Policy


The impact of any disaster can be reduced through a considered assessment of threat, vulnerability & risk. Such residual level of risk can be mitigated by the adoption of Business Continuity Planning and Management.
The benefits of undertaking Business Continuity Planning and Management within ACME are:

  • Maintenance of key cash flows and profit streams post-event to ensure long-term survival of the Group is not put at risk
  • The Group meets its contractual and governance obligations
  • Improved credibility for ACME as an organisation and greater confidence in the Group from all stakeholders.
  • This policy outlines the approach to business continuity planning and management, its implementation and recovery processes and incident communication within the Group.

  • To ensure that ACME has a workable continuity plan that will enable acceptable standards of service to be provided to business critical groups within defined and agreed timescales, following either the total and/or partial loss of vital services or facilities.
  • To establish an effective 'crisis management’ and communications structure that will operate in the event of a disaster at ACME.
  • To establish a process for developing, maintaining and testing business continuity plans.
Policy Statement

In line with management best practice, ACME is committed to reducing business risk to acceptable levels wherever possible. To ensure that the group as a whole remains viable in the event of disaster ACME must maintain a business continuity plan, describing the actions to be taken in the event of crisis or disaster. Priorities and time scales for recovery must be agreed within the business and must be clearly identified and included in the plan. The plan must be subjected to periodic testing.


This policy applies to all ACME companies and functions within the Group.

Hope this helps.


Richard Regalado

Trusted Information Resource
Hello LesPiles.

Attached is a typical BCMS project implementation plan I use for my projects. Would be kind to show me where you are? What have you done?

Have you done your BIA? Do you have RTO? MBCO? MAO?

Come back here and we talk some more.



  • IP-1556-FSCI-BCMS6-R1.pdf
    68.9 KB · Views: 456

Mike S.

Happy to be Alive
Trusted Information Resource
Money is the only way to handle such issue.

Really? If all of your data is wiped out and no backups exist, how is money gonna help? Unless it is enough to pay-off all the resulting damages and lawsuits and help you build a new business to start over, money alone is not the answer.
Top Bottom