Business Continuity
Planning and capability to maintain service during disruption: site loss, system failure, key staff absence, supply chain breaks.
Definition
Business continuity is the planning and capability to maintain critical service during disruption: site loss, system failure, cyber incident, key staff absence, supply chain breakdown. Public sector contracts often require evidence of business continuity capability at the bid stage and continuity plans that are tested during delivery. ISO 22301 is the international standard for business continuity management systems and is increasingly required for higher-value or critical public sector contracts. The Civil Contingencies Act 2004 imposes specific continuity duties on category 1 responders (emergency services, NHS, local authorities, Environment Agency).
How it works in practice
A business continuity plan typically covers four areas. First, risk identification: what could disrupt service, with likelihood and impact assessment. Second, response: how the organisation will respond to each scenario, including roles, communication, and decision authorities. Third, recovery: how service will be restored, including recovery time objectives (RTO) and recovery point objectives (RPO). Fourth, testing: how the plan is exercised, typically through annual tabletop exercises plus periodic technical tests of recovery procedures.

Public sector contracts often require specific continuity commitments: maximum tolerable outage by service area, backup site or alternative service mode, named continuity manager, evidence of plan testing, and integration with the buyer's wider continuity planning (especially for category 1 responders).

Cyber incidents are an increasingly important continuity scenario: ransomware, data exfiltration, and supply chain compromise can shut down operations as effectively as physical incidents. The 2017 WannaCry attack on the NHS and subsequent ransomware incidents at local authorities have driven much higher continuity expectations in public sector contracts. Bidders should treat continuity as an evidence-backed bid section (tested plan, named manager, recent exercise outcomes, ISO certification where held) rather than aspirational language.
Common questions
Is ISO 22301 required for public sector contracts?
It is increasingly required for higher-value or critical contracts (health, emergency services, critical infrastructure). For routine services, certification may not be mandatory, but evidence of continuity capability (a named plan, a recent exercise, RTO commitments) is widely expected.
What are RTO and RPO?
Recovery Time Objective (RTO) is the maximum tolerable time before service is restored after disruption. Recovery Point Objective (RPO) is the maximum tolerable data loss measured backwards from the disruption (a 1-hour RPO means at most 1 hour of data can be lost). Both should be specified per service area in the bid and contract.
How often should continuity plans be tested?
Tabletop exercises annually as a minimum; technical tests of recovery procedures (failover, restore from backup) at least annually and after significant change. Real incidents (any P1 incident, any security incident) count as tests; the post-incident review should explicitly evaluate continuity response. Plans that have not been tested for over a year typically degrade in effectiveness.
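The RTO/RPO definitions and the annual testing expectation above can be turned into a routine evidence check. The following is an added example, not part of this page or any standard: it assumes hypothetical per-service commitments and constructed backup-catalogue records, and flags any service whose unprotected data window exceeds its RPO, whose last measured restore exceeded its RTO, or whose restore procedure has not been tested within a year.

```python
from datetime import datetime, timedelta

# Hypothetical per-service commitments of the kind a bid or contract states
# (constructed sample values, not taken from any real contract).
COMMITMENTS = {
    "patient-portal": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "payroll":        {"rto": timedelta(hours=24), "rpo": timedelta(hours=12)},
}

# Fixed reference time so the assessment is reproducible offline.
NOW = datetime(2024, 6, 1, 12, 0)

# Constructed evidence, as a backup catalogue and restore-test log might export it:
# when the last verified backup completed, when the service was last restored in
# a test, and how long that restore took.
EVIDENCE = {
    "patient-portal": {
        "last_good_backup": NOW - timedelta(hours=2),
        "last_restore_test": NOW - timedelta(days=30),
        "restore_duration": timedelta(hours=3),
    },
    "payroll": {
        "last_good_backup": NOW - timedelta(hours=6),
        "last_restore_test": NOW - timedelta(days=400),
        "restore_duration": timedelta(hours=30),
    },
}

MAX_TEST_AGE = timedelta(days=365)  # "at least annually" from the page


def assess_service(commitment, evidence, now=NOW, max_test_age=MAX_TEST_AGE):
    """Return (code, detail) findings for one service; an empty list means compliant."""
    findings = []
    # RPO: everything written since the last good backup is lost if disruption hits now.
    exposure = now - evidence["last_good_backup"]
    if exposure > commitment["rpo"]:
        findings.append(("RPO_BREACH", f"{exposure} unprotected exceeds RPO {commitment['rpo']}"))
    # RTO: the only defensible RTO is one a real restore test has actually achieved.
    if evidence["restore_duration"] > commitment["rto"]:
        findings.append(("RTO_BREACH", f"restore took {evidence['restore_duration']}, RTO {commitment['rto']}"))
    # Test currency: an untested restore procedure is not evidence of capability.
    test_age = now - evidence["last_restore_test"]
    if test_age > max_test_age:
        findings.append(("STALE_TEST", f"last restore test {test_age.days} days ago"))
    return findings


def assess_all(commitments=COMMITMENTS, evidence=EVIDENCE, now=NOW):
    return {svc: assess_service(commitments[svc], evidence[svc], now) for svc in commitments}
```

Run against a real catalogue export before a bid or contract review; each non-empty finding list is a gap between the written commitment and the evidence behind it.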
