How to create an effective business continuity plan

8 May 2026, 07:01

Organizations are seeing a more threatening and volatile operating environment.

Executives report an increase in risks across multiple areas, including cyber-enabled fraud, phishing, and supply chain disruptions, according to the World Economic Forum’s 2026 Global Cybersecurity Outlook report.

At the same time executives are increasingly worried about how artificial intelligence, digital interdependencies, geopolitics, and today’s complex operating environment increase risk to securing their organization’s technology and ensuring business continuity.

Two-thirds (66%) of organizations have increased financial or resource support for business continuity and resilience in response, according to the 2025 State of Continuity and Resilience report from the Business Continuity Institute.

Even so, business leaders are bracing for increasingly frequent, high-impact incidents, making a solid business continuity plan more critical than ever.

“Every business should have the mindset that they will face a disaster, and every business needs a plan to address the different potential scenarios,” says Goh Ser Yoong, CISO at Ryt Bank and a member of the Emerging Trends Working Group at ISACA.

A business continuity plan gives organizations the best shot at navigating a disaster by providing ready-made directions on who should do what tasks in what order to keep the business viable.

Without such a plan, the organization will take longer than necessary to recover from an event or incident — if it recovers at all.

What is a business continuity plan?

A business continuity plan (BCP) is a strategic playbook created to help an organization maintain or quickly resume business functions in the face of disruption, whether it is caused by a natural disaster, civic unrest, cyberattack, or any other threat to business operations.

“Continuity is about knowing the minimum time or loss an organization can absorb and still be viable and conduct business. It’s about how quickly it can come back up before it gets bad for its clientele or business, and what systems and processes it has to bring back up and in what order,” says Matt Chevraux, managing director of FTI Consulting.

As such, a business continuity plan outlines the procedures the organization must follow to minimize downtime, covering business processes, assets, human resources, business partners, and more.

A business continuity plan is not the same as a disaster recovery plan, which focuses on restoring IT infrastructure and operations after a crisis. Still, a disaster recovery plan is part of the overall strategy to ensure business continuity, and the business continuity plan should inform the action items detailed in an organization’s disaster recovery plan. The two are tightly coupled, which is why they often are linked together as BCDR.

Business continuity differs from resilience, too, although they are also interrelated. Business continuity focuses on restoring operations in the event of a disruption, whereas business resilience speaks to an organization’s strategy for responding to all sorts of internal and external forces to ensure its long-term survival and success.

Elements of business continuity planning today

Disruptive events are inevitable, according to researchers, risk leaders, and executive advisers.

“Gone are the days when organizations used business continuity or resilience programs as a kind of insurance in case something failed. Now, organizations must face the reality; it’s only a matter of time until a catastrophic incident occurs and affects customers,” Forrester Research writes in its Business Continuity Management Software Landscape, Q1 2026 report.

Executives are not only operating in an environment where a catastrophic incident is a not-if-but-when scenario, they’re also working in a world where the complexity of business operations has increased dramatically.

Now organizations must consider, as part of their continuity plans, a growing volume of AI uses, vendors, and digital connections to third parties, says Ross Tisnovsky, a partner at Everest Group and leader of the firm’s CIO research and advisory practice.

For example, plans today must address AI availability as well as its accuracy and its cyber risks, such as the threat of prompt injection attacks, he explains, noting that today’s continuity plan must account for more novel concerns. “The concern with infrastructure and applications was availability, but what if AI is giving you junk? That degrading quality of output is a continuity concern.”

Similarly, organizations must evaluate and address their ever-growing operational reliance on third parties, whether they’re hyperscalers or LLM providers, a factor that also adds more complexity to business continuity plans, Tisnovsky says.

“We now have all these providers, and on top of it we’re relying on APIs and the service mesh way more. We’re relying on potential connections we don’t even know about,” he explains. “That can create exposure you cannot control.”

All these considerations are in addition to the myriad conventional risks that a business continuity plan has always had to address, Tisnovsky adds.

Building (and updating) a business continuity plan

Whether building the organization’s first business continuity plan or updating an existing one, the process involves multiple essential steps.

Assess business processes for criticality and vulnerability: Business continuity planning starts with understanding what’s most important to the business. Assess business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, a week, or more.

“Start with a business impact analysis: What are the critical things that make the business run,” says Lawrence Bilker, CIO of Lift Solutions Holdings. “Identify the business processes and systems that make the company work.”

This assessment is more demanding than ever due to the complexity of today’s hybrid workplace, the modern IT environment, and reliance on business partners and third-party providers to perform or support critical processes.

As a result, assessment requires an inventory of not only key processes but supporting components — including IT systems, networks, people, and outside vendors — as well as the risks to those components, Goh says.

Determine your organization’s RTO and RPO: The next step is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.

Each organization has its own RTO and RPO based on its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives must establish.

Some businesses “need to be up all the time without fail, and so they need high availability in place, meaning one or two backups,” Bilker says.

Detail the steps, roles, and responsibilities for continuity: Business leaders should then use RTO and RPO, along with their business impact analysis, to determine specific tasks that need to happen, by whom, and in what order to ensure business continuity.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.

There’s no need to identify every possible risk to the organization when building or updating a business continuity plan, says Kayne McGladrey, a senior member of nonprofit professional association IEEE.

The list of possible impact scenarios is extensive. Instead of trying to identify them all, McGladrey advises identifying the most likely and most representative types of incidents and then focusing on how such incidents could impact the business. From there, leaders must determine what impacts would be intolerable based on the organization’s risk tolerance.

“Think about business risks, not the technical risks and not causes, but the impacts on the business,” McGladrey says.

The objective, he stresses, is to create a business continuity plan capable of instructing the organization on how to recover from an unexpected event of any kind.

The importance of testing the business continuity plan

Testing and practicing are other critical components of business continuity planning, as they show whether or how well a plan will work. They also help prepare stakeholders for an actual incident, building muscle memory to respond quickly and confidently during a crisis.

“Testing and training for people are critical so everyone knows what to do in an event of a failure,” Bilker says.

They also help identify gaps in the devised plan. For instance, Bilker says testing and training could uncover the lack of backups or alternatives to critical systems, providers, or people.

Additionally, testing and training help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.

Types and timing of tests

Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.

Common tests include tabletop exercises, structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring business units are represented.

In a structured walk-through, team members walk through their components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

Some experts advise a full emergency evacuation drill at least once a year.

Disaster simulation testing — which can be quite involved — should also be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies, and personnel (including business partners and vendors) who would be needed. The simulation helps determine whether the organization can carry out critical business functions during an actual event.

During each phase of business continuity plan testing, include some new employees on the test team. A pair of fresh eyes might detect gaps or lapses of information that experienced team members could overlook.

Reviewing and updating the business continuity plan should be an ongoing process. Otherwise, plans go stale and are of no use when needed.

“How often it needs to be updated should be driven by the business,” Tisnovsky says.

Bring key personnel together at least annually to review the plan and discuss areas that require modification.

Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.

Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.

Additional best practices

According to management advisers and experienced executives, the following best practices can help organizations with their business continuity planning:

Use AI to help build and maintain the plan: Zach Rossmiller, associate vice president and CIO of the University of Montana, uses a customized generative AI tool to analyze the organization’s processes, procedures, infrastructure, and architecture as well as its business continuity plan to identify potential gaps, such as the need to test generators for the university’s data center. Given the tool’s performance, Rossmiller advises others to use AI for business continuity planning and testing. Chevraux says AI can also be used for data discovery, mapping, and conducting business impact assessments.

Meanwhile, Bilker stresses the importance of including communications plans as part of the business continuity plan.

“It’s difficult during an incident to remember who gets what information when and who distributes information, so the business continuity plan should outline that information,” he says.

Similarly, the plan should identify who owns what roles and responsibilities during and after an incident to speed response and reduce confusion.

Bilker also advises organizations to revisit their continuity plans any time there is a major change to the business. Entering new markets or switching from one key cloud provider to another should trigger an update to the business continuity plan.

How to ensure business continuity plan support and awareness

Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.

Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?

Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.

Your cloud strategy is incomplete without a cyber recovery plan

30 April 2026, 07:00

It’s no stretch to say that most businesses likely feel confident about their cloud strategy today. They have invested heavily in modern platforms, deployed advanced security tools and strengthened identity control.

The environment should look secure, scalable and resilient.

I have seen firsthand where cloud adoption is treated as a modernization milestone and risk reduction strategy. Dashboards turn green, compliance boxes are checked and leadership gets an assurance that the organization is secured since moving to the cloud.

As we move to newer and more modern platforms, the question remains, “How quickly and confidently can your business recover from a cyberattack?”

Cyber recovery in today’s threat landscape determines survival. The stakes are no longer theoretical. According to IBM’s Cost of a Data Breach Report, the global average cost of a data breach is $4.4M, and over $10M in the US.

Ransomware has evolved from an IT disruption to a business shutdown event. Industry reports indicate that ransomware is involved in nearly half of the major breaches. According to Sophos’ State of Ransomware report, the average recovery cost now exceeds $2.7 million per incident, excluding reputational damage and lost revenue.

The illusion of a “secure cloud”

Cloud transformation has become synonymous with modernization. Organizations move to the cloud to gain scalability, agility and perceived improvement in security.

Cloud providers invest billions into securing their data infrastructure with capabilities that far exceed what most organizations could build on premises. But here’s where the illusion begins.

Many organizations equate cloud adoption with risk reduction, as if migrating workloads inherently made them more secure. Cloud does not eliminate cyber risk. It changes its shape and shifts its ownership.

In a cloud environment, many of the risks move up the stack:

  • From infrastructure to identity
  • From perimeter defense to identity and access control
  • From static systems to dynamic, API-driven architectures

One of the leading causes of cloud breaches is simple misconfiguration. Publicly exposed storage and overly permissive roles continue to create entry points for attackers. These are failures of implementation and governance.

In a traditional environment, attackers target networks. In the cloud, they target identities. Compromised credentials, privilege escalations and weak access control allow attackers to move laterally across systems.

Once inside, they strategically target backups and recovery systems, ensuring that restorations become difficult or impossible.

The most dangerous aspect of this illusion is the belief that resilience is built in. Cloud platforms provide high availability, but a highly available system can still restore corrupted data, fail to meet business recovery timelines, and reintroduce vulnerabilities during recovery.

Recovery as the KPI

For years, cybersecurity has been built around a single objective, which is prevention. Organizations have invested heavily in firewalls, endpoint protection, identity controls and zero-trust architecture. While these investments remain essential, they are no longer sufficient. The reality is that no organization can prevent every attack.

It’s a fundamental change in thinking:

  • From: Can we stop every attack?
  • To: How quickly and safely can we recover when an attack succeeds?

When a cyberattack occurs, the initial breach is only the beginning. The real impact unfolds in the hours and days that follow: systems go offline, operations stall, customers are affected and revenue streams are disrupted. The question is how well the organization is prepared and how quickly it responds when such a scenario occurs.

Speed of recovery is the new competitive advantage. An organization that recovers faster can restore operations with minimal downtime, maintain customer trust and limit financial and reputational damage. Those that don’t face prolonged outages, risk regulatory exposure and experience long-term brand erosion. Recovery should be a board-level priority, and traditional technical metrics must be reframed in business terms.

RTO and RPO

Metrics like recovery time objective (RTO) and recovery point objective (RPO) have existed for decades, but they have often been buried in infrastructure discussions. That needs to change.

RTO defines how quickly the systems must be restored.

RPO defines how much data loss is acceptable.

Recovery must also be trusted, not just fast

Speed alone is not enough. One of the most overlooked challenges is data integrity. After an attack, organizations must ensure that restored systems are not only operational but clean and uncompromised.

This leads to the question: can it be restored quickly and safely?

In many incidents, organizations discover that the backups are infected, that data was silently corrupted and that the recovery process reintroduces vulnerabilities. Data from Veeam shows that when backups are compromised, recovery time increases substantially, often accompanied by higher data loss and an extended business outage.

A key insight: attackers increasingly dwell in the environment for weeks and compromise the backup process before triggering ransomware. The result is backups that already contain malicious artifacts, delayed detection and unsafe recovery attempts.

What a modern cyber recovery strategy must include

Building a cyber recovery capability establishes a resilience layer across the organization. At a minimum, this includes:

  • Isolated recovery environment: This must be separated from the primary network to prevent lateral movement during an attack. Logical or physical isolation ensures that recovery assets remain intact even when the production system is compromised.
  • Immutable backups: Data must be protected against deletion or encryption. This ensures that backups cannot be altered, even by privileged users or attackers.
  • Clean data validation: Not all backups are safe to restore. Organizations need the ability to scan and validate data before recovery to ensure it is free from malware or corruption.
  • Orchestrated recovery workflow: A manual recovery process is too slow and error-prone during a crisis. Automated workflows enable faster and more reliable restoration.
  • Regular testing and simulation: A recovery plan that hasn’t been tested is a risk. Simulating a cyberattack scenario helps an organization measure readiness, identify gaps and improve response time.
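The RTO and RPO definitions above, and the checklist just given (isolated environment, immutable copies, validated data, rehearsed restores), can be turned into a concrete readiness check that runs against a backup catalog. The following Python is an added example, not code from the article or its author. The catalog, system names, RTO/RPO values and backup images are constructed sample data, and the `immutable` and `isolated` flags are assumed stand-ins for whatever a real backup platform exposes.

```python
"""Added example (not from the article): a cyber-recovery readiness check.

For each critical system it finds the newest backup that is immutable,
held in the isolated recovery environment and whose SHA-256 digest still
matches the manifest recorded at backup time, then compares that backup's
age with the RPO and the last rehearsed restore duration with the RTO.
The catalog at the bottom is constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Backup:
    taken_at: datetime
    immutable: bool        # retention-locked / write-once copy (assumed platform flag)
    isolated: bool         # stored in the isolated recovery environment (assumed flag)
    expected_sha256: str   # digest written to the manifest when the backup was taken
    payload: bytes         # constructed stand-in for the backup image


@dataclass
class CriticalSystem:
    name: str
    rto: timedelta                          # maximum tolerable time to restore service
    rpo: timedelta                          # maximum tolerable data loss, as a time window
    last_restore_test: Optional[timedelta]  # duration of the last rehearsed restore; None = never tested
    backups: List[Backup] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_clean(backup: Backup) -> bool:
    """A backup counts as restorable only if it is immutable, isolated and its digest verifies."""
    return (backup.immutable and backup.isolated
            and sha256_hex(backup.payload) == backup.expected_sha256)


def newest_clean_backup(system: CriticalSystem) -> Optional[Backup]:
    """Return the most recent backup that passes is_clean(), or None if there is none."""
    candidates = sorted(system.backups, key=lambda b: b.taken_at, reverse=True)
    return next((b for b in candidates if is_clean(b)), None)


def assess(system: CriticalSystem, now: datetime) -> List[str]:
    """Return a list of findings; an empty list means the system meets its objectives."""
    findings = []
    clean = newest_clean_backup(system)
    if clean is None:
        findings.append("no clean backup: nothing immutable, isolated and digest-verified")
    elif now - clean.taken_at > system.rpo:
        findings.append(f"RPO breach: newest clean backup is {now - clean.taken_at} old, RPO is {system.rpo}")
    if system.last_restore_test is None:
        findings.append("RTO unproven: restore has never been rehearsed")
    elif system.last_restore_test > system.rto:
        findings.append(f"RTO breach: last rehearsed restore took {system.last_restore_test}, RTO is {system.rto}")
    return findings


def assess_all(systems: List[CriticalSystem], now: datetime) -> Dict[str, List[str]]:
    return {s.name: assess(s, now) for s in systems}


# ---- constructed sample catalog ------------------------------------------
NOW = datetime(2026, 5, 8, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

ERP_IMAGE = b"constructed backup image: erp"
PAY_IMAGE = b"constructed backup image: payments"
CRM_IMAGE = b"constructed backup image: crm"

SAMPLE_SYSTEMS = [
    # Meets both objectives: recent, immutable, isolated, digest verifies, restore rehearsed within RTO.
    CriticalSystem("erp", rto=4 * H, rpo=1 * H, last_restore_test=3 * H, backups=[
        Backup(NOW - H / 2, True, True, sha256_hex(ERP_IMAGE), ERP_IMAGE),
    ]),
    # The newest copy sits on the production network and is mutable, so it does not count;
    # the newest clean copy is an hour old against a 15-minute RPO, and the rehearsed
    # restore took longer than the RTO.
    CriticalSystem("payments", rto=2 * H, rpo=timedelta(minutes=15), last_restore_test=3 * H, backups=[
        Backup(NOW - timedelta(minutes=10), False, False, sha256_hex(PAY_IMAGE), PAY_IMAGE),
        Backup(NOW - H, True, True, sha256_hex(PAY_IMAGE), PAY_IMAGE),
    ]),
    # Immutable and isolated, but the stored image no longer matches the manifest digest
    # (simulated tampering), and a restore has never been rehearsed.
    CriticalSystem("crm", rto=8 * H, rpo=24 * H, last_restore_test=None, backups=[
        Backup(NOW - 2 * H, True, True, sha256_hex(CRM_IMAGE), CRM_IMAGE + b" (tampered)"),
    ]),
]

if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_SYSTEMS, NOW).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The design point is that the check refuses to count a backup toward the RPO unless it is immutable, isolated and digest-verified, so a fresh but mutable copy on the production network (the `payments` case) does not hide a gap, and a tampered image (the `crm` case) is caught before anyone tries to restore it. In a real deployment the flags and digests would come from the backup platform's catalog and manifest rather than from in-memory objects.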

Five questions the business should ask

As cyber threats continue to evolve, businesses should challenge themselves with a new set of questions:

  1. Can we recover our most critical systems within a business-defined timeframe after a cyberattack?
  2. Do we have an isolated environment to ensure a clean recovery?
  3. How do we validate that recovered data is not compromised?
  4. When was the last time we tested a full cyber recovery scenario?
  5. Who owns cyber recovery as a capability across the organization?

Resilience defines leadership in the cloud era

Cloud has transformed how organizations build, scale and operate technology. It has delivered agility, speed and a new level of architectural resilience. But it has also introduced a more complex and unforgiving risk landscape, where cyber threats are not only inevitable, but increasingly designed to disrupt recovery itself.

Cyber recovery must be treated as a strategic capability, not an operational afterthought. An organization should not only have a cloud strategy but also a cyber recovery plan.

This article is published as part of the Foundry Expert Contributor Network.