The Cost of an Untested BCP
Most organisations have a Business Continuity Plan in name. Many have one in practice only as a document produced for a compliance audit: never tested, not reflecting current operational reality, and with activation procedures that would not be followed under the stress of a real event.
When a disruption occurs, the absence of validated RTO and RPO targets, unclear crisis activation roles, and untested IT recovery procedures produce extended downtime, financial losses that escalate by the hour, and reputational damage that outlasts the event itself.
For organisations subject to FINMA Circular 2023/1, DORA, or ISO 22301 certification requirements, an untested BCP is also a direct regulatory compliance failure with audit and supervisory consequences, entirely independent of whether a real disruption has occurred.
Scope of Services
The Business Continuity Services
Business Impact Analysis (BIA)
A structured BIA campaign to identify and prioritise critical business processes, quantify the financial and operational impact of disruption across defined time horizons, and define Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO) for each critical function.
Regulatory Alignment
Explicit mapping to ISO 22301 requirements, FINMA Circular 2023/1 operational resilience obligations, and DORA ICT continuity requirements for financial entities in scope.
Business Continuity Profile
A structured BC profile documenting the organisation's resilience posture across all critical assets, systems, and processes, serving as the ongoing reference document for continuity management and regulatory review.
Business Continuity Plan (BCP)
Design and production of the complete Business Continuity Plan: organisational activation structure, escalation procedures, crisis communication protocols, and documented recovery strategies for each critical process.
Disaster Recovery Plan (DRP)
Technical DRP aligned to the BCP, defining step-by-step recovery procedures for IT systems, infrastructure, and data, with validated RTO and RPO targets per system tier.
Crisis Organization and Exercises
Definition of the crisis management structure, activation roles, and decision-making protocols, validated through tabletop and operational exercises. For a comprehensive crisis exercise program, see also the Crisis Management service.
Process
From Asset Inventory to Tested Recovery Capability
1 Scope and critical asset identification
Map the organisation's critical processes, systems, personnel dependencies, and third-party relationships.
2 Business Impact Analysis
Quantify the financial, operational, legal, and reputational impact of disruption across standardized time horizons for each critical function.
3 Strategy development
Design recovery strategies for each critical function based on BIA outputs and explicit cost-benefit trade-offs between recovery speed and investment.
4 BCP and DRP documentation
Produce complete, structured plans with activation procedures, clear role assignments, communication scripts, and technical recovery steps.
5 Testing and validation
Conduct tabletop exercises, IT recovery tests, and operational drills to validate plan effectiveness and identify improvement areas before a real event occurs.
Outcomes
What You Receive
- Business Continuity Profile documenting the full organisational resilience posture
- Complete Business Impact Analysis with MTD, RTO, and RPO per critical function
- Business Continuity Plan with activation procedures, roles, and communication protocols
- Disaster Recovery Plan with technical recovery procedures and validated RTO and RPO targets
- Exercise report with structured lessons learned and formal improvement action plan
Compliance-Ready and Operationally Tested
Our BCP and DRP engagements are built to withstand regulatory scrutiny. FINMA-regulated clients receive documentation explicitly structured to the requirements of FINMA Circular 2023/1. Financial entities subject to DORA receive resilience documentation that maps to DORA's ICT continuity and business impact analysis testing obligations. All plans include version control, defined annual review cycles, and evidence packages structured for external audit presentation.
Next Step
Assess Your Business Continuity Posture
We provide an initial Business Continuity maturity consultation to evaluate your current plan status, identify critical gaps, and propose a pragmatic implementation and testing path. This consultation is typically delivered as a structured half-day workshop.