Without knowing your critical activities, your team wastes time during an outage arguing about what to fix first while customers leave, orders pile up unpaid, and revenue stops. A textile exporter in Tiruppur whose shipping documents system crashes will lose 2-3 days of exports if they don't know that 'issuing bills of lading' must happen even manually—competitors fill their buyer's orders instead. A financial services firm in Bangalore without priority clarity during a ransomware incident spends hours on non-critical work instead of stopping fraudulent transactions, costing lakhs in false debits. Regulatory auditors and large customers (like banks or e-commerce platforms) now explicitly ask: 'What are your critical business functions?'—if you don't have a clear answer, you fail their security checklist.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no documented list of critical activities. When something breaks, the owner makes urgent phone calls and the team scrambles without any plan for what to prioritize.
Initial
You have an informal, verbal understanding of which activities matter most (usually just 'keep the website up' or 'process orders'). No written document exists, and different team members might give different answers.
Developing
You have written down 3–5 critical business processes (e.g., invoice generation, customer support, procurement approvals) and roughly know how long the business can survive without each one. The list exists but is not regularly updated.
Defined
You have a formal Business Continuity Plan document listing all critical processes with recovery time objectives (how fast each must restart). The list is reviewed once a year and tied to IT backup/recovery priorities.
Managed
Your critical process list is integrated into your incident response plan, backup strategy, and IT disaster recovery arrangements. Each critical process has a named owner, a backup manual procedure, and documented RPO/RTO metrics (data loss and downtime limits).
Optimised
Critical process priorities are tested in annual disaster recovery drills, regularly reviewed as the business changes, communicated to all staff, and used to govern investment in redundancy. Recovery procedures are documented, up-to-date, and actively maintained.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Call a 2-hour meeting with the owner, operations manager, and finance head. List on paper: which 3–5 activities, if they stopped for 1 hour, would hurt the business most? Write down answers and share with the team. | Business Owner or Operations Manager | 1 day |
| 1 → 2 | Create a one-page 'Critical Business Functions' document listing each activity, who owns it, and approximately how long you can operate without it (e.g., 'Invoice generation—Finance Manager—max 4 hours'). Share and get sign-off from department heads. | Operations Manager or IT In-charge | 3–5 days |
| 2 → 3 | Develop a formal Business Continuity Plan (2–3 pages) that includes the critical process list, recovery time objectives (how fast to restart each), and manual backup procedures. Have a lawyer or compliance advisor review it once. Schedule annual review. | Compliance Officer or External Consultant | 2–4 weeks |
| 3 → 4 | Map each critical process to specific IT systems, data, and backups. Ensure your IT disaster recovery plan (backup frequency, failover procedures) explicitly addresses each critical process. Document what data loss (RPO) and downtime (RTO) is acceptable for each. | IT In-charge with external technical advisor if needed | 4–6 weeks |
| 4 → 5 | Run an annual disaster recovery drill (simulate a ransomware or server outage) where the team executes recovery procedures for critical processes using backup systems. Update procedures based on lessons learned. Brief all staff on their role in a crisis. | IT In-charge and Operations Manager with external consultant | Ongoing (annual drill + quarterly updates) |
Documents and records that prove your maturity level.
- Written list of critical business processes (minimum 3–5 activities) with owner name and function name
- Business Continuity Plan or Disaster Recovery Plan document (1–3 pages minimum) signed off by owner/management
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented for each critical process (e.g., 'Invoice generation: RTO 2 hours, RPO 15 minutes')
- Documented manual or backup procedures for at least 2–3 critical processes (e.g., 'If server down, use offline invoice book and email reconciliation')
- Evidence of review/update: dated sign-off on the critical process list or plan (at least annual) showing it is current
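
The evidence items above and the 3 → 4 step (mapping each critical process to its backups, RPO and RTO) can be checked mechanically once the register is kept as structured data. The following is an added example, not part of the original guide; the field names, the sample rows and the one-year review threshold as a parameter are assumptions made for illustration.

```python
from datetime import date

# Constructed sample register. Field names are assumptions for this example;
# the invoice RTO/RPO and manual procedure reuse the guide's own illustration.
REGISTER = [
    {"process": "Invoice generation", "owner": "Finance Manager",
     "rto_hours": 2, "rpo_minutes": 15,
     "backup_interval_minutes": 60, "tested_restore_hours": 4,
     "manual_procedure": "Offline invoice book and email reconciliation",
     "last_review": date(2024, 1, 10)},
    {"process": "Customer support", "owner": "",
     "rto_hours": 4, "rpo_minutes": 240,
     "backup_interval_minutes": 240, "tested_restore_hours": 3,
     "manual_procedure": "", "last_review": date(2022, 6, 1)},
    {"process": "Procurement approvals", "owner": "Operations Manager",
     "rto_hours": 24, "rpo_minutes": 480,
     "backup_interval_minutes": 240, "tested_restore_hours": None,
     "manual_procedure": "Paper purchase order signed by Operations Manager",
     "last_review": date(2023, 12, 1)},
]

def find_gaps(register, today, max_review_age_days=365):
    """Return (process, gap) pairs where the register lacks audit evidence
    or where IT recovery capability does not meet the business target."""
    gaps = []
    for row in register:
        name = row["process"]
        if not row["owner"].strip():
            gaps.append((name, "no named owner"))
        if not row["manual_procedure"].strip():
            gaps.append((name, "no manual procedure"))
        # Worst-case data loss equals the time between two backups.
        if row["backup_interval_minutes"] > row["rpo_minutes"]:
            gaps.append((name, "backup interval exceeds RPO"))
        restore = row["tested_restore_hours"]
        if restore is None:
            gaps.append((name, "restore never tested"))
        elif restore > row["rto_hours"]:
            gaps.append((name, "tested restore exceeds RTO"))
        if (today - row["last_review"]).days > max_review_age_days:
            gaps.append((name, "review older than one year"))
    return gaps

if __name__ == "__main__":
    for process, gap in find_gaps(REGISTER, today=date(2024, 6, 1)):
        print(f"{process}: {gap}")
```

A tested restore time that exceeds the RTO is the IT-versus-finance mismatch in measurable form: the business target was set, but the recovery capability was never compared against it.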
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your list of critical business processes? Which activities would cause your business the most damage if they stopped for 1 hour, 4 hours, 1 day?"
- "What is your Recovery Time Objective (RTO)—how long can each critical process be down before unacceptable damage occurs?"
- "Walk me through what you would do manually if your primary system for [critical process, e.g., invoicing] crashed right now. Who would do it, what document would you use, how long would it take?"
- "When was your Business Continuity Plan last reviewed and updated? Can you show me the date and sign-off?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store your Business Continuity Plan document with version control and review dates | Google Docs (free tier) with shared access and comment history, or LibreOffice Writer | Microsoft 365 (₹2,400–6,000/year per user) for Word with track changes |
| Map critical processes, dependencies, and recovery procedures in a visual format | Lucidchart (free tier for 1–3 diagrams) or draw.io (fully free, open-source) | Lucidchart (₹8,000–15,000/year), Visio (one-time or Microsoft 365) |
| Track and schedule annual Business Continuity reviews, drills, and plan updates | Google Calendar (free) or Trello (free tier for simple task tracking) | Asana (₹80–200/month) or Monday.com (₹1,500–3,000/month) for formal project management |
- Listing 'everything is critical' instead of truly prioritizing—if 10+ processes are equally critical, you have not done the hard thinking and your plan is useless during a real crisis.
- Creating the plan once and never updating it—when your business adds a new product line or key customer, the critical process list becomes outdated and irrelevant within 6 months.
- Focusing only on IT systems and forgetting manual workarounds—a mid-size manufacturing firm in Gujarat assumed only ERP was critical but ignored that without a manual purchase order process, they could not buy raw materials even if servers were restored in 24 hours.
- Not documenting Recovery Time Objectives (RTO) with business input—IT assumes 4 hours is acceptable recovery, but finance needs invoices issued within 2 hours or cash flow breaks; this mismatch causes expensive infrastructure that does not match actual need.
- Never testing the plan with actual staff—on paper you say 'branch manager will manually process invoices,' but that manager has never done it, does not know the procedure, and takes 3 times longer in a real crisis.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Reasonable Security), Section 4(12) (Security of Personal Data) |
| CERT-In 2022 Rules | Guideline 3 (Incident Response and Business Continuity) |
| ISO 27001:2022 | Clause 8.2 (Business Continuity Planning and Testing), Annex A 17.1 (Planning of information security continuity) |
| NIST CSF 2.0 | Govern Function GV.RR (Recovery and Resilience), Respond Function RC.CO (Coordination) |