BCR-03 Business Continuity & Resilience (4% of OML score)

Does the business have a basic plan to continue operations during major disruptions?

Do you have a written plan that explains how your business will keep running if something major goes wrong—like a power failure, internet outage, or key staff member leaving suddenly? This plan should say who does what, where backups are kept, and how quickly you can get back to work.

Why This Matters to Your Business

Without a basic continuity plan, a single disruption can paralyze your entire business for days or weeks, causing you to lose customers and revenue. For example, a Delhi manufacturing business that lost internet for 48 hours could not access its inventory system, could not fill orders, and lost ₹5 lakhs in sales plus a key client who switched suppliers. If you cannot prove to auditors or major customers (like e-commerce platforms or banks) that you have a plan to recover quickly, they may reduce your rating or ask you to find another supplier. Additionally, regulatory bodies increasingly expect even small businesses to have basic disaster recovery plans.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written plan at all. When the power goes out or someone critical leaves, people panic and wait for instructions with no clear idea of what to do.

Level 1
Initial

You have a single document that lists critical systems and key contact numbers, but it is not detailed, not tested, and not regularly updated. It sits in a drawer and nobody really knows what to do with it.

Level 2
Developing

You have a written one-page plan that names who is responsible for what (e.g., IT person restores backups, office manager calls customers, owner handles vendors), identifies your most critical business functions, and lists where your backups are kept. The plan has been shared with relevant staff but has not been tested yet.

Level 3
Defined

Your plan includes clear roles, contact lists, backup locations, and step-by-step recovery procedures for your top 3–5 critical processes. You have tested the plan at least once in the last 12 months and fixed the issues you found. All relevant staff know their responsibilities.

Level 4
Managed

Your plan is detailed, tested every 6 months, and includes recovery time targets (e.g., email back up within 2 hours, accounting system within 4 hours). You maintain offsite backups, have documented procedures for each critical system, and conduct quarterly reviews with staff to keep it fresh.

Level 5
Optimised

Your plan is comprehensive, tested quarterly, regularly updated based on changes in your business, and integrated with your IT security practices. You maintain multiple backup copies in different locations, have alternative suppliers or manual processes ready, measure actual recovery times, and train new staff on the plan as part of onboarding.

How to Move Up — Practical Steps

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Write a simple one-page document listing: (a) your top 5 critical business functions (e.g., email, accounting, inventory, customer orders, payroll); (b) the person responsible for each; (c) where your backups are stored; (d) emergency contact numbers for key staff and IT support. | Business owner or IT person | 1 day |
| 1 → 2 | Expand the document to include step-by-step recovery procedures for each critical function (e.g., 'If internet is down, switch to mobile hotspot and notify customers of delays'). Share it with all relevant staff and get written acknowledgment that they have read it. | IT person with input from department heads | 1 week |
| 2 → 3 | Test the plan by simulating a disruption (e.g., unplug the main internet connection for 1 hour) and follow the recovery steps. Document what went wrong, what worked, and update the plan accordingly. Brief all staff on lessons learned. | IT person with management oversight | 2–4 weeks (including planning and testing) |
| 3 → 4 | Add recovery time targets (RTO—how fast must you recover, e.g., 2 hours) and recovery point targets (RPO—how much data loss is acceptable, e.g., maximum 1 hour of lost transactions) for each critical system. Set up automated offsite backups and document them. Review and test the plan every 6 months. | IT person and business owner | 1–2 months (including automation setup) |
| 4 → 5 | Integrate the continuity plan with your overall IT security strategy, update it quarterly based on business changes, establish alternative manual processes or backup suppliers, conduct tabletop exercises (team discussions of 'what if' scenarios), and measure actual recovery times in tests to confirm your RTOs are realistic. | IT person, department heads, and business owner | Ongoing (quarterly reviews, 4–8 hours per quarter) |
Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Business Continuity Plan document (even if just 1–2 pages), dated and signed by the owner or senior manager
  • List of critical business functions ranked by importance, with recovery time targets (RTO) and recovery point targets (RPO) for each
  • Documented contact list for emergency staff, IT support, key vendors, and major customers with phone numbers and email addresses
  • Record of at least one plan test or simulation, including a summary of what was tested, the date, and any issues found and fixed
  • Backup verification log showing that backups are being taken regularly (daily or weekly), stored offsite, and tested to confirm they can be restored
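As an added illustration (not part of the NIRMATA guide), the check below reads a constructed backup verification log of the kind listed above and tests each critical system against the RTO and RPO targets from the 3 → 4 step: is the latest good backup fresher than the RPO, is it stored offsite, and did the last restore test finish within the RTO? The log format, system names and target values are assumptions made for this example.

```python
from datetime import datetime
# Constructed recovery targets per critical system, in hours (sample values, not real data).
TARGETS = {"email": {"rto_h": 2, "rpo_h": 24},
           "accounting": {"rto_h": 4, "rpo_h": 1},
           "inventory": {"rto_h": 8, "rpo_h": 24}}
# Constructed backup verification log: timestamp | system | event | status | detail
BACKUP_LOG = """\
2024-05-01T02:00 | email      | backup  | ok   | offsite=yes
2024-05-01T02:10 | accounting | backup  | ok   | offsite=yes
2024-04-28T02:00 | inventory  | backup  | ok   | offsite=no
2024-05-01T02:15 | inventory  | backup  | fail | disk full
2024-04-15T10:00 | email      | restore | ok   | recovery_h=1.5
2024-03-02T11:00 | accounting | restore | ok   | recovery_h=6.0
"""
NOW = datetime(2024, 5, 1, 9, 0)  # fixed "current time" so the sample run is reproducible

def parse_log(text):
    # Pipe-separated fields; key=value pairs in the detail column become a dict.
    entries = []
    for line in text.strip().splitlines():
        ts, system, event, status, detail = [f.strip() for f in line.split("|")]
        kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        entries.append({"ts": datetime.fromisoformat(ts), "system": system,
                        "event": event, "status": status, "detail": kv})
    return entries

def check_system(system, target, entries, now):
    # Returns a list of findings; an empty list means the system meets its targets.
    findings = []
    ok = [e for e in entries if e["system"] == system and e["status"] == "ok"]
    backups = [e for e in ok if e["event"] == "backup"]
    if not backups:
        findings.append("no successful backup on record")
    else:
        latest = max(backups, key=lambda e: e["ts"])
        age_h = (now - latest["ts"]).total_seconds() / 3600
        if age_h > target["rpo_h"]:  # everything since the last good backup would be lost
            findings.append(f"latest good backup is {age_h:.1f}h old, exceeds RPO {target['rpo_h']}h")
        if latest["detail"].get("offsite") != "yes":  # same-site backups die with the site
            findings.append("latest good backup is not stored offsite")
    restores = [e for e in ok if e["event"] == "restore"]
    if not restores:
        findings.append("no successful restore test on record")
    else:
        recovery_h = float(max(restores, key=lambda e: e["ts"])["detail"].get("recovery_h", "inf"))
        if recovery_h > target["rto_h"]:  # the measured recovery time is the real RTO evidence
            findings.append(f"measured recovery {recovery_h}h exceeds RTO {target['rto_h']}h")
    return findings

def audit(targets=TARGETS, log_text=BACKUP_LOG, now=NOW):
    return {s: check_system(s, t, parse_log(log_text), now) for s, t in targets.items()}
```

Running `audit()` on the sample log flags the accounting system because its nightly backup cannot meet a 1-hour RPO and its last restore took 6 hours against a 4-hour RTO, and flags inventory on all three counts; a failed backup run is ignored when judging backup freshness.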
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your business continuity plan. When was it last updated and tested?"
  • "If your main internet connection went down right now, how long would it take you to get back online, and what would you do in the meantime?"
  • "Where are your backups stored, and how do you know they actually work? When did you last try to restore from a backup?"
  • "Who is responsible for executing this plan, and have they been trained or briefed on their role?"
  • "What happens to critical customer data during a disruption, and how do you ensure it is not lost?"
Tools That Work in India

| Purpose | Free Option | Paid Option |
|---|---|---|
| Document and store your continuity plan in a shared, version-controlled way so all staff can access it and see updates | Google Docs or LibreOffice (open source), Microsoft OneDrive free tier (up to 5 GB) | Microsoft 365 Business Basic (₹3,600–5,000/year per user) or Notion (₹3,000–5,000/year) |
| Automatically back up your critical files and databases to an offsite location so you can recover them if your main server fails | Bakaup, Duplicati, or Veeam Community Edition (for servers) | Acronis True Image (₹4,000–6,000/year), Carbonite (₹6,000–10,000/year), or AWS S3 (₹500–3,000/month depending on data volume) |
| Test and document that your backups can actually be restored, and keep a log of backup success/failure | Manual monthly restore tests (documented in a spreadsheet) or open-source monitoring tools like Grafana | Veeam One (₹20,000–50,000/year) or Commvault (enterprise, typically ₹100,000+/year) |
How This Makes You More Resilient
When you have a clear continuity plan and working backups, a major disruption that could have cost you ₹10 lakhs and lost customers now costs only ₹1–2 lakhs and takes hours instead of days to recover from. Your customers and auditors see that you are serious about protecting their data and your business, making them more likely to trust you and stay with you during tough times.
Common Pitfalls in India
  • Creating a plan but never testing it, so when a real disruption happens, you discover the plan is outdated, backups are corrupt, or staff don't know what to do. Test at least once every 6–12 months.
  • Keeping all backups in the same physical location as your main systems (e.g., all servers in the same office). If there is a fire, flood, or theft, both your live data and backups are lost. Always keep one backup copy offsite—use cloud storage or send a hard drive to another location.
  • Focusing only on IT recovery and forgetting about business process continuity (e.g., how to process orders manually if the system is down, how to communicate with customers, who pays staff if the bank is unreachable). A complete plan covers both IT and manual workarounds.
  • Assuming that a backup service you use will handle continuity for you without documenting your own plan and testing it. Vendors can go down, delete your backups by mistake, or have different SLAs than you expect. You are responsible for your own recovery.
Compliance References

| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2)(b)—reasonable security measures to protect personal data; Section 8(3)—data processing agreements with vendors |
| CERT-In 2022 | Direction 7—Organizations must have a documented incident response plan and business continuity measures |
| ISO 27001:2022 | Clause 8.14—Backup and recovery procedures; Clause 8.16—Operational resilience |
| NIST CSF 2.0 | Govern (GV.RR–Recovery and Resilience oversight); Detect (DE.AE–Anomalies and events detected and analyzed) |


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
