At 2:49 a.m. Eastern on October 20, 2025, a DNS failure in Amazon’s DynamoDB service began cascading through AWS’s us-east-1 region, and roughly 1,000 platforms went down with it: Snapchat, Venmo, Reddit, Coinbase, plus check-in systems at Delta and United. Recovery took about 15 hours.
Companies with no AWS contract lost their morning anyway, through payment processors and logistics tools they had never mapped. What should a business continuity plan include so that morning goes differently? Nine components, and this checklist walks each one, in the order the plan needs them, starting with the people who own it.
| What Should a Business Continuity Plan Include: Key Takeaways |
| A business continuity plan should include nine components: governance and roles, risk assessment, business impact analysis, recovery strategies, response and activation, communication, IT disaster recovery, training and exercising, and maintenance. |
| The October 20, 2025 AWS us-east-1 outage disrupted roughly 1,000 platforms for about 15 hours; the plans that included a cloud-outage annex activated, and the rest improvised. |
| The business impact analysis is the component the other eight depend on: it ranks critical functions and sets the RTO and RPO targets every strategy must meet. |
| Activation needs defined triggers, not judgment calls made at 3 a.m.; write the thresholds, the escalation path, and the command structure before the event. |
| Scenario annexes turn one generic plan into a usable one: hurricane, cyber and cloud outage, pandemic, utility failure, and key-supplier loss each need their own page. |
| Rate the finished plan against the business continuity maturity model, then let exercises and trigger-based reviews keep every component current. |
The components are not new; ISO 22301 and its guidance companion ISO 22313 have carried them for years. What changed is the testing standard: October 20 was a live exam, and CyberCube priced the insured losses at up to $581 million.
The Nine Components a Business Continuity Plan Should Include
Start with the full list, then build depth section by section. Each component is on the list because a real failure mode punishes its absence, and the key elements of business continuity management map the same territory from the management-system side.

Figure 1. The nine components a business continuity plan should include; the sections below take each one in turn.
| Component | What it contains | It proves itself when |
| Governance and roles | Sponsor, coordinator, teams, RACI, escalation | Decisions get made in minutes, not meetings |
| Risk assessment | Scored threats: natural, cyber, supply chain, people | The scenario that hits was already on the list |
| Business impact analysis | Critical functions, dependencies, RTO/RPO/MTPD | Recovery money flows to the right functions first |
| Recovery strategies | Alternate sites, failover, workarounds, mutual aid | An option exists instead of an intention |
| Response and activation | Triggers, thresholds, command structure | The plan starts at 3 a.m. without a debate |
| Communication plan | Contact trees, stakeholder scripts, media protocol | Customers hear from you before the news does |
| IT disaster recovery | Backups, restore sequence, DR sites, cloud plans | Systems return in dependency order, tested |
| Training and exercising | Role-based training, drill ladder, findings log | People execute procedures they have rehearsed |
| Maintenance and review | Triggers, annual cycle, version control | The plan still matches the current organization |
Score the finished set before an incident does. The business continuity maturity model grades each component from ad hoc to optimized, and a maturity gap on paper is far cheaper to discover than the same gap live. Most departments score unevenly, strong on recovery strategies and weak on maintenance.
Why What a Business Continuity Plan Includes Decided October 20
The outage sorted organizations by the contents of their plans. Teams whose business continuity plan included a cloud-region annex failed over or shifted to documented manual workarounds; teams whose plan stopped at fire and flood spent the morning discovering which vendors sat on us-east-1.
The Business Continuity Plan Numbers From One Morning

Figure 2. One morning as a test suite: the October 2025 AWS outage stress-tested every component a business continuity plan should include.
ThousandEyes’ analysis traced the cascade from one DNS race condition through dozens of dependent AWS services, which is the dependency-mapping lesson in miniature. Uptime Institute’s outage research adds the financial floor: most significant outages now cost their victims over $100,000.
Regulators read from the same list. FINRA Rule 4370 tells US broker-dealers what their written plan must address, the FFIEC handbook does it for banks, and HIPAA’s contingency requirements cover healthcare, so the components below double as an examination checklist when the request-for-evidence letter arrives.
One practitioner test beats any statistic: pull the contact tree and dial the first five numbers. In our assessment work the tree fails more often than the technology does, and it is the cheapest component on the whole business continuity plan checklist to fix.
Governance: Who Runs the Business Continuity Plan
Component one is people with authority. Build the planning team from IT, HR, facilities, operations, and finance, add vendor and customer representatives where dependencies justify it, and give the structure three layers so decisions, budgets, and daily work each have an owner.

Figure 3. The governance layer of the business continuity plan: authority flows down, exercise findings flow back up.
| Role | Owns | Fails without it |
| Executive sponsor | Budget, escalation, board reporting | The program starves quietly |
| Steering committee | Appetite, plan approval, major spend | Decisions stall mid-incident |
| BC coordinator | The program day to day, drill calendar | Components drift out of date |
| IT DR coordinator | System recovery order and testing | Restores happen in the wrong sequence |
| Communications coordinator | Staff, customer, media notifications | Silence fills with speculation |
Write the escalation math into the risk appetite statement: which outage duration reaches the sponsor, which reaches the board. Ambiguity about who decides is itself a continuity risk, and it never appears on the register until an incident exposes it.
Fold the governance outputs into the wider risk program. Continuity exposures land on the corporate register through the enterprise risk management framework, which keeps the business continuity plan competing for budget on evidence rather than goodwill, and gives the sponsor a standing agenda slot at the risk committee.
Risk Assessment: What the Business Continuity Plan Should Include First
Component two catalogs what can interrupt the operations the business continuity plan protects. A business continuity plan risk assessment scores natural disasters, cyber-attacks, supply chain failures, utility outages, and human error by likelihood and impact, using the same ISO 31000 discipline as any step-by-step risk assessment.
Source the threat list from more than a workshop. Interviews and brainstorming find the known risks; qualitative and quantitative methods price them; and the ransomware scenarios documented in cybersecurity risk management belong on the list next to hurricanes, because the 2025 evidence says they arrive more often.
The Business Impact Analysis a Business Continuity Plan Depends On
Component three converts the threat list into priorities. The business impact analysis identifies critical processes, maps their dependencies across people, systems, and suppliers, and prices what an hour, a day, and a week of downtime cost each one. It is component three by number and component one by importance.
The BIA hands the business continuity plan three numbers per function. RTO caps how long the function may stay down, RPO caps the data loss measured back from the disruption, and MTPD marks the survival limit, with the difference between RPO and RTO deciding backup frequency and failover spend.
The financial impact evaluation carries the budget argument. Lost revenue, extra expense, reputational harm, and regulatory exposure per function justify each recovery investment, and dependency mapping catches concentrations like us-east-1 before the outage advertises them, including the vendors tracked in third-party risk management.
Recovery Strategies the Business Continuity Plan Must Include
Component four turns targets into options that exist before they are needed. Every strategy is a purchase decision against an RTO: the shorter the target, the more the option costs, which is why strategies come after the BIA rather than before it.
| Strategy | Fits when | Cost and readiness profile |
| Hot site / active failover | RTO under an hour, revenue-critical functions | Highest cost, near-instant cutover |
| Warm site | RTO measured in hours | Moderate cost, staged equipment |
| Cold site | RTO measured in days | Low cost, slow activation |
| Cloud failover, second region | Cloud-hosted workloads with tested runbooks | Pay-as-you-go, needs regular drills |
| Manual workarounds | Short outages of digital processes | Cheap, decays without practice |
| Mutual aid and vendor contracts | Specialized equipment or facilities | Contract cost, external dependency |
Continuity of operations planning stitches the options together: essential functions, the alternate facilities that host them, and the staffing that moves. FEMA’s continuity guidance frames COOP for private organizations as much as agencies, and Ready.gov publishes the small-business version of the same planning frame. For a fill-in starting point, this business continuity plan template for small business maps to the same components.
Implementation: Resourcing the Business Continuity Plan
Strategies only count once resources are assigned to them. Identify the services that keep operations alive during an emergency, including power, water, connectivity, vehicles, and people, then hand each one to a named team inside the business continuity plan, because a department in general is nobody in particular.
Procedures and protocols translate strategy into steps. Develop them with input from employees, customers, and suppliers, keep each one short enough to follow under stress, and review them whenever the business environment shifts, because a procedure written for last year’s org chart misleads this year’s responder.
Response, Activation, and Communication in the Business Continuity Plan
Component five is the switch. Activation protocols define the triggers that start the business continuity plan, the person empowered to pull it, and the command structure that stands up next, because the worst time to design an escalation path is during the event that needs one.
Write triggers as thresholds. A regional cloud outage exceeding thirty minutes, a facility inaccessible past four hours, or a confirmed ransomware detonation each activate specific annexes automatically, and the boundary drawn in incident response plan vs business continuity keeps the cyber trigger from being claimed by two plans at once.
Component six keeps every stakeholder informed while component five works. The communication plan holds contact trees, pre-drafted customer and staff scripts, media protocols, and the social channel decision, and it does its best work in the gap between your outage and your first statement.
Testing, Training, and Maintaining the Business Continuity Plan
Components eight and nine keep the rest of the BCP true. Role-based training gives every employee their specific responsibilities, exercises climb from tabletop discussions through functional drills to full-scale simulations, and each finding is documented with dates, participants, and results, then tracked to closure.

Figure 4. The four-phase cycle that produces and renews the business continuity plan: exercise findings feed the next BIA round.
Maintenance runs on triggers plus a calendar floor. Reorganizations, new systems, vendor changes, and every live incident force an update, how often risk assessments should run sets the annual minimum, and a small key risk indicator set flags drift: drills overdue, findings aging, contact lists bouncing.
Documenting Business Continuity Plan Training and Tests
Documentation converts training into evidence. Record dates, event types, participants, results, feedback forms, and questionnaires for every session and drill, because examiners and certifiers request exactly this file, and a BCP exercise that produced no paper never happened as far as an auditor is concerned.
Scenario Annexes the Business Continuity Plan Should Include
Generic plans fail on specifics, so the final content layer is a short annex per scenario, and a worked business continuity plan example for a dental practice shows how granular these get. Each annex names its trigger, its first-hour actions, and the recovery path, and the 2025 evidence argues for adding cloud concentration to the classic three.
| Scenario annex | Must specify | Example trigger |
| Hurricane / flood / quake | Evacuation, facility protection, remote work switch | Named storm within 72 hours |
| Cyber-attack and ransomware | Isolation steps, offline backups, notification clock | Confirmed encryption event |
| Cloud or SaaS regional outage | Failover runbook, manual workarounds, vendor comms | Provider region down over 30 minutes |
| Pandemic / workforce loss | Remote policies, cross-training, PPE and safety | Public health emergency declared |
| Utility or key-supplier failure | Backup power, alternate suppliers, rationing rules | Outage or supplier default past 4 hours |
CISA’s resilience guidance covers the infrastructure scenarios, and NIST SP 800-34 plus ISO/IEC 27031 give the IT annexes their structure. The pandemic annex, written in anger in 2020, mostly needs pruning rather than invention now, and every annex should fit on two pages or responders will not read it.
Your Business Continuity Plan Questions Answered
What are the essential components a business continuity plan should include?
Nine components cover it: governance and roles, a risk assessment, a business impact analysis, recovery strategies, response and activation protocols, a communication plan, an IT disaster recovery plan, training and exercising, and a maintenance cycle. Emergency contacts and scenario annexes round out the working document.
What key roles does a business continuity plan assign?
An executive sponsor with budget authority, a steering committee for decisions, a business continuity coordinator running the program, an IT disaster recovery coordinator sequencing system restores, and a communications coordinator handling stakeholders. Crisis management and business recovery teams execute during an activation.
How does a business continuity plan differ from a disaster recovery plan?
The business continuity plan covers the whole organization: people, processes, facilities, suppliers, and communication. The disaster recovery plan is the IT subset that restores systems and data after an outage. The DRP nests inside the BCP as component seven of the nine, a boundary disaster recovery vs business continuity plan draws in detail.
What are the four phases of creating a business continuity plan?
Business impact analysis to rank functions and set recovery targets, risk assessment to score the threats, plan development to write strategies and procedures, and testing and maintenance to keep everything current. The phases loop: exercise findings feed the next BIA cycle.
What advantages does a business continuity plan provide?
It shortens downtime because recovery targets and options exist in advance, protects revenue and customer trust during disruptions, satisfies regulators from FINRA to HIPAA, and surfaces single points of failure early. The October 2025 AWS outage separated planned recoveries from improvised ones inside an hour.
What belongs on a business continuity plan review checklist?
Confirm alignment with objectives and risk appetite, verify completeness against the nine components, check the exercise log and finding closures, validate regulatory compliance, and test that contact trees still reach people. Date the review and version the plan so the audit trail survives staff turnover.
Business Continuity Plan Red Flags to Watch
A business continuity plan can hold all nine components and still fail on quality, so inspect for the patterns below. Each red flag pairs with the fix that restores the component to working order before an incident finds it first.
| Red flag | Root cause | Fix |
| Plan lives only in IT | Continuity mistaken for disaster recovery | Executive sponsor plus all-unit planning team |
| No BIA behind the priorities | Recovery order set by opinion | Function-level BIA with RTO/RPO evidence |
| Triggers left to judgment | Nobody wants to over-activate | Written thresholds with named authority |
| Cloud absent from scenarios | Hazard list stuck in the 2010s | Cloud and SaaS annex with failover runbook |
| Contact lists stale | Maintenance without ownership | Quarterly tree test wired to a KRI |
| Exercises never escalate | Tabletops feel safe and sufficient | Climb to functional and full-scale on a calendar |
The Business Continuity Plan Horizon: 2026-2027
Cloud concentration now heads the scenario list. One region failing for 15 hours reached airlines, banks, and hospitals simultaneously, and boards that read the CyberCube estimate are asking whether their own business continuity plan includes a multi-region answer or just a hope.
Regulatory expectations keep hardening into evidence requests. Examiners working from the FFIEC handbook ask for exercise logs and finding closures, SOC 2 availability audits under AICPA criteria reach SaaS vendors, and dated documentation beats confident narrative in every one of those reviews.
Third-party continuity is becoming the harder half of the plan. Your recovery now depends on vendors’ recoveries, so contracts increasingly carry continuity clauses, tested-exit requirements, and evidence rights. The BIA dependency map decides which suppliers get those clauses written in first.
The nine business continuity plan components have not changed since ISO 22301 codified them. What changed is how often they get examined by real events, and October 20, 2025 was simply the largest recent pop quiz; the next one is already scheduled, just not announced.
Complete Your Business Continuity Plan with Risk Publishing
Risk Publishing helps US risk and continuity teams build every component a business continuity plan should include, from the planning process and plan build through the management system and register integration behind it. Explore our services, or contact us and we will start with the component your last incident exposed.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.