Industry Insights, 28 April 2026. By ISO Xpert Team. Last updated 28 April 2026.

Why Your Business Continuity Plan is Probably a "Paper Exercise"—And How to Fix It

1. Introduction: The Illusion of Preparedness

In my experience as an ISO Lead Auditor, I have reviewed countless Business Continuity Management Systems (BCMS) that look perfect on a computer screen but crumble under the slightest scrutiny. Organizations often pride themselves on high-level policies and binders full of strategies, yet they fall into a dangerous trap: the illusion of preparedness. They mistake leadership "endorsement in principle" for actual "support in practice."

Clause 7.1 of ISO 22301 is the ultimate reality check for this illusion. As an auditable requirement, it asks a blunt and decisive question: Has the organization provided what is actually needed to make business continuity work? Without resources—the people, the technology, and the funding—your plan is a work of fiction. From an auditor's perspective, policies are useless if the organization hasn't determined and provided the specific resources required to meet its recovery objectives.

2. Your BCMS is a "Paper Exercise" Without Resources

Clause 7.1 serves as the essential bridge between Clause 5 (Leadership) and the functional reality of recovery. It demands that an organization determine and provide resources for the entire lifecycle of the BCMS: establishment, implementation, maintenance, and continual improvement.

The most common point of failure I see is the "assumption trap." Organizations often assume staff will be available or that infrastructure will magically exist during a crisis without ever formally identifying these needs. In the eyes of an auditor, resources must be determined through logic and evidence—specifically via your Business Impact Analysis (BIA) and Risk Assessment—rather than just assumed. A failure to align these resources with your stated objectives often results in a Major Nonconformity, as insufficient resourcing guarantees the BCMS will fail when it is needed most.

"A BCMS without resources is a paper exercise."

3. Budget Decisions are the Ultimate Proof of Commitment

While ISO 22301 does not strictly mandate a standalone "Business Continuity" line item in your general ledger, auditors use financial allocation as the primary evidence of leadership commitment. Whether it is funding for redundant infrastructure, specialized software tools, or specialist consultancy, budget decisions reveal where an organization’s true priorities lie.

I often hear the excuse that there is "no budget" for specific continuity measures. As an auditor, I only accept "no budget" if the organization’s Risk Assessment formally justifies it. If a critical gap remains unfunded despite a high risk of disruption, it is a clear signal that the BCMS is not a genuine priority. Funding must align with risk; if it doesn't, you aren't managing continuity—you are gambling.

"Budget decisions reveal real priorities."

4. The "Hero" Trap: One Person Cannot Be the Entire System

The "People" component of Clause 7.1 is frequently where organizations are most vulnerable. I regularly encounter systems that suffer from "single-point dependency," where the entire BCMS relies on one dedicated "hero."

A resilient system requires a realistic distribution of workload. This includes not just the BCMS manager, but also Internal Auditors, Technical Recovery Staff, incident management teams, and plan owners. Lead Auditors specifically look for the existence of defined deputies and alternates. If your recovery plan depends on a specific individual who might be unavailable during a widespread regional crisis, your plan is flawed. One person cannot realistically run an enterprise-wide BCMS alone; the system must be staffed to survive even when key individuals are missing.

"One person cannot realistically run an enterprise-wide BCMS alone."

5. Infrastructure and Technology are Risks if Untested

Infrastructure and technology resources are more than just backup servers. Clause 7.1 requires that these resources be suitable and available. This includes physical security measures and basic utilities—such as power, water, and HVAC—that support your recovery sites.

Auditors focus heavily on the alignment between these resources and your Recovery Time Objectives (RTOs). An alternate site that is perfectly equipped but cannot be accessed during a disaster is not a resource; it is a liability. Similarly, technology solutions like data replication or cyber resilience capabilities that have never been tested to verify they meet the required recovery window will be flagged. We look for maintenance and readiness, not just a line item on an inventory list.

"Technology promised but untested is a continuity risk."

6. The Auditor’s Secret Weapon: Traceability

To identify nonconformities, auditors utilize the "Traceability Audit Technique." This is a logical chain that we follow to see if your system holds water:

As an auditor, I care far more about the logic and evidence behind how you determined your resources than the specific software or template you used. To test this, I often use interviews with IT and Facilities leads. Inconsistent answers between what the BCMS manager claims is available and what the Facilities lead says is maintained are a massive red flag. If the chain breaks at the "Resources" step, you have failed to meet Clause 7.1.

7. Conclusion: From Paper to Practice

Organizational resilience is not a static state achieved by writing a document; it is a continuous commitment. This is why Clause 7.1 must be viewed through the Plan-Do-Check-Act (PDCA) cycle. You must identify resources (Plan), provide them (Do), review their adequacy through exercises (Check), and adjust as your risk profile changes (Act).

Adequacy and suitability matter far more than the sheer quantity of resources. As you evaluate your own program, ask yourself: If a disruption occurred tomorrow, would your recovery depend on resources that exist only in your documentation, or resources that are funded, tested, and ready to deploy? If the answer is the former, your plan is just paper—and the audit will reflect that.
