How to ensure business continuity in an organization in the event of a disruptive incident

Gonzalo Sanz Segovia | 04/02/2026

In light of the increase in disruptive incidents that can severely affect organizations, business continuity management is becoming increasingly important within the strategic plans of organizations.

Business continuity management is a process that helps organizations identify potential threats and the impact they could have on critical business functions. It also establishes a framework to ensure that those operations can continue or be quickly restored during and after a disruptive incident.

On Monday, April 28, 2025, an unprecedented power outage occurred in Spain, triggering a national crisis that affected millions of people and businesses across the country. Hours after the blackout, it became clear that numerous companies—including some considered “essential”—were forced to shut their doors due to their inability to maintain operations and services. In contrast, others, such as public and private hospitals, certain hotel groups, supermarkets, shopping centers, and a number of industrial facilities, managed to sustain at least minimum services, highlighting significant differences in their ability to respond to the emergency.
The rapid response and the minimization of disruptions were made possible thanks to the availability of generators and UPS systems at multiple locations; ISO 22301 certification, for example, in numerous hospitals; the migration of critical information to the cloud with guaranteed remote access; and the implementation and periodic review of drills and crisis plans that ensured effective preparedness for contingencies.
A Business Continuity (BC) system and plan enables companies to anticipate and respond effectively to unforeseen situations, such as a prolonged power outage, ensuring the continuity of essential operations and services during those critical moments.

What is meant by ‘Business Continuity,’ ‘Business Continuity Management System’ (BCMS), and ‘Business Continuity Plan’ (BCP)?

According to ISO 22301:2020 (International Standard that establishes the requirements for a Business Continuity Management System [BCMS]):

• Business Continuity (BC): Ability of an organization to continue providing products and services within acceptable deadlines, with a predefined capacity, during a disruption.
• Business Continuity Management System (BCMS): Framework that helps an organization identify potential threats, manage their impact, and ensure that it can operate continuously, or recover quickly, after a disruptive incident.
• Business Continuity Plan (BCP): A series of documented procedures and strategies aimed at ensuring that an organization can maintain its essential operations during a contingency and recover as soon as possible, reducing the losses that may arise from such disruption.

How are companies affected by an incident?

Organizations may be affected, among others, by:
• Direct or indirect damage to assets.
• Reduction or interruption of activity and the resulting financial loss.
• Difficulty in recovering operations, which may even lead to a full shutdown.
• Damage to reputation and loss of confidence among suppliers and customers.
• Non-compliance with regulations and, as a result, possible penalties.

Why implement a Business Continuity System and Plan? Purpose of the Business Continuity Plan:

Among the objectives and benefits of implementing a Business Continuity Management System are greater organizational resilience through the development and maintenance of plans that ensure the continuity of critical operations; the reduction of economic losses and costs associated with disruptions; the protection of reputation by maintaining the trust of customers and stakeholders; competitive advantages, as it allows the organization to stand out from competitors by demonstrating its ability to manage crises; and regulatory compliance, which helps meet requirements and contractual obligations, avoiding penalties.

The Business Continuity Plan does not aim to immediately restore 100% of the company’s productive and financial capacity. Its primary objective is to ensure the survival of the business under “minimum acceptable conditions,” guaranteeing that critical operations continue and preventing the organization from being severely compromised, while gradually recovering over time.

Key components for the implementation of a Business Continuity Management System and Plan:

Implementing a business continuity management system requires 5 main phases:

Integration within the organization. Consider the business culture and establish the company policy, scopes, roles associated with the process and responsibilities, authorities/governance, the objectives, etc.
Analysis and assessment of the inherent risks to the processes and organizations. Identification of the potential threats that could disrupt the organization’s activity and the possible impacts.
Design of the solutions according to the prioritized risks found. Response planning / Incident Response / Disaster Recovery.
Implementation of plans for loss reduction. Training and awareness.
Validation and maintenance of the system and the business continuity plan testing, validation, and maintenance.

There are different approaches to implementing a Business Continuity Management System, including the UNE-EN ISO 22313:2020 “Security and Resilience – Business Continuity Management Systems – Guidelines for the Application of ISO 22301” (an international standard that sets out the requirements for a Business Continuity Management System) and best practice guides, such as the guide developed by the Business Continuity Institute (BCI) in London.

Below is a general table that shows, as an example, the procedures and strategies that make up a business continuity management system and plan:

Types of threats within an organization and their possible impacts

The types of incidents that can affect an organization are diverse and must be analyzed individually. This analysis will depend, among other factors, on the type of activity, business area/market, the size of the company, its geographical location, as well as the characteristics of its providers and customers.

In general, among the incidents that can affect a company are the following:

Fires/explosions/lightning strikes/machinery breakdown.
Natural disasters, such as earthquakes, flooding due to heavy torrential rains or runoffs, flooded areas or areas close to rivers or the sea, hail, etc.
Geopolitical instability (armed conflicts, diplomatic tensions, abrupt changes in foreign policies, economic sanctions, or social movements).
Global financial
Power outages for one or more days.
Supply chain incidents, or supply chain failures.
Technological and Cyber Incidents.
Workplace accident, an infectious outbreak, or a food poisoning affecting one or more individuals with specific assigned tasks.
Events caused by social risks, such as organized or deliberate disruptions (strikes, riots), sabotage, terrorism, etc.

From a business perspective, once incidents are identified, it is advisable to classify them into different levels according to their impact: those causing minor shutdowns or losses, those generating significant disruptive effects, those compromising operational continuity, and those causing destructive damage.

To do this, two analysis techniques are used: the Business Impact Analysis (BIA) and the Risk Assessment (RA).

The Business Impact Analysis estimates the impacts of a disruption over time to determine the organization’s response, recovery priorities, and resource requirements.
The Risk Assessment identifies the level of risk for interruptions to the organization’s priority activities.

The results of the BIA and RA are used as inputs for the solution design phase of the BCMS. Therefore, the quality and outcomes of the BIA and RA processes are extremely important.

‘Action plans’ against a threat that may affect business continuity

Action plans, in the event of a disruptive incident (threat) affecting the business continuity of a company or organization, are strategic documents that define procedures, resources, and responsible parties to respond to unexpected events (asset damage, natural disasters, cyberattacks, technological failures, reputational crises). They focus on immediate response and rapid recovery to minimize the impact on the business. These action plans provide a structured response and prevent improvisation during critical moments following a disruptive event.

Among the action plans in the event of a disruptive incident affecting business continuity are:

Sometimes, the terms Emergency Plan (EP), Contingency Plan (CP), and Business Continuity Plan (BCP) are used interchangeably, although they are not the same. Below is a general and simple example illustrating the difference between them:

Emergency plan: series of actions contemplated to reduce or eliminate the incident.

For example: In the event of a fire in a plant’s main transformer, action to extinguish it using manual and/or automatic means to limit the damage.

Contingency plan: specific actions to minimize the impact of an adverse incident. Focuses on “what to do if X occurs.”

For example: In the event of a fire in the plant’s main transformer resulting in total damage and the partial or total shutdown of activity, the transformer would be replaced with a new one in good condition. This would save at least a few hours and up to several days.

The Business Continuity Plan ensures that the organization can continue operating (even if partially) during and after a serious incident. It defines how to maintain essential services; it includes strategies such as remote work, alternative suppliers, technological redundancy; it is activated in the case of prolonged events (natural disasters, cyberattacks, large-scale failures).

For example: In the event of a fire at the plant’s main transformer resulting in total damage and the partial or complete shutdown of operations, a Business Continuity Plan should include a contingency plan with a spare transformer in good condition and well-maintained. This backup transformer can replace the existing one and prevent any impact on the plant’s revenue loss.

Conclusion

Having a business continuity system and plan is key to ensuring the resilience and operational stability of an organization. Both allow anticipating risks, minimizing the impact of interruptions, protecting critical assets, and ensuring the rapid recovery of essential services. This combination strengthens the trust of customers and partners, complies with regulations, and ensures competitiveness in the face of any contingency.

Autoría del texto:

María Teresa Queralt

Senior Risk Engineer at MAPFRE Global Risks

Artículos

Ignasi Belda, director of AESIA: “Spain is designing AI governance in Europe”

Spain leads the way in the ethical supervision of AI in Europe with the creation of AESIA, the Spanish Agency for the Supervision of Artificial Intelligence (Agencia Española de Supervisión de la Inteligencia Artificial). This body is charged with implementing...

Mapfre Global Risks unveils its updated brand

The Mapfre Group is experiencing a historic moment. After undergoing an intense internal transformation process, we needed to reflect this evolution in our brand. Mapfre’s taking a decisive step forward to better project who we are to the world: a human, innovative...

The navigable route of the Arctic: opportunity or extreme risk

The Arctic route poses technical challenges, regulatory challenges, and insurance challenges, but offers an opportunity to streamline maritime trade and navigate geopolitical risks. We analyze the pros and cons of the journey with Inmaculada Pinel, senior Transport...

Más información

Category