Jamie Lees, Senior Business Resilience Consultant at Databarracks, examines what a supplier’s Business Continuity Plan can and cannot tell you, and why stronger assurance often depends on more than the document alone.
When an organisation wants to assess the resilience of a supplier, one of the first requests is usually for its Business Continuity Plan (BCP). That is a sensible place to start. A BCP is easy to request, straightforward to review and widely understood across procurement, risk and assurance teams. It can also provide useful initial context, showing how the organisation expects to respond to disruption, who is meant to do what, and how recovery is intended to be approached.
The problem begins when the BCP is treated as more than that. A plan can be informative, but it cannot on its own be taken as a direct view of capability. It can show how recovery is expected to work on paper. It cannot prove that the supplier can recover in the way you need, within the timeframe you need, under the pressures of a real incident.
That distinction matters most where supplier continuity oversight is unavoidable. Concentration risk, deep outsourcing and regulatory expectations all push organisations towards greater scrutiny. The question is not simply whether a supplier has a BCP. It is whether the approach set out in that plan addresses the risks you are concerned about, and whether there is enough supporting evidence to give confidence it would work in practice.
Why the BCP is a useful place to start
There are straightforward reasons why the BCP has become a standard request. It gives you something concrete to review, fits neatly into assurance processes and usually uses language that both buyers and suppliers recognise.
At its best, a BCP can tell you:
- How responsibilities are structured and who is expected to act
- How incidents are expected to be managed in principle
- How recovery is intended to be approached and sequenced
- Whether continuity appears to have been treated seriously or left as an afterthought
- Whether stated recovery objectives appear to align with your requirements
For some suppliers, and for some services, that may be enough to support a lighter-touch review. But that only works if you have already decided that this level of assurance is proportionate to the risk. If you have not, the document can appear to answer more than it really does.
What the BCP cannot tell you
The issue is not that the BCP is the wrong document to review. It is that the plan on its own does not show whether the underlying analysis, assumptions and recovery arrangements are sound.
A plan cannot tell you:
- Whether strategies have been tested against real capacity and constraints
- How competing priorities would be handled under pressure
- What has been left out, particularly where the most sensitive aspects are not shared
- Whether the organisation has put in place the arrangements and capabilities needed to meet those recovery objectives
That gap matters. A supplier may state recovery objectives that appear to align with your expectations, but that is not the same as showing they can actually achieve them. Describing how systems would be restored, suppliers would be replaced, or work would be redirected is not the same as demonstrating that the people, resources and dependencies behind those actions are genuinely in place.
That is why the BCP should be read as one part of the picture, not the whole of it. Where the risk justifies deeper scrutiny, you usually need some view of the analysis behind the plan as well, whether through Business Impact Analysis (BIA) information, an understanding of key dependencies, evidence of exercising, ownership and review, or discussion grounded in the service you rely on.
Why the BCP only shows part of the picture
There is a practical reason the picture is often incomplete. The more closely a BCP reflects how an organisation would respond to disruption, the more sensitive it becomes. A mature plan can reveal dependencies, trade-offs and points of weakness. That often means buyers are given something more limited, such as extracts, summaries or sanitised versions.
Where arrangements are less developed, plans are often generic and easier to share. Where they are more developed, suppliers are usually more cautious. The same applies to the material behind the plan. BIA information, dependency mapping and recovery assumptions may tell you more about whether the planning is sound, but they are also the things suppliers are least comfortable disclosing.
That also shapes behaviour. If detailed plans are requested as a matter of routine, suppliers have an incentive to produce documents that are easier to hand over rather than documents that are most useful in practice. It also creates handling issues, because material of this kind can end up being managed like standard procurement documentation, even though it may need tighter controls. For high-impact services, that level of disclosure may still be justified, but it usually needs a clearer review process and closer engagement with the supplier. For lower-risk or readily substitutable services, it may simply be more than is needed.
Where standards fit
One response to that gap is to require ISO 22301 certification. That can be a stronger control than reviewing a BCP in isolation, because it gives some assurance that a Business Continuity Management System (BCMS) exists, with governance, defined processes and external audit against a recognised standard.
But it also has limits. Certification does not tell you whether the supplier’s recovery capability matches your tolerance for disruption, or how priorities would be managed in the context of the service you depend on. It is evidence of a management system, not proof that a particular service will recover in the way you need.
It is also not always proportionate. Some suppliers run effective continuity arrangements without pursuing certification because the commercial case is not there. Making certification a blanket requirement can narrow the field without necessarily improving the quality of assurance.
Beyond the BCP
The real question is whether the level of assurance matches the level of risk.
If a service creates material concentration risk, supports important operations, or is difficult to replace, a deeper review may be justified. But that decision should be made before requesting detailed material, not after reviewing whatever happens to come back.
Start by defining what level of disruption is actually unacceptable to you, what recovery outcome you need from the supplier, and whether that justifies deeper scrutiny. Without that clarity, supplier review becomes abstract. You can see how recovery is intended to work, but not whether it meets your needs.
Where deeper scrutiny is genuinely needed, it usually has to be built into the relationship. That may mean contractual provisions, tighter handling arrangements, defined review points, and a clearer process for how sensitive material will be shared, reviewed and protected.
A supplier’s BCP remains a sensible place to start. But where the risk is material, real assurance comes from understanding not just the plan, but the analysis, capability and governance behind it.