BIA · BCP Authoring · DR Runbooks · Tabletop Programs

Business Continuity Planning Services
Strategy, BIA, and BCP · Aligned to ISO 22301 and NIST SP 800-34

A real continuity program starts with a Business Impact Analysis, derives defensible RTOs and RPOs, and produces a written BCP, system-by-system DR runbooks, and a tabletop exercise cadence that proves the plan works. On-Site Technology designs and authors that program for mid-market businesses, then partners with your IT team or ours to execute the technology underneath. Strategy delivered remotely across the United States; on-site activation support from our NJ HQ and FL office.

ISO 22301 aligned
NIST SP 800-34 Rev. 1
Remote nationwide
Regional activation NJ · NY · PA · FL
Request a Continuity Strategy Call
Tell us about your environment, regulators, and timeline. We will respond with a scoped proposal. We typically reply within 4 business hours.



    Quick Answer

    Business continuity planning services are consulting engagements that produce the strategy, written plans, and exercise programs a business needs to keep operating through a major disruption. The work begins with a Business Impact Analysis to quantify the cost of downtime per process, derives defensible Recovery Time and Recovery Point Objectives, then authors the Business Continuity Plan, system-level DR runbooks, and a tabletop exercise cadence aligned to ISO 22301, NIST SP 800-34 Rev. 1, and the FFIEC BCM Handbook. On-Site Technology delivers these engagements remotely for mid-market businesses across the United States, with regional engineering depth in Northern NJ, the NYC metro, Pennsylvania, and South Florida for on-site activation support. The technology that backs the plan, including image-based BCDR appliances and SaaS backup, lives in our companion Managed Backup & Disaster Recovery service.



    8–12 wk · Typical BIA and BCP cycle
    100% · Remote-delivered strategy, U.S. nationwide
    Annual · Tabletop exercise cadence we recommend
    24/7 · Activation hotline during a declared event


    Six Failure Modes We See Repeatedly

    Where Most BCDR Programs Fail

    A binder of policies is not a continuity program. The recurring failures are programmatic, not technical, and the auditors and insurers who underwrite this risk now look directly for these patterns. Each one has a fix that lives upstream of the technology.

    Plan-on-a-Shelf

    A 200-page BCP authored two years ago, signed by an executive who has since left, and never read since. In an actual incident, no one knows which system to bring up first or who has authority to declare. The plan exists for the auditor, not the operator.

    RTO/RPO Set in a Vacuum

    Recovery objectives picked by IT alone, without a Business Impact Analysis to back them. Often, finance accepts a 24-hour RTO for the ERP without knowing that the order desk loses six figures per hour offline. Defensible RTO/RPO comes from quantified business impact, not infrastructure preference.

    No Tested Runbook

    A BCP that says “restore from backup” is not a recovery procedure. A real DR runbook lists every system in dependency order, names the owner, specifies the credentials, and has been walked through end-to-end. Without it, recovery time depends on whichever engineer happens to be awake at 2 AM.

    Tabletop = Annual Lunch

    A once-a-year “tabletop” that is really a slide review with no injects, no time pressure, and no after-action report. NIST SP 800-84 sets a higher bar: scenario-driven discussion, escalating injects, captured decisions, and a documented gap list that feeds plan updates.

    Vendor Single-Point-of-Failure

    The plan assumes every third party stays up. In practice, the payment processor, the EHR vendor, the M365 region, or the upstream payroll provider takes a multi-day hit and the BCP has nothing to say about it. A real plan maps critical vendors and lists a workaround for each one.

    No BIA-to-Strategy Linkage

    Some businesses have a BIA. Others have a backup product. Almost no one connects the two. As a result, the recovery technology gets sized by salesperson, not by the impact analysis. Bridging that gap is the entire point of a continuity strategy engagement.



    Four Programmatic Deliverables

    What a Real BCDR Program Includes

    A continuity program lives in four written artifacts plus an exercise cadence that keeps them honest. Each one has an audience, a maintenance owner, and a place in the audit trail. We build all four, then teach your team to operate them.

    Business Impact Analysis

    The quantified foundation everything else rests on. We inventory critical processes, score impact across financial, regulatory, reputational, operational, and safety dimensions, then derive defensible MTPD, RTO, and RPO targets the executive team will actually sign.

    • Process inventory and ownership map
    • Multi-dimension impact scoring
    • Maximum Tolerable Period of Disruption
    • RTO and RPO derivation per process
    • Upstream and downstream dependency map

    Business Continuity Plan

    The written program that names who decides, who acts, and how the business runs while systems are down. Authored to ISO 22301 structure, sized to your business, and written so an on-call manager can actually follow it under pressure.

    • Governance, ownership, succession
    • Activation criteria and authority matrix
    • Communication tree and crisis comms
    • Critical vendor map with workarounds
    • Plan maintenance and review cadence

    Disaster Recovery Runbooks

    System-by-system recovery procedures, written to NIST SP 800-34 templates and ordered by dependency. Each runbook lists the named operator, the credentials path, the validation step, and the success criterion. Walked through end-to-end before sign-off.

    • Per-system step-by-step procedure
    • Dependency-ordered recovery sequence
    • Named operator and credential path
    • Dry-run protocol and evidence capture
    • Validation and success criteria

    Tabletop Exercise Program

    A NIST SP 800-84 aligned exercise cadence: facilitator-led discussion-based scenarios with timed injects, captured decisions, and a written after-action report that drives plan updates. Annual minimum; quarterly for regulated industries.

    • Scenario library across six threat classes
    • Facilitator and inject design
    • Discussion-based, functional, full-scale
    • After-action report and gap log
    • Plan-update feedback loop


    The OST BCDR Methodology

    From BIA to Tested Plan in Five Phases

    Mapped to the ISO 22301 BCMS lifecycle and the NIST SP 800-34 Rev. 1 contingency planning process. Phases run in sequence on first engagement, then loop annually for ongoing programs.

    Phase 1 · Discover

    Stakeholder interviews across operations, finance, legal, and IT. We scope the engagement, identify the steering committee, and inventory critical processes before any analysis work begins.

    Phase 2 · Analyze

    Business Impact Analysis plus risk assessment. We score impact, derive MTPD, RTO, and RPO per process, and run threat scenarios across cyber, physical, vendor, and key-person dimensions.

    Phase 3 · Design

    Strategy options memo: which processes get hot-site, warm-site, cold-site, or manual workaround treatment. Gap analysis against current technology. The technology bill of materials lives downstream in backup & DR.

    Phase 4 · Author

    Written BCP, DR runbooks, communication trees, vendor map, and executive summary. Draft, review with the steering committee, revise, and capture executive sign-off as the plan-of-record.

    Phase 5 · Exercise & Maintain

    First tabletop within 30 days of plan sign-off. Annual full simulation. Plan refresh on a documented cadence and after every actual incident, organizational change, or major vendor swap.



    Business Impact Analysis Methodology

    How We Derive Defensible RTO and RPO

    RTO and RPO numbers are a financial commitment, not an IT preference, and ISO 22301 Clause 8.2.2 plus the FFIEC BCM Handbook both require a Business Impact Analysis as the basis. Here is how we run that analysis end-to-end.

    Process Inventory and Impact Scoring

    We start with a structured workshop, then validate through individual process-owner interviews. Every critical process gets scored on five dimensions: financial loss per hour, regulatory or contractual exposure, reputational damage, operational disruption, and any safety implications. Quantitative where the data allows, qualitative where it does not.

    The output is a ranked list of processes with a defensible Maximum Tolerable Period of Disruption per process. MTPD is the outer bound, the point past which surviving the disruption stops being feasible. RTO sits inside MTPD with a safety margin; RPO is the data-loss tolerance, derived separately because the cost of stale data is rarely the same as the cost of being offline.

    Dependency Mapping

    A process never recovers in isolation. We map upstream dependencies (the systems and vendors a process needs to come back), peer dependencies (other processes that share resources), and downstream consumers (customers, regulators, integration partners). Dependency mapping is what turns a list of RTOs into a sequenced recovery plan.
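    As an added example (not the page's or On-Site Technology's own tooling), the following Python script works through the RTO derivation and dependency mapping described above on a constructed six-process inventory: each process's own RTO is taken as a fraction of its MTPD, then tightened to the strictest RTO of anything downstream of it, and the result is emitted as a dependency-ordered recovery sequence. The 25% margin, the process names, the MTPD hours and the dependency edges are all assumptions.

```python
# Added example, not from the original page: BIA inventory -> dependency-
# ordered recovery sequence. All names, hours, edges and the margin are
# constructed assumptions.

# Constructed inventory: process -> (MTPD in hours, upstream dependencies).
# A process cannot be back until every upstream dependency is back.
INVENTORY = {
    "order-desk": (8, ["erp", "payments"]),
    "erp": (24, ["directory", "database"]),
    "payments": (4, ["directory"]),
    "payroll": (72, ["directory", "erp"]),
    "database": (24, ["directory"]),
    "directory": (48, []),
}

RTO_MARGIN = 0.75  # RTO sits inside MTPD; a 25% safety margin is assumed


def derive_rto(inventory, margin=RTO_MARGIN):
    """Each process's own RTO in hours, derived from its MTPD."""
    return {name: mtpd * margin for name, (mtpd, _) in inventory.items()}


def dependents_of(inventory):
    """Invert the upstream map: name -> processes that need it to recover."""
    downstream = {name: [] for name in inventory}
    for name, (_, upstream) in inventory.items():
        for dep in set(upstream):  # set() tolerates a duplicated edge
            if dep not in inventory:
                raise KeyError(f"{name} depends on unknown process {dep!r}")
            downstream[dep].append(name)
    return downstream


def effective_rto(inventory, margin=RTO_MARGIN):
    """RTO each process must really meet: its own RTO or the tightest RTO
    of anything downstream of it, whichever is smaller. Rejects cycles."""
    own = derive_rto(inventory, margin)
    downstream = dependents_of(inventory)
    effective = {}

    def visit(name, path):
        if name in effective:
            return effective[name]
        if name in path:
            raise ValueError(f"dependency cycle through {name!r}")
        path.add(name)
        value = own[name]
        for consumer in downstream[name]:
            value = min(value, visit(consumer, path))
        path.remove(name)
        effective[name] = value
        return value

    for name in inventory:
        visit(name, set())
    return effective


def tightened_rtos(inventory, margin=RTO_MARGIN):
    """Processes whose RTO 'set in a vacuum' is too loose for their consumers."""
    own = derive_rto(inventory, margin)
    eff = effective_rto(inventory, margin)
    return {n: (own[n], eff[n]) for n in inventory if eff[n] < own[n]}


def recovery_sequence(inventory, margin=RTO_MARGIN):
    """Dependency order (Kahn's algorithm); among processes whose upstream
    is already restored, the tightest effective RTO is restored first."""
    eff = effective_rto(inventory, margin)
    downstream = dependents_of(inventory)
    pending = {name: set(up) for name, (_, up) in inventory.items()}
    ready = [name for name, up in pending.items() if not up]
    order = []
    while ready:
        ready.sort(key=lambda n: (eff[n], n))
        current = ready.pop(0)
        order.append(current)
        for consumer in downstream[current]:
            pending[consumer].discard(current)
            if not pending[consumer]:  # last upstream restored -> schedulable
                ready.append(consumer)
    return order
```

    On the sample data, the directory service's 36-hour "vacuum" RTO collapses to 3 hours because the payments process depends on it, which is exactly the gap a BIA without dependency mapping misses.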

    Threat Scenarios and Risk Assessment

    Impact alone is not enough. We pair the BIA with a focused risk assessment across four threat classes: cyber (ransomware, destructive attack, credential compromise), physical (facility loss, regional outage, weather), vendor (SaaS outage, payment processor failure, key supplier disruption), and key-person (succession, knowledge loss, single-operator dependency).

    Each scenario is rated for likelihood and consequence, then mapped to which strategy option (hot-site, warm-site, cold-site, manual workaround, accept) is appropriate for which process. The result is a strategy memo the executive team can ratify, not an IT shopping list.

    Executive Ratification

    RTO and RPO numbers carry a cost. The fastest recovery option is rarely the most expensive overall, but the tradeoff has to be visible. We close the BIA with an executive readout that pairs each RTO/RPO with the strategy investment it implies, so the sign-off is informed and the audit trail is complete.



    NIST SP 800-84 Aligned

    Tabletop Exercise Programs That Actually Test the Plan

    A plan that has never been exercised is a hypothesis. We facilitate three exercise types from the NIST SP 800-84 framework, plus a six-scenario library calibrated to the threats your insurer and auditor are now asking about explicitly.

    Type 1 · Discussion-Based

    Half-day facilitated walk-through of a scenario with the BCP steering committee. Designed to surface plan gaps, role ambiguity, and decision-authority confusion. Lowest cost, highest frequency. Most engagements run two to three of these per year.

    Type 2 · Functional Exercise

    Live exercise of a single recovery component without disrupting production. Restore a backup to an isolated network, fail over a workload to the DR target, or run the communication tree end-to-end. Validates the runbook actually works under timed conditions.

    Type 3 · Full-Scale Simulation

    A multi-team, multi-hour drill that exercises the BCP from declaration through recovery and stand-down. Includes timed injects, captured decisions, real communications, and a formal after-action report. Annual cadence for regulated industries; biennial otherwise.

    Six-Scenario Library

    Scenarios are tailored to your industry, regulators, and recent threat intelligence. Each one comes with timed injects, role-specific decision points, and an evaluator’s rubric.

    Cyber · Ransomware Encryption Event

    Domain-wide encryption Friday at 4 PM. Tests declaration authority, communication tree, isolation decisions, and recovery sequencing under regulator-notification pressure.

    Physical · Regional Power and Connectivity Outage

    Multi-day loss of primary facility plus carrier. Tests work-from-home activation, payroll continuity, and customer-facing service degradation choices.

    Key Person · Sudden Loss of Critical Operator

    The one person who knows the legacy ERP integration is unreachable. Tests succession, runbook coverage, and the depth of cross-training that exists on paper versus in practice.

    Vendor · Primary SaaS or Payment Processor Outage

    Multi-day outage at a critical third party. Tests the workaround playbook, manual processing capacity, and the contractual posture for SLA credits and customer notifications.

    Compound · Cyber Incident During Physical Disruption

    A breach declared in the middle of a regional weather event. Tests command structure when the leadership team is dispersed and the usual coordination tools are degraded.

    Change · M&A Integration Day or Cloud Cutover

    A planned change goes wrong: integration day, cloud migration cutover, or major application upgrade. Tests rollback authority, customer communications, and fallback runbooks.



    Framework Crosswalk

    Built for the Standards Your Auditors Will Cite

    Each of these frameworks specifies a continuity capability your program will be measured against. We design engagements so the deliverables map cleanly to the controls you have to evidence.

    Standard · ISO 22301:2019

    The international BCMS standard. Our BCP authoring follows the ISO 22301 Plan-Do-Check-Act lifecycle and Clause 8.2.2 BIA requirements.

    Federal Guidance · NIST SP 800-34 Rev. 1

    Contingency Planning Guide for Federal Information Systems. Our DR runbooks follow the NIST SP 800-34 template structure for activation, recovery, and reconstitution.

    Exercise Standard · NIST SP 800-84

    Test, training, and exercise programs for IT plans. Our tabletop methodology, inject design, and after-action reporting follow the SP 800-84 framework.

    Banking Examiner · FFIEC BCM Handbook

    The handbook examiners use to assess BCM at FFIEC-regulated institutions. We map governance, BIA, risk assessment, and resilience deliverables to the booklet’s sections.

    Regulation · HIPAA Contingency Plan

    45 CFR §164.308(a)(7) requires HIPAA covered entities to maintain data backup, disaster recovery, emergency mode operation, and testing/revision procedures. We deliver each.

    SaaS Audit · SOC 2 CC9.1 + A1.2

    Risk mitigation through business continuity (CC9.1) and availability commitments (A1.2). Our deliverables provide the auditor evidence package both controls require.

    Defense Industrial Base · CMMC 2.0 L2 — CP Family

    The Contingency Planning control family (CP.L2-3.6.x) for Level 2. We deliver the policy, plan, training, and exercise evidence the C3PAO assessor will look for.

    All-Hazards · NFPA 1600

    The U.S. Standard on Continuity, Emergency, and Crisis Management. Used when an organization needs an all-hazards program covering people, facilities, and operations beyond IT.



    Engagement Deliverables

    What’s Included in Every Engagement

    • Stakeholder scoping interviews across operations, finance, legal, IT, and the executive sponsor.
    • Business Impact Analysis workshop with quantified impact scoring across financial, regulatory, reputational, operational, and safety dimensions.
    • RTO/RPO ratification readout with the executive team, including the cost-of-recovery tradeoff per process.
    • Written Business Continuity Plan authored to ISO 22301 structure, with governance, activation criteria, and authority matrix.
    • Disaster Recovery runbooks for top-priority systems, written to NIST SP 800-34 templates and walked through end-to-end.
    • Crisis communication tree and vendor map with workaround procedures for critical third parties.
    • First tabletop exercise facilitated within 30 days of plan sign-off, with formal after-action report.
    • Plan-maintenance handoff with a documented review cadence, owner assignments, and trigger events for plan updates.
    • Regulator-ready evidence package mapped to the frameworks above so audit responses do not require a scramble.
    • 24/7 activation hotline during a declared event for clients on the ongoing program tier.


    Three Engagement Models

    Pick the Engagement That Matches Where You Are

    Every engagement is scoped to your environment, regulators, and timeline. Pricing is contact-gated because the variables (process count, regulatory regime, system complexity) move every quote. Talk to us and we will scope a proposal.

    Tier 1 · 4–6 weeks

    BIA + Strategy Sprint

    A defensible RTO/RPO baseline and strategy memo, fast. Designed for companies that need the upstream analysis before investing in DR tooling.

    Includes
    • Stakeholder scoping interviews
    • BIA workshop and impact scoring
    • RTO/RPO derivation per process
    • Strategy options memo
    • BCP outline (full plan in Tier 2)
    • Executive readout
    For: companies that need a defensible RTO/RPO baseline before investing in DR tooling, or to satisfy a near-term audit gate.
    Tier 2 · 10–14 weeks (Most Common)

    Full BCP Build

    The full program in writing: BIA, BCP, DR runbooks, communication tree, vendor map, and the first tabletop facilitated.

    Includes
    • Everything in Tier 1, plus
    • Full written BCP (ISO 22301 structure)
    • DR runbooks for top-priority systems
    • Communication tree and vendor map
    • First tabletop exercise facilitated
    • Plan governance handoff
    For: companies with no current BCP, an outdated plan, or a major change like M&A, cloud migration, or a new compliance regime.
    Tier 3 · Quarterly retainer

    Ongoing BCDR Program

    A continuity program that stays current as the business changes. Ideal for regulated industries and board-level continuity mandates.

    Includes
    • Plan-of-record maintenance
    • Annual BIA refresh
    • Quarterly tabletop cycle (rotating scenarios)
    • Regulator-ready evidence package
    • 24/7 activation hotline
    • Post-incident plan updates
    For: healthcare, finance, defense industrial base, or any organization with a board-level continuity mandate or recurring audit cadence.


    Frequently Asked Questions

    Business Continuity Planning: FAQs

    The questions executives, compliance officers, and IT directors ask us most often before scoping an engagement.

    What is the difference between a BCP and a DR plan?

    A Business Continuity Plan (BCP) is the business-wide playbook for keeping operations running during a disruption. It covers people, processes, facilities, vendors, and communications. A Disaster Recovery (DR) plan is the technical subset that focuses on restoring IT systems and data. The DR runbooks are an appendix inside the larger BCP. The BCP answers “how does the business keep functioning?” while the DR plan answers “how do we get the systems back?” A complete program needs both, and the technology to back them lives on our Managed Backup & Disaster Recovery page.

    Do I need a Business Impact Analysis before I buy backup software?

    In most cases, yes. The BIA is what produces defensible RTO and RPO numbers, and those numbers determine which backup architecture, retention strategy, and recovery tooling actually fit. Buying the technology first usually means either over-spending on a recovery target the business does not need, or under-spending on a system the business cannot survive without. ISO 22301 Clause 8.2.2 and the FFIEC BCM Handbook both require the BIA as the basis for strategy, and most cyber insurers now ask for it during renewal underwriting.

    What is a realistic RTO and RPO for my business?

    It depends on the process. A customer-facing transaction system might justify a one-hour RTO and a fifteen-minute RPO. An internal HR system might be fine at a 24-hour RTO and a 24-hour RPO. The cost of recovery technology rises sharply as the targets tighten, so the right answer is per-process, not per-business. The BIA is what produces the defensible answer; we typically run it in 8 to 12 weeks for a mid-market business of 200 to 500 employees.

    How long does a BCP project take?

    A focused BIA + Strategy Sprint runs 4 to 6 weeks. A Full BCP Build with DR runbooks and the first tabletop typically lands in 10 to 14 weeks. Ongoing programs operate on quarterly cadences after that. The pace is set by stakeholder availability for interviews and workshops, not by drafting time, so businesses with strong executive sponsorship usually finish at the faster end of the range.

    We have a BCP from 2019. Is it still valid?

    Almost certainly not. A BCP authored before 2020 was written for a different threat landscape (pre-ransomware-as-a-service), a different workforce model (mostly on-site), and a different regulatory environment (pre-CMMC 2.0, pre-NIST CSF 2.0, pre-FFIEC 2019 booklet revision). We typically recommend a refresh BIA plus a partial rewrite, sized to a Tier 1 or Tier 2 engagement depending on how much of the original document still maps to current operations.

    What is a tabletop exercise and how often should we run them?

    A tabletop exercise is a facilitated, scenario-driven walk-through of the BCP with the people who would actually execute it. Done well, it surfaces gaps a paper review never finds: role ambiguity, decision-authority confusion, missing escalation paths, broken vendor contacts. NIST SP 800-84 is the standard reference. Annual is the minimum for most businesses; quarterly is appropriate for regulated industries (healthcare, finance, defense industrial base) and any organization with a board-level continuity mandate.

    Does HIPAA require a business continuity plan?

    HIPAA’s Security Rule requires a Contingency Plan under 45 CFR §164.308(a)(7), which has five required components: Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operation Plan, Testing and Revision Procedures, and Applications and Data Criticality Analysis. The last one is effectively a BIA. Our BCP deliverable is mapped to satisfy each of these. For broader healthcare cybersecurity context, see our Managed Cybersecurity Services page.

    How does ISO 22301 differ from NIST SP 800-34?

    ISO 22301 is the international Business Continuity Management System standard. It is broad, organization-wide, and certifiable, covering people, processes, and facilities. NIST SP 800-34 Rev. 1 is the U.S. federal Contingency Planning Guide, narrower in scope and focused on IT systems. Most of our engagements use ISO 22301 as the structural template for the overall BCP and NIST SP 800-34 templates for the DR runbooks and IT contingency procedures inside it. The two complement each other; we rarely use one without the other.

    Do you handle BCDR program work for FFIEC-regulated banks and credit unions?

    Yes. We map the engagement deliverables to the FFIEC IT Examination Handbook Business Continuity Management booklet, which is the document examiners use during reviews. That covers governance and senior-management responsibilities, the BIA, risk assessment, business continuity strategies, resilience, data backup and replication, third-party service provider management, and the testing program. The Tier 3 ongoing program is the typical engagement model for financial-services clients because of the recurring exam cadence.

    Can OST run our BCDR program ongoing, or is this a one-time engagement?

    Both. The BIA + Strategy Sprint and Full BCP Build engagements are project-based with a defined finish line and a handoff. The Ongoing BCDR Program is a quarterly retainer that maintains the plan, runs the tabletop cadence, refreshes the BIA annually, and stays on call as the activation partner during a declared event. Many clients start with a project tier and convert to the ongoing program after the first plan is in place.

    Do you deliver these services outside New Jersey?

    Yes. The strategy work (BIA, BCP authoring, DR runbook design, tabletop facilitation) is delivered remotely via Teams or Zoom and is available to businesses across the United States. We have deepest engineering capacity in Northern NJ, the NYC metro, Pennsylvania, and South Florida, which becomes an advantage if you need on-site recovery activation support during a declared event in those regions. For purely remote consulting engagements, location is not a constraint.

    How is a BCDR consulting engagement priced?

    Pricing is contact-gated because the variables move every quote: number of critical processes, regulatory regime, number of physical locations, system complexity, urgency, and whether OST is also delivering the technology underneath. The Tier 1 BIA + Strategy Sprint is the typical entry point and the smallest commitment; the Tier 3 retainer is the long-term engagement model. Talk to us through the form on this page and we will typically scope a proposal within one to two business days.





    Ready to Scope an Engagement?

    Tell Us About Your Continuity Program

    Share your environment, regulators, and timeline. We will reply with a scoped proposal for the engagement tier that fits. We typically respond within 4 business hours.



      Build a Plan You Can Actually Execute

      Find Out What Your Plan Would Actually Do

      Bring us a binder, a draft, or a blank page. We will scope a BIA, a full BCP build, or an ongoing program that matches where your business actually is.

      8–12 wk · BIA Cycle
      5-Phase · Methodology
      100% · Remote Strategy
      24/7 · Activation Hotline