Business Continuity Plan (India)
BUSINESS CONTINUITY PLAN
Company: [Company Name]
Registered Address: [Company Address]
Effective Date: [Effective Date] | Sector Regulator: [Sector Regulator]
BCP Manager: [BCP Manager] | Crisis Director: [CEO Name]
Last BCP Test: [Last Test Date] | Next Scheduled Test: [Next Test Date]
This Business Continuity Plan ("BCP") is adopted by [Company Name] ("Company") pursuant to the Companies Act 2013 (directors' duty of care under Section 166), applicable sector-specific regulatory requirements ([Sector Regulator]), and international business continuity management standards (ISO 22301). This BCP is approved by the Board of Directors.
1. BUSINESS IMPACT ANALYSIS AND RECOVERY OBJECTIVES
1.1 The Business Impact Analysis (BIA) identifies the critical processes and systems of the Company, the impacts of disruption (financial, regulatory, reputational, operational), and the Maximum Tolerable Period of Disruption (MTPD) for each.
1.2 Critical Systems and Recovery Time Objectives: [Critical Systems].
1.3 Recovery Point Objective (RPO): [Data RPO]. Backup and replication systems are configured to achieve this RPO for all critical systems.
1.4 DR Site: The Company maintains a Disaster Recovery (DR) site at [DR Site], with IT systems replicated to achieve the stated RTOs. DR site configuration and recovery capabilities are verified through regular testing.
2. CRISIS MANAGEMENT TEAM
2.1 Crisis Director: [CEO Name] — responsible for activating the BCP, making major resource decisions, and communications with the Board and key stakeholders.
2.2 Business Continuity Coordinator: [BCP Manager] — responsible for day-to-day crisis management, coordinating workstream leads, and maintaining the incident log.
2.3 The full Crisis Management Team (CMT) includes: Technology Lead (CIO/CTO), Operations Lead (COO), HR Lead (CHRO), Financial Lead (CFO), Legal and Compliance Lead (General Counsel), and Communications Lead. Contact details, alternates, and CMT meeting protocols are maintained in the CMT Contact Directory, reviewed and updated quarterly.
2.4 The Crisis Management Centre is located at the Company's [Company Address], with a backup location at the DR site ([DR Site]), or virtual (secure conferencing platform) where physical access is unavailable.
3. BCP ACTIVATION AND RESPONSE
3.1 BCP Activation Triggers: The BCP shall be activated when: (a) a Category 2 or 3 security incident occurs (cross-reference to the Cybersecurity Incident Response Plan); (b) a natural disaster (flood, earthquake, cyclone) affects the Company's primary operating location; (c) an extended power outage or utility failure (>4 hours) affecting critical systems; (d) a pandemic or public health emergency preventing normal operations; (e) loss of a key supplier or data centre; or (f) the Crisis Director determines that a significant disruption warrants BCP activation.
3.2 Within 1 hour of BCP activation: (a) Crisis Director confirms activation; (b) CMT assembled (in person or virtual); (c) Technology Lead commences DR site activation assessment; (d) Communications Lead prepares initial employee notification; (e) Legal Counsel assesses regulatory notification obligations.
3.3 Within 4 hours of activation: (a) DR site activation commenced if required; (b) CERT-In notification submitted if cybersecurity incident (six-hour deadline); (c) Sector regulator ([Sector Regulator]) notified if required; (d) Remote working capabilities activated; (e) Customer and partner communications issued.
4. SPECIFIC DISASTER SCENARIOS
4.1 Cybersecurity Incident: Activate the Cybersecurity Incident Response Plan (CIRP). For incidents causing operational disruption, escalate to full BCP activation per Section 3. Submit CERT-In six-hour notification for reportable incidents.
4.2 Natural Disaster (Flood/Earthquake/Cyclone): Ensure employee safety (Factories Act 1948 / OSHWC Code 2020 obligations). Activate DR site for affected locations. Coordinate with local authorities (State Disaster Management Authority under the Disaster Management Act 2005).
4.3 Pandemic/Public Health Emergency: Activate remote working plan. Maintain regulatory compliance (filing deadlines, SLAs) through remote operations. Monitor MoHFW and state health authority advisories. Refer to COVID-19 learnings from the 2020–2022 period.
4.4 Key Person Risk: Designated alternates for all Critical CMT roles are identified in the CMT Contact Directory. Board succession is governed by the Companies Act 2013 (director appointment provisions).
5. REGULATORY NOTIFICATIONS AND TESTING
5.1 For listed companies (SEBI): Material BCP events (e.g., significant system outages, operational disruptions affecting the company's ability to function) may constitute price-sensitive material information requiring disclosure under SEBI LODR Regulation 30 within 24 hours.
5.2 For regulated financial entities ([Sector Regulator]): Notify the sector regulator per applicable guidelines — RBI: 2–6 hours for major incidents; SEBI MIIs: as per SEBI BCP Framework.
5.3 BCP Testing: This BCP shall be tested [Test Frequency] through tabletop exercises and DR simulation tests. Test results must be documented and reported to the Board or relevant Board Committee (Risk Committee / IT Committee). The next scheduled test is [Next Test Date]. Post-test findings shall be used to update this BCP.
5.4 This BCP is governed by the laws of India and the laws of the State of [Governing State]. This BCP shall be reviewed and updated at least annually, after any material incident, and after any significant change to the Company's operations or IT infrastructure.
Crisis Director / CEO
________________
Signature
Business Continuity Manager
________________
Signature
What Is a Business Continuity Plan (India)?
A Business Continuity Plan in India sets out the rights and obligations of the parties on the matter it concerns and records the terms they have agreed.
The COVID-19 pandemic (2020-2022) was a landmark stress-test of BCPs across all Indian industries. Organisations with documented, tested BCPs were able to transition to remote working, maintain regulatory compliance, and serve customers with minimal disruption. Those without BCPs faced chaotic ad hoc responses, regulatory scrutiny, and significant business losses. The pandemic transformed BCP from a niche compliance exercise to a board-level priority.
A thorough BCP is built on a Business Impact Analysis (BIA) that identifies critical processes, their dependencies, and the maximum acceptable recovery time and data loss (RTOs and RPOs). The BIA drives decisions about DR infrastructure, backup systems, alternate work sites, and the minimum resource requirements for critical function recovery.
The BCP covers the Crisis Management Team (CMT) structure, the BCP activation triggers and escalation procedure, recovery strategies for technology and business operations, communication protocols (for employees, customers, regulators, and media), regulatory notification obligations (including the CERT-In six-hour rule for cybersecurity incidents and SEBI material event disclosures for listed companies), and the BCP testing and maintenance programme.
The legal framework governing the Business Continuity Plan (India) in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing a Business Continuity Plan (India) in India should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Indian Contract Act, 1872 sets the foundational requirements.
When Do You Need a Business Continuity Plan (India)?
A Business Continuity Plan is mandatory for banks (RBI BCP Guidelines 2019), insurance companies (IRDAI), and market infrastructure institutions (SEBI BCP Framework). It is implicitly required by the Companies Act 2013 directors' duties and sector-specific regulatory expectations for all regulated entities.
Any organisation that has experienced a significant disruption — fire at a data centre, flood, extended power outage, or COVID-19-style pandemic — should have a formal BCP in place before the next disruption.
Organisations with operations in natural disaster-prone areas of India (cyclone-prone coastal states, earthquake-prone zones, flood-prone river basins) are at elevated risk of natural disaster disruption and need BCPs calibrated to local risk profiles.
Organisations that have made significant commitments to customers (uptime SLAs, service level agreements, regulatory filing deadlines) need BCPs that demonstrate they can meet these commitments even during a disruption — or manage the consequences of non-compliance.
Organisations seeking ISO 22301 (Business Continuity Management System) certification need a BCP as a core certification requirement.
Organisations in supply chains of large enterprise customers or government agencies — where vendor due diligence includes BCP capability assessment — need documented BCPs as a commercial prerequisite.
Organisations seeking D&O (Directors and Officers) insurance or business interruption insurance are increasingly required to demonstrate BCP capability as an underwriting requirement.
Parties in India should prepare a Business Continuity Plan (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Business Continuity Plan (India)
A thorough Business Continuity Plan for an Indian company should contain the following essential elements.
BCP Policy Statement: Board-endorsed commitment to business continuity, designating a Business Continuity Manager and establishing the governance framework.
Business Impact Analysis (BIA) Summary: Critical processes, their RTOs and RPOs, maximum tolerable periods of disruption, and critical resource requirements.
Threat and Risk Assessment: An assessment of the specific natural disaster, infrastructure, cyber, pandemic, and other risks applicable to the company's locations and operations in India.
Crisis Management Team (CMT): Defined CMT composition, roles, responsibilities, contact details, alternates, and the Crisis Management Centre location and backup.
BCP Activation Procedure: Clear criteria and authority for activating the BCP, escalation levels, and the initial crisis response checklist.
Recovery Strategies: Technology DR strategy (primary and backup data centres, cloud DR, RTOs/RPOs for each critical system); business operations recovery (alternate work sites, remote working capabilities, minimum staffing levels); and supply chain contingency (alternate suppliers for critical inputs).
Regulatory Notification Obligations: Specific notification requirements for CERT-In (six hours for cyber incidents), SEBI (material events for listed companies), RBI (for regulated entities), and contractual notification obligations to customers and partners.
Communication Plan: Pre-approved templates and protocols for employee, customer, media, and regulator communications during and after a BCP event.
BCP Testing Programme: Annual testing schedule (document review, tabletop, DR simulation), test reporting requirements (to Board and sector regulators), and post-test update procedure.
BCP Maintenance: Procedures for updating the BCP following material changes to the business, post-incident, and on a defined schedule (at least annually).
Additional compliance elements for a Business Continuity Plan (India) used in India include: Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Forms-legal.com provides this template as a starting point for India-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Continuity Plan (India) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/policies/business-continuity-plan-india
"Business Continuity Plan (India) (India)." Forms Legal, 2026, https://forms-legal.com/india/business/policies/business-continuity-plan-india.
@misc{formslegal-business-continuity-plan-india,
author = {{Forms Legal}},
title = {Business Continuity Plan (India) (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/policies/business-continuity-plan-india}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}
Frequently Asked Questions
A Business Continuity Plan (BCP) is mandatory for certain categories of Indian companies under sector-specific regulations, and is strongly recommended — and implicitly required — for all companies under the Companies Act 2013 and the duties it imposes on directors. For banks and financial institutions, the Reserve Bank of India (RBI) has issued comprehensive BCP and Disaster Recovery (DR) guidelines. The RBI's IT Framework for Banks (2011), revised through multiple circulars, requires banks to have documented BCPs and DR capabilities, conduct periodic DR drills, and ensure that core banking operations can be recovered within defined Recovery Time Objectives (RTOs). The Business Continuity Management Guidelines for Banks (2019) provide detailed requirements for BCP frameworks, DR sites (with distance requirements), and testing frequencies. For insurance companies, the Insurance Regulatory and Development Authority of India (IRDAI) has issued BCP guidelines requiring insurers to maintain BCPs and DR capabilities for critical systems, with annual testing and board oversight. For stock exchanges, depositories, and market infrastructure institutions (MIIs), SEBI requires BCPs and BCP testing under SEBI's Framework for Business Continuity Plan (2019). SEBI MIIs must demonstrate the ability to resume critical operations within defined RTOs and conduct full-scale DR drills periodically.
A Business Impact Analysis (BIA) is the foundational analytical process that underpins every effective Business Continuity Plan. It systematically identifies and quantifies the impacts of disruptions to business processes and IT systems, and determines the recovery priorities, Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs) that the BCP must achieve. For Indian organisations, the BIA process involves the following steps. Business Process Inventory: Catalogue all significant business processes and functions — revenue-generating activities, regulatory compliance functions, customer service operations, supply chain processes, IT systems, and supporting infrastructure. For each process, identify the resources it depends on: people, technology, facilities, data, and third-party suppliers. Impact Assessment: For each business process, assess the impact of a disruption (ranging from 1 hour to 1 month) on: (a) financial performance (revenue loss, cost of recovery, penalties for SLA breaches); (b) regulatory compliance (penalties for filing delays, violation of sector regulator requirements); (c) reputational damage (customer attrition, media coverage, investor confidence); and (d) operational dependencies (impacts on other processes that depend on the disrupted process). Maximum Tolerable Period of Disruption (MTPD): The maximum time a business process can be unavailable before the disruption causes unacceptable consequences. In RBI and SEBI guidance, the MTPD drives the determination of RTOs and RPOs.
An effective Crisis Management Team (CMT) for an Indian company's Business Continuity Plan should be structured to enable rapid, authoritative decision-making during a crisis event, while ensuring that regulatory reporting obligations (to CERT-In, SEBI, RBI, MCA, or other authorities) are met in a timely manner. Crisis Management Team Structure:
Crisis Director (CEO or designated senior executive): The overall crisis commander, responsible for activating the BCP, declaring a business continuity event, making major resource allocation decisions, and communicating with the Board. In the absence of the CEO, a pre-designated alternate must be named in the BCP. Business Continuity Coordinator (Head of Business Continuity/COO): Responsible for day-to-day management of the crisis response, coordinating workstream leads, maintaining the incident log, and running the Crisis Management Team meetings (typically held every 2–4 hours during an active crisis). Technology Lead (CIO/CTO): Responsible for IT system recovery and DR activation. Coordinates with the IT operations team on recovery of critical systems to meet RTOs. Also the primary contact for the Cybersecurity Incident Response Team (CSIRT) if the BCP event was triggered by a cybersecurity incident. Operations Lead (COO/Head of Operations): Responsible for recovering critical business operations — activating alternate sites, managing supply chain disruptions, and coordinating with facilities management.
A Business Continuity Plan that is not regularly tested is a compliance document rather than an effective operational tool. Indian sector regulators — particularly the RBI for banks and SEBI for market infrastructure institutions — have been explicit that BCPs must be tested with defined frequency and that test results must be reported to the Board. Types of BCP Tests:
Document Review: The simplest form of testing — a structured review of the BCP document by the CMT and IT teams to verify that contact details are current, procedures are up to date, and the plan reflects the current operating environment. Should be conducted at least quarterly. Tabletop Exercise: A scenario-based discussion exercise in which the CMT and key staff walk through a simulated crisis scenario (e.g., flood damage to primary data centre, ransomware attack, sudden loss of key personnel) and discuss their responses. No actual systems are invoked. Effective for testing the clarity of procedures, decision-making logic, and communication protocols. Should be conducted at least annually. Walkthrough/Component Test: Testing specific components of the BCP in isolation — e.g., testing the backup power generator, testing the backup communication systems, or testing the remote access capabilities for a subset of employees. Identifies single-point failures in specific components without the complexity of a full test. Full DR Simulation (Parallel or Failover Test): The most rigorous form of DR testing — activating the full DR site and recovering all critical systems within the target RTOs.
An Indian Business Continuity Plan must be designed for a wide range of threat scenarios, reflecting the specific risk landscape of the Indian subcontinent — which combines natural disaster risks (earthquake, flood, cyclone, heat wave), infrastructure risks (power outages, telecom disruptions), public health risks (pandemics, as demonstrated by COVID-19), cybersecurity risks, and socio-political risks. Natural Disasters: India is among the world's most disaster-prone countries, with exposure to: (a) earthquakes (Seismic Zone V covers the Himalayan region, northeast India, and the Andaman and Nicobar Islands; significant portions of peninsular India are in Zone III); (b) floods (annual monsoon floods in Assam, Bihar, Uttar Pradesh, Maharashtra, and coastal states cause significant disruption); (c) cyclones (the Bay of Bengal and Arabian Sea coasts are regularly impacted by cyclones, as seen with Cyclone Fani, Amphan, and Tauktae in recent years); (d) heat waves (increasingly frequent in central and northern India, affecting employee health and infrastructure); and (e) landslides (a significant risk in the northeast, Uttarakhand, and Western Ghats). Power and Utility Disruptions: Extended power outages are a significant business continuity risk, particularly in manufacturing states. The BCP should specify backup power capabilities (UPS, diesel generators, solar backup) and their capacity to support critical systems through defined outage durations. Telecommunication and IT Failures: Failures of internet connectivity, cloud services, or core IT systems.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Cybersecurity Incident Response Plan (India)
A comprehensive Cybersecurity Incident Response Plan compliant with the IT Act 2000, CERT-In Directions 2022, and Digital Personal Data Protection Act 2023. Covers incident classification, response teams, notification timelines (6-hour CERT-In rule), containment, and post-incident review.
Environmental Compliance Policy (India)
A comprehensive Environmental Compliance Policy for Indian businesses under the Environment Protection Act 1986, Water (Prevention & Control of Pollution) Act 1974, Air Act 1981, and NGT Act 2010. Covers regulatory compliance, waste management, energy efficiency, and ESG reporting obligations.
Code of Conduct (India)
A comprehensive Code of Conduct for Indian companies compliant with the Companies Act 2013 (Section 149, Schedule IV), SEBI LODR Regulations 2015, and National Guidelines on Responsible Business Conduct 2019. Covers director and employee obligations, conflicts of interest, and ethical business standards.