Business Continuity Plan (Kenya)
BUSINESS CONTINUITY PLAN
[Organisation Name]
CBK Prudential Guideline CBK/PG/19 | Data Protection Act No. 24 of 2019 | ISO 22301
BCP Owner: [BCP Owner]
Board Approved: [Board Approval Date]
Next Review Date: [Review Date]
BRS Registration Number: [BRS Number]
Regulatory Licence: [Regulatory Licence]
1. SCOPE AND OBJECTIVES
1.1 Organisation: [Organisation Name] (BRS No: [BRS Number]), operating in [Industry Sector].
1.2 Scope: This Business Continuity Plan covers [BCP Scope].
1.3 Critical Business Functions: [Critical Functions].
1.4 Recovery Time Objective (RTO): [RTO].
1.5 Recovery Point Objective (RPO): [RPO].
1.6 This BCP has been prepared in compliance with the Central Bank of Kenya Prudential Guideline on Business Continuity Management (CBK/PG/19), the Data Protection Act No. 24 of 2019 (enforced by the Office of the Data Protection Commissioner, ODPC), and the principles of ISO 22301:2019 (adopted by Kenya Bureau of Standards as KS ISO 22301).
2. RISK ASSESSMENT
2.1 The following key threats have been identified through the Business Impact Analysis (BIA) process:
[Key Threats]
2.2 Each threat has been assessed for likelihood (High / Medium / Low) and impact on critical business functions. The BIA results are maintained separately by the BCP Owner and are reviewed at each annual BCP review.
3. RECOVERY STRATEGIES AND PROCEDURES
3.1 Alternative Operating Site / Remote Work: [Alternative Site].
3.2 IT Disaster Recovery and Data Backup: [IT Recovery Procedure]. Personal data stored in IT systems is protected in accordance with Section 25 of the Data Protection Act No. 24 of 2019 (ODPC), which requires appropriate technical and organisational measures to protect data against accidental loss or destruction.
3.3 Crisis Management Team: [Crisis Team]. The BCP Owner activates the Crisis Management Team immediately upon identification of a qualifying incident.
3.4 Regulatory Notifications: [Regulatory Notification]. The ODPC must be notified within 72 hours of a personal data breach under Section 41 of the Data Protection Act No. 24 of 2019.
4. TESTING, REVIEW, AND MAINTENANCE
4.1 Testing Schedule: [Testing Schedule].
4.2 This BCP shall be reviewed at least annually and after any significant operational incident, major organisational change, or regulatory requirement change. The BCP Owner is responsible for initiating each review and presenting findings to the Board.
4.3 Version Control: All amendments to this BCP shall be recorded in the version history log, including the date, nature of change, and the identity of the person approving the change.
5. BOARD APPROVAL
5.1 This Business Continuity Plan has been reviewed and approved by the Board of Directors of [Organisation Name] on [Board Approval Date].
5.2 The Board acknowledges its responsibility for the organisation's operational resilience and confirms that adequate resources have been allocated to implement, test, and maintain this BCP in accordance with the Central Bank of Kenya's Prudential Guideline CBK/PG/19 and the Data Protection Act No. 24 of 2019.
Signed on behalf of the Board of Directors of [Organisation Name]:
Board Chairperson
________________
Signature
Chief Executive Officer
________________
Signature
BCP Owner
________________
Signature
What Is a Business Continuity Plan (Kenya)?
A Business Continuity Plan in Kenya documents how an organisation will keep its critical functions running during a disruption, and how it will recover them afterwards, in a form the parties and authorities can rely on.
In Kenya, BCP requirements are imposed by several regulatory frameworks. The Central Bank of Kenya (CBK), exercising its powers under the Central Bank of Kenya Act (Cap. 491) and the Banking Act (Cap. 488), has issued the Prudential Guideline on Business Continuity Management (CBK/PG/19) applicable to all licensed banks, microfinance banks, and payment service providers. Regulated institutions must maintain a documented, tested BCP and submit BCP certificates to CBK as part of their annual compliance submissions. The Insurance Regulatory Authority (IRA), under the Insurance Act (Cap. 487), similarly requires IRA-licensed insurers to maintain BCPs as part of their operational resilience obligations.
The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data — including measures to restore data availability following a physical or technical incident. Section 41 of the Data Protection Act requires notification to the ODPC within 72 hours of a data breach. A BCP that includes IT disaster recovery and data backup procedures directly supports compliance with these ODPC obligations.
The Capital Markets Authority (CMA) of Kenya, under the Capital Markets Act (Cap. 485A), requires licensed stockbrokers, investment advisers, and fund managers to maintain BCPs as part of their operational risk management frameworks. The Communications Authority of Kenya (CA) imposes BCP obligations on licensed telecommunications operators. The Energy and Petroleum Regulatory Authority (EPRA) requires energy sector licensees to maintain emergency response plans consistent with BCP principles.
Beyond regulatory requirements, a Kenya BCP is a critical governance document for any organisation seeking ISO 22301:2019 (Business Continuity Management Systems) certification — the international standard adopted by Kenya Bureau of Standards (KEBS) as KS ISO 22301. ISO 22301 certification is increasingly required by multinational clients, development finance institutions such as the African Development Bank (AfDB), and international procurement processes. A BCP aligned with ISO 22301 demonstrates organisational maturity and operational resilience to investors, lenders, and counterparties. Under Kenya law, Section 3 of the Companies Act 2015 (No. 17 of 2015) and Section 2 of the Law of Contract Act (Cap 23) govern the core requirements for this type of document.
The legal framework governing the Business Continuity Plan (Kenya) in Kenya draws on several key statutes and regulatory bodies. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Parties executing a Business Continuity Plan (Kenya) in Kenya should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Central Bank of Kenya Prudential Guidelines on Business Continuity Management sets the foundational requirements.
When Do You Need a Business Continuity Plan (Kenya)?
A Kenya Business Continuity Plan is required by regulation or strongly recommended by best practice in several distinct circumstances.
A BCP is required when an organisation holds a licence from the Central Bank of Kenya (CBK) — including commercial banks, microfinance banks, Forex bureaus, and mobile money operators — under the Central Bank of Kenya Act (Cap. 491) or the Banking Act (Cap. 488). CBK Prudential Guideline CBK/PG/19 mandates a documented, board-approved BCP with annual testing and review.
A BCP is needed when a company registered with the Business Registration Service (BRS) via the eCitizen portal processes personal data of customers or employees and is therefore a data controller or processor under the Data Protection Act No. 24 of 2019. The ODPC's data breach notification obligation within 72 hours under Section 41 of the Act cannot be met without a pre-planned incident response procedure documented in a BCP.
A BCP is required when an organisation is bidding for a public procurement contract under the Public Procurement and Asset Disposal Act No. 33 of 2015. The Public Procurement Regulatory Authority (PPRA) may require evidence of business continuity capacity as part of technical evaluation criteria for contracts in ICT, healthcare, security, and infrastructure sectors.
A BCP is needed when an organisation operates in a sector subject to significant operational disruption risk — including logistics companies managing supply chains across Mombasa Port, Nairobi's Industrial Area, and upcountry distribution networks; hospitals and clinics subject to the Medical Practitioners and Dentists Act (Cap. 253); and schools regulated by the Basic Education Act No. 14 of 2013.
A BCP is required when a company seeks a loan facility from a development finance institution such as the Kenya Development Corporation (KDC), the East African Development Bank (EADB), or an international lender, where operational risk assessment forms part of the lender's due diligence.
A BCP is needed after an organisation has experienced a significant operational disruption — such as the 2007/2008 post-election violence, the 2023 El Niño flooding affecting road networks and warehouses, or a ransomware attack — and management wants documented procedures to prevent recurrence and accelerate future recovery.
What to Include in Your Business Continuity Plan (Kenya)
A Kenya Business Continuity Plan covering critical operations under applicable CBK prudential guidelines and the Data Protection Act No. 24 of 2019 must include the following essential elements.
Organisation Profile and Scope: The name, BRS registration number, industry sector, and geographic locations of the organisation. The scope statement identifies which business functions, products, services, locations, and systems are covered by the BCP. Regulated entities should cross-reference the applicable CBK, IRA, or CMA licence number.
Risk Assessment and Threat Identification: A structured assessment of internal and external threats — natural disasters (flooding, fire, earthquake), cyber threats (ransomware, phishing, data breaches), infrastructure failures (Kenya Power outages, telecommunications disruption), civil unrest, supply chain failures, and pandemic health emergencies. Each threat is assessed for probability and impact using a defined risk matrix.
Business Impact Analysis (BIA): Identification of mission-critical business functions, the maximum tolerable period of disruption (MTPD) for each function, the recovery time objective (RTO — how quickly each function must be restored), and the recovery point objective (RPO — how much data loss is acceptable). The BIA findings drive prioritisation of recovery resources.
Recovery Strategies and Procedures: Step-by-step procedures for activating the BCP, relocating to an alternative operating site or enabling remote work, restoring IT systems from backup, communicating with staff, clients, regulators (including the ODPC within 72 hours for data breaches), and suppliers during an incident. Procedures should name specific staff members and their alternates.
IT Disaster Recovery and Data Backup: The backup schedule, backup media, off-site storage location, and the procedure for restoring systems from backup. Section 41 of the Data Protection Act No. 24 of 2019 requires personal data to be protected against accidental loss or destruction. The BCP should specify the cloud backup provider, the encryption standard used, and the frequency of backup testing.
Crisis Communication Plan: Contact lists for all staff (with alternates), key clients, suppliers, CBK or other regulatory contacts, and public communications channels. The plan should designate the authorised spokesperson for external communications and define the protocol for notifying the Office of the Data Protection Commissioner (ODPC) and other regulatory authorities of incidents.
BCP Testing and Exercise Schedule: The schedule for tabletop exercises (at least annually), simulation drills (at least annually), and full failover tests. CBK Prudential Guideline CBK/PG/19 requires tested BCPs — a plan that has never been tested does not satisfy the regulator's requirements.
Governance and Maintenance: The BCP owner (typically the Chief Risk Officer or equivalent), the board approval date, the review schedule (at least annually and after every significant operational incident), and the change control procedure. Forms-legal.com provides this Business Continuity Plan template as a starting framework for Kenyan organisations seeking compliance with CBK guidelines and ISO 22301 principles. Organisations in regulated sectors should engage a qualified business continuity professional — certified under the Business Continuity Institute (BCI) or the Disaster Recovery Institute International (DRII) — to validate the plan before submitting it to a regulator. Under Kenya law, Section 15 of the Employment Act 2007 (No. 11 of 2007) and Section 24 of the Land Registration Act 2012 (No. 3 of 2012) also govern the core requirements for this type of document.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Continuity Plan (Kenya) (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/corporate/business-continuity-plan-kenya
"Business Continuity Plan (Kenya) (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/corporate/business-continuity-plan-kenya.
@misc{formslegal-business-continuity-plan-kenya,
author = {{Forms Legal}},
title = {Business Continuity Plan (Kenya) (Kenya)},
year = {2026},
howpublished = {\url{https://forms-legal.com/kenya/business/corporate/business-continuity-plan-kenya}},
note = {Free legal document template}
}
Frequently Asked Questions
Whether a Business Continuity Plan (BCP) is legally required in Kenya depends on the organisation's industry and regulatory status. For licensed banks, microfinance banks, and payment service providers, a documented BCP is mandatory under the Central Bank of Kenya (CBK) Prudential Guideline on Business Continuity Management (CBK/PG/19), issued under the Central Bank of Kenya Act (Cap. 491). The Insurance Regulatory Authority (IRA), under the Insurance Act (Cap. 487), imposes similar requirements on licensed insurers. The Capital Markets Authority (CMA) requires BCPs from licensed fund managers and stockbrokers under the Capital Markets Act (Cap. 485A). For organisations outside regulated financial services, a BCP is not legally compulsory but is strongly recommended. Any organisation that is a data controller or processor under the Data Protection Act No. 24 of 2019 must implement technical and organisational measures to protect data — including IT disaster recovery — which effectively requires BCP-equivalent planning. Non-compliance with the Data Protection Act exposes organisations to enforcement action by the Office of the Data Protection Commissioner (ODPC), including fines up to KES 5 million or 1% of annual gross turnover.
A Recovery Time Objective (RTO) is the maximum acceptable period of time within which a specific business function, system, or process must be restored after a disruption. For example, a Nairobi bank may set an RTO of 4 hours for its core banking system and 24 hours for its non-critical reporting functions. RTOs are determined through the Business Impact Analysis (BIA) process, which maps each function to the financial, regulatory, reputational, and operational consequences of its unavailability. Functions with the shortest RTOs — such as payment processing, customer data access, and regulatory reporting — receive priority recovery resources. The Central Bank of Kenya's Prudential Guideline CBK/PG/19 requires regulated institutions to set RTOs for all critical systems and validate them through periodic testing. A complementary metric is the Recovery Point Objective (RPO), which defines the maximum amount of data loss acceptable — for example, an RPO of 1 hour means that the most recent backup is no more than 1 hour old. Together, RTO and RPO drive the design of IT infrastructure, backup frequency, and alternate site capacity in a Kenya Business Continuity Plan.
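The RTO/RPO comparison described above, as an added example that is not part of the original template: a small Python check that compares the measured results of a failover test against the BIA register's targets and computes the 72-hour ODPC notification deadline. The register values and test figures are constructed for illustration (they follow the 4-hour / 24-hour / 1-hour figures in the text) and are not from any real institution.

```python
from datetime import datetime, timedelta, timezone

# Constructed BIA register: RTO and RPO targets per critical function, in hours.
BIA_REGISTER = {
    "core_banking":         {"rto_hours": 4,  "rpo_hours": 1},
    "payment_processing":   {"rto_hours": 4,  "rpo_hours": 1},
    "regulatory_reporting": {"rto_hours": 24, "rpo_hours": 24},
}

# Constructed results of one failover test (hypothetical figures):
# how long the restore actually took, and how old the restored backup was.
TEST_RESULTS = {
    "core_banking":         {"restore_hours": 3.5,  "backup_age_hours": 0.75},
    "payment_processing":   {"restore_hours": 6.0,  "backup_age_hours": 0.5},
    "regulatory_reporting": {"restore_hours": 20.0, "backup_age_hours": 30.0},
}

# Section 41 notification window (72 hours from becoming aware of the breach).
ODPC_NOTIFICATION_WINDOW = timedelta(hours=72)


def evaluate_test(register, results):
    """Compare each function's measured recovery against its RTO/RPO targets.

    Returns {function: [findings]}; an empty list means both targets were met.
    A function listed in the register but absent from the test results is
    reported as a gap, because an unexercised function cannot count as tested.
    """
    findings = {}
    for name, target in register.items():
        issues = []
        measured = results.get(name)
        if measured is None:
            issues.append("not exercised")
        else:
            if measured["restore_hours"] > target["rto_hours"]:
                issues.append(f"RTO missed: {measured['restore_hours']}h > {target['rto_hours']}h")
            if measured["backup_age_hours"] > target["rpo_hours"]:
                issues.append(f"RPO missed: backup {measured['backup_age_hours']}h old > {target['rpo_hours']}h")
        findings[name] = issues
    return findings


def odpc_deadline(aware_at):
    """Latest time the ODPC must be notified, given when the breach was discovered."""
    return aware_at + ODPC_NOTIFICATION_WINDOW


def notification_status(aware_at, now):
    """Human-readable countdown to the Section 41 deadline, or 'overdue'."""
    remaining = odpc_deadline(aware_at) - now
    if remaining <= timedelta(0):
        return "overdue"
    return f"{remaining.total_seconds() / 3600:.1f}h remaining"


if __name__ == "__main__":
    for function, issues in evaluate_test(BIA_REGISTER, TEST_RESULTS).items():
        print(f"{function}: {'OK' if not issues else '; '.join(issues)}")
    aware = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    print("ODPC deadline:", odpc_deadline(aware).isoformat())
```

Any non-empty finding is an item for the remediation plan that must be closed before the next review cycle.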
For regulated institutions in Kenya, board approval of the Business Continuity Plan is a regulatory requirement. The Central Bank of Kenya's Prudential Guideline CBK/PG/19 requires the board of directors of every licensed institution to approve the BCP, review it annually, and receive regular reports on BCP testing outcomes and incidents. The board is responsible for setting the organisation's risk tolerance and confirming that the BCP adequately protects depositors, policyholders, and the other parties involved. The Capital Markets Authority (CMA) imposes similar board governance obligations on licensed capital markets intermediaries. For private companies registered under the Companies Act No. 17 of 2015 that are not subject to specific sectoral regulation, board approval of the BCP is a governance best practice rather than a legal requirement — but development finance institution lenders and international procurement processes increasingly require evidence of board-approved BCPs as part of their operational risk assessments. The board resolution approving the BCP should record the date of approval, the review cycle, and the designated BCP owner.
A Kenya Business Continuity Plan and the Data Protection Act No. 24 of 2019 are directly connected. Section 41 of the Data Protection Act requires a data controller to notify the Office of the Data Protection Commissioner (ODPC) of a personal data breach within 72 hours of becoming aware of it. Section 25 requires data controllers to implement appropriate technical and organisational measures to protect personal data against accidental loss, destruction, or damage. A BCP satisfies both obligations by documenting the IT disaster recovery procedures that protect data availability, and the incident response protocol — including the ODPC notification procedure — that activates the moment a breach is detected. Without a pre-planned BCP, organisations typically miss the 72-hour notification window because staff are improvising their response rather than executing documented procedures. The ODPC may impose fines of up to KES 5 million or 1% of annual gross turnover on data controllers that fail to implement adequate security measures. A well-documented and tested BCP is the most effective evidence of compliance with Section 25 of the Data Protection Act in the event of an ODPC investigation or audit.
A Kenya Business Continuity Plan should be tested and reviewed on a regular, documented schedule. The Central Bank of Kenya's Prudential Guideline CBK/PG/19 requires regulated institutions to test their BCPs at least annually using a combination of tabletop exercises, simulation drills, and — at least every two years — full failover tests that activate the alternate site and IT recovery systems. Testing results must be documented, gaps identified, and remediation plans implemented before the next review cycle. Beyond regulatory requirements, the Business Continuity Institute (BCI) Good Practice Guidelines recommend three levels of exercise: tabletop reviews (quarterly), functional exercises (biannually), and full simulation exercises (annually). A BCP must be reviewed — and updated as necessary — after every significant organisational change (new system implementation, new location, major staffing change), after every real incident, and at least annually regardless of changes. The review date, reviewer, and any changes made should be recorded in the BCP's version control log. An untested or outdated BCP is unlikely to function effectively during a real crisis and will not satisfy the CBK's requirements for a valid business continuity compliance submission.
A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are related but distinct documents. A BCP covers the full scope of an organisation's response to a disruption — people, premises, processes, suppliers, communications, and technology — and addresses how critical business functions will continue to operate during and after an incident. A Disaster Recovery Plan (DRP) is a subset of the BCP that focuses specifically on IT systems and data recovery — it details how servers, applications, databases, and network infrastructure will be restored after a failure. In Kenya, the Central Bank of Kenya's Prudential Guideline CBK/PG/19 requires both documents as components of an institution's Business Continuity Management (BCM) framework. The BCP sets the recovery time objectives (RTOs) and recovery point objectives (RPOs) for all business functions, and the DRP provides the technical procedures by which the IT team achieves those objectives for systems. Organisations that have only a DRP — addressing IT recovery — are typically unprepared for non-IT disruptions such as the loss of premises, a key personnel crisis, or a supply chain failure. The ISO 22301:2019 standard, adopted by Kenya Bureau of Standards (KEBS) as KS ISO 22301, provides a detailed framework for integrating the BCP and DRP into a unified Business Continuity Management System.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.