Business continuity planning is often treated as a technical or operational exercise — but it should be a matter of strategic concern at board level. Trustees and non-executive directors are not expected to write continuity plans themselves, but they do have a role in asking the right questions, seeking assurance, and ensuring that continuity is embedded into the organisation’s governance and risk framework.
This guide outlines how board members can engage meaningfully with business continuity and resilience — even if they are not continuity specialists.
The Board’s Legal and Strategic Role in Continuity
For charities and companies alike, the board carries legal responsibility for managing the organisation’s affairs and ensuring it can continue to meet its objects or deliver services. This includes planning for significant disruption, safeguarding assets, and protecting reputation.
UK charity law and company law both emphasise the duty to act with reasonable care, skill and diligence. That includes ensuring that business continuity plans are:
- Proportionate to the scale and nature of the organisation
- Linked to core risks
- Reviewed and tested
- Known and understood by those who would activate them
Continuity should also be seen as a component of good risk management and strategic planning — not a separate technical function.
What Questions Indicate an Informed Board?
A board member does not need to be an expert in emergency planning to add value. The most important contribution is thoughtful scrutiny. Helpful questions include:
- What are the key risks that could disrupt our services or operations?
- Do we have documented business continuity plans that are reviewed regularly?
- Who owns those plans — and who is responsible for activating them?
- How would we communicate with stakeholders in a crisis?
- When was the last time our continuity arrangements were tested?
- Do our continuity plans link to our disaster recovery plan and IT dependencies?
- Is continuity built into how we work — or left to chance?
By asking these questions, board members model the seriousness with which continuity should be treated — and help set the tone for an organisation that is genuinely resilient.
How to Read a BCP Without Getting Lost
Business continuity plans can vary in length and detail. A trustee or non-executive director need not absorb every operational step — but should understand the broad structure and strategic implications.
Look for:
- A clear activation process (how and when the plan is triggered)
- Defined roles and responsibilities
- Prioritised critical activities or business processes
- Communications strategies for internal and external audiences
- Continuity arrangements (e.g. remote working, relocation, manual processes)
- A link to the business impact analysis (if one exists)
- Evidence of recent testing or exercising
- Review schedules and named owners
If these elements are missing, fragmented, or out of date, assurance is likely to be weak.
Red Flags in Continuity and Resilience Planning
The board should take notice if any of the following are observed:
- Continuity plans are not documented or are out of date
- Key personnel are unaware of their roles in a crisis
- No link between continuity and IT recovery or cyber risk
- Testing is overdue or purely theoretical
- Continuity is siloed in one team with no organisational buy-in
- Dependencies on third parties (e.g. suppliers, landlords) are undocumented
- Staff assume continuity “will be handled by someone else”
These are not just technical issues — they are governance risks. Boards must be confident that continuity planning is grounded, tested, and embedded in operational culture.
Linking Continuity to Financial and Reputational Risk
Continuity failures often have severe financial consequences — from lost revenue and contractual breaches to grant clawbacks and insurance disputes. They also damage public trust, donor confidence, and regulatory standing.
Board members should consider:
- Whether continuity risks are reflected in the risk register
- The adequacy of reserves and liquidity planning
- Insurance coverage and business interruption provisions
- The reputational impact of service failure or poor incident response
- Whether continuity risks feature in strategic decision-making (e.g. taking on new premises, merging, digital transformation)
Resilience is not just about reacting to crisis — it is about making decisions with downstream consequences in mind.
When to Seek Assurance from Third Parties
In some cases, independent assurance may be appropriate. This might include:
- Commissioning a business continuity or resilience review
- Asking auditors or internal governance teams to assess readiness
- Requesting a desktop exercise or scenario test with board observation
- Engaging legal or risk specialists to map compliance duties
Boards may also want to confirm that key partners — such as IT providers, contractors, or grant recipients — have their own continuity arrangements in place. Even a well-managed dependency can quickly become a single point of failure if it is not tested.