Back to all our Insights
The Role of BCP
Knowledge

The Role of BCP in Facing Disruptions Such as Demonstrations and Unexpected Events

No one wants to start the day with news that the streets are closed due to large-scale demonstrations. Yet in reality, access to the office can be blocked, teams scattered, and client service schedules still waiting. At times like this, improvisation often leads to panic. A Business Continuity Plan (BCP) ensures that business operations do not stop by providing clear, measurable, and actionable guidance.

What Is BCP?

A Business Continuity Plan (BCP) is a plan developed by an organization to ensure business continuity, particularly to keep critical or essential operational processes running despite disruptions. The focus is not only on recovery but also on the ability to continue delivering operational services. In best practice, BCP is aligned with standards such as ISO 22301, where the plan does not depend on individuals but on a documented management system that is regularly tested and updated.

Why Is BCP Important During Demonstrations & Unexpected Events?

Social disruptions, such as demonstrations, often arise suddenly, as occurred at the end of August 2025. These situations limit physical access, require rapid decision-making, and demand clear coordination of communication and operational instructions to avoid confusion. Without a BCP, organizational responses tend to be reactive. With a BCP, however, organizations have measurable scenarios that ensure services remain operational, data and systems are protected, and recovery is carried out according to realistic Recovery Time Objectives (RTO), without exceeding the tolerance limit acceptable to stakeholders, known as the Maximum Allowable Outage (MAO).

Key Foundations & Components of BCP Based on ISO 22301

  • Business Impact Analysis (BIA): Mapping of critical processes, identifying dependencies (applications, vendors, locations), and assessing potential impacts if processes are disrupted. (Download BIA)

  • Maximum Allowable Outage (MAO): The tolerance limit of downtime acceptable to stakeholders when the organization cannot operate.

  • Recovery Time Objective (RTO) & Recovery Point Objective (RPO): Agreed recovery targets for time and data loss tolerance for each service, across functions.

  • Alternative Operations Strategy: Options for maintaining operations, such as work-from-anywhere, backup site/cloud usage, work area recovery, or capacity redirection.

  • IT Disaster Recovery (DR): Includes encrypted backups, regular restore testing, recovery guidelines (BCP), access controls (VPN, MFA), and compliance with the Personal Data Protection Law (UU PDP).

  • Crisis Communication Plan: Escalation channels, spokesperson appointments, update frequency, and ready-to-use message templates.

  • Critical Vendor Management: SLA provisions during crises, emergency contacts, and ensuring vendor BCP/DRP compatibility with the organization.

  • Governance & Roles: Decision-making structures and authorities during crises, e.g., Incident Commander, IT Recovery Lead, Crisis Management Team.

What Needs to Be Ensured When Running BCP?

Organizations must ensure proper storage and regular testing of all elements supporting business continuity, including: cross-functional and critical vendor emergency contact lists; secure repositories of emergency access and credentials (VPN, MFA, admin accounts); simple and operational priority service recovery BCPs; standard communication references for employees, key clients, and the public; alternative capacity (e.g., backup site/cloud, telephony or ticketing backup); and quick decision lists regarding which activities can be postponed without breaching contracts or SLAs. All these elements should be centralized and easily accessible during crises, rather than scattered across hard-to-track channels.

BCP KPIs and Metrics

The readiness level of a BCP can be monitored through several indicators, including: declaration time (interval from incident occurrence to BCP activation), compliance rate with RTO/RPO for each service, recovery duration compared to target, number of drill findings resolved each quarter, and client satisfaction scores after incidents. Trend analysis of these metrics provides management with the basis for determining additional investments—whether in capacity enhancement, recovery automation, or strengthening cross-functional coordination.

BCP vs DRP

A Business Continuity Plan (BCP) focuses on sustaining business processes—including services, customers, human resources, communication, and operations—to keep business running despite disruptions. Meanwhile, a Disaster Recovery Plan (DRP) focuses on restoring IT capabilities, such as servers, databases, applications, networks, and data, so that the technological foundation returns to normal.

In essence, the difference lies in their roles: BCP determines service priorities and recovery sequences, while DRP executes technical recovery steps according to those priorities. Therefore, both must be designed, tested, and executed in an integrated manner to complement each other in safeguarding organizational continuity.

Common Mistakes

Many business continuity plans fail during crises because they were developed without a Business Impact Analysis (BIA), making them generic and impractical. Other common mistakes include setting overly ambitious RTO/RPO targets without sufficient technical support; never conducting drills, leaving the BCP unused until panic strikes; neglecting vendor readiness, which often becomes the weakest link in the service chain; and leaving documents outdated despite changes in systems or organizational structure.

Conclusion

Disruptions and crises never wait for the “right time” or for organizations to be fully prepared. With a Business Continuity Plan (BCP), uncertainty can be translated into concrete steps: services remain operational, teams understand their roles, and clients feel supported. The most honest question for every organization is: “If tomorrow morning the office is inaccessible due to a demonstration, will your services still run?”

Need practical, tested Business Continuity Management (BCM) tailored to your business context? Robere & Associates (Indonesia) is ready to support you, starting from initial identification, conducting Business Impact Analysis (BIA) (Download BIA) and Risk Assessment, defining RTO/RPO, drafting the BCP, training your teams, to conducting drills in line with ISO 22301 standards.

Contact Robere & Associates today, so when disruptions happen, your business keeps running without interruption.

OTHER INSIGHT POSTS
Good Governance Is Not a Choice, but a Necessity for Business Success Knowledge
What Is ISO 37001: How Modern Organizations Build Integrity and Trust Knowledge
Consult with us