Business Continuity Planning for Charities: A Practical Guide | LegalDocuments.co.uk

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
Running a charity means carrying responsibility for people who depend on you: beneficiaries, staff, volunteers, funders and the wider public. When something goes wrong, whether that's a cyber incident, a funding shock, a key staff departure or a physical emergency at your premises, the trustees are expected to have thought ahead. A business continuity plan (often shortened to BCP) is the document and process that shows you have. This page, written from my experience working with charity trustees and operations leads, walks through what a continuity plan actually needs to cover, where the legal expectations come from, and how to build one that is proportionate to the size and complexity of your organisation. It is aimed at trustees, CEOs, and operations managers of registered charities and charitable incorporated organisations (CIOs) in England and Wales.

Overview

A business continuity plan for a charity is a written framework that sets out how the organisation will keep critical functions running when something disrupts normal operations. It is not the same as a disaster recovery plan (which tends to focus narrowly on IT systems) and it is not the same as a risk register (which lists threats without necessarily saying what you will do about them).

A BCP sits between the two: it identifies the services and activities that absolutely must continue, the minimum resources needed to keep them going, and the people who will make decisions when the pressure is on. For charities specifically, the plan needs to reflect the charitable objects.

If your mission is to feed vulnerable people or provide emergency accommodation, continuity is not just an operational preference: failing to deliver may mean real harm to beneficiaries. The Charity Commission expects trustees to manage risk in a way that is proportionate to the charity's size, income and activities.

A small community group does not need the same 80-page document as a national charity with multiple sites, but both need something written down, tested, and reviewed.

Key steps

  1. Identify your critical activities. Start by listing every service, activity and function the charity delivers, then mark which ones cannot stop without causing significant harm to beneficiaries, breaching funder agreements, or damaging the charity's reputation. Be honest: not everything is critical, and trying to protect everything equally means protecting nothing well. This prioritisation is the foundation of the whole plan.
  2. Assess the threats that matter to your charity. Work through the realistic scenarios that could disrupt those critical activities: loss of premises, IT failure or ransomware, loss of a key member of staff, supply chain failure, a safeguarding incident, funding withdrawal, or a reputational crisis. For each, think about likelihood and impact. A charity with one paid member of staff faces very different risks from one with fifty, and your plan should reflect that reality rather than a generic template.
  3. Decide on mitigation and response measures. For each significant risk, set out what you will do to reduce the chance of it happening and what you will do if it does. This might include cloud backups, dual signatories on bank accounts, cross-training between staff, reserves policies, insurance cover, alternative premises arrangements, or pre-agreed communications templates. The point is to make decisions in calm conditions so you are not improvising in the middle of a crisis.
  4. Set clear roles, communications and escalation routes. A plan that does not say who does what is not really a plan. Identify who leads in a disruption, who deputises if they are unavailable, how trustees are notified, and how you will communicate with beneficiaries, staff, funders, regulators and the press. Include out-of-hours contact details and a documented process for reporting serious incidents to the Charity Commission where the reporting threshold is met.
  5. Test, review and record. A continuity plan that sits in a drawer is worse than useless because it creates false confidence. Run tabletop exercises at least annually, update the document after any real incident or significant change to the charity, and present it to the trustee board for formal review. Keep a dated version history so you can evidence that the trustees are actively managing risk, which is what the Charity Commission expects to see.

Common questions

Q Is a business continuity plan legally required for charities?
There is no single statute that says every charity must have a BCP by that name. However, trustees have a general duty to manage risk proportionately, and the Charity Commission's published guidance on risk management makes clear that identifying and responding to threats to the charity's activities is part of running a well-governed organisation. In practice, most funders, insurers and regulators will expect to see some form of continuity planning.
Q How detailed does our plan need to be?
The Charity Commission's expectation is proportionality. A small unincorporated charity with a handful of volunteers may only need a short document covering the main risks, key contacts and critical activities. A larger charity with employees, premises, service users and restricted funding should have something more substantial, including scenario testing and trustee-level review. The test is whether the plan genuinely reflects how your charity operates, not how long it is.
Q Who should write and own the continuity plan?
Ultimate responsibility sits with the trustees as part of their governance duties, but day-to-day ownership is usually held by the CEO, operations lead or a designated trustee. In small charities, a trustee with relevant experience often drafts it. What matters is that the board formally adopts the plan, reviews it regularly, and that at least two people other than the author understand how to use it in a crisis.
Q How does a BCP interact with our risk register?
They work together but serve different purposes. The risk register lists the risks the charity faces with an assessment of likelihood and impact. The continuity plan translates the most serious of those risks into actionable responses: what we will do, who does it, and how we keep critical services running. One without the other tends to leave gaps. Trustees should review both at the same meeting where possible.
Q Do we need to report serious disruptions to the Charity Commission?
The Commission expects trustees to report serious incidents that have caused or could cause significant harm to beneficiaries, staff, property, finances or the charity's reputation. A major disruption may trigger this duty depending on the facts. Your continuity plan should flag when a situation crosses that threshold and set out who makes the report. Check the current serious incident reporting guidance on gov.uk for detail on what qualifies.
Q How often should we test and review the plan?
Review the plan at least annually, and run a practical test, such as a tabletop exercise walking through a scenario, at least once a year as well. You should also refresh the plan after any real incident, a significant change in activities, a change in premises, or a change in senior personnel. Version control and dated trustee minutes help you evidence that the plan is alive rather than ornamental.
Q What is the difference between a BCP and a disaster recovery plan?
Disaster recovery tends to focus on restoring IT systems and data after a technical failure. Business continuity is broader: it covers how the whole organisation keeps delivering its charitable purposes when anything material goes wrong, including people, premises, funding and reputation. A good BCP will reference disaster recovery for IT, but it should not be limited to it. For most charities the wider operational view is what trustees are accountable for.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.