Business Continuity Plan (BCP): How Boards in Kenya Protect Company Performance

Disruption is no longer the exception in Kenya’s business environment. It is the operating condition. The boards that protect company performance are not the ones that react fastest; they are the ones that planned before the crisis arrived.

What Is a Business Continuity Plan and Why It Is a Board Responsibility

A business continuity plan (BCP) is a documented, board-approved framework that defines how an organisation will maintain critical operations, protect key assets, and recover core business functions during and after a disruptive event. According to Gartner, business continuity planning is a broad disaster recovery approach whereby enterprises plan for recovery of the entire business process, including workspaces, telephones, workstations, servers, applications, network connections, and any other resources required in the business process.

But the BCP definition does not capture its full strategic weight. For Kenyan boards, a business continuity plan is not primarily a technical document. It is a governance instrument, one that determines whether the organisation can sustain revenue, retain customers, meet regulatory obligations, and protect its reputation when everything is going wrong at once.

Business continuity planning is a board-level responsibility because the consequences of its absence land squarely at the board level: regulatory sanctions, shareholder losses, reputational damage, and in extreme cases, institutional failure.

The Kenyan Context: Why BCP Has Never Been More Urgent

Kenya’s business environment in 2025 presents a risk profile that demands structured continuity planning at every level of the organisation, from the front line to the boardroom.

Kenya’s economy showed resilience with growth hovering around 4.8% in 2025, but commercial banks are operating in a challenging environment characterised by tight cashflows, weak business activity, and mounting public sector arrears, with non-performing loans climbing to 17.6% of gross loans by end-August 2025, up from 16.4% at end-2024.

Analysts warn that elevated credit risks, high interest rates, delayed government payments, and an unfavourable business environment will continue to pose challenges for the sector in the short term, even as the Central Bank of Kenya maintains that the banking industry remains adequately capitalised and well-positioned to withstand shocks.

Beyond financial sector pressures, the broader risk landscape includes cybersecurity threats, climate shocks (particularly relevant given agriculture’s 24.4% share of GDP), infrastructure vulnerabilities, political disruptions, and the accelerating complexity of digital operations. The CBK’s regulatory focus has expanded in 2025 to include risk-based supervision, AML/CFT obligations, digital payment oversight, and climate risk reporting, signalling that regulators expect boards to be managing a far wider risk surface than a decade ago.

Each of these risks is a BCP trigger. A board without a tested business continuity plan is operating without a safety net in an environment that has made falls more frequent.

What a Business Continuity Plan Must Contain

A business continuity plan is not a crisis communications document or a disaster recovery checklist. It is a comprehensive management framework. For Kenyan boards, a BCP that meets both regulatory expectations and operational realities must contain the following components:

1. Business Impact Analysis (BIA)

The BIA is the analytical foundation of every effective business continuity plan. It identifies the organisation’s critical business functions, maps the dependencies that support them (people, processes, technology, third-party vendors, and physical premises), and quantifies the impact of their disruption in terms of revenue loss, regulatory exposure, reputational damage, and operational paralysis.

Gartner’s operational resilience framework emphasises going beyond traditional risk assessments to incorporate an end-to-end view of dependencies, analysing that view within a risk control self-assessment methodology and applying the insights gained to the existing BIA (Business Impact Analysis) framework to ensure operations recovery strategies align with business continuity and disaster recovery plans.

Without a current, accurate BIA, a BCP is built on assumptions that will fail under pressure.

2. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

Every critical business function identified in the BIA must have a defined RTO (the maximum acceptable time to restore the function after disruption) and an RPO (the maximum acceptable data loss, measured in time). These are board-approved parameters, not technical decisions. They reflect the organisation’s strategic priorities and risk appetite, and they anchor every recovery strategy in the plan.

3. Business Continuity Arrangements for Each Critical Function

The core of the BCP is the set of specific arrangements (alternative workspaces, backup systems, emergency staffing protocols, supplier redundancy, communication cascades) that enable each critical function to continue or be restored within its RTO. PwC’s enterprise resilience framework identifies the Minimum Viable Company (MVC) analysis as a central element, defining the smallest set of critical business services and capabilities essential for survival and recovery, and testing those components to gain clear visibility into risk exposure and strengthen strategic decision-making.

For Kenyan boards, MVC thinking is particularly powerful: it forces a board-level conversation about what the organisation absolutely cannot lose, and directs continuity resources accordingly.

4. Crisis Management and Communication Protocols

A business continuity plan must include clear protocols for crisis declaration, command structures, stakeholder communication (internal and external), and media management. In Kenya’s connected information environment, reputational damage during a crisis can move faster than operational recovery. Boards that have not pre-approved crisis communication frameworks are improvising in the worst possible moment.

5. BCP Testing and Maintenance Schedule

PwC’s resilience advisory practice cautions that simply performing check-the-box compliance resilience steps rarely actually helps organisations when true disruption hits, emphasising that truly building a programme with effective resilience in mind is critical, and that if organisations do this well, they will be ready when disruption hits.

A BCP that is written but not tested is a false assurance. Kenyan boards must mandate regular BCP testing, including tabletop exercises, simulation drills, and full activation tests, and receive results directly, with evidence that gaps are being closed.

The Board’s Specific Responsibilities in Business Continuity Planning

Business continuity management is a board accountability, not a management-delegated function. Gartner’s BCM governance framework establishes that without a governance framework in place, BCM programme improvement and maturity will not progress as needed in the desired timeframe, and BCM professionals must use governance frameworks to establish oversight according to the organisation’s business model and availability needs.

This translates into five specific board obligations:

Approve the BCP and review it annually. The business continuity plan is a board-approved document. It is not approved once at formation and left to gather institutional dust. Kenya’s risk environment changes materially year to year; what was adequate in 2023 may be critically inadequate in 2025.

Set the organisation’s risk appetite for disruption. The board must define explicit tolerance levels for downtime, data loss, revenue impact, and service degradation. These parameters drive every technical and operational decision in the BCP.

Ensure BCP is integrated with enterprise risk management. Operational resilience, a more mature level of resilience than disaster recovery and BCP alone, requires a strong framework that integrates operational risk management and business continuity programmes, moving beyond isolated points of failure to encompass the full spectrum of factors that support continuous product and service delivery. Boards that treat BCP as separate from ERM are managing risk in silos.

Receive and act on BCP test results. Testing without board-level review is theatre. The board must see test outcomes, challenge failure points, and hold management accountable for closing gaps within defined timeframes.

Ensure regulatory compliance. The Business Laws (Amendment) Act, 2024 empowers the CBK to impose penalties for non-compliance with the Banking Act, prudential guidelines, or CBK directives of up to KSh 20 million or three times the monetary gain, whichever is higher. Business continuity arrangements are increasingly a regulatory expectation, not a voluntary best practice. Boards in regulated sectors must ensure their BCP meets CBK, CMA, and sector-specific requirements.

The case for BCP investment is not only about surviving crises. It is about protecting the performance trajectory that boards are accountable for delivering.

According to a McKinsey Global Survey, 60% of executives now cite building operational resilience as a top strategic priority, overtaking traditional drivers like cost control and even innovation, with the COVID-19 pandemic, geopolitical instability, inflation shocks, supply chain disruption, and rapid technological change having exposed the fragility of conventional operating models.

PwC research found that only 33% of respondents are very confident in their current resilience capabilities to help them navigate a range of disruptions — a figure that should concern every Kenyan board, given that the organisations in that 67% majority are carrying continuity risk they may not have quantified.

Research on Kenyan organisations specifically confirms the performance link. Business continuity planning plays a critical role in the performance and success of organisations, helping institutions prepare for unexpected disasters and crises, enabling them to continue operations in the event of such incidents, minimise disruptions, ensure continued operations, and protect their long-term interests, contributing to better business performance.

The same research found that some managers in Kenyan organisations lack strategies to design and implement suitable, adequate, and effective business continuity management systems, a governance gap that boards are uniquely positioned and obligated to close.

ISO 22301: The International Standard Kenyan Boards Should Know

The global benchmark for business continuity management is ISO 22301, the international standard for Business Continuity Management Systems (BCMS). It provides a structured methodology for planning, implementing, monitoring, and improving an organisation’s ability to protect against, reduce the likelihood of, respond to, and recover from disruptive incidents.

For Kenyan boards, ISO 22301 alignment signals governance maturity to institutional investors, international partners, and regulators. It also provides the testing and audit discipline that turns BCP from a static document into a dynamic operational capability. Organisations operating in sectors with high continuity expectations (banking, insurance, telecommunications, public services) should treat ISO 22301 certification as a board-level priority, not a technical team initiative.

What High-Performing Kenyan Boards Do Differently on Business Continuity

The boards that protect company performance through disruption are not simply the ones with the thickest BCP binders. They are the ones where continuity thinking is embedded in how the board operates:

They treat BCP as a strategic asset, not a compliance artefact. The business continuity plan is reviewed in the same cycle as the strategic plan, because disruption scenarios directly affect which strategic objectives are achievable and at what cost.

They demand living BCPs, not static documents. Plans are updated after every material change to the business (new markets, new technology platforms, workforce changes, regulatory shifts), not only after a crisis or a failed audit.

They build continuity into vendor and partner governance. Third-party failures are among the most common BCP triggers. Boards must ensure supplier contracts include continuity requirements, and that third-party BCPs are audited alongside the organisation’s own.

They connect BCP to board-level crisis readiness. True operational resilience allows an organisation to maintain critical operations during disruption and requires the integrated activation of various types of response plans and escalation up to the crisis management plan — with disruptions creating ripple effects across companies’ strategic plans and supply chains, forcing companies to rethink revenue growth, financial performance, sourcing strategies, cost structures, and operations. Boards that have rehearsed their crisis protocols, including their own decision-making roles, respond faster and more decisively when disruption materialises.

They invest in resilience for strategic reasons, not compliance ones. PwC’s resilience advisors consistently observe that measuring current enterprise resilience capabilities and tracking them regularly is important both for board and customer confidence, and will also help with readiness for regulatory compliance. Resilience built for strategic reasons delivers compliance as a byproduct. Compliance-built resilience rarely delivers strategic value.

A business continuity plan is not what your operations team produces to satisfy a regulator. It is what your board approves to protect everything the organisation has built: its revenue, its reputation, its people, and its ability to serve its customers when it matters most.

In Kenya’s current environment, with rising NPLs, tightening CBK requirements, accelerating cybersecurity threats, and growing climate risk, disruption is not a remote possibility to be planned for hypothetically. It is a recurring operating condition to be governed for strategically.

The boards that understand this are building continuity plans that are tested, current, board-owned, and directly connected to company performance. The boards that do not understand this are one significant disruption away from finding out the cost of that gap.
