The average small business owner has heard “you need a business continuity plan” roughly a hundred times and done nothing about it. The reason isn’t laziness — it’s that every template they find looks like a government procurement document. Thirty-seven sections. Appendices. A dedicated paragraph on “plan governance.” Nobody is reading that under pressure.
Here’s the honest truth: a business continuity plan that lives in a binder on a shelf is worse than useless because it creates false confidence. What actually works is a single, laminated page — or a shared document pinned to your team’s Slack channel — that answers five questions clearly and fast. This article walks you through building exactly that, with the specific fields that matter and the ones you can safely ignore.
1. Start With Your Three Worst Scenarios, Not a Hundred
Most contingency plan templates ask you to catalog every conceivable risk. Flood, cyberattack, pandemic, power outage, key employee departure, supply chain collapse, earthquake, vendor bankruptcy — the list becomes paralyzing. Instead, identify the three scenarios most likely to actually interrupt your specific business operations in the next 12 months.
A Fort Lauderdale restaurant should prioritize hurricane disruption, a sudden health inspection closure, and the loss of a head chef. A Naples-based financial advisory firm should focus on a ransomware attack, the death or incapacitation of a principal, and a critical software vendor going down. A one-person e-commerce shop in Portland needs to think about fulfillment partner failure, a website outage, and personal illness. These aren’t generic — they’re yours. Write them down as three named scenarios at the top of your one-pager. This constraint forces clarity and makes the plan usable.
The Federal Emergency Management Agency’s Ready.gov business continuity resources offer a solid risk-identification checklist if you want a structured starting point. But don’t let the full checklist become your plan — use it to pick your three, then move on.
2. Define Your Recovery Time Objective in Plain Numbers
A Recovery Time Objective (RTO) is simply the maximum amount of time your business can be down before the damage becomes unacceptable. Not “as soon as possible” — an actual number. Four hours. Two days. One week. Different operations within the same company can have different RTOs, which is why you need to be specific.
For most small businesses, the critical functions break into three tiers. Tier one is revenue-generating activity — taking orders, processing payments, delivering services. These typically need to resume within 24 to 48 hours or you start losing customers permanently. Tier two is communication — being able to reach clients, staff, and vendors. This needs to happen within hours. Tier three is everything administrative — invoicing, payroll processing, reporting. These can usually wait three to five business days without catastrophic consequence.
Write your RTO as a two-column table on your one-pager: function on the left, maximum downtime on the right. Five rows maximum. If you’re tempted to list twenty functions, you’re writing a different document. Keep it to the ones where a wrong answer costs you clients or cash.
3. Name One Human Responsible for Each Scenario
Every business continuity plan that fails in practice fails for the same reason: it says “the team will” instead of “Maria will.” Distributed responsibility is no responsibility. For each of your three worst-case scenarios, one person’s name goes on that page as the decision-maker and coordinator. Not a job title — a name.
This person doesn’t have to do everything. They have to make calls, assign tasks, and communicate status. In a five-person company, this might be the owner for two scenarios and the operations manager for one. In a solo operation, it’s you, and that’s a signal you need a backup contact — a trusted colleague, a business attorney, or a spouse — who knows where your passwords and vendor contracts live.
The named-person model also surfaces a hidden risk most contingency plans ignore: what if that person is the one who’s incapacitated? Write a secondary contact for each scenario. Two names, not a committee. This single habit — naming humans instead of roles — is what separates plans that get executed from plans that get ignored.
4. List Your Five Most Critical Vendor and Tool Dependencies
Business continuity risk doesn’t always come from dramatic events. It often comes from a SaaS platform going down, a supplier going out of business, or a payment processor freezing your account. Your one-pager needs a short inventory of the external dependencies that would stop your business cold if they disappeared tomorrow.
Limit this to five. Be ruthless. For a typical small business, the list looks something like: point-of-sale or e-commerce platform, cloud storage or backup provider, primary supplier or manufacturer, business bank account, and communications tool (email, phone system, or both). Next to each one, write the name of an immediate alternative — a competitor platform you’ve already researched, a secondary supplier you’ve already contacted, a backup bank account you already have open.
The word “already” is doing a lot of work in that sentence. Researching alternatives during a crisis is exponentially harder than doing it now. A company in Naples that relies on a single HVAC parts distributor for its service contracts should have that second-source vendor relationship established before hurricane season, not during it. Thirty minutes of research today is worth hours of scrambling later.
5. Write Your First 90-Minute Checklist
When something goes wrong, cognitive load spikes and decision quality drops. The most valuable thing your business continuity plan can provide is a scripted first 90 minutes — a short checklist of actions that happen before anyone has to start improvising. Think of it as the pre-flight checklist pilots use not because they don’t know the steps, but because checklists prevent skipped steps under stress.
Your 90-minute checklist should have no more than eight items. A reasonable version for a small service business looks like this: (1) Confirm scope and severity of disruption — is this a two-hour problem or a two-week problem? (2) Notify the named scenario coordinator. (3) Send a brief status message to all active clients with an expected update time. (4) Assess whether staff should report in or stand down. (5) Check whether your backup systems are functional. (6) Contact your top three vendors to flag potential delays. (7) Document what happened and when. (8) Set a check-in time two hours out. That’s it. Eight steps, written in imperative language, executable by anyone on your team.
The U.S. Small Business Administration’s emergency preparedness guide has a useful framework for thinking about client communication during disruptions — worth reading once as you draft your checklist language.
6. Schedule a 20-Minute Annual Review
A business continuity plan written in 2021 that names a vendor you stopped using in 2022 and an employee who left in 2023 is actively misleading. The one-page format only stays useful if it stays current, and the only way it stays current is if you put a recurring calendar event on your schedule to review it.
Twenty minutes, once a year, is genuinely sufficient for a one-pager. Check that the named humans are still in their roles. Verify that the vendor alternatives are still in business and that you still have accounts with them. Confirm that your RTOs still reflect how your business actually operates — a company that doubled in size may now have a 12-hour RTO where it once had a 48-hour one. Update any phone numbers, account credentials references, or tool names that have changed.
If you want to go further, run a tabletop exercise once a year: sit down with your team for 30 minutes and walk through one of your three scenarios out loud. Ask “what would we actually do?” and see where the plan holds and where it doesn’t. This isn’t complicated risk management theater — it’s just a conversation. The gaps it reveals are almost always fixable before they become expensive.
A one-page business continuity plan won’t cover every edge case, and it’s not supposed to. Its job is to give your business a fighting chance in the first 48 hours of a real disruption — when clarity is scarce, stress is high, and the decisions you make set the trajectory for everything that follows. Build it lean, keep it honest, and make sure the people who need it know exactly where to find it. That’s the whole game.