Business continuity planning is not just about backups!

/ Technical
May 21st, 2010

business continuity is not just about backups

The number of businesses I speak to who don’t have a Business Continuity Plan (BCP) is horrendous. I usually get the stock reply of “but we do backups”. Creating backups is not preparing your business for all potential eventualities that could hinder, damage or destroy your operations.

Anyway, regarding backups – the problem is that it can take days to get a business up and running again using normal data/system backups. And that’s even if you have the spare hardware (servers, etc) to restore onto at hand. What if you don’t have spare hardware to hand? Actually, if you haven’t recently tested restoring your systems, how can you be sure you’ll get operational at all?

We all know the scarily high statistics about companies without Business Continuity Plans going to the wall, so I’m still surprised by how many companies are prepared to take huge risks by not having trusted plans in place.

What to include in a business continuity plan

Here are an initial six things to start thinking about when business continuity planning comes onto your agenda:

1. Determine how long you can live without data and systems

Deciding this will directly influence your Recovery Time Objective (RTO) which is a key variable in your BCP. You probably have an understanding of the time you can afford to lose with no access to key systems and data, and how many hours or days of lost data you could arguably manage without. Once you define this, you can effectively balance desired recovery times and risk tolerance against a budget.

2. Plan for all eventualities

Downtime, whether it rears its head through a fire, flood, power outage, chemical leak, transport strike, malware attack, hardware failure, terrorism or even a flu pandemic, will hurt your business financially. You should consider all possibilities and have a documented strategy in your business continuity plan a documented strategy to deal with identified risks.

3. It’s more than just IT

As part of your business continuity planning process, you should be identifying key information, systems, people and processes, and how they all interact to keep your business running. Then envisage what would happen were you to lose any, or all, of these key ‘assets’. It’s easy to think that your IT infrastructure becoming unavailable is what would cause a lockup of business processes but key personnel becoming unavailable is just as impactful.

4. Scrutinise your suppliers

In business, it’s not just about you; you’re almost certainly reliant to some degree on other companies. It’s fine to have a well-thought-out continuity plan but do your key suppliers (cloud software vendors, IT providers, communication providers e.t.c.) have plans of their own in place? Can they ensure they can still deliver a service to you if they encounter problems or downtime? Send them an email or phone them up and ask.

5. Understand the technologies available

A few years ago, the only effective technologies to protect businesses from a disaster were notoriously expensive, typically aimed at large multinationals with generous budgets. Now virtualisation, replication and vaulting technologies will fit the SME budget. And if you’re astute, you’ll find you can implement some without charge due to the savings you’ll make from increased uptime.

6. Test & communicate the plan

There’s no point defining your business continuity plan and leaving it in a drawer. To be able to trust it, you need to prove it and tell people about it. Test it regularly, perhaps every 3 to 6 months or at the very least once a year. If the first time you test your plan is when an emergency occurs, then you could be in trouble.

You need to ensure that the human side of the business continuity plan is tested and proven, not just the IT parts: make sure everyone in the organisation is aware of the procedures and what part they must play should the business continuity plan be invoked. The more you test, the more routine it will become and the slicker your recovery will be – saving you money and perhaps even the business itself.


The above is in no way a comprehensive list of items to consider – it’s just a number of elements to demonstrate there are other areas that need to be considered. You’ll find plenty of other resources on the QuoStar blog to help you plan. If you want to take things a step further then get in touch and we’ll see how we can help.

Here’s another way to think about it: You pay for insurance policies, you lock the server room, you close your windows, you put the building alarm on… but you don’t know how you’ll deal with a disaster? Madness!