Disaster Recovery Is Not Business Continuity
Many businesses confuse disaster recovery (DR) with business continuity planning (BCP). Disaster recovery focuses on restoring IT systems after an incident. Business continuity is broader â it ensures your entire business can continue operating during and after a disruption, whether that disruption is a cyber attack, natural disaster, supply chain failure, or loss of key personnel.
For Australian SMEs, a business continuity plan is not a luxury. Bushfires, floods, pandemics, and cyber attacks have all demonstrated that disruptions can strike any business at any time.
What a Business Continuity Plan Covers
A comprehensive BCP addresses critical business functions â which processes must continue for the business to survive, dependencies â what systems, people, suppliers, and facilities each function relies on, recovery strategies â how each function will continue if its dependencies are disrupted, communication plans â how you will communicate with staff, clients, and suppliers during a disruption, and testing and maintenance â regular exercises to ensure the plan works when needed.
Identifying Critical Functions
Not every business function is equally critical. A business impact analysis (BIA) ranks your functions by how quickly they must be restored. For a construction company, active project management and site safety may be critical within hours, while HR administration can wait days. For a law firm, client communication and trust account access are immediate priorities, while marketing activities can be deferred.
Rank each function with a maximum tolerable downtime. This drives your recovery strategy and resource allocation.
Common Disruption Scenarios
Cyber attack: Ransomware encrypts your systems. Can your business operate on paper or alternative systems while IT recovers? How do you communicate with clients if email is down?
Office inaccessibility: Fire, flood, or building damage prevents access to your workplace. Can staff work remotely? Do you have cloud-based systems accessible from any location?
Key person unavailability: Your only IT administrator, senior partner, or project manager is suddenly unavailable. Is their knowledge documented? Can someone else perform their critical tasks?
Supply chain failure: A critical supplier or service provider goes offline. Do you have alternative suppliers identified?
IT Considerations for Business Continuity
IT underpins most business functions. Your BCP should ensure cloud-based systems for accessibility from any location, tested backups with documented recovery procedures, alternative communication channels if primary systems fail, remote work capability for all critical staff, and documented IT procedures so recovery does not depend on a single person.
If your business still relies on on-premises servers for critical functions, consider the risk: a fire or flood at your office takes out both your workplace and your IT infrastructure simultaneously.
Communication During a Crisis
Communication is often the first casualty of a disruption. Establish an emergency contact list with personal mobile numbers and alternative email addresses. Identify a crisis communication lead â someone authorised to make decisions and communicate on behalf of the business. Prepare template communications for common scenarios (system outage notification, data breach notification, office closure). Consider an out-of-band communication tool â if your email and Teams are down, how do you reach staff? A simple group text message or WhatsApp group can serve as a backup.
Testing Your Plan
A plan that has never been tested is a plan that will fail. Schedule annual testing, starting with tabletop exercises (walk through a scenario and discuss responses), progressing to functional exercises (actually test specific procedures like restoring from backup), and eventually full simulation exercises (simulate a real disruption and execute the plan).
After each test, document what worked, what failed, and what needs updating. The plan is a living document â review and update it at least annually or whenever significant business changes occur.
Getting Started
You do not need a 100-page document. A practical BCP for an SME can be 10 to 15 pages covering your critical functions, recovery strategies, and communication plan. The important thing is that it exists, is tested, and is accessible when needed. Contact TechAssist to develop a business continuity plan for your organisation.
