Business Continuity Planning for Australian SMBs: A Practical Guide
A ransomware attack locks you out of your systems at 8am. Your backup was last tested six months ago. You don’t have a documented recovery process. Your manager asks: “How long until we’re back up?” You don’t have an answer.
This is the moment a business continuity plan (BCP) proves its worth—or the moment you realise you should have written one.
Most Australian SMBs approach business continuity in reverse: they wait for a disaster, panic, and then make decisions under pressure. A BCP flips that. You decide in advance what systems matter, how quickly you need them back, and exactly how you’ll restore them. When disaster hits, you follow the plan instead of improvising.
Business Continuity vs Disaster Recovery: What’s the Difference?
Disaster Recovery (DR) is purely technical. It answers: “If our systems go down, how do we get them running again?” It’s about backups, failover systems, and recovery procedures.
Business Continuity Planning (BCP) is broader. It asks: “If disaster strikes, how do we keep the business running?” That includes IT recovery, but also alternative work locations, communication plans, supply chain alternatives, and how to keep clients informed.
A disaster recovery plan gets your servers back online. A business continuity plan gets your business back to normal.
What Should Your BCP Actually Cover?
A minimum viable BCP for an Australian SMB should address:
- Critical systems: Which IT systems must be restored first, and what’s the maximum acceptable downtime for each?
- Recovery procedures: Step-by-step instructions for restoring each system. Who does what, in what order?
- Backup and restore: Where are backups stored? How often are they tested? How long does a full restore take?
- Communication: How will you tell clients, staff, and suppliers what’s happened and when you’ll be back?
- Alternative work arrangements: If your office is inaccessible, where will people work? What systems do they need?
- Third-party dependencies: Which cloud services or external providers are you relying on? What happens if they’re down?
- Testing schedule: When and how will you test the plan?
- Contact lists: Who do you call first? Vendors, clients, insurance company, regulatory bodies?
You don’t need a hundred-page document. A five-page BCP covering these basics is infinitely better than no plan at all.
RTO and RPO: The Two Numbers That Matter Most
If you’re new to disaster recovery, you’ll hear about RTO and RPO. These are genuinely important—they shape your entire recovery strategy.
RTO (Recovery Time Objective) is the maximum acceptable downtime. If your email goes down at 9am, what’s the latest you can have it running again before the business suffers unacceptable damage?
For a marketing agency, email RTO might be 4 hours. For a ticketing company or emergency service, email RTO might be 30 minutes.
RPO (Recovery Point Objective) is the maximum acceptable data loss. If your system is restored from backup, how much recent work are you willing to lose?
If your RPO is 24 hours, you’re okay losing the last day’s worth of work. If your RPO is 1 hour, you need backups every hour.
For most SMBs: Email: RTO 4 hours, RPO 1 hour. Financial systems: RTO 2 hours, RPO 30 minutes. File storage: RTO 4–8 hours, RPO 1–4 hours. Website: RTO 24 hours, RPO 24 hours.
Write down your RTO and RPO for each critical system. Then make sure your backup and recovery plan can actually meet them.
Testing Your Plan: Why “We Have Backups” Isn’t Good Enough
The single biggest mistake SMBs make is assuming backups work. They don’t test, so they don’t know.
Testing doesn’t mean doing a full disaster recovery every month (that’s disruptive). But you should:
Monthly: Test restoring a random file from backup. Confirm it works. This takes 15 minutes.
Quarterly: Restore a non-critical system or a test copy of a critical system from backup. Time how long it takes. This reveals whether your RTO is realistic.
Annually: Run a full disaster recovery exercise. Treat it like the real thing. Mobilise your team, follow your procedures, and measure how long recovery actually takes.
Most SMBs find their first full recovery test is humbling. You discover that passwords aren’t documented, backups are corrupt, recovery takes three times longer than you thought, your RTO is unrealistic, and key staff don’t know the recovery procedure.
That’s why you test. Fix these problems now, not during a real emergency.
Common Business Continuity Gaps in Australian SMBs
No RTO/RPO targets. The plan says “restore quickly” but doesn’t specify four hours or two hours.
Backups not tested. Files haven’t been restored in years. When disaster hits, the backup is corrupt or the process is broken.
No alternative work arrangements. If the office is inaccessible (fire, flooding, lockout), staff work from nowhere.
Cloud dependency unaddressed. You rely on Office 365 or Xero but your plan assumes those services are always available.
Single points of failure. One person knows how to restore the critical system. They’re on holiday when the disaster hits.
No communication plan. You don’t have a list of client phone numbers, supplier contacts, or staff communication channels.
Outdated contact information. The plan lists a mobile number that’s no longer in use, email addresses for people who left the business.
Regulatory Requirements for Australian Businesses
Privacy Act 1988 (Cth): If you handle personal data, you have a responsibility to protect it and ensure you can continue processing it if systems fail.
Financial services: If you’re an AFS licensee or handle client money, ASIC expects documented procedures for managing operational risk, including business continuity.
Health sector: Australian Privacy Principles require a BCP if you handle health information.
Insurance: Your public liability or cyber insurance may require a BCP, or may exclude claims if you don’t have one. Check your policy.
Cloud vs On-Premises Recovery: What Actually Works for SMBs
Most SMBs face a choice: run IT on-premises (on servers in your office) or in the cloud (Office 365, AWS, etc). This affects your recovery strategy.
Cloud-first: Most new SMBs should start here. Cloud services (Office 365, Xero, Google Workspace) handle a lot of business continuity for you. Microsoft maintains backups, redundancy, and disaster recovery. You pay for the convenience, but it’s usually worth it for SMBs without in-house IT expertise.
Hybrid: You use cloud for some systems (email, file storage) and on-premises for others (accounting system, database).
On-premises: You run everything on local servers. You own the hardware and data, but you own the recovery problem too.
For an SMB, the simplest and safest approach is usually: cloud-first for email and file storage (Office 365 or Google Workspace), cloud backups for critical data, and documented recovery procedures for everything else.
Building Your Minimum Viable BCP: The Practical Steps
Step 1: List critical systems. Write down every system the business actually needs to function. For most SMBs, this is: email, file storage, accounting software, and your primary business application.
Step 2: Set RTO and RPO for each. For each system, ask: “How long can this be down?” and “How much data loss can we tolerate?”
Step 3: Check your backup situation. Where are your backups stored? How old are they? When did you last restore from one?
Step 4: Document recovery procedures. For each critical system, write down the steps to restore it.
Step 5: Create contact lists. List everyone you’d need to call: IT provider, cloud service support, key staff, critical clients, your accountant, your insurer.
Step 6: Describe alternative work arrangements. If your office is inaccessible, where will people work? Who has VPN access?
Step 7: Schedule testing. Plan a monthly file restore test, quarterly system restore test, and annual full recovery exercise.
Step 8: Get feedback. Review the plan with your IT provider and your key staff.
Related reading: risk assessment | insurance coverage | threat preparedness
Step 9: Distribute and archive. Give copies to key staff and your IT provider. Keep a copy somewhere safe that you can access even if your office is down.
The Real Reason to Do This
Business continuity planning isn’t about checking a compliance box. It’s about protecting your ability to serve clients and keep your staff employed.
A plan means that when something goes wrong—and something will—you respond calmly instead of panicking. You have clear procedures, you know your recovery time, and you can honestly tell your clients when they’ll be back to normal.
