What to Look for in a Business Continuity Plan

Most small businesses don't have a business continuity plan. They have a vague assumption that "IT will figure it out" if something goes wrong. That's not a plan - that's a prayer.

A business continuity plan (BCP) is a documented strategy for keeping your business operational when something goes seriously wrong - a ransomware attack, a natural disaster, a major hardware failure, or even a key employee suddenly leaving. Here's what a real one looks like.

BCP vs. Disaster Recovery: What's the Difference?

People use these terms interchangeably. They shouldn't.

Disaster Recovery (DR) is specifically about IT systems - getting your servers, data, and applications back online after an outage. It's a technical plan.

Business Continuity (BC) is broader. It covers everything: how your team communicates, how you serve clients, how operations continue, and how you recover as a business - not just as an IT department.

You need both. Most businesses have neither.

The Two Numbers That Drive Everything

Every BCP starts with two metrics:

Recovery Time Objective (RTO) - how quickly do you need to be back online? Can your business survive 4 hours of downtime? 24 hours? A week? Be honest. The answer determines how much you invest in redundancy and recovery capability.

Recovery Point Objective (RPO) - how much data can you afford to lose? If your last backup was 24 hours ago and you lose a day of transactions, invoices, and client communications - can you survive that? RPO determines your backup frequency.

For most Orange County businesses we work with, realistic targets are: RTO of 4-8 hours, RPO of 1-4 hours. That means you need systems that can recover within a business day and backups running at least every 4 hours.

What a Real BCP Contains

1. Risk Assessment

What are your actual threats? For businesses in Southern California:

• Ransomware and cyberattacks (the #1 risk for most businesses today)
• Hardware failure (servers, firewalls, switches)
• Internet/ISP outages
• Power outages (especially during Santa Ana wind events)
• Earthquake (we live on fault lines - plan for it)
• Key person dependency (what happens if your only IT person gets hit by a bus?)

2. Critical Systems Inventory

Rank every system by business impact:

• Tier 1 (Critical): Email, internet, phone system, line-of-business applications, payment processing
• Tier 2 (Important): File shares, printers, secondary applications
• Tier 3 (Nice to have): Internal wikis, non-essential tools

Tier 1 gets recovered first. Tier 3 can wait. This prioritization prevents chaos during an actual incident.

3. Communication Plan

When systems are down, how does your team communicate? If email is gone and Teams is offline:

• Who calls whom? (Phone tree with personal cell numbers)
• How do you notify clients? (Template communications, alternative channels)
• Who talks to vendors, insurance, and law enforcement?
• Who is the decision-maker if leadership is unavailable?

4. Backup and Recovery Strategy

This is the technical core of your plan:

• What's backed up, how often, and where?
• Are backups stored off-site or in the cloud? (On-site only = one flood away from total loss)
• Are backups tested regularly? When was the last successful restore test?
• Can you spin up critical systems in the cloud if your office is inaccessible?

Modern cloud-based disaster recovery can spin up virtual copies of your servers in minutes. This has made sub-4-hour RTO achievable for businesses that previously couldn't afford it.

5. Vendor Contact List

During a crisis, you need to reach people fast:

• ISP (account number, support line, escalation contacts)
• IT provider / MSP (emergency line, SLA details)
• Cyber insurance carrier (policy number, claims process)
• Software vendors (license info, support contacts)
• Hardware suppliers (for emergency replacements)

6. Roles and Responsibilities

Who does what during an incident? This needs to be assigned before the crisis, not during it. Common roles:

• Incident Commander (usually the business owner or operations lead)
• IT Recovery Lead (your MSP or internal IT)
• Communications Lead (client-facing updates)
• Documentation Lead (logging decisions and actions for insurance/legal)

The Biggest Mistake: Not Testing It

A plan that's never been tested is a document, not a strategy. At minimum, you should:

• Tabletop exercise annually - walk through a scenario with your team. "It's Monday morning and every screen shows a ransom note. What do we do?" You'll be amazed at the gaps this reveals.
• Backup restore test quarterly - actually restore files and verify they're complete and usable.
• Failover test annually - if you have DR infrastructure, test the failover. Make sure it actually works under pressure.

What Happens Without a Plan

We've seen it firsthand with businesses across Orange County. Without a BCP:

• A ransomware attack turns a 4-hour recovery into a 2-week nightmare
• A server failure means discovering your "backups" haven't been running for 6 months
• A key employee leaves and nobody knows the passwords to critical systems
• An internet outage paralyzes the entire office because there's no failover

Every one of these is preventable with a documented, tested plan.