Why Every Small Business Needs a Continuity Plan
Most small businesses have some form of backup. Far fewer have a plan for what happens when everything goes wrong at once — the server crashes during a client deadline, ransomware locks your files on a Friday afternoon, or a power outage takes your whole office offline.
The businesses that recover quickly from these events aren't lucky — they planned for them. The ones that struggle didn't.
A business continuity plan (BCP) answers three questions:
- What can go wrong? — Identify the realistic threats to your operations
- What do we do when it happens? — Documented procedures, not improvisation
- How fast do we need to recover? — Different systems have different urgency levels
The 5 Pillars of Business Continuity
1. Data Protection (Backup)
Your data is your business. The 3-2-1 backup rule is the minimum standard: 3 copies of your data, on 2 different storage types, with 1 copy offsite. For businesses handling sensitive data, consider 3-2-1-1-0: add 1 immutable copy (ransomware can't encrypt it) and 0 errors (verified through regular testing).
Critical point: Microsoft 365 does not back up your data. Microsoft provides infrastructure uptime but does not protect against accidental deletion, malicious insiders, or ransomware affecting your tenant. You need a dedicated backup solution for M365.
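An added example, not from the original article: a small Python audit of a backup inventory against the 3-2-1-1-0 rule described above. The inventory, field names and media labels are constructed for illustration; as assumptions, the production copy counts toward the 3 copies, and a backup that has never been restore-tested fails the 0-errors check.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataCopy:
    name: str
    media: str                      # storage type label (assumed naming)
    offsite: bool
    immutable: bool                 # e.g. object lock / WORM: cannot be changed or deleted
    production: bool = False        # the live copy people work on
    restore_errors: Optional[int] = None  # errors in last restore test; None = never tested


def audit_3_2_1_1_0(copies):
    """Return {rule: passed} for each part of the 3-2-1-1-0 rule."""
    backups = [c for c in copies if not c.production]
    return {
        "3 copies": len(copies) >= 3,
        "2 storage types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        # Untested backups are treated as failing: "0 errors" has to be verified.
        "0 errors": bool(backups) and all(c.restore_errors == 0 for c in backups),
    }


def failed_rules(copies):
    """List the rules the inventory does not meet, in rule order."""
    return [rule for rule, ok in audit_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory for a small office (hypothetical names).
INVENTORY = [
    DataCopy("file server", "server-disk", offsite=False, immutable=False, production=True),
    DataCopy("office NAS", "nas", offsite=False, immutable=False, restore_errors=0),
    DataCopy("cloud vault", "cloud-object", offsite=True, immutable=True),  # never restore-tested
]

if __name__ == "__main__":
    print("Rules not met:", failed_rules(INVENTORY))
```

The sample inventory looks complete on paper but still fails one rule, because the immutable cloud copy has never been restored in a test.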
2. System Recovery (Disaster Recovery)
Backup protects your data. Disaster recovery protects your ability to operate. DR answers: "How do we get the servers, applications, and network running again?"
This is where RPO and RTO matter:
- RPO (Recovery Point Objective) — How much data can you afford to lose? If your RPO is 4 hours, backups must run at least every 4 hours.
- RTO (Recovery Time Objective) — How fast do you need to be operational? A 4-hour RTO means critical systems must be restored within 4 hours.
Not every system needs the same targets. Email might need a 1-hour RTO while your archive server can wait 24 hours. Define these per system based on business impact.
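An added example, not from the original article: a Python check of per-system RPO and RTO targets against what the backup history and the last restore test actually show. The job log, restore timings and timestamps are constructed; the email and archive targets reuse the figures mentioned above.

```python
from datetime import datetime

# Constructed sample data, not taken from any real environment.
TARGETS = {"email": {"rpo_h": 4, "rto_h": 1}, "archive": {"rpo_h": 24, "rto_h": 24}}
JOBS = [  # (system, finish time, status)
    ("email", "2024-03-04T00:00", "success"),
    ("email", "2024-03-04T04:00", "success"),
    ("email", "2024-03-04T08:00", "failed"),   # a failed job widens the gap
    ("email", "2024-03-04T12:00", "success"),
    ("archive", "2024-03-04T01:00", "success"),
]
RESTORE_TEST_H = {"email": 0.75}   # hours taken in the last restore test; archive untested
NOW = datetime.fromisoformat("2024-03-04T13:00")


def worst_exposure_h(system, jobs, now):
    """Longest gap in hours between successful backups, including time since the last one.

    This is the most data that could have been lost, which is what the RPO limits.
    """
    ok = sorted(datetime.fromisoformat(t) for s, t, st in jobs
                if s == system and st == "success")
    if not ok:
        return None  # no usable backup at all
    points = ok + [now]
    return max((b - a).total_seconds() for a, b in zip(points, points[1:])) / 3600


def evaluate(targets, jobs, restore_test_h, now):
    """Compare measured exposure and restore time with each system's targets."""
    report = {}
    for system, target in targets.items():
        exposure = worst_exposure_h(system, jobs, now)
        measured = restore_test_h.get(system)
        report[system] = {
            "exposure_h": exposure,
            "rpo_met": exposure is not None and exposure <= target["rpo_h"],
            # None means the RTO has never been measured by a restore test.
            "rto_met": None if measured is None else measured <= target["rto_h"],
        }
    return report


if __name__ == "__main__":
    for system, result in evaluate(TARGETS, JOBS, RESTORE_TEST_H, NOW).items():
        print(system, result)
```

In the sample data the email backups are scheduled every 4 hours, yet one failed job leaves an 8-hour exposure, so the 4-hour RPO is missed even though the schedule looks compliant.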
3. Communication Plan
When your systems are down, how does your team communicate? If your email server is the thing that failed, emailing instructions doesn't work.
- Emergency contact list — printed, not just digital. Include IT provider, ISP, key clients, insurance.
- Alternate communication channel — personal cell phones, WhatsApp group, or a backup communication tool that doesn't depend on your infrastructure.
- Client communication template — a pre-written message for clients explaining the situation and expected resolution. Writing this under pressure leads to poor communication.
4. People and Roles
Who does what when disaster strikes? Define roles in advance:
- Incident commander — makes decisions, coordinates response
- IT lead — works with your MSP or internal IT on technical recovery
- Communications lead — handles client, vendor, and employee updates
- Business operations lead — manages workarounds to keep revenue-generating activities going
For small businesses, one person may wear multiple hats. The important thing is that everyone knows their role before the crisis.
5. Regular Testing
An untested plan is barely better than no plan. Test quarterly at minimum:
- Tabletop exercise — walk through a scenario on paper. "It's Tuesday at 2pm, ransomware encrypts your file server. What do you do first?"
- Backup restoration test — actually restore data from backup to verify it works. Check that files are intact and applications function.
- Full DR test (annually) — spin up your disaster recovery environment and verify critical systems can run from it.
Building Your BCP: Step by Step
Identify Critical Systems
List every system your business depends on: email, file storage, accounting software, CRM, phone system, internet. Rank them by how quickly you need each one back.
Define Recovery Targets
For each critical system, set RPO (how much data loss is acceptable) and RTO (how fast you need it back). Be realistic — faster recovery costs more.
Document Current State
Map your IT environment: servers, cloud services, network, vendors, passwords, licenses. This documentation is the foundation of your recovery procedures.
Build Recovery Procedures
Write step-by-step instructions for restoring each critical system. Include: who does it, what tools they need, what order things come back, and who to call for help.
Implement Backup & DR Infrastructure
Deploy the backup and disaster recovery tools that meet your RPO/RTO targets. This includes cloud backup, immutable copies, and potentially standby infrastructure.
Test and Refine
Run your first tabletop exercise. Identify gaps. Fix them. Schedule recurring tests. Update the plan after every major change to your IT environment.
Backup vs Disaster Recovery: What You Actually Need
These are not the same thing, and most businesses confuse them:
- Backup = copies of your data. If you delete a file, you can get it back. Cost: $5-15/user/month.
- Disaster Recovery = the ability to run your business from backup infrastructure. If your server dies, you can spin up a replacement. Cost: $20-60/user/month.
Most small businesses need backup at minimum. Businesses where downtime costs money (which is most of them) need DR as well. Read our backup vs disaster recovery comparison for a detailed breakdown, or learn about our BDR services.
Cloud Continuity: What Changes When You're in the Cloud
Moving to the cloud eliminates some risks (no physical servers to fail) but creates new ones:
- Internet dependency — if your internet goes down, cloud applications are unreachable. Solution: redundant internet from a second ISP with automatic failover.
- Vendor outages — Microsoft 365, Google Workspace, and AWS all have occasional outages. Solution: know what your fallback is (can your team work offline? switch to personal hotspots?).
- Account compromise — if an attacker gets admin access to your cloud tenant, they can delete everything. Solution: MFA on all accounts, break-glass admin procedures, and dedicated cloud backup.
- Data sovereignty — Canadian businesses should verify data is stored in Canadian data centers for PIPEDA compliance. Our cloud services use Azure Canada regions by default.
Testing Your Plan: How to Know It Actually Works
The most common reason business continuity plans fail is that they were never tested. Here's a practical testing schedule:
- Monthly: Verify backup jobs completed without errors
- Quarterly: Run a tabletop exercise with your team (30 minutes)
- Quarterly: Restore a random file or mailbox from backup to verify integrity
- Annually: Full disaster recovery test — restore critical systems to DR environment
- After changes: Test after any major infrastructure change (new server, cloud migration, office move)
Document every test: what you tested, what worked, what didn't, and what you fixed. This documentation is valuable for compliance and insurance purposes.
How Much Does Business Continuity Cost?
For a 25-person office, expect $500–$1,500/month total for backup + DR. See our pricing page for current rates.
When to Get Professional Help
You can build a basic BCP yourself using this guide. Consider professional help when:
- Your business handles regulated data (healthcare, legal, financial) with compliance requirements
- You have complex IT infrastructure (multiple locations, hybrid cloud, legacy systems)
- Your cyber insurance requires documented BCP and DR testing
- You need faster recovery targets than basic cloud backup can provide
- You've experienced an incident and realized your current plan is inadequate
Our IT consulting team helps Calgary businesses build and test business continuity plans, and our backup and disaster recovery services provide the technical infrastructure to make recovery possible.
Frequently Asked Questions
How long does it take to create a business continuity plan?
For a typical 25-50 person business, expect 2-4 weeks to create a basic BCP. This includes identifying critical systems, defining recovery targets, documenting procedures, and running an initial test. A more detailed plan with vendor coordination and full testing takes 4-8 weeks.
What is the difference between business continuity and disaster recovery?
Business continuity is the overall plan for keeping your business operational during any disruption — IT failure, power outage, office inaccessibility, or key person absence. Disaster recovery is the technical subset focused specifically on restoring IT systems and data. You need both: DR gets your servers back, BCP keeps your business running while that happens.
How often should we test our business continuity plan?
At minimum, run a tabletop exercise (walking through the plan on paper) quarterly and a full recovery test annually. Also test after any major infrastructure change — new server, cloud migration, office move. Many compliance frameworks require documented testing at least twice per year.
Do we need business continuity planning if we are in the cloud?
Yes. Cloud reduces some risks (no physical servers to fail) but introduces others (internet dependency, vendor outages, account lockouts). Your BCP should address: what happens when your internet goes down, how you work if Microsoft 365 has an outage, and how you recover if your cloud account is compromised.
How much does business continuity planning cost?
A professional BCP engagement for a 25-50 person business typically costs $3,000-$8,000 for the plan itself. Ongoing costs depend on your recovery targets: cloud backup runs $5-15/user/month, full disaster recovery infrastructure costs $20-60/user/month. The cost of NOT having a plan — extended downtime, data loss, lost clients — is almost always higher.
What are RPO and RTO?
RPO (Recovery Point Objective) is how much data you can afford to lose, measured in time. If your RPO is 4 hours, you need backups at least every 4 hours. RTO (Recovery Time Objective) is how fast you need systems back online. A 4-hour RTO means critical systems must be restored within 4 hours of an incident.