A plain-English deep dive into business continuity and disaster recovery (BCDR) for small and mid-sized businesses. Explains the difference between BCP and DR, the main causes of downtime (ransomware, hardware failure, human error, and why cloud is not a backup), the two numbers that drive everything (RTO and RPO), and how to build a plan that actually works. Backups are not a plan until they are tested.
Business continuity and disaster recovery, explained
Nobody plans for the day the systems go down, until it happens. Here is what business continuity and disaster recovery actually mean, the two numbers that drive the whole thing, and how to build a plan you can rely on.
The short version
Business continuity is the plan for keeping the business running through a disruption. Disaster recovery is the technology part: getting your systems and data back.
Two numbers drive everything: how fast you need systems back (RTO) and how much data you can afford to lose (RPO). Set those, and the rest of the plan follows.
And the single most important point: a backup you have never tested is not a plan. The businesses that recover well are the ones that practised before they had to.
Business continuity vs disaster recovery
Business continuity (BCP)
The whole picture of keeping the business operating through a disruption: your people, your processes, how you communicate with clients, and where the team works if the office is unavailable. It answers "how do we keep trading?"
Disaster recovery (DR)
The technology piece that sits inside the continuity plan: restoring your systems, data, and access after something goes wrong. It answers "how do we get the systems back, and how fast?"
What you are actually protecting against
Ransomware
The most common cause of serious downtime for Australian SMEs. Files are encrypted and held to ransom, and without clean backups you are stuck.
Hardware failure
Drives and servers die, usually without warning and usually at the worst time. Old kit fails more often than people expect.
Human error
Someone deletes the wrong folder or overwrites a file. It is mundane, and it is one of the most frequent reasons data goes missing.
Cloud is not a backup
Microsoft 365 and Google Workspace keep your data available, but they do not protect you from deletion, ransomware, or a compromised account. That is on you.
RTO and RPO, without the jargon
These two acronyms sound technical, but they are just business decisions. Get them right and the rest of the plan almost designs itself.
RTO: how fast back?
Recovery Time Objective is how long you can tolerate a system being down before it seriously hurts. For your email that might be an hour. For an archive nobody touches daily, a day or two is fine. Shorter RTOs cost more, so you match effort to what matters.
RPO: how much data can you lose?
Recovery Point Objective is how much data you can afford to lose, measured in time. An RPO of one hour means you back up at least hourly, so the most you ever lose is the last hour of work. Tighter RPOs mean more frequent backups.
Building a plan that actually works
-
1Work out which systems and data the business genuinely cannot run without.
-
2Agree how quickly each needs to come back (RTO) and how much data you can afford to lose (RPO).
-
3Put backups in place that match those targets, on-premises and in the cloud.
-
4Test the recovery, not just the backup. An untested backup is a hope, not a plan.
-
5Document who does what during an incident, so nobody is improvising under pressure.
-
6Review it as the business changes, because last year's plan may not fit this year's systems.
The takeaway
Business continuity and disaster recovery are not about predicting the future. They are about deciding, in advance and calmly, what you would do when something goes wrong, so that on the day you are following a plan instead of panicking.
For most businesses the work is not glamorous: sensible backups, clear recovery targets, and testing that proves it all works. But it is the difference between a bad afternoon and a threat to the business. If you want a hand putting it in place, that is exactly what our disaster recovery service is for.
Common questions
What is the difference between business continuity and disaster recovery?
Business continuity (BCP) is the whole plan for keeping the business running through a disruption, including people, processes, and communication. Disaster recovery (DR) is the technology part: getting your systems and data back. DR sits inside BCP.
What are RTO and RPO?
Recovery Time Objective (RTO) is how quickly a system needs to be back after an incident. Recovery Point Objective (RPO) is how much data you can afford to lose, measured in time, so an RPO of one hour means backups at least hourly. Setting these two numbers drives the whole plan.
Isn't Microsoft 365 already backed up?
Not in the way most people assume. Microsoft keeps your data available and handles their own infrastructure, but under their shared responsibility model, protecting your data from accidental deletion, ransomware, or a compromised account is your responsibility. A dedicated backup covers that gap.
How often should backups be tested?
Regularly, and on a schedule, not just when something breaks. We test client backups so that if a recovery is ever needed, there are no surprises. An untested backup has a habit of failing exactly when you rely on it.