Disaster recovery is one of those subjects that every business owner knows is important but hopes they will never need. Like insurance, its value is only truly appreciated when disaster strikes — and by then, it is too late to wish you had planned better. For UK small and medium-sized enterprises, the consequences of not having a disaster recovery plan can be existential. Research consistently shows that a significant proportion of small businesses that suffer a major data loss or prolonged IT outage without adequate recovery plans never recover.
A disaster recovery plan is not just about technology — although technology is a critical component. It is a comprehensive strategy that ensures your business can continue operating, or resume operations as quickly as possible, following any event that disrupts your IT systems. This includes obvious scenarios like server failures and ransomware attacks, but also less obvious ones like fire, flood, power outages, ISP failures, and even the loss of key personnel who hold critical knowledge about your systems.
This guide provides a practical, step-by-step approach to disaster recovery planning that is specifically tailored for UK SMEs — businesses that need robust protection but may not have the budget or in-house expertise for enterprise-grade solutions.
What Constitutes a Disaster?
Before creating your plan, you need to understand the range of events it should cover. In the IT context, a disaster is any event that causes significant disruption to your technology systems and threatens your ability to operate. For UK businesses, the most common disaster scenarios include hardware failure (server, storage, or networking equipment), ransomware and other cyber attacks, power outages or electrical damage, fire, flood, or other physical damage to premises, ISP or telecommunications failure, human error (accidental deletion, misconfiguration), and software corruption or update failures.
Key Concepts: RTO and RPO
Two metrics form the foundation of every disaster recovery plan: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Understanding these concepts — and defining them for your business — is the most important step in the planning process.
Recovery Time Objective (RTO) is the maximum acceptable amount of time that your systems can be down before the impact on your business becomes unacceptable. If your RTO is four hours, it means your disaster recovery plan must be capable of restoring critical systems within four hours of a disaster occurring.
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. If your RPO is one hour, it means your backup strategy must ensure that you never lose more than one hour's worth of data. An RPO of one hour requires backups at least every hour; an RPO of zero (no data loss) requires real-time replication.
Aggressive RTO/RPO (Mission-Critical)
- RTO: Less than 1 hour
- RPO: Less than 15 minutes
- Requires real-time replication and hot standby
- Automated failover with minimal manual intervention
- Cost: £500–2,000+ per month
- Best for: Financial services, healthcare, e-commerce
Standard RTO/RPO (Most SMEs)
- RTO: 4–24 hours
- RPO: 1–24 hours
- Daily or hourly backups with cloud recovery
- Some manual steps in recovery process
- Cost: £100–500 per month
- Best for: Professional services, retail, general office
Building Your Disaster Recovery Plan
Step One: Business Impact Analysis
The first step is understanding which systems are critical to your business operations and what the impact would be if they were unavailable. Create a register of all your IT systems and for each one, document what business functions it supports, how many people depend on it, what the financial impact of downtime would be (per hour and per day), and whether there is a manual workaround that could be used temporarily.
This analysis will naturally create a priority list. Systems that support revenue-generating activities, client-facing services, and regulatory compliance will typically be at the top. Systems that support internal administration or non-time-sensitive functions will be lower priority.
| System | Business Function | Users | Hourly Cost of Downtime | RTO Target | RPO Target |
|---|---|---|---|---|---|
| Email (Microsoft 365) | Client communication | All staff | £800 | 1 hour | 0 (cloud-native) |
| Accounting (Sage/Xero) | Invoicing, payroll | Finance team | £500 | 4 hours | 1 hour |
| CRM system | Sales, client management | Sales team | £350 | 4 hours | 4 hours |
| File server | Document storage | All staff | £600 | 2 hours | 1 hour |
| Phone system (VoIP) | Client calls | All staff | £400 | 1 hour | N/A |
| Website | Lead generation | External | £200 | 8 hours | 24 hours |
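Checking backup history against the RPO targets in the register above, as an added example that is not part of the original guide. The backup timestamps are constructed sample data and the function names are hypothetical; the check measures the longest gap between successful backups, not just the age of the latest one.

```python
from datetime import datetime, timedelta

# RPO targets from the register above. Email (cloud-native) and the phone
# system (N/A) have no periodic backup target and are left out.
RPO_TARGETS = {
    "Accounting": timedelta(hours=1),
    "CRM": timedelta(hours=4),
    "File server": timedelta(hours=1),
    "Website": timedelta(hours=24),
}

def worst_exposure(backups, now):
    """Largest window of data at risk: the longest gap between consecutive
    successful backups, or the time since the latest one if that is longer."""
    points = sorted(backups) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def rpo_report(history, now):
    """Return {system: (exposure, target, compliant)}; exposure is None
    when a system has no successful backup on record."""
    report = {}
    for system, target in RPO_TARGETS.items():
        backups = history.get(system, [])
        if not backups:
            report[system] = (None, target, False)
            continue
        exposure = worst_exposure(backups, now)
        report[system] = (exposure, target, exposure <= target)
    return report

# Constructed sample data: successful backup completion times (March 2024).
def at(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)

NOW = at(4, 12)
SAMPLE_HISTORY = {
    "Accounting": [at(4, 8), at(4, 9), at(4, 11), at(4, 11, 30)],  # 10:00 job missed
    "CRM": [at(4, 4), at(4, 8), at(4, 11)],
    "File server": [at(4, h) for h in range(6, 12)],
    "Website": [at(2, 23)],  # nightly job has not run since 2 March
}

if __name__ == "__main__":
    for system, (exposure, target, ok) in rpo_report(SAMPLE_HISTORY, NOW).items():
        print(f"{system:12} exposure={exposure} target={target} {'OK' if ok else 'RPO BREACH'}")
```

In the sample data, the latest Accounting backup is only 30 minutes old, yet the missed 10:00 job left a two-hour window that breaches its one-hour RPO.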
Step Two: Define Your Backup Strategy
Your backup strategy must align with your RPO targets. The 3-2-1 backup rule remains the gold standard: maintain at least three copies of your data, on at least two different types of media, with at least one copy stored off-site. For UK SMEs, a modern implementation of this rule typically consists of the primary data on your production systems, a local backup on a dedicated backup device (NAS or backup appliance), and a cloud backup to a UK-based data centre.
For businesses with aggressive RPO targets, consider continuous data protection (CDP) solutions that capture every change in near-real-time, or cloud-based disaster recovery services that replicate your entire server environment to the cloud.
- Three copies of your data: the original plus two backups.
- Two different media types: for example, local NAS storage plus cloud storage. This protects against a single technology failure affecting all copies.
- One off-site copy: this is critical for protection against physical disasters like fire or flood that could destroy your premises and any local backup devices.
For UK GDPR compliance, ensure your cloud backup provider stores data in UK data centres and provides appropriate contractual safeguards as a data processor. Popular UK-compliant backup solutions include Datto, Veeam Cloud Connect with a UK partner, and Microsoft Azure Backup with UK South/West regions.
Step Three: Document Recovery Procedures
A disaster recovery plan is only useful if it contains clear, step-by-step procedures that can be followed under pressure — potentially by someone who is not your primary IT contact. For each critical system, document the exact steps required to restore it, including where the backup data is stored and how to access it, the order in which systems should be restored (dependencies matter), the credentials needed for restoration, the expected restoration time, and verification steps to confirm that the restored system is functioning correctly.
Write these procedures assuming that the person following them is competent but unfamiliar with your specific environment. Include screenshots where helpful, and avoid assumptions about prior knowledge. Store the plan in multiple locations — do not rely solely on a digital copy that might be inaccessible during the very disaster you are planning for. Maintain a printed copy in a secure location and a digital copy in a cloud service that is separate from your primary IT infrastructure.
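Working out a restore order that respects dependencies and checking it against each system's RTO, as an added example that is not part of the original guide. The RTO targets come from the register earlier on this page; the dependencies, the restore durations, and the assumption that one restore runs at a time are constructed for illustration.

```python
from graphlib import TopologicalSorter

# name: (rto_hours, restore_hours, depends_on)
# RTO values are from the register; durations and dependencies are constructed.
SYSTEMS = {
    "Email": (1, 0.5, []),
    "Phone system": (1, 0.5, []),
    "File server": (2, 1.5, []),
    "Accounting": (4, 1.0, ["File server"]),
    "CRM": (4, 1.0, ["File server"]),
    "Website": (8, 2.0, []),
}

def restore_schedule(systems):
    """Order restores so dependencies come first and, among systems that are
    ready, the tightest RTO goes first. Assumes one restore at a time.
    Returns [(name, finish_hour, meets_rto)] in restore order."""
    sorter = TopologicalSorter({name: deps for name, (_, _, deps) in systems.items()})
    sorter.prepare()  # raises graphlib.CycleError on circular dependencies
    ready, clock, schedule = [], 0.0, []
    while sorter.is_active():
        ready.extend(sorter.get_ready())
        # Tightest RTO first; name breaks ties so the order is deterministic.
        ready.sort(key=lambda name: (systems[name][0], name))
        name = ready.pop(0)
        rto, duration, _ = systems[name]
        clock += duration  # hours elapsed since recovery started
        schedule.append((name, clock, clock <= rto))
        sorter.done(name)  # unlocks systems that depend on this one
    return schedule

if __name__ == "__main__":
    for name, finish, ok in restore_schedule(SYSTEMS):
        print(f"{name:13} restored at +{finish:.1f}h  {'within RTO' if ok else 'MISSES RTO'}")
```

With these sample figures the file server takes 1.5 hours to restore, inside its 2-hour RTO when considered alone, but it finishes at +2.5 hours because it queues behind email and phones. This is the kind of gap a restore order written into the plan should expose before a real incident.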
Step Four: Assign Roles and Responsibilities
Your plan must clearly identify who does what during a disaster. Define a disaster recovery team with specific roles: an incident commander (typically the business owner or managing director) who has authority to make decisions and allocate resources, a technical lead (your IT manager or IT support provider) who is responsible for executing the technical recovery, a communications lead who handles internal and external communications during the incident, and department representatives who verify that their team's systems are functioning correctly after recovery.
Testing Your Disaster Recovery Plan
A disaster recovery plan that has never been tested is little more than a collection of assumptions. Testing validates that your procedures actually work, that your backups are recoverable, that your team knows their roles, and that your RTO and RPO targets are achievable in practice.
There are three levels of testing, each increasing in realism and value. A tabletop exercise involves walking through the plan with your DR team, discussing each step and identifying gaps — this is low-risk and takes a few hours. A partial restoration test involves actually restoring one or more systems from backup to verify that the process works and the data is intact. A full simulation involves simulating a real disaster scenario and executing the complete recovery plan from start to finish, including communications, decision-making, and system restoration.
We recommend conducting a tabletop exercise quarterly, a partial restoration test monthly, and a full simulation annually. After each test, document what worked, what did not, and what needs to change in the plan.
Cloud-Based Disaster Recovery for UK SMEs
Cloud-based disaster recovery (DRaaS — Disaster Recovery as a Service) has made enterprise-grade disaster recovery accessible and affordable for small businesses. Instead of maintaining expensive secondary hardware, DRaaS replicates your critical systems to the cloud, where they can be spun up rapidly if your primary environment becomes unavailable.
For UK SMEs, popular DRaaS options include Azure Site Recovery (for businesses already using Microsoft Azure), Datto (which combines backup and instant virtualisation), and Veeam with a UK cloud partner. Costs vary depending on the amount of data protected and the recovery speed required, but a typical UK SME can implement a robust DRaaS solution for between £200 and £800 per month — a fraction of the cost of a single hour of unplanned downtime.
Regulatory Considerations
UK GDPR requires that businesses implement appropriate technical and organisational measures to ensure the resilience of processing systems and services, and the ability to restore the availability and access to personal data in a timely manner following a physical or technical incident. This means that having a disaster recovery plan is not just good practice — it is a regulatory requirement for any business that processes personal data, which is virtually every business in the UK.
The ICO expects that your disaster recovery plan includes provisions for the protection and recovery of personal data, and that you can demonstrate regular testing of your recovery procedures. Failure to have adequate measures in place could be considered a breach of Article 32 of UK GDPR, potentially resulting in enforcement action.
Need a Disaster Recovery Plan?
Cloudswitched helps UK SMEs design, implement, and test disaster recovery solutions that protect your business without breaking the budget. From cloud backup configuration to full DRaaS implementation, we ensure your data and systems are protected against any eventuality.
