
The Role of IT in Business Continuity Planning

Business continuity planning is the process of creating systems and procedures that enable an organisation to continue operating during and after a disruptive event. While business continuity encompasses many aspects of an organisation — from premises and personnel to supply chains and communications — information technology sits at the very heart of modern business continuity. Without functioning IT systems, the vast majority of UK businesses simply cannot operate at all.

Despite this critical dependency, many organisations treat IT as an afterthought in their business continuity planning, or worse, assume that having a backup constitutes a complete IT continuity strategy. A backup is one component of IT business continuity, but it is far from sufficient on its own. True IT business continuity requires a comprehensive understanding of your technology dependencies, clearly defined recovery objectives, tested disaster recovery procedures, and the infrastructure to support rapid recovery.

This article explores how IT underpins business continuity, the key frameworks and concepts involved, and provides a practical guide to building an IT business continuity plan that actually works when you need it most.

  • 75% of UK SMEs have no formal business continuity plan
  • £8,600: average daily cost of IT downtime for UK businesses
  • 40% of businesses never reopen after a major disaster
  • 96 hrs: average recovery time without a documented IT DR plan

Understanding RTO and RPO

Two concepts are fundamental to IT business continuity planning: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Every business owner and IT decision-maker should understand these terms, as they directly determine the technology and investment required for your continuity strategy.

Recovery Time Objective (RTO) is the maximum acceptable amount of time that a system can be down after a disruption before the impact on the business becomes unacceptable. An RTO of four hours means that if your email server goes down, you need it restored within four hours. An RTO of zero means the system must be available continuously with no downtime at all.

Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. An RPO of one hour means you can tolerate losing up to one hour of data. If your backup runs every hour and a disaster strikes, you lose at most one hour of work. An RPO of zero means no data loss is acceptable, which requires real-time replication technology.

Different systems within your organisation will have different RTOs and RPOs based on their criticality. Your email system might have an RTO of two hours, while your customer database might need an RTO of 30 minutes. Your accounting system might tolerate an RPO of 24 hours (because transactions can be re-entered), while your trading platform might require an RPO of zero.

System                       | RTO        | RPO              | Recovery Method           | Estimated Cost
Email (Microsoft 365)        | 1 hour     | 0 (cloud-hosted) | Cloud failover            | Included in licence
File Server                  | 4 hours    | 1 hour           | Backup restore to standby | £200-500/month
Line-of-business application | 2 hours    | 30 minutes       | VM replication            | £300-800/month
Customer database            | 30 minutes | 5 minutes        | Real-time replication     | £500-1,500/month
Website                      | 1 hour     | 24 hours         | CDN failover / rebuild    | £50-200/month
VoIP phone system            | 30 minutes | N/A              | Cloud failover            | Included in service

Business Impact Analysis for IT Systems

A Business Impact Analysis (BIA) is the formal process of identifying which IT systems are critical to your operations and quantifying the impact of their unavailability. This is the starting point for any serious IT business continuity plan and should involve input from every department in your organisation, not just IT.

For each IT system, the BIA should determine:

  • what business processes depend on this system;
  • what happens if this system is unavailable for one hour, four hours, one day, or one week;
  • what the financial impact of each duration of outage is;
  • whether manual workarounds are available;
  • what the maximum tolerable period of disruption is before the business suffers irreversible harm.

The results of the BIA directly inform your RTO and RPO for each system, which in turn determines the technology and investment required. Systems with aggressive RTOs and RPOs (close to zero) require expensive high-availability solutions such as real-time replication and automatic failover. Systems with more relaxed objectives can be protected with simpler, less expensive backup and restore procedures.

The Role of a Virtual CIO in Business Continuity

A Virtual CIO (vCIO) brings strategic IT leadership to businesses that do not have a full-time Chief Information Officer. In the context of business continuity, a vCIO conducts the business impact analysis, designs the continuity strategy, selects appropriate technologies, manages the budget, coordinates testing, and ensures the plan evolves as your business changes. For UK SMEs spending between £50,000 and £500,000 annually on IT, a vCIO service typically costs £1,000 to £3,000 per month and delivers strategic value that far exceeds this investment.

Key Components of an IT Business Continuity Plan

Data Backup and Recovery

Backup is the foundation of IT business continuity but must be implemented correctly to be effective. Follow the 3-2-1 rule: maintain three copies of your data, on two different types of media, with one copy stored off-site. For UK businesses, off-site typically means a UK-based cloud data centre, ensuring your data remains within UK jurisdiction for GDPR purposes.

Your backup strategy must align with your RPO for each system. If your RPO for a file server is one hour, your backups must run at least hourly. If your RPO for a database is five minutes, you need continuous data protection or transaction log backups every five minutes. Test your restores regularly — a monthly restore test of critical systems is the minimum acceptable frequency.
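The two checks described above (the 3-2-1 rule and backup frequency against RPO) can be automated. The following is an added example, not code from the original article: the inventory, the dates, and the names Copy, check_system and audit are constructed for illustration, and it assumes the live production data counts as one of the three copies. It also checks the age of the newest off-site copy separately, since that is the copy you restore from if the premises are lost.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    media: str            # storage type, e.g. "server-disk", "nas", "cloud"
    offsite: bool         # stored away from the primary premises
    last_ok: datetime     # when the last successful backup/sync completed
    live: bool = False    # True for the production data itself

def check_system(name, rpo, copies, now):
    """Return findings for one system; an empty list means it passes."""
    findings = []
    # 3-2-1 rule (assumption: the live production data counts as one copy).
    if len(copies) < 3:
        findings.append(f"{name}: only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append(f"{name}: fewer than 2 media types")
    backups = [c for c in copies if not c.live]
    offsite = [c for c in backups if c.offsite]
    if not offsite:
        findings.append(f"{name}: no off-site copy")
    # Data lost in a restore equals the age of the copy you restore from.
    for label, pool in (("newest backup", backups), ("newest off-site copy", offsite)):
        if pool and (age := now - max(c.last_ok for c in pool)) > rpo:
            findings.append(f"{name}: {label} is {age} old, RPO is {rpo}")
    return findings

# Constructed sample inventory; RPO values are taken from the table above.
NOW = datetime(2024, 1, 15, 12, 0)
def ago(**kw):
    return NOW - timedelta(**kw)

INVENTORY = {
    "File Server": (timedelta(hours=1), [
        Copy("server-disk", False, NOW, live=True),
        Copy("nas", False, ago(minutes=40)),
        Copy("cloud", True, ago(hours=20))]),      # nightly off-site upload
    "Customer database": (timedelta(minutes=5), [
        Copy("server-disk", False, NOW, live=True),
        Copy("cloud", True, ago(minutes=2))]),
    "Website": (timedelta(hours=24), [
        Copy("server-disk", False, NOW, live=True),
        Copy("nas", False, ago(hours=10)),
        Copy("cloud", True, ago(hours=10))]),
}

def audit():
    return {n: check_system(n, rpo, copies, NOW) for n, (rpo, copies) in INVENTORY.items()}
```

Calling audit() on this sample shows the file server satisfying 3-2-1 while still missing its one-hour RPO for a site-loss event, because its only off-site copy is a nightly upload.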

Disaster Recovery Infrastructure

Backup alone does not address your RTO. Having a backup of your file server is useless if you do not have replacement hardware to restore it to. Disaster recovery infrastructure provides the compute, storage, and network resources needed to bring your systems back online within your RTO.

For many UK SMEs, cloud-based disaster recovery offers the best balance of capability and cost. Services such as Azure Site Recovery or Veeam Cloud Connect allow you to replicate your servers to a cloud data centre, where they can be started as virtual machines within minutes of a disaster. You pay only for the storage used during normal operations, plus compute costs during an actual failover event.

Cloud-Based Disaster Recovery

  • Lower upfront investment
  • Pay-as-you-go compute costs
  • Geographic separation from primary site
  • Rapid scalability during a disaster
  • Automated failover capabilities
  • Regular testing without disruption
  • UK data centre options available

Traditional On-Premise DR

  • High capital expenditure for standby hardware
  • Ongoing maintenance and power costs
  • Requires a second physical site
  • Fixed capacity limits
  • Manual failover processes
  • Testing disrupts production
  • Hardware depreciates regardless of use

Communication Systems

During a disaster, communication is critical. Your business continuity plan must ensure that staff, clients, and suppliers can be reached even if your primary office and IT systems are unavailable. Cloud-based communication systems — Microsoft Teams, cloud-hosted VoIP, and mobile devices — provide resilience that traditional on-premise phone systems cannot match.

Ensure that key contact information is accessible outside your IT systems. A printed contact list stored securely off-site, or a contact list synced to personal mobile phones, ensures that your crisis management team can be assembled even if email and the corporate directory are unavailable.

Remote Working Capability

The ability for staff to work remotely is a powerful business continuity tool. If your office is inaccessible due to fire, flood, or building damage, remote working allows operations to continue from staff homes or temporary locations. This requires cloud-hosted applications (or VPN access to recovered systems), laptops rather than desktops for key staff, and tested remote access procedures.

  • Data backup and recovery: Critical
  • Disaster recovery infrastructure: Critical
  • Communication systems: High
  • Remote working capability: High
  • Documentation and procedures: High

Testing Your IT Business Continuity Plan

An untested business continuity plan is not a plan — it is a collection of assumptions. Testing reveals gaps, outdated procedures, misconfigured systems, and unrealistic expectations that would otherwise only become apparent during an actual disaster, when the stakes are highest and the pressure is greatest.

There are several levels of testing, each with increasing rigour and realism. A tabletop exercise involves walking through a disaster scenario on paper, discussing each step of the response and identifying gaps. This is low-cost and low-risk but limited in what it can validate. A component test involves testing individual elements — restoring a server from backup, failing over to cloud DR, or activating remote access for all staff. A full simulation involves declaring a simulated disaster and executing the entire continuity plan as if it were real, measuring actual recovery times against your RTOs.

UK businesses should conduct tabletop exercises quarterly, component tests monthly, and a full simulation at least annually. After each test, document lessons learned and update the plan accordingly. The plan should also be reviewed and updated whenever there is a significant change to your IT infrastructure, business processes, or organisational structure.

  • Business impact analysis: 100%
  • Recovery objectives defined: 100%
  • DR infrastructure deployed: 80%
  • Continuity plan documented: 90%
  • Full simulation test completed: 60%

Regulatory Requirements for Business Continuity in the UK

Several UK regulations and standards require or strongly recommend business continuity planning with an IT component. The FCA requires regulated financial services firms to have business continuity arrangements proportionate to the nature, scale, and complexity of their activities. The SRA expects law firms to have business continuity plans that protect client data and ensure continuity of service. The NHS requires healthcare providers to maintain business continuity plans that include IT systems critical to patient care.

ISO 22301, the international standard for business continuity management systems, provides a comprehensive framework that many UK organisations use as the basis for their planning. While certification is not mandatory for most businesses, following the ISO 22301 framework ensures a thorough and structured approach to business continuity that will satisfy most regulatory requirements.

Cyber Essentials, while primarily a cybersecurity certification, indirectly supports business continuity by requiring controls that reduce the likelihood of cyber incidents causing business disruption. The NCSC also publishes specific guidance on business continuity planning, recommending that organisations identify critical services, assess the impact of disruption, and implement measures to ensure recovery within acceptable timeframes.

Build Your IT Business Continuity Plan

Cloudswitched provides Virtual CIO services that include comprehensive IT business continuity planning, from business impact analysis through to disaster recovery implementation and regular testing. Protect your business against disruption with a plan that actually works.

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.