Most business continuity plans are 40 pages long, written by a consultant, and last opened the day they were signed off. You do not need that. You need a plan that fits on one page, lives somewhere everyone can find it, and gets tested twice a year.
The three questions
Before any plan, answer three things in writing.
How long can you be down? Not “we cannot be down”. Every business can be down for some window. An hour, a day, three days. Pick a number per service. Email might be an hour. The warehouse management system might be four hours. The marketing site might be three days. That number is your recovery time objective (RTO).
How much data can you lose? An hour? A day? Your backups run at some frequency, and that frequency sets your recovery point objective (RPO): if they run nightly, your RPO is 24 hours. That might be fine for a small accountancy. It is not fine for a warehouse running live stock.
What is actually critical? Not everything is. Most businesses have three or four systems that keep the business alive and a hundred that would be irritating to lose. Rank them.
Those three answers, for the top five to ten systems, are 80 percent of a continuity plan.
What to back up, properly
Microsoft 365 data. Yes, still. Microsoft does not back it up for you.
Line-of-business applications. Including the databases behind them. Including the configurations.
File shares, endpoints that are not synced to OneDrive, and anything else your staff are storing locally.
The 3-2-1 rule still applies. Three copies, two media, one offsite. In cloud terms that means: production, a second region or provider, and an immutable copy that a ransomware attacker cannot wipe even with admin credentials.
What to document
The one-pager. Who is in charge when things break, their mobile number, the first three calls they make, the credentials they need, the vendor support numbers.
A short list of scenarios and the first 60 minutes for each. Ransomware, extended Microsoft 365 outage, office inaccessible, key person unavailable. Bullet points, not prose.
Where the backups are, how to restore them, and who has the keys.
What to test
Twice a year, do a real restore. Not “we verified the backup job completed”. Actually restore a file server, a mailbox, and a critical database. Time it. Record what broke. Fix it. Do it again.
Once a year, do a tabletop. Everyone on the call, here is a scenario, walk through the first two hours. You will find the gaps.
What to skip
A 40-page document. A risk register the size of a novel. A business impact analysis priced like a legal settlement. None of it makes you more resilient if nobody reads it.
The pragmatic path
If you have never done this, block out a day. Write the one-pager. List the top five systems and their RTO/RPO. Confirm backups are actually running and immutable. Schedule a test for 90 days from now. Done.
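To turn the three questions, the 3-2-1 rule and the timed restore drill into something you can actually run against your own inventory, here is an added example (not code from the original post): a short Python check over a constructed list of systems with their RTO/RPO, a constructed backup job log, a constructed copy inventory and constructed drill timings. Every system name, time and location in it is made up; swap in your own.

```python
from datetime import datetime

# Constructed inventory: the three questions answered per system (hours).
SYSTEMS = {"email": {"rto": 1, "rpo": 1}, "warehouse": {"rto": 4, "rpo": 4},
           "website": {"rto": 72, "rpo": 24}}

# Constructed backup job log: (system, completion time, succeeded).
BACKUP_LOG = [
    ("email",     datetime(2024, 6, 3, 8, 30), True),
    ("warehouse", datetime(2024, 6, 2, 1, 0),  True),   # nightly job, last good run
    ("warehouse", datetime(2024, 6, 3, 1, 0),  False),  # most recent run failed
    ("website",   datetime(2024, 6, 3, 1, 30), True),
]

# Constructed copy inventory: (location, media, offsite, immutable) per copy.
COPIES = {
    "email":     [("prod", "cloud", False, False), ("region2", "cloud", True, False),
                  ("vault", "object-lock", True, True)],
    "warehouse": [("prod", "san", False, False), ("nas", "disk", False, False)],
    "website":   [("prod", "cloud", False, False), ("vault", "object-lock", True, True)],
}

# Constructed restore-drill results: measured time to restore, in hours.
DRILLS = {"email": 0.5, "warehouse": 6.0, "website": 20.0}
NOW = datetime(2024, 6, 3, 9, 0)  # constructed "now" for the checks


def rpo_breaches(systems, log, now):
    """Hours since the last *successful* backup, for systems where that exceeds RPO."""
    breaches = {}
    for name, spec in systems.items():
        good = [t for s, t, ok in log if s == name and ok]  # failed jobs do not count
        age = (now - max(good)).total_seconds() / 3600 if good else float("inf")
        if age > spec["rpo"]:
            breaches[name] = age
    return breaches


def rule_321_gaps(copies):
    """Systems that fail 3-2-1 or have no copy an admin credential cannot delete."""
    checks = [
        ("fewer than 3 copies", lambda cs: len(cs) < 3),
        ("only 1 media type", lambda cs: len({c[1] for c in cs}) < 2),
        ("no offsite copy", lambda cs: not any(c[2] for c in cs)),
        ("no immutable copy", lambda cs: not any(c[3] for c in cs)),
    ]
    gaps = {n: [msg for msg, bad in checks if bad(cs)] for n, cs in copies.items()}
    return {n: p for n, p in gaps.items() if p}


def rto_breaches(systems, drills):
    """Systems whose last timed restore drill took longer than their RTO."""
    return {n: h for n, h in drills.items() if h > systems[n]["rto"]}
```

Note that a backup job that ran but failed does not move the RPO clock: the warehouse system above is 32 hours behind its 4-hour RPO even though a job "ran" last night.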
If you want help, our projects team runs BCP workshops for SMBs on a fixed fee. Two days of our time, one page out the other end that your auditor will respect.