Why Every Sydney SME Needs a Business Continuity Plan
If the last few years have taught Sydney businesses anything, it’s that disruption can come from anywhere — pandemics, extreme weather events, cyberattacks, supply chain failures, or even a burst water main in your office building. Yet a staggering number of Australian SMEs still don’t have a formal Business Continuity Plan (BCP).
According to research from the Australian Bureau of Statistics, only 28% of small businesses have a documented plan to deal with major disruptions. The consequences of being unprepared can be devastating: lost revenue, damaged client relationships, regulatory penalties, and in the worst cases, permanent closure.
This guide provides a practical, step-by-step framework for creating a Business Continuity Plan tailored to Sydney SMEs. Whether you’re in professional services, healthcare, retail, or any other sector, these principles apply.
What Is Business Continuity Planning?
Business Continuity Planning (BCP) is the process of creating a system of prevention and recovery to ensure that critical business functions can continue during and after a disaster. It goes beyond just IT disaster recovery — it encompasses your people, processes, premises, and technology.
BCP vs Disaster Recovery: What’s the Difference?
- Disaster Recovery (DR) focuses specifically on restoring IT systems and data after a disruption
- Business Continuity Planning (BCP) is broader — it covers how your entire business continues to operate, including manual workarounds, communication plans, and alternative operating procedures
Think of DR as a subset of BCP. You need both.
Step 1: Conduct a Business Impact Analysis (BIA)
The BIA is the foundation of your entire plan. It identifies which business functions are critical and quantifies the impact of losing them.
How to Conduct a BIA
- List all business functions: Sales, finance, customer service, operations, HR, IT, etc.
- Identify dependencies: What systems, people, and processes does each function rely on?
- Quantify the impact: What’s the cost per hour/day of each function being unavailable? Consider revenue loss, regulatory penalties, reputational damage, and contractual obligations.
- Determine RTOs and RPOs: Recovery Time Objective (how quickly must it be restored?) and Recovery Point Objective (how much data can you afford to lose?)
- Prioritise: Rank functions by criticality — this determines your recovery sequence
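The prioritisation step is more than a sort by RTO, because a function cannot come back before the systems it depends on. The sketch below is an added example, not part of the original guide; every function name, cost and RTO figure in it is constructed for illustration. It flags RTOs that contradict their dependencies and builds a recovery sequence that respects them.

```python
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed BIA data: name -> (cost per hour of downtime, RTO in hours, dependencies)
BIA = {
    "email":             (400,  4,  ["internet", "identity"]),
    "client_invoicing":  (1500, 8,  ["accounting_system", "email"]),
    "accounting_system": (900,  24, ["identity"]),
    "identity":          (2000, 2,  ["internet"]),
    "internet":          (2500, 1,  []),
    "hr_records":        (50,   72, ["identity"]),
}

def rto_conflicts(bia):
    """Flag (function, dependency) pairs where the dependency's RTO is longer
    than the RTO of the function that needs it, so the target cannot be met."""
    conflicts = []
    for name, (_, rto, deps) in bia.items():
        for dep in deps:
            if bia[dep][1] > rto:
                conflicts.append((name, dep))
    return sorted(conflicts)

def recovery_sequence(bia):
    """Order by criticality (shortest RTO first, then highest hourly cost),
    but never place a function ahead of one of its dependencies."""
    sorter = TopologicalSorter({name: set(v[2]) for name, v in bia.items()})
    sorter.prepare()  # raises graphlib.CycleError on circular dependencies
    ready, order = [], []
    while sorter.is_active():
        ready.extend(sorter.get_ready())  # functions whose dependencies are restored
        ready.sort(key=lambda n: (bia[n][1], -bia[n][0]))
        nxt = ready.pop(0)
        order.append(nxt)
        sorter.done(nxt)
    return order

if __name__ == "__main__":
    print("RTO conflicts:", rto_conflicts(BIA))
    print("Recovery sequence:", recovery_sequence(BIA))
```

In this sample the 8-hour RTO for client invoicing is unachievable while the accounting system it relies on has a 24-hour RTO, which is the kind of gap the BIA should surface before an incident does.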
Step 2: Identify Risks and Threats
Sydney businesses face a unique set of risks. Your BCP should account for:
Natural Disasters
- Flash flooding (particularly in western Sydney and low-lying areas)
- Severe storms and hail events
- Bushfire smoke events affecting air quality and operations
- Extreme heat events causing infrastructure strain
Cyber Threats
- Ransomware attacks (the #1 threat to Australian SMEs)
- Business Email Compromise (BEC) scams
- Supply chain attacks through compromised vendors
- Data breaches triggering Notifiable Data Breach obligations under the Privacy Act
Operational Risks
- Key person dependency (what if your only accountant is unavailable?)
- Supplier or vendor failure
- Power outages or internet connectivity loss
- Premises becoming inaccessible
Step 3: Develop Recovery Strategies
For each critical function identified in your BIA, develop strategies to maintain or rapidly restore operations.
Technology Recovery
- Cloud-first approach: Host critical applications in the cloud so they’re accessible from anywhere
- Automated backups: Implement the 3-2-1 rule (3 copies, 2 media types, 1 offsite)
- Failover systems: For mission-critical applications, consider hot standby environments
- Cybersecurity incident response: Documented procedures for containing and recovering from cyber incidents
People and Premises
- Remote work capability: Ensure all staff can work from home at short notice with secure access to all systems
- Cross-training: No critical function should depend on a single person
- Alternative premises: Identify co-working spaces or partner offices that could serve as temporary locations
- Communication tree: A documented chain for rapidly contacting all staff, clients, and suppliers
Step 4: Create Your BCP Document
Your Business Continuity Plan should be a practical, actionable document — not a dusty binder on a shelf. Key sections include:
Essential Components
- Activation criteria: What triggers the BCP? Who decides to activate it?
- Team roles and responsibilities: Who does what during a crisis? Include alternates for each role.
- Communication plan: Templates for staff notifications, client communications, and supplier updates
- Recovery procedures: Step-by-step instructions for restoring each critical function, in priority order
- Contact lists: Emergency contacts for staff, key clients, suppliers, insurers, IT providers, and emergency services
- Resource requirements: Equipment, access credentials, and materials needed for recovery
Important: Store your BCP in a location accessible even if your primary systems are down. Cloud storage with offline copies is recommended.
Step 5: Implement Technical Safeguards
Your IT infrastructure is the backbone of most modern business operations. Technical safeguards should include:
- Automated backup verification: Don’t just back up — verify that backups can actually be restored
- Network redundancy: Secondary internet connection from a different provider
- UPS and power protection: Uninterruptible power supplies for critical equipment
- VPN and secure remote access: Pre-configured for all staff, not set up in a panic during an emergency
- Endpoint security: Managed detection and response across all devices
- Email continuity: Ensure email keeps flowing even if primary servers fail
Step 6: Test Your Plan
A plan that hasn’t been tested is just a theory. Regular testing reveals gaps before a real disaster exposes them.
Types of Testing
- Tabletop exercise: Walk through scenarios verbally with your team (low cost, do quarterly)
- Simulation: Announce a scenario and have teams execute their procedures without actually taking systems offline (do bi-annually)
- Full test: Actually fail over to backup systems and work from them (do annually for critical systems)
- Backup restoration test: Restore data from backups to verify integrity (do monthly)
After Each Test
- Document what worked and what didn’t
- Update the BCP based on lessons learned
- Re-train staff on any changed procedures
Step 7: Maintain and Update
Your BCP is a living document. It must evolve as your business changes. Schedule reviews:
- Quarterly: Review contact lists and ensure they’re current
- Bi-annually: Review recovery procedures and test results
- Annually: Full review of BIA, risk assessment, and recovery strategies
- After any significant change: New office, major system change, acquisition, or key staff departure
Australian Compliance Considerations
Depending on your industry, you may have specific business continuity obligations:
- Privacy Act 1988: You must take reasonable steps to protect personal information, which includes having incident response plans for data breaches
- APRA CPS 234: Financial services firms must maintain information security capabilities, including incident response
- Essential Eight: While not mandatory for all businesses, the ASD’s Essential Eight maturity model is increasingly expected in government contracts and by enterprise clients
- Work Health and Safety: Emergency planning is a WHS obligation under Australian law
Common BCP Mistakes to Avoid
- Making the plan too complex — keep it practical and actionable
- Not involving all departments — BCP isn’t just an IT problem
- Storing the plan only on internal servers (which may be unavailable during a disaster)
- Never testing the plan
- Assuming insurance covers everything — business interruption policies have limits and exclusions
- Forgetting about supply chain dependencies
Getting Started: Your First 30 Days
Don’t try to build a perfect BCP overnight. Here’s a realistic 30-day kickstart plan:
- Week 1: Conduct a basic BIA — identify your top 5 critical functions
- Week 2: Document recovery procedures for those 5 functions
- Week 3: Set up or verify backups, remote access, and communication channels
- Week 4: Run a tabletop exercise, refine the plan, and assign ongoing ownership

