StormDotCom Logo
Back to Cloud & Continuity

Cloud & Continuity

Business Continuity Planning 101 for South African SMEs

Load shedding, a stolen laptop, a ransomware hit, a burst pipe in the server room — disruption is a question of when, not if. A simple continuity plan is what stands between an inconvenience and a crisis.

Published: June 202611 min read

The honest starting point

Big companies have entire business continuity teams. Small businesses have you — and a to-do list that's already full. The good news is that a workable continuity plan for an SME doesn't need to be a hundred-page document. It needs to answer a few clear questions, be written down, and be tested. This guide walks you through the essentials.

What business continuity actually means

Business continuity is your ability to keep operating — or recover quickly — when something goes wrong. Disaster recovery (getting your IT systems and data back) is part of it. But continuity is broader: it's about people, premises, suppliers, and process too. The aim is simple: minimise downtime and data loss when disruption hits.

The threats South African businesses face are real and varied — and some are uniquely local. Load shedding alone has forced more businesses to think about continuity than any other single factor. Add ransomware, hardware theft, internet outages, and accidental data loss, and the case for a plan becomes obvious.

Know your two key numbers

Every continuity plan rests on two targets, agreed per system. Before you can plan, you need to know what “acceptable” actually means for your business.

RTO

Recovery Time Objective

How quickly do you need a system back online after an incident? Four hours? By the next morning? Your RTO drives decisions about backup infrastructure, spare hardware, and support response times.

RPO

Recovery Point Objective

How much data can you afford to lose? If your last backup was 24 hours ago and a system fails now, could you rebuild today's work? Your RPO determines how frequently backups need to run.

1

Assess your risks

List what could realistically disrupt your business and how likely each scenario is. In South Africa, that list almost always starts with load shedding and power instability. Add hardware failure, theft, ransomware, internet outages, and human error.

You don't need to plan for everything equally — focus your effort on threats that are both likely and damaging. A scenario that is extremely unlikely but catastrophic (office burns down) still deserves a basic plan. A scenario that is common but trivial (internet drops for 10 minutes) just needs a workaround.

2

Protect your data

Data is the one thing you often can't recreate. The industry-standard starting point is the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site. This ensures that no single failure — whether a ransomware attack, hardware failure, or physical disaster — can take out all your copies at once.

3

Copies of your data

2

Different media types

1

Copy stored off-site

Make sure Microsoft 365 — including email, OneDrive, SharePoint, and Teams — is covered by an independent backup. Microsoft's own retention features protect against infrastructure failures, but sync is not the same as backup. If ransomware encrypts your OneDrive files, sync faithfully replicates the damage everywhere.

Critically: test that you can actually restore, not just that backups are running. A backup you've never tested is an assumption, not a safety net.

3

Plan for power and connectivity

Load shedding is a business continuity issue, not just an annoyance. Every South African SME needs a clear answer to: “How do essential staff stay online during an outage?”

  • UPS units: Uninterruptible power supplies give you 15–30 minutes to ride out short outages and shut down equipment cleanly. Essential for servers and networking equipment.
  • Inverter or generator capacity: For key sites or longer outages, an inverter with battery bank or a generator keeps critical systems running. Size it to your actual load, not an estimate.
  • Mobile data failover: A 4G/5G router as a backup to your fixed-line internet connection. When the ADSL or fibre drops, staff automatically switch to mobile data without interruption.
  • Cloud-based systems: If your systems live in Microsoft 365, staff can work from anywhere the lights are on — a coffee shop, home, a client's office. No VPN required, no local server needed.
4

Enable work-from-anywhere recovery

If your systems and files live in Microsoft 365, a lost office or a dead laptop doesn't stop the business. Staff can pick up on another device within minutes — but only if you've set this up before you need it.

Standardised cloud storage

No critical files saved only on local drives. OneDrive and SharePoint should be the default save location for everyone.

Documented logins protected by MFA

Every account secured with multi-factor authentication. Login details stored in a password manager, not a spreadsheet — and accessible to the right people in an emergency.

A known device provisioning process

When a device fails, who orders the replacement? Who sets it up? How long should it take? Document this before you need it.

5

Write it down and share it

A plan in someone's head isn't a plan. Capture the essentials in one accessible document — somewhere staff can find it even if the office is unreachable.

  • Who does what when an incident happens — and their backup person
  • Key contacts: IT support, internet provider, insurers, landlord
  • Where backups are located and how to restore them
  • Login and access details, stored securely in a password manager — not a spreadsheet
  • Your RTO and RPO targets for each critical system
6

Test it

An untested plan is a guess. At least once a year, run a simple drill. It doesn't need to be a full-scale simulation — even a short tabletop exercise surfaces gaps while they're cheap to fix.

💾

Restore a file from backup

Confirms backups are actually usable

💻

Simulate a lost laptop

How quickly can staff be back on a new device?

🏢

"Office unreachable on Monday"

Walk through exactly who does what, step by step

Keep it alive

Your business changes — new staff, new systems, new suppliers. Review your continuity plan when something significant changes, and at least annually. Continuity planning isn't a one-off project; it's a habit that quietly protects everything you've built. The businesses that recover fastest from disruption aren't the ones that got lucky — they're the ones that planned ahead.

Not sure where your gaps are?

We can review your current setup — data protection, power resilience, remote access, and documentation — and give you a clear picture of where you're exposed. No jargon, no pressure.

Book a free continuity review

Your business continuity checklist

Work through this checklist to identify where your plan is solid and where the gaps are. Every “no” is a risk worth addressing.

BCP Essentials — 12 steps
1.Define your RTO and RPO for each critical system
2.Identify your top 5 most likely and most damaging risks
3.Confirm your backup follows the 3-2-1 rule (3 copies, 2 media types, 1 off-site)
4.Verify Microsoft 365 (email, OneDrive, SharePoint) has an independent backup — not just sync
5.Test that you can actually restore from backup — not just that backups are running
6.Ensure critical staff can work remotely if the office is unreachable
7.Install UPS units on servers and networking equipment
8.Set up a mobile data failover for your internet connection
9.All accounts protected by MFA; logins stored in a password manager
10.Write your continuity document: who does what, key contacts, restore steps
11.Run at least one test drill per year — restore a file, simulate a device failure
12.Schedule an annual review to keep the plan current

Frequently Asked Questions

What is the difference between business continuity and disaster recovery?

Disaster recovery is a subset of business continuity. Disaster recovery focuses specifically on restoring IT systems and data after an incident. Business continuity is broader — it covers people, premises, suppliers, and processes too. A full continuity plan asks 'how do we keep operating?' not just 'how do we get our systems back?'

Does a small business really need a formal continuity plan?

Yes — but it doesn't need to be formal in the sense of long or complex. A one-page document that answers 'what do we do if X happens?' is a continuity plan. The goal is to avoid making critical decisions under pressure. Even a basic written plan, tested once a year, gives you a significant advantage over having nothing.

What should our RTO and RPO actually be?

That depends on your business. A good starting question: 'How many hours of downtime would seriously harm us, and how many hours of data loss is recoverable?' For most SMEs, an RTO of 4 hours and an RPO of 1–4 hours is achievable with cloud-based systems and proper backup. If your business can't tolerate any data loss, you need near-continuous backup, which is achievable but more costly.

How does load shedding factor into a continuity plan?

Load shedding is one of the most common and predictable disruptions South African businesses face, so it deserves specific attention in your plan. The key decisions: what systems must stay running during an outage (UPS or generator), what systems can wait (most office equipment), and how staff continue working if the office loses power for an extended period (cloud-based systems and mobile hotspots).

How often should we test our continuity plan?

At minimum, once a year — but a short quarterly check is better. Full simulations don't need to be disruptive. Restoring a test file from backup, checking that remote access works, and walking through your incident contact list takes 30–60 minutes and surfaces problems before they matter.

Is Microsoft 365 enough on its own for business continuity?

Microsoft 365 is an excellent foundation for continuity — cloud storage, cloud email, and remote access are built in. But it's not complete on its own. Microsoft's Shared Responsibility Model is clear: Microsoft protects the infrastructure; you are responsible for your data. A ransomware attack or mass accidental deletion that affects your Microsoft 365 data requires a separate backup solution to recover from. Sync is not backup.

Want to know where your continuity gaps are?

We can review your data protection, power resilience, and remote access setup — and give you a clear, practical picture of your exposure. No jargon, no pressure, no obligation.

Book a Free Continuity Review