Let’s be real: No one has a perfect business continuity and disaster recovery (BCDR) plan. And that’s okay because perfection isn’t the goal—resilience is.
A client once told me they had a mature BCDR plan. Then a hurricane hit. Their primary data center flooded. Admins needed to reach a backup site in another state, but flights were grounded, roads iced over, and their own homes were underwater too.
Suddenly, you’re asking people to choose between their jobs and their families. That’s not just a logistics problem; it’s a human one, reminding us that even the best plans can fall apart in practice.
But while FEMA estimates that one in four businesses never reopen after a disaster, you can take steps to avoid becoming that statistic.
BCDR today isn’t just about systems and backups. It’s about people, priorities, and preparation. And while no plan is perfect, I still see the same five challenges tripping up organizations. The difference now? The stakes are higher. Cyberattacks can paralyze your entire business. And AI, while promising, isn’t a silver bullet.
So, let’s talk about how to get your BCDR house in order.
1. Identity management: Who’s really on call?
We used to travel to incident sites, plug in some cables, and run recovery drills. Now, it’s all remote—opening the door to new threats when your business is most vulnerable.
I’ve seen attackers sneak into recovery calls using fake identities, with names just one letter off from real employees. They’ll log into calls, listen, disrupt, and make a bad day worse.
This is a human vulnerability. Having the right people in place and properly accounted for—from IT to legal—is still critical. Especially when a cyberattack can take down your entire IT infrastructure rather than a single facility.
Step to take: Build identity verification into your BCDR runbooks. Don’t assume your Teams or Zoom login is enough.
2. Prioritization: What’s your minimum viable company?
You can’t recover everything at once, so don’t try.
Nearly half of organizations need more than a week to recover from a cyberattack. In that time, you’re not making products, and your stakeholders are losing faith.
I’ve seen companies try to bring back every system simultaneously. It never works. Focus on what matters most and build from there.
Start first with a business impact analysis (BIA) to figure out what keeps the lights on. That’s your minimum viable company and what you need to recover first. Everything else can wait.
Step to take: Run a BIA. Use it to define your recovery priorities and align them with your recovery time and point objectives. This helps you understand how quickly you need to be back up and running and how much data you can afford to lose. This is foundational to any serious BCDR strategy.
3. Incomplete recovery: Backups aren’t a plan
Many clients think, “We’ve got backups, so we’re good.” No, you’re not.
Backups are just data. If you don’t have the configurations and environments to use that data, it’s useless. I’ve seen clients with pristine backups, and no way to run them. That’s not recovery, it’s a false sense of security.
You also need to consider:
- Systems available to process that data;
- Where the data is stored because it may be gone;
- The environment, since moving on-premises data to the cloud is difficult even on a good day.
Step to take: Map out your recovery scaffolding—identity, network, infrastructure—and test it. Tools can help automate this, but you need to know what “usable” recovery looks like for your business.
4. Documentation: Living plans, not dusty binders
Ask your team where the BCDR plan is. If they point to a binder, you’ve got a problem.
IT environments change daily, and your plan needs to change with them. That means version control, real-time updates, and integration with your infrastructure workflows, whether in the cloud, a data center, or at the edge. A static document is a liability.
Step to take: Treat your BCDR plan like code—versioned, updated, and tested. Use automation where possible, but keep people in the loop.
5. Testing: If you haven’t tried it, you don’t have a plan
Because BCDR plans change so often, you need to test them regularly. If you don’t, it’s more theory than plan, and things will invariably go wrong when you need it most.
Testing reveals the gaps. It’s where you find out if your plan works or cracks under pressure. Think of it like a military exercise. You don’t just write the battle plan. You run it. You red-team it. You revise it.
Quarterly or semiannually testing is the sweet spot. Any less than that, you’re out of date. More than that, you’re probably overdoing it or not automating enough.
Ask your teams when they last ran a full BCDR test. If it’s not in the last six months, it’s time to knock off the rust. The best plans just get more sophisticated along with all the technological advances we implement, and it may be advisable to lean on an outside consultant who can help you troubleshoot without bias.
Step to take: Schedule regular tests; quarterly is ideal. Include realistic scenarios, not just happy paths. And bring in your comms, legal, and HR teams. BCDR isn’t just an IT exercise.
PRESSURE TEST IT NOW
At the end of the day, BCDR isn’t about checking boxes. It’s about protecting people, preserving trust, and proving your business can take a hit and keep going.
Ask yourself: If disaster strikes tomorrow, would our plan hold—or would it fold? Don’t wait to find out. Pressure-test it now, while you still have the luxury of time.
Juan Orlandini is CTO of North America at Insight Enterprises.
