Business Continuity for IT
itPlatform engineering and SRE
Business Continuity for IT
Business continuity keeps essential work running through a disruption. For an IT team, that means understanding which business activities depend on technology, how long those activities can tolerate interruption, and what recovery the organization can afford.
The plan does not begin with servers. It begins with business outcomes. Payroll may need identity, banking connectivity, employee data, and a working approval path. An online store may need more than its website. Orders can also depend on payment, inventory, fulfillment, customer support, and third-party services.
This dependency view changes the question. You stop asking, “How quickly can we restore every system?” You ask, “Which services support essential work, in what order, and to what usable level?”
Continuity and recovery are related, not identical
A business continuity plan describes how the organization sustains essential functions during and after a disruption. It includes people, facilities, suppliers, communications, records, manual workarounds, and technology.
An IT disaster recovery plan describes how the organization restores technology services, applications, infrastructure, and data. Ready.gov advises developing this plan with the business continuity plan. Technology recovery must meet the needs of business recovery.
An information system contingency plan narrows the scope further. It provides procedures for recovering one system or a related set of systems. NIST uses this form to connect system recovery with broader continuity and emergency plans.
Incident response also has a different job. It contains and manages an incident. Continuity sustains essential work, while recovery restores affected capabilities. One event can activate all three disciplines, so their roles and handoffs must agree.
Start with a business impact analysis
A business impact analysis, or BIA, identifies essential business processes, the resources that support them, and the consequences of interruption. It gives technology teams recovery priorities based on business need.
For each process, identify:
- the outcome the process produces;
- the process owner and recovery decision maker;
- the effect of interruption over time;
- the applications, data, infrastructure, people, facilities, and suppliers it requires;
- upstream and downstream dependencies;
- legal, contractual, safety, financial, and operational constraints;
- acceptable manual workarounds; and
- the minimum service level needed during recovery.
The BIA is not an asset popularity survey. A quiet identity service may be more important than a visible application because many other services depend on it. A low-volume supplier connection may block every shipment. Map dependency chains before assigning recovery order.
Translate business tolerance into recovery objectives
Three measures help connect business impact to technical design:
- Maximum tolerable downtime is the longest disruption a process can accept before the effect becomes unacceptable.
- Recovery time objective, or RTO, is the target time for restoring a system or resource after disruption.
- Recovery point objective, or RPO, is the point in time to which data must be recovered after an outage.
These measures answer different questions. RTO concerns elapsed recovery time. RPO concerns tolerable data loss measured in time. Neither measure promises an outcome by itself.
Keep the objectives consistent. A system RTO must support the business process that depends on it. The recovery sequence must also fit inside the process tolerance. If a service has a four-hour RTO but needs six hours of prerequisite recovery, the design cannot meet the stated objective.
Objectives create cost and architecture decisions. Shorter recovery times may require standby capacity, automation, alternate connectivity, or prearranged facilities. Shorter recovery points may require more frequent backups or replication. The BIA supplies the reason for that cost.
Design a continuity strategy
A continuity strategy combines preventive controls, alternate ways of working, and recovery capabilities.
Preventive controls reduce the chance or effect of disruption. Examples include power protection, redundancy, environmental controls, secure backups, spare components, and resilient telecommunications.
Alternate processing keeps essential work moving while normal technology is unavailable. A team might use a manual intake process, a restricted emergency service, or an alternate provider. A workaround needs its own capacity, security, data-capture, and reconciliation rules.
Recovery capabilities restore the required technology. They can include backups, replicated data, rebuild automation, alternate sites, replacement equipment, vendor support, and documented restoration procedures. Select them against the recovery objectives rather than against a preferred product.
Dependencies remain decisive. A recovered application is not usable if identity, name resolution, network routing, secrets, certificates, or external integrations are still unavailable. Build a recovery sequence from prerequisites to business service.
Write for decisions under pressure
A usable plan tells people what to do, who can decide, and what evidence confirms success. NIST contingency-plan templates organize recovery into three phases:
- Activation and notification — assess the disruption, activate the plan, notify the right people, and establish authority.
- Recovery — restore capabilities in the approved order and verify each dependency.
- Reconstitution — return to normal operations, validate the restored environment, reconcile temporary work, and close the event.
Record roles by function, not only by a person’s name. Include alternates and current contact methods. Store an accessible protected copy away from the environment that may fail. Document decision criteria for activation, failover, degraded operation, and return to normal service.
Each recovery procedure needs prerequisites, inputs, expected results, validation steps, rollback or escalation conditions, and an owner. “Restore the database” is not a procedure. It does not name the source, target, credentials, sequence, integrity check, or business validation.
Exercise the capability
A written plan is an untested hypothesis. Training prepares people for their roles. Exercises rehearse decisions and coordination. Tests verify that systems and components operate as required.
Use several forms of evidence:
- a document review to find stale contacts and missing dependencies;
- a tabletop exercise to walk through decisions with a scenario;
- a functional exercise to perform coordinated recovery actions;
- a technical recovery test to restore data or rebuild a service; and
- a failover test when the risk and environment permit it.
Define objectives before the event. Observe decisions, timing, technical results, communications, and safety controls. Record gaps with owners and due dates. Update the plan, architecture, training, or recovery objective when the evidence shows a mismatch.
Exercises must not create an uncontrolled production incident. Set boundaries, approvals, stop conditions, and rollback plans. Protect sensitive plan details and test data throughout the event.
Maintain one operational capability
Business continuity changes whenever the business or its technology changes. New suppliers, identity platforms, network designs, data stores, staffing models, and regulations can invalidate an old plan.
Connect continuity review to normal change processes. Review the BIA and plan after major system or organizational changes, after exercises, and after real disruptions. Track recovery readiness as evidence: current ownership, successful restores, measured recovery time, unresolved findings, and dependency coverage.
Business continuity is not the promise that nothing will fail. It is a managed capability to sustain the most important work, restore technology in a justified order, and learn from evidence.
