Maintaining business operations even during a crisis
Imagine your central ERP server goes down. Not for an hour, not for a day, but for an entire week. No orders, no invoices, no delivery notes. How long does your company survive before the financial damage becomes existential? This question is at the heart of business continuity management, and the honest answer is sobering for many mid-market companies. This topic page shows you how to protect your business against operational disruptions and how to quickly regain the ability to act in an emergency.
Business impact analysis: where does it hurt the most?
The first step toward functioning emergency management is the business impact analysis, or BIA. It answers the central question: which business processes are so critical that an outage has immediately noticeable effects? And how long can each of these processes be down before the damage becomes unbearable?
The BIA forces you to view your company from a perspective that often gets lost in day-to-day operations. You identify dependencies between processes, systems and resources that you are not even aware of during normal operations. Perhaps you discover that production depends not only on the ERP system but also on a small specialized system maintained by a single employee and documented nowhere. Such insights are invaluable because these hidden dependencies are exactly what become bottlenecks in an emergency.
RPO and RTO: the two most important metrics
Two terms come up again and again in business continuity management: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). The RPO defines how much data loss you can tolerate at most. If your RPO is four hours, you need to create a backup at least every four hours. The RTO defines how quickly a system must be available again after an outage. If your RTO for the ERP system is eight hours, your recovery plan must ensure that you can restore a functioning state within that time.
These two values are not technical details that you can delegate to IT. They are business decisions because they determine how much you need to invest in backup infrastructure, redundancy and emergency preparedness. An RPO of zero requires synchronous data replication and costs significantly more than an RPO of 24 hours, which can be achieved with daily backups.
Backup strategy: more than just copying data
Many companies have backups. Few have a well-thought-out backup strategy. The difference only shows in an emergency: is the backup complete? Is it readable? How long does the restoration take? The BSI recommends the 3-2-1 rule as a minimum: three copies of your data, on two different media types, with one copy stored off-site. Additionally, immutable backups are gaining traction — backups that cannot be modified or deleted after the fact, even if an attacker gains access to your network.
But even the best backup strategy is worthless if you never test the restoration. Restore tests are among the most frequently neglected tasks in IT. Yet a backup that you cannot restore is not a backup. Our article on bare-metal recovery testing shows you how to conduct regular restoration tests and ensure that your emergency processes actually work.
Disaster recovery and resumption
A disaster recovery plan goes beyond individual system restorations. It defines the sequence in which systems are restored, accounts for dependencies between services, and describes the organizational framework for crisis operations. Who coordinates the recovery? Where does the team work if the office building is inaccessible? How are customers and partners informed?
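The restore sequence and its effect on the RTO can be checked mechanically. The following is an added example, not part of the original page: it orders a constructed system inventory by dependency and computes each system's earliest completion time, assuming independent systems can be restored in parallel. All system names, durations and RTO values are illustrative assumptions.

```python
from graphlib import TopologicalSorter

# Constructed sample inventory (hours); names and values are illustrative only.
SYSTEMS = {
    "storage":        {"restore_h": 2, "rto_h": 4,  "needs": []},
    "directory":      {"restore_h": 1, "rto_h": 4,  "needs": ["storage"]},
    "database":       {"restore_h": 3, "rto_h": 8,  "needs": ["storage"]},
    "erp":            {"restore_h": 4, "rto_h": 8,  "needs": ["database", "directory"]},
    "label_printing": {"restore_h": 1, "rto_h": 24, "needs": ["erp"]},
}


def restore_plan(systems):
    """Return (order, finish): a dependency-safe restore order and the
    earliest hour at which each system is back, counted from the outage."""
    # A dependency that is not in the inventory is a hidden dependency:
    # stop here instead of silently planning around it.
    missing = {d for s in systems.values() for d in s["needs"]} - set(systems)
    if missing:
        raise ValueError(f"undocumented dependencies: {sorted(missing)}")

    graph = {name: set(s["needs"]) for name, s in systems.items()}
    # static_order() yields prerequisites first and raises CycleError on loops.
    order = list(TopologicalSorter(graph).static_order())

    finish = {}
    for name in order:
        # A restore can only start once every prerequisite is running again.
        start = max((finish[d] for d in systems[name]["needs"]), default=0)
        finish[name] = start + systems[name]["restore_h"]
    return order, finish


def rto_violations(systems):
    """Map each system that misses its RTO to (completion hour, RTO)."""
    _, finish = restore_plan(systems)
    return {n: (finish[n], s["rto_h"])
            for n, s in systems.items() if finish[n] > s["rto_h"]}


if __name__ == "__main__":
    order, finish = restore_plan(SYSTEMS)
    late = rto_violations(SYSTEMS)
    for name in order:
        status = "MISSES RTO" if name in late else "ok"
        print(f"{name:15} back at hour {finish[name]:>2} "
              f"(RTO {SYSTEMS[name]['rto_h']:>2} h) {status}")
```

On the sample data the ERP restore itself takes four hours, but it cannot start until the database is back at hour five, so it completes at hour nine and misses an eight-hour RTO.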
Practice, practice, practice
An emergency plan that only sits on a shelf is of little help in a real emergency. Regular tabletop exercises where you walk through scenarios with your team are the most effective way to find weaknesses in your emergency processes. These exercises do not need to be elaborate: one to two hours, a realistic scenario, the right people at the table. Our article collection shows you how to plan and conduct such exercises, and provides you with the IT emergency card — a practical tool that displays the most important immediate actions at a glance during an emergency.
