How long does a disaster recovery planning engagement take?

For a typical SME (25–150 staff, single primary site) the full engagement — BIA, RTO/RPO definition, technical review, documented runbooks and tabletop exercise — takes four to six weeks. Larger or multi-site organisations take longer; we scope this in week one.

What is the difference between RTO and RPO?

RTO (Recovery Time Objective) is how quickly a system must be back online after an incident. RPO (Recovery Point Objective) is how much data loss is acceptable, measured in time — for example a 1-hour RPO means you accept losing up to 1 hour of data. Setting these per system is the foundation of any credible DR plan.

Isn't a backup the same as a disaster recovery plan?

No. A backup is one component of recovery; a DR plan is the strategy, decisions, runbooks, roles and tested procedures that get the business operating again. Backups answer "do we still have the data?". A DR plan answers "how, in what order, by whom and how quickly do we get back to work?".

Do you test the plan, or just write it?

We test it. The initial engagement includes a tabletop exercise. Where clients retain us on an ongoing basis we run twice-yearly live recovery tests against real workloads in isolated infrastructure, with a written report on measured RTO/RPO outcomes.

Will the plan satisfy our cyber-insurance and Cyber Essentials Plus requirements?

Yes. The documentation we produce is written to satisfy the recovery and continuity questions in standard cyber-insurance proposal forms, Cyber Essentials Plus assessments, ISO 27001 audits and most enterprise supplier questionnaires.

Disaster Recovery Planning for UK SMEs | BIA, RTO/RPO & Runbooks

Why most SME DR plans fail when they're needed

When we audit incoming clients, four patterns come up again and again: the backup runs but nobody has restored from it in a year; the “DR document” is a two-page PDF that names people who left in 2021; the cloud platform is assumed to handle continuity (it doesn’t); and the recovery targets — how quickly the business needs to be back, and how much data it can afford to lose — have never actually been agreed with the business.

Our Disaster Recovery Planning service fixes all four. It’s a structured engagement, not a template — we work with you to produce a plan that reflects how your business actually operates and that your team can execute without us in the room.

What the engagement covers

Business Impact Analysis (BIA) — we sit down with department leads to identify critical processes, the systems they depend on, and the cost of downtime per hour. This is what turns “everything’s important” into a defensible priority list.
RTO and RPO targets — for each system we agree a Recovery Time Objective (how fast it must be back) and Recovery Point Objective (how much data loss is acceptable). These numbers drive every downstream technical decision.
Risk & threat assessment — ransomware, hardware failure, cloud outage, supplier failure, building loss, key-person absence and accidental deletion. We score likelihood vs impact and prioritise mitigations.
Technical architecture review — backup coverage, immutability, off-site copies, replication, failover capability and your Microsoft 365 / Azure / on-prem estate. We map what you have against what your RTOs and RPOs actually require.
Documented runbooks — step-by-step recovery procedures per system, with named roles, decision points, contact trees and supplier escalation paths. Written for the person on call at 2am, not the architect who designed it.
Communications plan — internal updates, customer notifications, regulatory reporting (where applicable) and an agreed spokesperson.
Tabletop exercise — we walk your leadership team through a realistic scenario (typically a ransomware outbreak) and stress-test the plan against it.

Ongoing testing — the part most people skip

A plan that has never been tested is a guess. As part of an ongoing arrangement we run twice-yearly recovery tests against your live environment — restoring real workloads to isolated infrastructure, measuring actual RTO and RPO, and producing a short report you can share with auditors, insurers or your board.

Annual review of the BIA as your business changes
Twice-yearly DR test with measured outcomes
Runbook updates after every material infrastructure change
Evidence pack for Cyber Essentials Plus, ISO 27001 and cyber-insurance renewals

Who this is for

This service is right for you if any of the following is true: you handle customer or financial data, you have a cyber-insurance policy with a recovery clause, you’re pursuing Cyber Essentials Plus or ISO 27001, you operate in a regulated sector, or you’ve been asked for a DR plan in a supplier questionnaire and don’t have one that would survive scrutiny.

How it fits with the rest of your stack

Planning is the upstream service. Once the plan is agreed, the underlying technology is delivered through our Disaster Recovery and Cloud Backup offerings, with day-to-day oversight as part of our Managed Cloud Services. You can engage us for planning alone, or as a single end-to-end programme.

Disaster Recovery Planning

Why most SME DR plans fail when they're needed

What the engagement covers

Ongoing testing — the part most people skip

Who this is for

How it fits with the rest of your stack

Frequently asked questions

Ready to talk?