Business Continuity Planning for Irish SMEs: A Practical Guide

Business continuity planning is no longer optional for regulated Irish businesses. NIS2 Article 21 explicitly requires business continuity as a security measure. DORA mandates documented ICT continuity plans and requires them to be tested. ISO 27001 Annex A includes business continuity management as a control domain.

Despite this, most Irish SMEs either have no BCP or have a document that was written once and has never been used. This guide explains what a practical BCP needs to contain, how to structure it without a dedicated team, and how to test it before you need it.

What Is Business Continuity Planning?

Business continuity planning is the process of identifying threats to your organisation's operations, understanding their potential impact, and putting in place procedures that allow you to continue delivering critical services — or recover them quickly — when a disruption occurs.

It is distinct from but related to disaster recovery (DR). Disaster recovery is typically focused on restoring IT systems and data. Business continuity is broader — it covers all the processes, people, facilities, and communications needed to keep the organisation functioning.

For most SMEs, an integrated BCDR (Business Continuity and Disaster Recovery) approach makes practical sense rather than maintaining two separate documents.

What Your BCP Must Cover

1. Business Impact Analysis (BIA)
Identify your critical business functions — the activities whose loss would most severely affect the organisation. For each critical function, document:
- The maximum tolerable downtime (how long you can survive without it)
- The recovery time objective (RTO — how quickly you need to restore it)
- The recovery point objective (RPO — how much data loss is acceptable)
- Dependencies — systems, people, suppliers, physical locations

2. Threat and risk scenarios
Document the disruption scenarios your BCP is designed to address. For most SMEs these include: ransomware or major cyber incident, loss of key personnel, supplier failure, loss of primary premises, extended power or connectivity outage.

3. Response procedures
For each scenario, a documented step-by-step response procedure: who is notified first, who makes decisions, how communications are managed internally and externally, what workarounds or fallback processes exist while primary systems are unavailable.

4. Roles and responsibilities
Named individuals (and backups) for each role in the continuity response. The BCP must not depend on a single individual being available.

5. Communication plan
How you will communicate with staff, customers, suppliers, and regulators during an incident. Includes escalation contacts, approved communication templates, and social media/public communications guidance.

6. IT recovery procedures
Documented backup and restore processes for critical systems, with tested RTOs and RPOs. Includes cloud service dependencies, access to backups during an incident, and procedures for rebuilding systems from scratch if required.

7. Testing and review schedule
How and when the plan will be tested, and who is responsible for maintaining and updating it.

How to Test Your BCP

A BCP that has never been tested is a risk, not a control. Three testing approaches:

Tabletop exercise — the most practical for SMEs. Walk the relevant team through a simulated scenario (e.g. "you've just discovered ransomware on your primary server at 9am on a Monday") and talk through the response step by step. Document what works, what's unclear, and what's missing.

Technical recovery test — restore from backup in a test environment to validate your actual RTO and RPO. Many organisations discover their backup restoration is slower or more complex than their BCP assumes.

Full simulation — for organisations with higher resilience obligations (DORA significant entities, larger NIS2 entities), a full simulation exercise where teams respond as if the incident is real, including communications and supplier notifications.

At minimum, tabletop exercises should be conducted annually and after any significant change to the organisation's systems, suppliers, or structure.

Common BCP Failures in SMEs

Single points of failure in the plan itself. The BCP lists one person responsible for each function with no backup named. When that person is unavailable during an actual incident, the plan collapses.

RPOs and RTOs that haven't been validated. The plan states a 4-hour RTO for the primary database but nobody has ever actually attempted a restore. The real RTO turns out to be 18 hours.

Outdated supplier and contact information. Phone numbers and escalation contacts are 3 years old. Suppliers have changed. The plan sends people to numbers that no longer exist.

No integration with incident response. The BCP and the incident response plan exist as separate documents with no clear point of handoff between the two.
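The BIA fields described earlier (maximum tolerable downtime, RTO, RPO, backup interval), the technical recovery test, and the four failures listed in this section all lend themselves to a mechanical consistency check before a tabletop exercise. The following Python script is an added example, not the article's text or ShieldIQ's code. It models a BIA register, a role roster and a contact list as plain dictionaries and flags: an RTO longer than the MTD, a backup interval that cannot meet the RPO, an RTO that has never been validated or that a measured restore exceeded, roles with no named backup or one person holding several role slots, and contacts not verified within a year. Every name, figure and date in it is constructed; the field names and the one-year contact threshold are assumptions, not anything the article prescribes.

```python
"""Consistency checks for a small BCP register (added example, constructed data)."""
from datetime import date, timedelta

# Constructed BIA register: one entry per critical function. Hours throughout.
# measured_restore_hours is None when no restore test has ever been run.
FUNCTIONS = [
    {"name": "Customer order processing", "mtd_hours": 24, "rto_hours": 4,
     "rpo_hours": 1, "backup_interval_hours": 1, "measured_restore_hours": 18},
    {"name": "Payroll", "mtd_hours": 72, "rto_hours": 48,
     "rpo_hours": 24, "backup_interval_hours": 24, "measured_restore_hours": None},
    {"name": "Email", "mtd_hours": 8, "rto_hours": 12,
     "rpo_hours": 4, "backup_interval_hours": 24, "measured_restore_hours": 2},
]

# Constructed role roster: primary and backup for each continuity role.
ROLES = {
    "Incident lead": {"primary": "A. Murphy", "backup": "B. Walsh"},
    "IT recovery": {"primary": "C. Byrne", "backup": None},
    "Communications": {"primary": "D. Kelly", "backup": "A. Murphy"},
}

# Constructed escalation contacts with the date each entry was last verified.
CONTACTS = [
    {"name": "Backup provider helpdesk", "verified": date(2022, 3, 1)},
    {"name": "ISP NOC", "verified": date(2025, 9, 15)},
]


def check_functions(functions):
    """Flag RTO/RPO/MTD inconsistencies and unvalidated or failed RTOs."""
    findings = []
    for f in functions:
        name = f["name"]
        # An RTO longer than the MTD means the plan accepts an outage the business cannot survive.
        if f["rto_hours"] > f["mtd_hours"]:
            findings.append(f"{name}: RTO {f['rto_hours']}h exceeds MTD {f['mtd_hours']}h")
        # Backups taken less often than the RPO cannot deliver the promised data-loss bound.
        if f["backup_interval_hours"] > f["rpo_hours"]:
            findings.append(f"{name}: backups every {f['backup_interval_hours']}h "
                            f"cannot meet RPO {f['rpo_hours']}h")
        measured = f["measured_restore_hours"]
        if measured is None:
            findings.append(f"{name}: RTO {f['rto_hours']}h has never been validated by a restore test")
        elif measured > f["rto_hours"]:
            findings.append(f"{name}: measured restore {measured}h exceeds stated RTO {f['rto_hours']}h")
    return findings


def check_roles(roles):
    """Flag roles with no backup and people who hold more than one role slot."""
    findings = []
    slots_per_person = {}
    for role, people in roles.items():
        if not people.get("backup"):
            findings.append(f"{role}: no backup named")
        for person in (people["primary"], people.get("backup")):
            if person:
                slots_per_person[person] = slots_per_person.get(person, 0) + 1
    for person, n in slots_per_person.items():
        if n > 1:
            findings.append(f"{person}: holds {n} role slots, one absence affects several roles")
    return findings


def check_contacts(contacts, today, max_age_days=365):
    """Return contacts not re-verified within max_age_days of `today` (assumed threshold)."""
    cutoff = today - timedelta(days=max_age_days)
    return [c["name"] for c in contacts if c["verified"] < cutoff]


def review_plan(functions=FUNCTIONS, roles=ROLES, contacts=CONTACTS, today=date(2026, 1, 1)):
    """Run every check and return the findings grouped by category."""
    return {
        "functions": check_functions(functions),
        "roles": check_roles(roles),
        "stale_contacts": check_contacts(contacts, today),
    }


if __name__ == "__main__":
    for category, items in review_plan().items():
        print(f"{category}:")
        for item in items or ["none"]:
            print(f"  - {item}")
```

On the constructed data the script reports four function-level findings (an 18-hour measured restore against a 4-hour RTO, a never-tested payroll RTO, and an email service whose RTO exceeds its MTD and whose daily backups cannot meet a 4-hour RPO), one role with no backup plus one person sitting in two role slots, and one contact last verified in 2022. Feeding it an empty register returns no findings, which is the state a plan should be in after the action items from a tabletop are closed.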

How ShieldIQ Supports Business Continuity

ShieldIQ includes a BCDR testing module where you can document tabletop and technical exercises, record outcomes and action items, and maintain a structured log of BCP test history. BCP controls are linked to your NIS2 and ISO 27001 compliance posture, and gaps surfaced through testing can be added directly to your remediation action board.

Run a free NIS2 assessment to see your business continuity posture →