Skip to main content
株式会社オブライト
Business DX2026-07-13

An Introduction to IT-BCP: How Many Days Could Your Company Survive a System Outage?

A basic guide to IT-BCP (IT Business Continuity Plan): outage scenarios to plan for, how to map business dependencies, and how to think about recovery targets — starting with a single sheet of paper.


What Is IT-BCP?

IT-BCP (IT Business Continuity Plan) refers to a plan prepared in advance for continuing operations — or recovering as quickly as possible — when a company's information systems become unavailable due to a system failure, cyberattack, disaster, or similar event. Thinking through in advance how long a company can withstand a one-day system outage significantly changes the speed and quality of decisions made when an outage actually happens. This article introduces the basic thinking behind IT-BCP and a practical approach that even SMBs without a dedicated IT department can start with a single sheet of paper.

Why SMBs Need IT-BCP Now

As cloud services have become more widely used, it's no longer unusual for an SMB's entire operation to grind to a halt when its own systems go down. At the same time, 'BCP' tends to bring to mind a company-wide plan focused on natural disasters, and IT-specific planning is often pushed aside. For a broader view of IT risk, see our Complete Guide to IT Risk Management for SMBs — IT-BCP is the part of that picture focused specifically on how to keep operating once systems go down.

IT-BCP looks similar to, but serves a different purpose from, initial response after a data breach. For what to do immediately after a breach occurs, see Initial Response to a Data Breach. That article focuses on the steps to take right after an incident happens, whereas IT-BCP is about working out in advance how long a system outage of a given duration would affect operations, so you can keep the business running — or get it running again quickly.

Outage Scenarios Worth Planning For

When working on IT-BCP, start by listing out the reasons your systems could go down. Since recovery time and available responses differ by cause, it's important to plan for multiple scenarios.

- Ransomware attack: your servers or PCs are encrypted and data or systems become unusable
- Cloud service outage: an external service you rely on (email, accounting, a core business system, etc.) goes down
- Natural disaster or power outage: an earthquake, flooding, or an extended power outage makes your office or server equipment unusable
- Key staff unavailable: the person familiar with your systems suddenly goes on leave or resigns, leaving no one able to respond

Building a Dependency Map: What Stops When a Given System Goes Down

One of the most common stumbling blocks in IT-BCP planning is not having a clear picture of which business processes depend on which systems. For example, if order processing depends on a specific cloud service, or invoicing depends on software running on a specific PC, building a plan without first visualizing these relationships produces a plan that won't actually be usable when an outage happens.

- List out your business processes (order processing, invoicing, customer support, production/site management, etc.)
- Write down which systems or services each process uses (distinguishing cloud, on-premises, or a specific PC)
- Estimate how much and for how long each process would be affected if that system went down
- Give each process a rough rating of impact if it stopped — high, medium, or low
- Identify systems that multiple processes depend on at once, since these represent concentrated risk

Thinking Through Recovery Targets

Once you've mapped the dependencies, the next step is to think about how quickly you'd want each process restored. Not every process needs to be treated the same way — the acceptable downtime varies with how critical the process is. A one-day outage of a customer support line might have a major impact, while a few days' delay in monthly accounting work might not be critical. Setting a tentative 'acceptable downtime' for each process gives you the foundation for prioritizing recovery efforts.

Process / system exampleApproximate impact if stoppedRough recovery time guideline
Customer inquiry channelHigh (directly affects trust and lost opportunities)Consider a target of a few hours to within one day
Order and inventory management systemMedium to high (core to operations)Consider a target of one day to a few days
Monthly accounting/invoicingMedium (impact is limited if restored before the closing date)Consider a target of a few days to about a week
Internal support toolsLowRecovery priority can typically be set relatively lower

Starting BCP with a Single Sheet of Paper

IT-BCP tends to conjure images of a thick planning document, but you don't need to aim for perfection from the start. It's more practical to begin by organizing the minimum information onto a single A4 sheet.

1. Write down two or three outage scenarios you want to plan for (ransomware, cloud outage, disaster, key staff unavailable, etc., as above)
2. List your main business processes and the systems each depends on (a simplified version of the dependency map above)
3. Set a tentative acceptable downtime for each process
4. Decide, at minimum, who does what first when an outage occurs — including contact details and fallback options
5. Set a review cadence in advance, such as once every six months to a year

Practical Checklist

- [ ] Have you listed multiple outage scenarios to plan for?
- [ ] Have you mapped your main business processes to the systems they depend on?
- [ ] Have you set a tentative acceptable downtime for each process?
- [ ] Have you clarified who to contact first and what fallback options exist when an outage occurs?
- [ ] Have you set a schedule for reviewing the plan?

Frequently Asked Questions

What's the difference between IT-BCP and BCP (Business Continuity Plan)?

BCP often refers to a company-wide continuity plan covering things like natural disasters and pandemics, while IT-BCP is the part of that focused specifically on system outages. Depending on a company's size and structure, IT-BCP may be developed as a standalone plan or positioned as part of a company-wide BCP.

Can an SMB without a dedicated IT department create one?

Yes. There's no need to aim for a fully polished plan from the outset — you can start by using a single A4 sheet to map your main processes' dependencies and set tentative acceptable downtimes.

Once created, does it need to be revisited?

Yes, it should be revisited. The systems and processes you use change over time, so reviewing the plan periodically, such as every six months to a year, is generally considered good practice.

Summary

IT-BCP is a plan for thinking through, in advance, how long your company could withstand a system outage. There's no need to build a perfect document from day one — you can start with a single A4 sheet by listing likely outage scenarios, mapping the dependencies between processes and systems, and setting a tentative acceptable downtime for each process. A good place to start is simply writing down which systems your main business processes depend on.

Feel free to contact us

Contact Us