Business Continuity Plan: Building Resilience Before You Need It

A business continuity plan (BCP) is a documented, tested framework that defines how your organisation will continue operating and recover from a significant disruption — whether that is a ransomware attack, a natural disaster, a power failure, or a key supplier going offline. In 2026, having a BCP is not the challenge. Having one that actually works when tested is.


Most NZ businesses believe they are prepared for a major disruption. The research says otherwise.

NZ cyber security research covering over 200 NZ security leaders found that only 30% of NZ organisations have a business continuity or cyber incident response plan in place. At the same time, 73% said they had sufficient visibility of risks and 78% said they had the internal resources to deal with an attack. The confidence is real. The preparation is not.

This gap — between believing you are ready and having a tested plan that proves it — is where most NZ businesses are sitting in 2026. This guide covers what a business continuity plan actually needs to contain, why the tested-plan distinction matters more than ever, and how to build one that works when disruption arrives.

NZ research 2026: only 30% of NZ organisations have a business continuity or cyber incident response plan. Four in 10 NZ businesses expect to recover from a major cyber incident within days. Actual recovery from serious incidents takes weeks to months. 90% of small businesses that cannot restore operations within five days close permanently within a year.


What Is a Business Continuity Plan and What Should It Cover?

A business continuity plan is not a backup strategy. Backups protect your data. A BCP protects your entire business — your people, your communication channels, your suppliers, your systems, and your ability to serve customers during and after a disruption.

The distinction matters because most NZ businesses that have invested in backup think they have continuity covered. They do not. A backup tells you where your data is. A BCP tells you what your finance manager does on day one of a ransomware attack, who communicates with your clients, which systems get restored first, and how you notify the Office of the Privacy Commissioner if personal data has been compromised. For context on how backups fit within a broader continuity framework, our data backup strategy guide covers the technical foundation in detail.


BCP components, what each covers, and why it matters in 2026:

Risk Assessment
  What it covers: Identify the threats most likely to disrupt your operations — cyber attacks, natural disasters, power failures, supplier loss, staff unavailability.
  Why it matters in 2026: AI-accelerated attacks now compress attack timelines from weeks to hours. Risk assessment must reflect the current threat speed, not 2022 assumptions.

Business Impact Analysis
  What it covers: Define which systems and functions are critical, and set Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each.
  Why it matters in 2026: Downtime costs NZ businesses from $10,000 per hour for SMEs upward. Knowing your RTO before an incident removes guesswork during the worst moment.

Recovery Procedures
  What it covers: Step-by-step instructions for restoring critical systems, prioritised by business impact.
  Why it matters in 2026: Ransomware now targets backups first. Recovery procedures must account for compromised-backup scenarios and staged system restoration.

Communication Plan
  What it covers: Who contacts staff, clients, suppliers, regulators, and insurers — and in what order, using what channels.
  Why it matters in 2026: When primary systems are down, communication channels may also be affected. Off-system contact lists and pre-drafted notifications are essential.

Roles and Responsibilities
  What it covers: Named individuals responsible for each recovery function, with backups for key roles.
  Why it matters in 2026: Staff changes mean responsibility maps go stale. Plans must be reviewed when key people join or leave.

Tested Restore Procedures
  What it covers: Regular tests confirming that backup data can actually be restored within the RTO.
  Why it matters in 2026: 58% of backups fail during recovery. A backup that has never been tested is not a backup — it is an assumption.


The Tested-Plan Distinction: Why It Matters More Than Ever in 2026

The most important sentence in any business continuity planning conversation is this: a plan that has never been tested is not a plan. It is a document.

NZ research found that four in ten NZ and Australian organisations expected to recover from a major cyber incident within days. Real-world incidents tell a different story. A 2025 ransomware attack on a major UK manufacturer halted production for five weeks, with full recovery taking nearly five months. Not because they lacked a plan — but because the plan had never been tested under realistic conditions.

Testing exposes the gaps that paperwork hides: backup systems that are corrupted, communication channels that go down with primary systems, staff who do not know their roles, and recovery procedures that assume tools or people that are no longer available. Our BCDR guide covers the specific difference between having a recovery plan and having one that performs under pressure.


Figure: a tested business continuity plan versus one that is only documented.

What effective testing looks like

  • Tabletop exercises — walk your response team through a realistic scenario (ransomware hits the file server at 9am on a Monday) and identify decision points, gaps, and communication failures in a low-stakes environment
  • Backup restore tests — actually restore data from your backups quarterly, not just confirm the backup ran. Verify the restored data is complete, uncorrupted, and restorable within your RTO
  • Communication drills — test your off-system contact lists and notification procedures without relying on systems that may be offline during an actual incident
  • Full simulations — at least annually, run a realistic disruption scenario involving multiple functions to test how the plan holds up across the full organisation


The Ransomware Threat to Business Continuity in 2026

No disruption has reshaped business continuity planning more dramatically than ransomware. Understanding how modern ransomware operates is essential to building a BCP that actually addresses the current threat.

Attackers target your backups first

Modern ransomware operators spend an average of 24 days inside a network before triggering encryption. During that time, they identify and target your backup systems — either encrypting them alongside everything else or deleting them to eliminate your recovery options. A business continuity plan that assumes backups will be available and clean after a ransomware attack is built on an assumption that attackers specifically work to destroy.

The response is immutable and air-gapped backups — copies that cannot be altered or deleted via compromised credentials, and offline copies inaccessible to network-level attacks. Research shows organisations with uncompromised backups recover within a week 46% of the time, compared to just 25% when backups are compromised. That gap is the difference between a contained incident and an existential one. Our cyber resilience guide covers how backup strategy fits within the broader resilience framework.

Recovery takes longer than most businesses expect

More than a third of ransomware victims take longer than a month to fully recover — up from 24% the previous year. For NZ SMEs, that timeline is often catastrophic. Businesses that cannot restore operations within five days have a 90% failure rate within a year. A business continuity plan built around an optimistic recovery timeline is not providing realistic protection.

Realistic RTOs and tested restore procedures — not hoped-for ones — are the only reliable foundation for business continuity planning in the current environment.

Building a Business Continuity Plan: A Practical Framework for NZ Businesses

Every business continuity plan will look different depending on the size, industry, and risk profile of the organisation. The following framework applies across all of them.

Step 1: Identify your critical functions and systems

Start with the question: if everything went offline right now, what would you need to restore first to keep the business operating at all? For most NZ businesses, this includes financial systems, customer records, email and communication, and core operational software. Rank them by impact and build your RTO and RPO around those rankings.

Step 2: Assess your realistic threats

NZ businesses face a specific threat profile: ransomware and cyber attacks are the leading cause of business disruption, followed by power and connectivity failures, extreme weather events, and supplier or key-person loss. Your risk assessment should weight these proportionally rather than treating all threats equally.

Step 3: Build your recovery procedures around worst-case scenarios

Most BCPs are built around optimistic scenarios — the attack is caught early, backups are clean, key staff are available. Build yours around the realistic ones: backups compromised, key decision-maker unavailable, primary communication systems offline. A plan that works in the worst case works in all cases.

Step 4: Document roles, not just procedures

Every procedure in your BCP must have a named person responsible for executing it — and a named backup. Recovery procedures that say ‘IT will restore the file server’ fail when your IT person is on leave. Named individuals with documented alternates are the only way to ensure coverage.


Figure: the six-step business continuity plan framework (identify, assess, recover, document roles, test, Privacy Act alignment).

Step 5: Test quarterly, review annually

Run backup restore tests every quarter. Run tabletop exercises every six months. Run a full simulation at least once a year. Review the entire plan annually and after any significant change to your systems, staff, or threat environment. A plan reviewed annually is current. A plan reviewed every three years is history.

Step 6: Align with NZ Privacy Act obligations

If a disruption results in a data breach involving personal information likely to cause serious harm, the NZ Privacy Act 2020 requires notification to the Office of the Privacy Commissioner. Your BCP must include a clear notification protocol, designated contact for regulatory communication, and pre-drafted notification templates. Building this in before an incident means you are not making these decisions under pressure. Our cybersecurity risk assessment guide covers the compliance landscape in more detail.

Common Business Continuity Plan Failures NZ Businesses Should Avoid

Confusing a backup with a BCP

Backups are one component of a business continuity plan. They protect your data. They do not tell your team who makes decisions during an outage, how you communicate with clients, which systems come back first, or what your regulatory obligations are. Treating them as equivalent leaves critical gaps.

Building the plan and never testing it

Documentation is not readiness. A business continuity plan that has never been tested will fail in ways that testing would have exposed — corrupted backups, stale contact lists, staff who do not know their roles, recovery procedures that reference tools or people that no longer exist.

Setting unrealistic recovery targets

A business continuity plan that promises recovery in 24 hours when your actual restore capacity takes 72 is not protecting you — it is giving you false confidence. Recovery targets must be based on tested restore times, not aspirational ones.

Failing to update after changes

A BCP written when you had 10 staff, on-premises systems, and a single office is not fit for purpose when you have 40 staff, cloud infrastructure, and remote workers. Major changes to your people, systems, or locations should trigger an immediate plan review — not wait for the annual cycle.


Does Your Business Continuity Plan Actually Work?

Exodesk helps South Island businesses build, test, and maintain business continuity plans that perform under real conditions. Our teams in Christchurch and Dunedin integrate continuity planning with your managed IT services, cloud infrastructure, and cyber security — so your BCP is not a separate document but a tested capability embedded in how your technology environment operates.

If your current plan has not been tested in the past 12 months, or if it was written before 2024, it may not reflect the current threat environment or your current systems. We offer a no-obligation review to identify what needs updating.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions About Business Continuity Plans

What is a business continuity plan?

A business continuity plan is a documented, tested framework that defines how an organisation will continue operating and recover from a significant disruption. It covers people, communication, systems, suppliers, and regulatory obligations — not just technology. Unlike a backup strategy, which protects data, a BCP protects the entire business operation and provides a clear roadmap for restoration.

What is the difference between a business continuity plan and a disaster recovery plan?

A disaster recovery plan focuses specifically on restoring IT systems and data after a disruption. A business continuity plan is broader — it covers how the entire organisation keeps functioning during a disruption, including staff responsibilities, client communication, supplier relationships, and regulatory obligations. Most NZ businesses need both, integrated into a single operational framework.

Why do only 30% of NZ businesses have a business continuity plan?

NZ research shows the gap is not awareness — 73% of NZ security leaders say they have sufficient visibility of risks. The gap is between recognising the risk and formalising a tested response. Business continuity planning is often deprioritised in favour of prevention and detection investment, until a disruption makes the absence of a plan impossible to ignore.

What should a business continuity plan include?

A complete business continuity plan should include a risk assessment, business impact analysis with RTO and RPO targets, recovery procedures prioritised by business impact, a communication plan covering staff, clients, and regulators, named roles and backups for every recovery function, tested backup restore procedures, and NZ Privacy Act notification protocols for data breach scenarios.

How often should a business continuity plan be tested?

Backup restore tests should run quarterly. Tabletop exercises covering realistic scenarios should run every six months. Full simulations should run at least annually. The full plan should be reviewed annually and immediately after significant changes to systems, staff, or the threat environment. A plan that has never been tested is not a plan — it is a document.

How does ransomware affect business continuity planning?

Ransomware has fundamentally changed business continuity planning because attackers now specifically target and destroy backup systems before triggering encryption. A BCP that assumes backups will be available and clean after a ransomware attack is built on a false premise. Effective continuity planning requires immutable and air-gapped backups, staged recovery procedures, and realistic recovery timelines based on worst-case rather than best-case scenarios.

What is an RTO and RPO in a business continuity plan?

RTO — Recovery Time Objective — defines the maximum acceptable time for restoring a system or function after disruption. RPO — Recovery Point Objective — defines the maximum acceptable data loss, measured in time. For example, an RPO of four hours means you can accept losing up to four hours of data. Both should be defined for every critical system and validated through testing, not assumed.
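As an added example (not from the original article or from Exodesk), the following Python script shows what the quarterly backup restore test described under "What effective testing looks like" and the RTO/RPO definitions above can actually assert: restored files are compared against a manifest of expected SHA-256 digests for completeness and integrity, the age of the restored backup at the moment of disruption is compared with the RPO, and the measured restore duration with the RTO. The RestoreTest structure, the manifest format and every sample value are constructed for illustration.

```python
"""Restore-test checks for a BCP: file integrity against a manifest, backup age
against the RPO, restore duration against the RTO (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class RestoreTest:
    rto: timedelta             # maximum acceptable restore time
    rpo: timedelta             # maximum acceptable data loss, expressed as time
    backup_taken_at: datetime  # timestamp of the backup set that was restored
    disruption_at: datetime    # when the (simulated) disruption occurred
    restore_started_at: datetime
    restore_finished_at: datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_contents(manifest: dict, restored: dict) -> list:
    """Compare restored files with the manifest of expected SHA-256 digests.
    Returns findings; an empty list means complete and uncorrupted."""
    findings = []
    for path, expected in manifest.items():
        if path not in restored:
            findings.append(f"missing: {path}")
        elif sha256_hex(restored[path]) != expected:
            findings.append(f"corrupted: {path}")
    return findings

def evaluate(test: RestoreTest, manifest: dict, restored: dict) -> dict:
    """Roll up the three checks a restore test should confirm: RPO, RTO, integrity."""
    data_loss = test.disruption_at - test.backup_taken_at              # RPO check
    restore_time = test.restore_finished_at - test.restore_started_at  # RTO check
    findings = verify_contents(manifest, restored)
    return {
        "data_loss": data_loss, "rpo_met": data_loss <= test.rpo,
        "restore_time": restore_time, "rto_met": restore_time <= test.rto,
        "integrity_findings": findings,
        "passed": data_loss <= test.rpo and restore_time <= test.rto and not findings,
    }

# Constructed sample: a finance system with RTO 24h and RPO 4h, restored from a
# backup taken 6h before the simulated disruption; one file did not restore.
SOURCE_FILES = {"ledger.db": b"ledger rows ...", "invoices.csv": b"inv-1,100.00\n"}
MANIFEST = {path: sha256_hex(data) for path, data in SOURCE_FILES.items()}
RESTORED_FILES = {"ledger.db": b"ledger rows ..."}
T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_TEST = RestoreTest(
    rto=timedelta(hours=24), rpo=timedelta(hours=4),
    backup_taken_at=T0 - timedelta(hours=6), disruption_at=T0,
    restore_started_at=T0 + timedelta(minutes=30),
    restore_finished_at=T0 + timedelta(hours=10),
)
```

Calling evaluate(SAMPLE_TEST, MANIFEST, RESTORED_FILES) reports the RTO as met (9.5 hours against 24) but the RPO as missed (6 hours of data loss against a 4-hour target) and one missing file, so the test fails overall; each of those is a finding the plan review should record.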

What are immutable backups and why do they matter for business continuity?

Immutable backups are backup copies that cannot be altered, encrypted, or deleted — even by a compromised administrator account. They matter because ransomware operators specifically target and destroy accessible backups before triggering their attack. Organisations with uncompromised backups recover within a week 46% of the time, compared to 25% when backups are compromised. Immutable and air-gapped backup copies are now a non-negotiable component of any effective business continuity plan.

Do NZ businesses have legal obligations under the Privacy Act after a disruption?

Yes. If a disruption results in a data breach involving personal information that is likely to cause serious harm, the NZ Privacy Act 2020 requires notification to the Office of the Privacy Commissioner and, in most cases, to affected individuals. Business continuity plans should include pre-drafted notification templates, a designated regulatory contact, and clear triggers for when notification obligations apply.

How does Exodesk help NZ businesses with business continuity planning?

Exodesk works with South Island businesses from our offices in Christchurch and Dunedin to build, test, and maintain business continuity plans integrated with managed IT services, cloud infrastructure, and cyber security. This includes backup architecture review, recovery procedure documentation, tabletop exercise facilitation, and Privacy Act compliance support. Our fixed-price managed IT model means continuity planning is an embedded part of your IT environment rather than a separate one-off project.
