Every organisation depends on technology to function. When that technology fails — and at some point, it will — the question is not whether your operations will be affected. The question is how badly, and for how long.
A Business Continuity Plan (BCP) is your organisation’s answer to that question. It is the documented, tested, and practised set of procedures that keeps your operations running when systems go down, data is compromised, or a disaster — natural or man-made — disrupts normal working.
In South Africa, the stakes are particularly high. Load shedding, cybercrime, ageing infrastructure, and the operational complexity of serving distributed communities create continuity risks that are more frequent and more varied than in many other environments.
This guide explains what a BCP must cover, how to build one, and what South African organisations — in both the public and private sectors — need to get right.
What Is a Business Continuity Plan?
A Business Continuity Plan is a documented framework that enables an organisation to continue delivering critical functions during and after a disruptive event.
It is not the same as a disaster recovery plan, though the two are closely related. Disaster recovery focuses specifically on restoring technology systems and data after a failure. Business continuity covers the broader picture — people, processes, facilities, communications, and systems — to ensure that the organisation as a whole can keep operating.
A complete BCP addresses three phases.
Response covers the immediate actions taken when a disruption occurs — who does what, in what order, and how quickly.
Recovery covers the steps taken to restore normal operations — bringing systems back online, relocating staff if needed, and resuming service delivery.
Resumption covers the return to full normal operations, including any lessons learnt and improvements made as a result of the incident.
Why Business Continuity Planning Matters in South Africa
South African organisations face a set of continuity risks that are both unique and persistent.
Load shedding is the most obvious. Eskom’s rolling power cuts affect organisations of every size and sector. Without adequate backup power and tested failover procedures, even a few hours without electricity can halt operations, corrupt data, and damage equipment.
Cybercrime is a growing threat. South Africa is consistently ranked among the countries most targeted by cyber attacks. Ransomware, data breaches, and phishing campaigns have already brought down systems in government departments, banks, and private companies. The cost of recovery — financial, reputational, and operational — is severe.
Infrastructure failures affect connectivity, water supply, and physical facilities in ways that are less predictable than in more stable environments. Fibre cuts, municipal outages, and facility damage all create continuity risks that are higher here than in many comparable economies.
Regulatory requirements are also a factor. Government departments are required to have BCPs in place under various public sector governance frameworks. Financial services firms face requirements under the Prudential Authority and the Financial Sector Conduct Authority. Failure to comply can result in regulatory action — on top of the damage caused by the disruption itself.
For all these reasons, business continuity planning in South Africa is not a theoretical exercise. It is a practical necessity.
The Core Components of a Business Continuity Plan
A BCP that works in practice — not just on paper — must cover the following components.
Business Impact Analysis
The Business Impact Analysis (BIA) is the foundation of your BCP. It identifies your organisation’s critical functions — the processes, systems, and services that must continue no matter what — and assesses the impact of disrupting each one.
For each critical function, the BIA establishes two key parameters.
The Recovery Time Objective (RTO) is the maximum time your organisation can tolerate being without that function. A payroll system, for example, might have an RTO of 24 hours. A patient records system in a health facility might have an RTO of two hours.
The Recovery Point Objective (RPO) is the maximum amount of data loss your organisation can tolerate. If your RPO for a critical database is four hours, your backup systems must be capable of restoring data to within four hours of the disruption.
Without a BIA, you are guessing at what matters most. With one, you can prioritise your recovery efforts and invest your continuity budget where it counts.
Risk Assessment
Your BIA tells you what to protect. Your risk assessment tells you what you are protecting against.
A thorough risk assessment identifies the threats most likely to affect your organisation, the vulnerabilities those threats could exploit, and the controls you have in place — or need to put in place — to reduce your exposure.
In the South African context, your risk assessment should specifically address load shedding and power failure, cyber attack and data breach, connectivity loss, key staff unavailability, physical facility damage, and supply chain disruption.
For each risk, assess both the likelihood of occurrence and the potential impact. This gives you a risk matrix that helps you prioritise your continuity investments and response planning.
Recovery Strategies
Once you know which functions are critical and which risks threaten them, you can design your recovery strategies. These are the specific technical and operational measures you will put in place to keep critical functions running or restore them quickly after a disruption.
Common recovery strategies for South African organisations include the following.
- Uninterruptible power supplies (UPS) and generator backup for critical systems and facilities.
- Cloud-based or offsite data backup with tested restoration procedures.
- Redundant internet connectivity using multiple service providers or technologies.
- Remote working capability for key staff, with secure access to critical systems.
- Alternative processing sites or arrangements for critical operational functions.
- Manual workarounds for essential processes when digital systems are unavailable.
Your recovery strategies must be proportionate to your risks and your RTOs. A strategy that looks good on paper but cannot actually restore your systems within your required recovery time is not a strategy — it is a false sense of security.
Roles, Responsibilities, and Communication
When a disruption occurs, people need to know what to do, who is in charge, and who to contact. This sounds obvious. In practice, it is one of the most common areas where BCPs fail.
Your BCP must clearly define the following.
- Who is responsible for declaring a continuity event and activating the plan.
- The members of your Business Continuity Team and their specific roles.
- The chain of command for decisions during a disruption.
- How staff will be notified and kept informed during an incident.
- How customers, suppliers, regulators, and the public will be communicated with, and by whom.
Contact details for all key personnel — including after-hours numbers — must be kept current and accessible. A contact list that lives only on a server that is down during the incident is useless.
ICT-Specific Continuity Measures
For most organisations, ICT is the backbone of continuity. Your BCP must include detailed ICT-specific measures covering the following areas.
Data backup and recovery. How often is data backed up? Where are backups stored? How long does restoration take? Who is responsible for initiating and verifying a restore? These questions must have clear, tested answers.
System failover. For critical systems, what happens when the primary environment fails? Is there an automated failover to a secondary environment, or does recovery require manual intervention? How long does each step take?
Cybersecurity incident response. A cyber attack is a continuity event. Your BCP should include a specific response procedure for ransomware, data breaches, and other cyber incidents — including who to notify, how to isolate affected systems, and how to begin recovery without reinfecting clean environments.
Vendor and third-party dependencies. Many organisations depend on third-party providers for critical ICT services. Your BCP must account for the possibility that these providers are also affected by a disruption. Know what your contracts require of them, and have contingency plans for when they cannot deliver.
Building Your BCP: A Step-by-Step Approach
Step 1: Get Executive Buy-In
A BCP without leadership commitment is a document without teeth. The process must be sponsored at executive level — by the CEO, Accounting Officer, or equivalent. Without that backing, the plan will not get the resources, the organisational attention, or the authority it needs.
Step 2: Conduct Your Business Impact Analysis
Bring together the heads of each critical business function and work through the BIA systematically. Identify critical processes, establish RTOs and RPOs, and document the dependencies — people, systems, and facilities — that each critical function relies on.
Step 3: Complete Your Risk Assessment
Work through the threats most relevant to your organisation and your operating environment. Be honest about your vulnerabilities. The purpose of a risk assessment is not to produce a clean report — it is to understand where you are exposed.
Step 4: Design and Document Your Recovery Strategies
For each critical function, define and document the specific steps and measures that will be used to maintain or restore it. Make sure each strategy is technically feasible and achievable within your RTO.
Step 5: Write the Plan
Document your BCP clearly and in plain language. It must be usable by the people who will implement it — under pressure, possibly without access to their usual systems, and potentially in the middle of the night. Avoid jargon. Use checklists and step-by-step procedures wherever possible.
Step 6: Test It
A BCP that has never been tested is a BCP that will fail when it matters most. Testing should include tabletop exercises — where the team walks through a simulated incident — and live tests where recovery procedures are actually executed.
Test at least once a year. Test after any significant change to your systems, facilities, or team. And test the specific scenarios most likely to affect your organisation — not just the generic ones.
Step 7: Maintain and Update It
A BCP is not a once-off project. Your organisation changes. Your systems change. Your risks change. Your BCP must keep pace.
Assign a named owner for the BCP. Set a review schedule. Update the plan whenever there is a material change to the business, the technology environment, or the risk landscape. And re-test after any significant update.
Common Mistakes to Avoid
Writing a plan for the auditors, not for the team. A BCP that satisfies a compliance requirement but cannot be used in a real incident is worse than useless — it creates false confidence.
Focusing only on ICT. Technology recovery is critical, but it is not the whole picture. People, facilities, communications, and processes must all be covered.
Never testing the plan. Testing is not optional. Untested plans fail. Test yours before you need it.
Keeping the plan in one place. If your BCP is stored only on a server that goes down in the incident, you cannot access it when you need it most. Keep physical copies and store digital copies in multiple accessible locations.
Ignoring load shedding as a trigger. In South Africa, power disruption is not an edge case. It is a regular operational reality. Your BCP must treat it as such.
How ZongeTech Can Help
ZongeTech provides Business Continuity Planning and ICT security services to government departments, state-owned enterprises, and private sector organisations across South Africa.
Our team has built and tested BCPs in some of South Africa’s most demanding operating environments — including national health facilities, financial services institutions, and distributed government operations. We understand the regulatory requirements, the local risk landscape, and the practical realities of continuity management in this country.
We help organisations conduct Business Impact Analyses, design recovery strategies, build and document their BCPs, and run testing programmes that give leadership genuine confidence in their plans.
If your organisation does not have a current, tested BCP — or if you have one that has never been put to the test — we can help you fix that.
