How to Build a Disaster Recovery Plan.

A practical step-by-step guide for South African businesses — from RTO targets to POPIA compliance.

Published: 7 July 2026  |  By AOLC

Every South African business owner knows that things go wrong. A ransomware attack encrypts your files on a Friday afternoon. Load shedding causes a power surge that kills your server. A flooded server room, a disgruntled employee, a botched software update — disasters come in many forms, and they do not wait for a convenient time. The question is not whether your business will face a serious IT disruption. The question is whether you will be ready when it does.

A disaster recovery plan (DRP) is your documented, tested blueprint for restoring your IT systems and data after a disruption. Without one, your team will waste critical hours figuring out what to do — while your business haemorrhages revenue and your customers lose confidence. With one, you can recover in a controlled, predictable way. This guide will walk you through exactly how to build a plan that works for a South African business.

Most South African SMEs have a backup — but fewer than 1 in 5 have a documented, tested disaster recovery plan. A backup without a plan is a filing cabinet without a key.

What Is a Disaster Recovery Plan?

A disaster recovery plan is a formal document that describes how your business will respond to — and recover from — an IT disaster. It covers what qualifies as a disaster, who is responsible for what, which systems must come back first, and exactly how they will be restored.

It is often confused with a business continuity plan (BCP), which is broader and covers how the whole business operates during a disruption (not just IT). A DR plan focuses specifically on your technology — servers, data, applications, connectivity, and endpoints.

Your managed IT provider should help you build and maintain this document. It should be reviewed at least annually and after any significant infrastructure change.

Understand Your RTO and RPO.

Before you can build a DR plan, you need to answer two critical questions that will shape every decision you make:

R350k+

Average cost of a single day of downtime for a South African SME — including lost revenue, staff downtime, and recovery labour costs. (Veeam Data Protection Report, 2025)

Different systems have different RTO and RPO requirements. Your point-of-sale system may have an RTO of 30 minutes and an RPO of zero — you cannot afford to lose a single transaction. Your email archive may tolerate an RTO of 24 hours and an RPO of 24 hours. Map every critical system before you write a single line of your plan.

Six Steps to Build Your Plan.

A solid disaster recovery plan does not need to be 100 pages long. It needs to be accurate, actionable, and actually read by the people who will use it. Here is a proven six-step framework:

Tip

Store your DR plan in at least two locations — ideally one on-premise and one in the cloud (such as a SharePoint or OneDrive folder with offline sync). If your primary office is inaccessible, you still need access to the recovery procedures.

Backup Is Not the Same as Disaster Recovery.

This is the most common misconception we encounter. A backup is just one component of a disaster recovery strategy. On its own, it is not enough.

Consider this scenario: your file server fails catastrophically at 9 a.m. on a Monday. You have backups — they run nightly to an external drive attached to the same server. The drive is also dead. Or the backups ran fine, but nobody has ever tested a restore, and it turns out the backup software has been silently failing for six weeks.

Disaster recovery is the end-to-end process — including the backup, the verified restore procedure, the fallback environment, the communication plan, and the post-recovery validation. If you only have a backup, you have only one piece of the puzzle.

The 3-2-1 backup rule is a good starting point: 3 copies of your data, on 2 different media types, with 1 copy off-site. But tested restores, documented procedures, and defined RTO/RPO targets are what turn that rule into an actual DR plan.

POPIA Compliance and Your DR Plan.

Under the Protection of Personal Information Act (POPIA), South African businesses have a legal obligation to protect the personal data they hold. This extends to your disaster recovery practices. If your business processes personal information — and almost every business does — your DR plan must address how that data is protected during and after a disaster.

Key POPIA considerations for your DR plan include:

Your cloud and security strategy should align with your DR plan — both documents are stronger when they reference each other.

54%

of South African businesses that test their disaster recovery plan discover a critical gap they did not know existed — which is exactly why testing is non-negotiable. (ITWeb, 2025)

Why Testing Your Plan Matters.

A disaster recovery plan that has never been tested is not a plan — it is a wish. Testing is the only way to know whether your recovery procedures actually work, whether your RTO and RPO targets are achievable, and whether your team knows what to do under pressure.

There are two levels of testing you should schedule:

Tip

After each test, update the plan immediately. The worst outcome of a DR test is discovering a gap and not fixing it. Track every test result, every gap found, and every remediation in a running log attached to your DR plan document.


What to Do Next.

If your business does not yet have a documented disaster recovery plan, start today — not because a disaster is imminent, but because building the plan takes time and the best time to do it is before you need it. Here is a practical starting checklist:

If this feels like a lot to take on internally, you do not have to do it alone. An experienced managed IT partner can help you build, document, and test a disaster recovery plan that is matched to your business size, risk profile, and budget — and that accounts for the South African-specific challenges of load shedding and local connectivity.

Get a Free IT Assessment.

Not sure where to start with disaster recovery? We will assess your current environment, identify your gaps, and help you build a plan that works for your business and budget.

Contact Us

← Back to Blog