Disaster Recovery Planning for 10–30 Person Businesses: A Practical Template

A disaster recovery plan doesn't need to be a 50-page document. A 15-person business only needs 4–6 clear pages and one practice run to be genuinely prepared.

Why 80% of SMBs Don't Have a Recovery Plan

We've asked over 50 business owners in Da Nang the same question:

"If your main server failed at 8 a.m. on a Monday, who does what in the first 30 minutes?"

Most hesitate. Some say "call IT." When asked "call who exactly?", they reach for a notebook to find the number.

That is evidence of no plan.

No plan = chaos + wasted time + wasted money

A 2025 study found: businesses with a documented recovery plan recover 60% faster than those without — with the exact same backup infrastructure.

The Two Most Important Metrics: RTO and RPO

Before writing a plan, you need to define two numbers:

RTO — Recovery Time Objective

"How long can we afford to be down?"

Examples:

Accounting firm: RTO = 4 hours (client deadlines)
Restaurant with POS system: RTO = 2 hours (dinner service starts at 5 p.m.)
Small construction company: RTO = 1–2 days (less IT-dependent)
E-commerce platform: RTO = 30 minutes (every minute = lost revenue)

RPO — Recovery Point Objective

"How much data can we afford to lose?"

Examples:

Financial transactions: RPO = 0 (cannot accept losing any transaction)
HR data: RPO = 1 day (nightly backup is sufficient)
Design files: RPO = 1 day (infrequent changes, recovering yesterday's version is acceptable)

Exercise: Fill in this table for your business:

System / Data	RTO (max downtime)	RPO (max data loss)
Email (Microsoft 365)	_____	_____
File server / NAS	_____	_____
Accounting software	_____	_____
Website / e-commerce	_____	_____
Customer data / CRM	_____	_____

Simple DRP Structure for an SMB

A recovery plan doesn't need to be complex. The minimum structure:

Section 1: Emergency Contact Directory

Who to call, in what order:

Role	Name	Phone	Email	When to Contact
IT Provider (Vietify IT)	_____	0914 985 772	support@vietify.vn	Immediately on any incident
Director / Business Owner	_____	_____	_____	Within 15 minutes
Accounting Manager	_____	_____	_____	If financial data is affected
Internet Service Provider	_____	_____	_____	If connectivity is lost
Cyber Insurance Company	_____	_____	_____	For serious incidents

Section 2: Incident Classification

Helps staff categorise severity immediately:

Level 1 — Minor Incident (1 person, 1 system)

Individual laptop failure → IT department handles
Accidental file deletion → Restore from local backup
Application crash → Restart

Level 2 — Moderate Incident (1 server, 1 department)

Main file server fails → Activate server recovery plan
Internet lost → Switch to mobile hotspot, notify ISP
Microsoft 365 email inaccessible → Check Microsoft status, contact IT

Level 3 — Disaster (full system, data encrypted)

Ransomware → Shut down all computers, contact IT emergency line IMMEDIATELY
Fire / flood / physical damage → Evacuate, ensure safety, then contact IT
Mass hardware failure → Activate full DRP

Section 3: Recovery Procedures by System

If a User's Computer Fails:

Call IT: _____ (phone number)
Provide computer name and describe symptoms
IT will provide a spare machine within _____ hours
Data restored from OneDrive / NAS backup within _____ hours

If the NAS File Server Fails:

Call IT: _____ (phone number) — 24/7
Do not attempt to power cycle the device yourself
IT assesses recovery options within 30 minutes
If hardware failure: spare device activated
If data lost: cloud backup restore begins within _____ hours

If Ransomware Is Suspected:

IMMEDIATELY — Disconnect the entire office from the internet (unplug the WAN cable or shut down the router)
Do not power off infected computers — unplug the network cable, keep power on
Call IT: _____ — THIS IS AN EMERGENCY
Do not pay any ransom before consulting your IT provider
Photograph any ransom note displayed on screen

Section 4: Backup Locations and Access Information

(This section must be kept secure — only IT and the director should hold this)

Backup Type	Location	Access Information	Responsible
Office NAS	Server room	Rack #2, config in IT cabinet	IT Manager
Cloud backup	Wasabi / Backblaze	In KeePass password manager	IT Manager
Offsite backup	Director's cabinet	WD My Cloud drive, black USB	Director
Microsoft 365 backup	Dropsuite dashboard	In password manager	IT Manager

DRP Drills: Non-Negotiable

An unpractised plan is a plan that won't work.

Minimum Practice Schedule:

Drill Type	Frequency	Time Required	Who Participates
Single file restore	Monthly	30 minutes	IT + 1 staff member
Single system recovery	Quarterly	2–4 hours	IT team
Full disaster simulation	Annually	Half a day	Full leadership team

Document the results: How did actual recovery time compare to RTO targets?

Quarterly recovery drills expose gaps before a real disaster does.

Common DRP Mistakes in SMBs

❌ Outdated contact lists — phone numbers change but the document isn't updated ❌ Access credentials locked in a compromised email account — can't access when you need it most ❌ Only one person knows the DRP — what if that person is unavailable? ❌ Never practised — looks great on paper, fails in reality ❌ Not updated after infrastructure changes — new server bought, but DRP still describes old setup

Vietify IT Supports Your Business

We provide Disaster Recovery Planning services for SMBs in Da Nang:

Assess specific RTO/RPO targets for each system
Write a practical DRP tailored to your size and industry
Deploy backup and recovery infrastructure
Train staff on response procedures
Run recovery drills annually with documented results
Annual review and update as infrastructure evolves

Get a Free DRP Template. Book a consultation with Vietify IT — we'll review your infrastructure and provide a customised DRP template for your business.

Call: 0914 985 772 | vietify.vn/contact

Vietify IT Services — Disaster Recovery Planning and Data Protection for SMBs in Da Nang.