You’ve got backups. You’ve tested your restores. Your clients have signed off on your disaster recovery policy. So you’re covered if the worst happens, right?
Well, maybe.
The problem with most business continuity and disaster recovery (BCDR) playbooks isn’t what’s in them, but what’s not. MSPs often check all the boxes from a technical standpoint. But then, they overlook the human, communication, and practical variables that can make or break a real-world recovery.
Let’s walk through a few of the most commonly missed elements in BCDR planning and why addressing them now could save your team hours of chaos later.
Client Communication Plans
When disaster strikes, every minute counts. So does every word. Yet, most BCDR plans focus on restoring systems, not managing the people impacted by the outage. That’s a problem.
You need predefined, templated communication protocols to:
- Inform the client quickly.
- Provide regular updates during recovery.
- Explain what happened in clear, nontechnical language after the fact.
Jay Ferron
Communication and reporting may include third parties. Breaches affecting customers that have broader public repercussions likely need more public outreach and communication, according to Jay Ferron, CIO of Interactive Security Training. It’s important for MSPs to keep track of those requirements. “If you miss them, an insurance company may refuse the claim or fines may follow,” he cautioned.
Having this mapped out in advance keeps panic down and trust intact. Bonus: Assign a designated communicator (not a tech) to manage client relations during high-pressure events.
Role Assignments During a Crisis
In theory, everyone on your team knows what to do when the alarm sounds. But in reality, people freeze, step on each others’ toes, or burn out juggling too many tasks. Your plan needs clearly defined roles as well as backups for each role.
That means someone owns:
- Communications
- Backup verification
- Vendor coordination
- Documentation of actions taken
- Client liaison
Also make sure that if someone’s out sick or on PTO, you’ve got an understudy ready.
Vendor Contact Info and Escalation Paths
Your stack likely involves third-party vendors for backup solutions, cloud infrastructure, and security tools. When was the last time you verified a direct support contact for each?
Include up-to-date vendor support lines, account reps, and escalation contacts in your BCDR runbook. You don’t want to be fumbling around a portal while a client’s server is down.
Post-mortem Procedures
Too many BCDR playbooks end when the systems come back online. However, recovery isn’t over until you’ve documented what happened, what went well, and what needs to improve.
Schedule a formal post-mortem within 48–72 hours of any incident to determine:
- Did we follow the plan?
- Where were the delays or bottlenecks?
- What feedback did the client give us?
- Do we need to revise any part of our BCDR documentation?
Carl Mazzanti
Those involved must thoroughly discuss and dissect the event after the dust settles, advised Carl J. Mazzanti, CEO of eMazzanti Technologies. “Have a conversation with the affected firm as well as internally at your MSP about ways to refine and improve future responses. Address technology changes, policy and procedure updates, and how to improve training and awareness.”
Then, update the plan.
Nontechnical Recovery Needs
If a client’s office is destroyed by fire or flood, restoring servers won’t help them work if they have no desks, phones, or connectivity. Think beyond bytes and backups.
A solid BCDR plan should consider:
- Remote work fallback options
- Printer/scanner availability (some industries still rely on these)
- Replacing end-user devices
- Accessing SaaS tools from new locations or networks
Think about how people get their work done, not just how data gets restored.
Regular Testing, Not Window Dressing
Many MSPs test backups. Few actually simulate full-blown scenarios. Even fewer involve the client in testing. That’s a mistake. A real BCDR test should mimic actual pressure. It should include a full recovery of production systems under time constraints with communications flowing as they would in a live event.
Don’t just restore a file and call it a day. Practice recovering a line-of-business server, launching a temporary environment, or triggering your failover plan. Find holes now, rather than mid-crisis. This is not only better for a client, but for your business, too.
Align Cyber Insurance and Compliance Requirements
Clients increasingly have cyber insurance, and nearly all of them are signing contracts with BCDR or uptime clauses. If your plan doesn’t reflect those legal realities, you may end up in hot water after an event.
Double check that your playbook aligns with:
- Cyber insurance expectations for recovery time and documentation
- Industry-specific compliance frameworks (HIPAA, CMMC, etc.)
- SLA obligations you’ve signed with your clients
Mike Semel
This also means you must find council that understands MSPs. “Not all lawyers understand the MSP business,” said Mike Semel, owner of cybersecurity compliance consulting firm Semel Consulting. “Find one that ‘speaks MSP,’ and understands how to handle incidents. Your attorney should be experienced in the services you deliver, how cybersecurity responsibility is shared with your clients and vendors, and incident management.”
Without this, you risk losing a client or facing potentially serious liabilities.
Don’t Wait for the Fire Drill
A BCDR playbook is more than just a checkbox. It’s the plan you bet your business on. The best MSPs treat it like a living document, evolving with their stack, client needs, and threat landscape.
The gaps outlined here don’t take long to fix. That said, ignoring them could turn a manageable incident into a disaster. So, pull out your playbook and walk through these sections with your team. If a client’s office burned down tomorrow, are you ready?
If you’re a little unsure, now is the time to act. Don’t wait until the smoke starts rising.
Next Steps
- Want more helpful guidance? Check out our Compliance and Regulations Answer Center.
- Have a question for our experts? Send it to editors@channelpronetwork.com
ChannelPro has created this resource to help busy MSPs streamline their decision-making process. This resource offers a starting point for evaluating key business choices, saving time and providing clarity. While this resource is designed to guide you through important considerations, we encourage you to seek more references and professional advice to ensure fully informed decisions.
Image credit: DALL-E
