How to determine critical IT systems for an IT service continuity plan

A photo of a tablet set up on a tablet. Several graphs and charts regarding web traffic and interactions are displayed on the screen.

What happens if, suddenly, one of your IT systems fails? Who do you call? How do you respond? How long until you can come back online and continue working?

If you don’t create response plans for IT system failures and emergencies, you could lose valuable data, time, reputation, and profits while gaining immense frustration. To avoid these losses, you must learn what IT systems are critical for your business and create an IT continuity plan to minimize downtime and lost profits.

For over 25 years, WEBIT Services has helped clients develop successful IT strategies, including IT continuity plans. WEBIT believes knowledge is power and is passionate about educating clients on effective IT and cybersecurity practices.

By the end of this article, you will know what an IT continuity plan is, how to identify critical systems, and how to use this information to create an IT continuity plan.

What is an IT continuity plan?

An IT continuity plan outlines what to do when an IT system suddenly fails and how to get it online as quickly as possible with minimal interruption to productivity (a process known as IT continuity).

An IT continuity plan is the IT-specific part of the larger Business Continuity Plan. However, IT continuity focuses on crucial IT systems, workflows, and data locations instead of business functions, facilities, and personnel.

Essentially, a continuity plan requires that you know:

  • Which IT systems are “critical systems” (IT systems your business needs to function).
  • How these systems interact with each other and how employees use them.
  • Where data is stored within these systems.

A continuity plan asks and addresses the questions,

  • What happens if this system goes down? What processes are affected?
  • How long can this system be down before there are significant losses?
  • What can we do to bring this system back before losses occur?

Why identifying critical systems matters for IT continuity

It is important to identifying your organization’s critical IT systems before creating your IT continuity plan.

You don’t need continuity for every single system in your organization. This could create an unnecessary expense. Yes, your entire system will have minimum downtime, but it would require significant funds, time, processes, and equipment to do so.

Therefore, creating continuity plans for critical systems is best to avoid overcomplication and overspending.

For example, let’s say a tech helpdesk’s payroll software goes down and will take 24 hours to restore. For this business, that’s acceptable downtime for this program. It may be important software overall, but productivity does not halt with this software down.

However, this company uses an online ticketing system to track and address customer requests daily. If the ticketing system fails, it halts productivity. As a result, the company will be unable to communicate with customers and, therefore, unable to bring in profit.

In our example, the ticketing software is a critical IT system. To avoid significant losses, the ticketing software will need a continuity plan to minimize downtime.

So how can you determine what systems are critical for your business? We have eight questions to help you identify your company’s critical IT systems.

8 Questions to help you identify critical IT systems

First, it’s important to note that businesses generally use critical IT systems in the three core business pillars:

  1. Operations
  2. Finance
  3. Sales

As you ask the following questions, consider answering with each pillar in mind. All three may use a critical system, or a single pillar may use it.

1. Is this something you use daily?

Is this technology—hardware, software, process, etc.—something that any of the pillars use daily? If they can’t use it one day, what happens?

It is a critical system if any pillar cannot accomplish its daily goals and would incur loss without this technology.

2. Can it cause significant financial loss if it’s not working?

Is this an IT system that helps you maintain or gain profits? If it goes down, how long before unacceptable losses are incurred?

IT systems that would create financial losses if they’re down could be considered critical systems.

3. How long is its window of acceptable downtime?

The timeframe for acceptable downtime is also known as its “Recovery Time Objective” or “RTO.”

To determine your RTO, consider how much one hour of downtime costs your organization. How many hours of productivity can you sacrifice?

If a system has a small window of acceptable downtime (i.e., the time before it creates unacceptable financial loss), it can be considered a critical system.

4. How much data needs to be retained?

This is known as a “Recovery Point Objective” or “RPO” and determines how often the system is backed up. How far back in time do you need to go to recover lost data?

A critical system will need frequent backups to retain as much data as possible. This is because critical systems carry information vital to your organization. This could include client records, product developments, and other confidential data.

If a system does not require frequent backups or its lost data does not create any significant loss, it is unlikely to be a critical system.

5. What legally needs to be retained?

Does the IT system or the information in the system have legal ramifications if lost? If the answer is “yes,” this is a critical system that requires a continuity plan. Continuity will help prevent data loss and, in this case, legal action.

In this case, a legal advisor can recommend standards to be followed, and the IT provider or internal IT department can assist with building IT systems and procedures to meet those standards to prevent legal action.

6. Can the data be recreated?

Does this IT system hold data that is easily recreated or not? What are the ramifications (legal or otherwise) if this information is lost and cannot be recreated?

Critical systems hold data that cannot be recreated and would have significant risk if lost forever.

7. Is this system or data part of your industry’s compliance standards?

If a particular IT system is part of your compliance standards or helps with compliance procedures, it could be considered a critical system.

If your business is part of a regulated industry (i.e., finance, healthcare, etc.), it will have IT compliance standards. These standards will involve processes like encryption, data retention (how often it is backed up and how long it is retained), and system monitoring.

The goal of regulated IT compliance is to protect both the business and its clients.

Breaking compliance standards not only endangers confidential data but often leads to legal action and loss of your business’s reputation.

If a system is required to meet compliance standards, it should likely be part of your IT continuity plan.

8. What is your acceptable risk level, and how does this system factor in?

Each company must determine its own level of acceptable risk. Some businesses prefer to prevent as much risk or potential damage as possible. Others are all right with a little risk, while some are comfortable with significant risk.

To help determine if an IT system is considered a critical system and if it needs IT continuity, you must decide where it falls on your risk scale.

If this system goes down for a day, what level of damage or loss would it create? Are these levels acceptable for you?

If you are comfortable with the potential losses a failed system may create, it is unlikely that this is a critical system, and it would not require an IT continuity plan.

However, if you are uncomfortable with these losses, this system may qualify as a critical system and benefit from an IT continuity plan.

Next steps for creating your IT continuity plan

Once you’ve answered these eight questions, you should know which IT systems are critical for your business’s success and which ones are not.

You should know:

  1. If you use the system every day.
  2. If losing the system could create unacceptable losses.
  3. How long the system can be down before you accrue unacceptable losses.
  4. How much system data you need to retain.
  5. Whether or not losing the system or its data could result in legal action.
  6. If the system data can be recreated.
  7. If the system and its data help keep your company within industry compliance standards.
  8. The acceptable level of risk for this system and its data.

Next, you must establish a budget and communicate your needs and expectations for continuity.

This will include your calculated acceptable downtime for each critical system. Once you have this information, you can talk to your IT provider or internal IT department about the next steps in your IT continuity plan.

Armed with this information, your IT provider can help you determine what equipment, systems, or services can create the continuity you need to keep your downtime to an acceptable minimum.

Remember: acceptable downtime is defined by the client.

Outside of legal and compliance responsibilities, only business leaders can determine acceptable downtime for the organization. Quality IT providers recognize this and tailor their plans accordingly.

If your provider has a standardized, one-size-fits-all continuity system for all its clients—regardless of size, compliance standards, or budget—it may not meet your continuity needs. Your IT continuity plan should be as unique as your business.

For over 25 years, WEBIT Services has helped hundreds of happy customers create and execute IT continuity plans to prevent loss and frustration.

If you are looking for a new IT provider or have questions about managed IT services, schedule a free 30-minute consultation with WEBIT services to see if it can help.

If you are not ready to make a commitment but would like to learn more about IT strategies like IT continuity plans, we recommend the following articles: