NCSRC NIRMATA
BCR-11 · Business Continuity & Resilience · 4% of OML score

Has the business considered scenarios such as system failure, cyber incidents, or loss of facilities?

This question asks whether your business has thought through what would happen if your computers stopped working, you suffered a cyber attack, or your office became unusable. It's about having a realistic plan so you're not completely stuck when something goes wrong.

Why This Matters to Your Business

Without scenario planning, when a cyber incident happens—like ransomware locking your files or a server crash during GST filing season—you'll lose money, miss deadlines, and disappoint customers. A Delhi manufacturing MSME that didn't plan for server failure lost ₹8 lakhs in a single week when their accounting system went down and they couldn't issue invoices. Regulatory and customer audits often ask to see this plan, and without scenario planning you will have nothing to show. Your staff won't know what to do in a crisis, leading to panic decisions that make things worse.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no written or discussed scenarios for what happens if systems fail. When someone asks 'what if our internet goes down?', people shrug and no one has a clear answer.

Level 1
Initial

You've had a casual conversation about disaster scenarios, maybe over chai, but nothing is written down. People remember different versions of what was discussed, and there's no formal document.

Level 2
Developing

You have a one-page document listing 3-4 realistic scenarios (power outage, internet down, ransomware, key person unavailable) with rough notes on what you'd do. It's been shared with your IT person and one manager, but not formally tested.

Level 3
Defined

You have a formal Business Continuity Plan document with realistic scenarios, estimated recovery times, backup procedures, and contact lists. It's been reviewed and signed off by leadership, and you've done at least one desktop walkthrough where people discussed what they'd actually do.

Level 4
Managed

Your plan is detailed with roles, responsibilities, communication trees, backup systems tested quarterly, and documented recovery time objectives for each critical function. You've run a simulated incident at least once in the past year and fixed issues found during the test.

Level 5
Optimised

Your scenarios and response plans are regularly tested with full simulations (twice yearly minimum), lessons learned are captured, plans are updated based on real incidents or near-misses, and new employees are trained on their roles in the plan during onboarding.

How to Move Up — Practical Steps
Step 0 → 1
  What to do: Schedule a 90-minute workshop with your IT person, finance lead, and operations manager. Write down answers to: What are your 5 most critical business functions? What would stop each one? What would be the cost per hour of each being down? Save as a simple document.
  Who: Business owner or Operations manager
  Effort: 1 day

Step 1 → 2
  What to do: Create a one-page scenario matrix covering: (1) Server/system failure, (2) Ransomware attack, (3) Internet/power outage, (4) Office/facility loss, (5) Key person unavailable. For each, write estimated recovery time, who decides what, and basic backup steps. Share with your IT vendor.
  Who: IT person with business owner input
  Effort: 1 week

Step 2 → 3
  What to do: Expand to a formal Business Continuity Plan (2-3 pages minimum). Include: critical functions list, scenario details, role assignments, communication tree (phone, WhatsApp, email sequence), backup locations/systems, vendor contact list. Get it reviewed and signed by your business owner. Hold one desk-based walkthrough discussion with the team.
  Who: IT person and Operations manager, approved by business owner
  Effort: 2-4 weeks

Step 3 → 4
  What to do: Run a tabletop simulation (half-day workshop) where you role-play a ransomware scenario: call someone on the decision tree, see if they know what to do, check if backups are actually available, test the communication plan. Document what didn't work and fix it in the plan. Create a recovery time objective (RTO) and recovery point objective (RPO) document for each system.
  Who: IT person, Operations manager, key staff from each department
  Effort: 1-2 months (including preparation and follow-up fixes)

Step 4 → 5
  What to do: Conduct a full simulation drill twice yearly (e.g., January and July). Rotate participants so more staff learn their roles. After each drill, hold a retrospective meeting, update the plan with lessons learned, and document all changes. Include new scenario types based on actual incidents seen in your industry. Brief new hires on their role in the plan during onboarding.
  Who: IT person and business owner leading, with rotating participation from all departments
  Effort: Ongoing (1-2 days per drill plus 2-3 hours per quarter for updates)
Evidence You Should Have

Documents and records that prove your maturity level.

  • Business Continuity Plan document (2+ pages) with scenario descriptions, roles/responsibilities, contact trees, and recovery procedures
  • Critical functions list showing which business activities would cause the most damage if stopped (e.g., customer billing, GST filings, manufacturing control)
  • Backup and recovery procedures document showing how you'd restore systems and data, where backups are stored, how often they're tested
  • Test records: notes from at least one tabletop walkthrough or simulation drill in the past 12 months, including what was tested, who participated, and what was learned
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) document showing target recovery times for each critical system and acceptable data loss limits
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through what would happen if your main server crashed today. Who would you call first, and what would they do?"
  • "Show me your written Business Continuity Plan. When was it last updated and who has signed off on it?"
  • "Have you ever tested your disaster recovery plan? What happened, and what did you learn?"
  • "How often do you test your backups to confirm they actually work? Can you show me records of the last test?"
  • "If a ransomware attack locked all your files tomorrow, how long would it take to get your critical systems working again?"
Tools That Work in India
Purpose: Create and store the Business Continuity Plan document with version control and access tracking
  Free option: Google Docs (shared with your team) or LibreOffice Writer saved on a shared drive
  Paid option: Microsoft Word 365 (₹250-500/month) or Confluence (₹1,500-3,000/year for a small team)

Purpose: Document and track regular backup testing to prove your backups actually work
  Free option: Spreadsheet (Google Sheets or Excel) listing backup dates, what was restored, and test results
  Paid option: Backup management software like Vembu or Acronis (₹20,000-50,000/year for a small business)

Purpose: Create a visual decision tree and communication flow for who contacts whom in a crisis
  Free option: Google Drawing, Lucidchart free tier (3 diagrams), or yEd (open source)
  Paid option: Lucidchart paid (₹4,000-8,000/year) or Microsoft Visio
How This Makes You More Resilient
When you have realistic scenarios planned, your team responds faster and smarter during an actual crisis instead of panicking and making costly mistakes. You know which systems matter most and can prioritize recovery. You're also more likely to catch problems (like backups that don't work) before a real disaster strikes, preventing catastrophic downtime and customer loss.
Common Pitfalls in India
  • Writing a plan and then never looking at it again: your plan becomes useless because the system names, staff phone numbers, and procedures have all changed. Update it every 6 months and after any major incident.
  • Not testing backups: many Indian MSMEs have backup software running but never actually tried to restore from it. When they need it, they discover the backups are corrupted or incomplete. Test restoration at least quarterly.
  • Assuming 'the IT guy knows what to do': if your IT person is unavailable (illness, resignation, vacation), no one else knows the recovery steps. Write procedures down and cross-train at least one other person.
  • Overlooking power and internet as critical: rolling blackouts and ISP outages happen regularly in India. Your plan should include what you do if you have no electricity or internet for 4-8 hours.
  • Creating a plan only for cyber incidents: a factory fire, flood, or earthquake can also stop your business. Scenario planning must cover multiple types of disasters, not just cyber.
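Two of the pitfalls above, backups that were never restored and RTO/RPO targets that exist only on paper, can be turned into a routine quarterly check. The script below is an added example and is not part of the NIRMATA guide or of any product it lists: it restores a backup archive into a scratch folder, verifies every file against a SHA-256 manifest written at backup time, times the restore, compares the outcome with illustrative RTO/RPO targets (4 hours and 24 hours, chosen here as hypothetical values), and appends a row to a test-record CSV of the kind the "Evidence" section asks for. The sample invoice and GST files, the system name "accounting-server" and the tester name are constructed for the demonstration.

```python
# Added example (not from the NIRMATA guide): a repeatable backup restore test.
import csv
import hashlib
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive: Path) -> dict:
    """Archive every file under source_dir; return the manifest {relative path: sha256} the test checks."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(str(file), arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into a scratch directory and compare what came back with the manifest.
    A job that 'runs fine' but restores missing or altered files fails here, not during a real incident."""
    started = time.monotonic()
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(restore_dir), filter="data")  # rejects entries that would escape restore_dir
        except TypeError:  # older Python without the 'filter' argument
            tar.extractall(str(restore_dir))
    elapsed = time.monotonic() - started
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"checksum mismatch: {rel}")
    return {"restore_seconds": elapsed, "problems": problems, "ok": not problems}


def check_objectives(result: dict, backup_time: datetime, now: datetime,
                     rto_hours: float, rpo_hours: float) -> dict:
    """RPO: the newest backup must be no older than rpo_hours (acceptable data loss).
    RTO: the measured restore must finish within rto_hours (acceptable downtime)."""
    age_hours = (now - backup_time).total_seconds() / 3600
    return {"backup_age_hours": round(age_hours, 2),
            "rpo_met": age_hours <= rpo_hours,
            "rto_met": result["restore_seconds"] / 3600 <= rto_hours}


def record_test(record_csv: Path, system: str, tester: str, now: datetime,
                result: dict, objectives: dict) -> dict:
    """Append one row to the test-record CSV that can be shown to an auditor."""
    row = {"date": now.date().isoformat(), "system": system, "tester": tester,
           "restore_ok": result["ok"], "restore_seconds": round(result["restore_seconds"], 3),
           "rpo_met": objectives["rpo_met"], "rto_met": objectives["rto_met"],
           "problems": "; ".join(result["problems"]) or "none"}
    write_header = not record_csv.exists()
    with record_csv.open("a", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=list(row))
        if write_header:
            writer.writeheader()
        writer.writerow(row)
    return row


def demo(rto_hours: float = 4.0, rpo_hours: float = 24.0) -> dict:
    """Run the test on constructed sample data: a healthy backup, a silently corrupted one, and a stale one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "accounts"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "invoices.csv").write_text("INV-001,12000\nINV-002,8500\n")  # constructed data
        (source / "gst_returns.txt").write_text("GSTR-3B filed\n")  # constructed data
        manifest = create_backup(source, tmp / "accounts-good.tar.gz")
        now = datetime.now(timezone.utc)
        good = restore_and_verify(tmp / "accounts-good.tar.gz", manifest, tmp / "restore-good")
        objectives = check_objectives(good, now - timedelta(hours=6), now, rto_hours, rpo_hours)
        record = record_test(tmp / "backup-tests.csv", "accounting-server", "it-person", now, good, objectives)
        # Corrupted backup: the archive holds a truncated invoice file but the manifest is unchanged.
        (source / "ledger" / "invoices.csv").write_text("INV-001,12000\n")
        create_backup(source, tmp / "accounts-bad.tar.gz")
        bad = restore_and_verify(tmp / "accounts-bad.tar.gz", manifest, tmp / "restore-bad")
        # Stale backup: a clean restore still fails the RPO when the newest copy is 30 hours old.
        stale = check_objectives(good, now - timedelta(hours=30), now, rto_hours, rpo_hours)
        return {"record": record, "bad_problems": bad["problems"], "stale_rpo_met": stale["rpo_met"]}


if __name__ == "__main__":
    print(demo())
```

Run it as a scheduled job against a real archive and manifest, keep the CSV it appends to on a shared drive, and the "test records" line in the Evidence section stops being a promise and becomes a file you can open during an audit. The manifest must be produced by the backup job itself, at backup time, so that a file corrupted in storage or silently skipped by the job shows up as a mismatch rather than as a surprise during recovery.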
Compliance References
DPDP Act 2023: Section 8(1) requires safeguards including preparation for security incidents; Section 4(f) expects reasonable security practices
CERT-In 2022: Direction 4 requires incident response and continuity planning for entities handling sensitive data
ISO 27001:2022: Clause 8.14 (Redundancy) and Annex A 8.34 (Continuity of information security) require planning and testing
NIST CSF 2.0: Govern (GV.RR: Resilience planning) and Manage (RC.RP: Response planning)

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security