Key takeaways
- A business continuity plan does not need to be a 200-page document. For most middle market companies, a one-page response playbook per critical risk scenario is sufficient and far more likely to be used.
- The three highest-probability disruption scenarios for middle market businesses are: a key system outage (ERP, payment processing, communication tools), a facility disruption (fire, flood, power loss, lease termination), and a key person absence (founder illness, sudden resignation of a critical employee).
- Recovery time objective (RTO) is the maximum acceptable time to restore a function after a disruption. Defining RTO before an event forces the company to build the redundancy required to meet it rather than discovering the gap under pressure.
- Cyber incidents are now the most common cause of business interruption for mid-size companies, accounting for more than 40 percent of material operational disruptions.
- Buyers evaluate business continuity preparedness during diligence, particularly for PE acquisitions. A business with no documented continuity plans is viewed as carrying operational risk that is not reflected in EBITDA.
In this article
40%
Share of material mid-market operational disruptions caused by cyber incidents
$125K–$850K
Estimated cost of a 3-day ERP outage for a $15M–$30M business
72 hours
Typical RTO target for critical business functions in middle market companies
60%
Of mid-size businesses that experience a significant disruption never fully recover their pre-disruption revenue trajectory
Business continuity planning has a reputation for being a large-company exercise: something that Fortune 500 firms with dedicated risk teams and compliance requirements pursue, not something a 50-person distribution company needs to worry about. That reputation is both wrong and expensive.
The scenarios that break middle market businesses are not exotic. They are the ERP that goes down during month-end close and cannot be restored for four days. The primary operations facility that floods on a Tuesday and cannot be occupied for three weeks. The CFO who gives two weeks notice with no documented successor and no one else who knows the bank login, the payroll system, or the lender reporting requirements. These events happen. The question is whether the business is prepared to respond.
The three scenarios every middle market business must plan for
The three highest-probability business continuity scenarios
Scenario 1: Critical system outage
An ERP, payment processing platform, CRM, or communication system becomes unavailable for 24 to 72 hours or longer. At $15M annual revenue, a 72-hour loss of order processing capability costs approximately $123K in direct revenue plus the downstream cost of customer dissatisfaction and expedited recovery.
Scenario 2: Facility disruption
The primary office, warehouse, production facility, or customer service center becomes unavailable due to fire, flood, power failure, HVAC failure, or lease termination. For businesses that require physical presence, a facility disruption without an alternate site plan creates immediate operational stoppage.
Scenario 3: Key person sudden absence
A founder, CFO, head of operations, or other critical individual becomes unavailable suddenly, whether through illness, accident, resignation, or termination. If that person is the only one who knows how a critical function operates, their absence creates a capability gap that cannot be filled quickly.
For each scenario, the business continuity plan answers three questions: What exactly has gone wrong? What is the immediate response in the first two hours? What is the recovery path over the next 72 hours and beyond?
System outage: building technical redundancy
A system outage plan requires two things: a recovery time objective (RTO) for each critical system, and a documented recovery procedure that allows someone other than the original system administrator to execute it.
System resilience requirements by function
ERP and accounting system
RTO: 4 hours for read access, 24 hours for full write access. Recovery requirements: cloud backup with point-in-time restore capability; documented restore procedure tested at least annually; secondary access credentials stored outside the primary system.
Payment processing
RTO: 2 hours. Recovery requirements: secondary payment processor configured and tested; manual invoicing procedure documented for interim use; customer communication template ready.
Communication (email, phone, messaging)
RTO: 1 hour. Recovery requirements: mobile fallback numbers for key staff; documented communication tree for reaching all employees; personal email contacts for top 20 clients.
CRM and customer data
RTO: 8 hours. Recovery requirements: daily export of active customer and opportunity data to an accessible location; documented manual process for logging customer interactions during an outage.
Payroll system
RTO: 48 hours (tied to pay cycle). Recovery requirements: prior payroll file exported and stored; backup payroll processor identified; manual payment authorization process documented.
Untested recovery procedures are not recovery procedures. If the last time someone executed the ERP restore process was three years ago, and the system has been upgraded twice since then, the procedure is likely wrong. Test each critical recovery procedure at least once per year.
Working through this yourself?
Kolton works directly with founders on M&A readiness, deal structure, and AI implementation — one advisor, not a team of generalists.
Schedule a conversation →Facility disruption: alternate site and remote work protocols
A facility disruption plan identifies where the business will operate if the primary location is unavailable, how staff will be notified and redirected, and what minimum physical resources are required to sustain operations at the alternate location.
Facility disruption plan components
Alternate site identification
Where will staff work if the primary facility is unavailable? Options: a secondary owned or leased facility; a shared workspace or coworking arrangement with a confirmed reservation capability; a remote-first protocol for all non-production roles. Document the address, access instructions, and available capacity.
Critical physical equipment inventory
What equipment must physically move to the alternate site for operations to continue? Identify the minimum viable equipment set and confirm it can be transported within the RTO.
Vendor and supplier communication
Which vendors must be notified within 24 hours of a facility disruption? Document the contact, the nature of the notification, and any alternative delivery or pickup arrangements required.
Customer communication template
A pre-written message that explains the disruption without alarming customers, provides a timeline for restoration, and identifies an alternate point of contact. Having this drafted before an event eliminates the blank-page problem during a crisis.
Lease and insurance coordination
Confirm the business interruption insurance coverage period and trigger conditions. Review the commercial lease for the landlord's obligations in the event of a covered damage event.
"A $17M food distribution company experienced a pipe burst in their primary warehouse in January. No alternate site plan existed. The first 36 hours were spent identifying temporary cold storage, arranging emergency carrier contracts, and personally calling the top 40 customers to explain delayed deliveries. The direct cost of the disruption was $280K in spoiled inventory, lost orders, and emergency logistics. The operational cost, six weeks of partial capacity while the facility was repaired, was harder to quantify but was estimated at $190K in reduced contribution margin. The company implemented an alternate site agreement with a neighboring facility within 60 days of the event for $2,400 per month."
Key person absence: documentation and succession
Key person risk is the most common and most neglected business continuity gap in middle market companies. It does not require a formal succession plan. It requires that every critical function be documented well enough that a competent person can execute it without the original owner present.
Critical knowledge to document for key person resilience
Financial access and credentials
Bank login procedures, wire transfer authorization protocols, lender portal access, and payroll system credentials. Stored securely (not in the departing person's email) and accessible to at least one backup individual.
Vendor and lender relationships
The primary contact, account number, and communication history for each significant vendor and lender. A new person taking over a function should be able to find who to call and what the relationship context is.
Customer relationship context
For each of the top 20 customers, the key contact, the relationship history, any open issues or commitments, and the pricing or contract terms. This is typically in the CRM but is often not maintained.
Regulatory and compliance deadlines
Sales tax filing dates, payroll tax deadlines, license renewal dates, and any industry-specific compliance obligations. A function owner who leaves without this information creates immediate compliance risk.
Process documentation for each critical function
A one-page process description for each function that cannot stop: month-end close, weekly payroll, order fulfillment, customer billing, and lender reporting.
The test for adequate key person documentation is this: could a qualified person you hired today execute this function within one week using only the documentation that exists? If the answer is no, the documentation is insufficient.
Building a one-page continuity playbook
The reason most middle market companies do not have business continuity plans is not that they lack concern. It is that they believe the plan must be comprehensive to be useful. A one-page playbook per scenario is sufficient for most disruptions and far more likely to be used than a 50-page document that lives in a drawer.
One-page continuity playbook template
Scenario
Name the specific event: "ERP system unavailable for more than 4 hours"
Immediate response (first 2 hours)
Who is notified, what is checked first, what interim process is activated
Recovery path (hours 2–72)
Specific steps to restore the function; who owns each step; what external support is needed
Communication plan
Who tells customers, vendors, and staff what, and when
Recovery time objective
The maximum acceptable time to restore full function
Owner
The named person responsible for executing this playbook when the scenario occurs
A business with five playbooks, covering ERP outage, facility disruption, key person absence, cyber incident, and payment processing failure, has addressed the scenarios that account for more than 80 percent of material middle market operational disruptions. Each playbook can be drafted in two hours. The set can be reviewed annually in a single half-day session.
Work with Glacier Lake Partners
Build Operational Resilience Into Your Business
We help middle market operators build the documentation and redundancy that protects business value.
Start a Conversation →Research sources
Disclaimer: Financial figures and case studies in this article are illustrative, based on representative middle market assumptions, and are not guarantees of outcome. Statistical references are drawn from cited third-party research; individual transaction and operational results vary based on business characteristics, market conditions, and deal structure. This content is for informational purposes only and does not constitute legal, financial, or investment advice. Consult qualified advisors for guidance specific to your situation.
Explore adjacent topics
