← Back to Insights

The Exit Ready Series · Post R.22

View the full series →

The Backup That Wasn't There

The buyer's IT team asks one question about disaster recovery. The answer tells them everything they need to know about how Meridian thinks about risk.

The buyer's IT diligence team asks Kevin Downer a question on the second morning of their site visit.

"Walk us through your disaster recovery plan."

Kevin is Meridian's IT manager — the only one. He manages the network, the servers, the email system, and the phones. What he cannot handle himself, he outsources to a local IT services company. He has been at Meridian for eleven years. He has survived two server crashes, a ransomware scare, and a building flood that took out the network closet for three days. He handled each one. The business recovered each time.

He does not have a disaster recovery plan.

"We back up to an external drive every Friday," Kevin says. "And the IT company backs up the shared network drive to the cloud."

The consultant writes this down. Then he asks the follow-up.

"When was the last time you tested a restore from either backup?"

"We haven't."

The pattern

Think about the smoke detector in your hallway. The battery is probably fine. You press the test button every now and then. But if you have never actually had a fire drill — never grabbed the kids, walked out the front door, and timed how long it took — then you do not have a fire plan. You have a battery.

That is The Backup That Wasn't There. A business has a backup routine but no recovery capability. The backup exists. The ability to restore from it has never been tested. The two are not the same thing.

The buyer's IT team is not asking whether Meridian has experienced a disaster. They are asking whether Meridian would survive one. They are underwriting operational continuity post-close. A service business with active dispatch and SLA commitments that loses its customer records for a week does not just lose productivity. It loses contracts.

The Friday drive

The artifact the IT consultant spends the most time on is a consumer-grade portable hard drive sitting on a shelf in Kevin's office. He bought it at Best Buy in 2019. Every Friday he plugs it in and copies the Operations folder from the shared network drive. Forty minutes. He has been doing it for six years.

The consultant asks what is on it. The fourteen workbooks that run Meridian's operations, the job folders, the customer files, the accounting exports. He asks what is not on it. The accounting system itself — hosted elsewhere. The email archive. Diane's pipeline — which lives on a legal pad and in her head, as covered in The Pipeline That Lived in Someone's Head.

He asks whether the IT company's cloud backup has been verified. Kevin says he assumes it is working because the vendor has never told him otherwise. He has no access to the backup dashboard. No confirmation reports. No knowledge of the retention period or backup scope.

The consultant's note: Unverified consumer-grade local copy. Unmonitored third-party cloud backup with unknown scope. No recovery plan. No tested restore. Recommend remediation prior to platform migration.

No documented recovery plan. No tested restore. No Recovery Time Objective. No business continuity plan. Four items on the IT checklist. Meridian fails all four.

What Ready Looks Like

Document a disaster recovery plan. One page. What is backed up, how often, where the backup lives, who owns the restore, and the target RTO. Review annually.

Test a restore once a year. Simulate a full system failure. Time the recovery. Document what broke. Gaps found in a test are free. Gaps found in a real disaster are not.

Move the backup off Kevin's shelf. Automated, monitored, off-site, with confirmation reporting. The technology costs less than $5K per year for a business Meridian's size.

For Meridian, none of these were true.


Ed's attorney reads the summary back to him.

"No documented plan. No tested restore. The Friday backup is a consumer hard drive in your IT manager's office."

Ed asks the question he has asked before. "What does that mean for the deal?"

"It means the buyer is carrying continuity risk they didn't expect. If that drive fails on a Thursday and the cloud backup is incomplete, Meridian loses its dispatch records, its job-costing data, and its inventory system in one event."

Ed thinks about Kevin's external drive. Six years of Friday afternoons. The habit was there. The discipline was not.

What this cost Ed: $0.

The disaster recovery gap does not produce a separate line item on the deduction list. But $0 on the list does not mean the buyer ignores it. A sophisticated buyer uses a finding like this to push for stronger reps and warranties around data integrity — or to justify a small purchase-price haircut at the table. "We'll need to invest to fix this" is a sentence Ed's attorney will hear more than once.

The finding also does something else. It confirms the pattern the IT consultant has been documenting across two days: a business that operates on institutional memory, maintained by specific people, with no documented process for what happens when those people or systems are unavailable.

The disaster recovery gap is not expensive on its own. It is evidence. Every finding that confirms the pattern makes the next finding easier to price.

Don't be Ed.