Cyber-attacks and other major threats are top of mind right now, which means everyone is creating a Disaster Recovery (DR) plan. It is important to have a DR plan, but while many companies prioritize being prepared for force majeure they ignore disaster recovery’s little sister, Business Continuity Planning (BCP).
DR vs BCP
Disaster Recovery: how your business-critical items (think servers, data, files, etc.) are restored after a damaging event.
Business Continuity Planning: how to maintain operations when there’s an outage, malfunction, or loss.
As you can see, disaster recovery is how you move on after an unexpected event that results in damage, but BCP is how to continue and protect against loss. The umbrella for BCP is huge – almost every department has a role to play and as such, needs to create and maintain their portion of the business continuity plan. Of course, one of the largest stakeholders in BCP is the Information Technology department, but finance & payroll, operations, facilities, compliance/risk, and even the Board of Directors (if applicable) all play a role in creating a holistic, all-encompassing BCP plan.
How to Create a Business Continuity Plan
There are many ways to go about creating a plan, and there are many great templates out there to get you started (check out this template from FEMA to understand how in-depth your continuity plan should be). But for a tailor-made plan, try this approach: BCDR – business impact, current resources, develop a plan, revisit. First, run through the five major scenarios that effect your business (data loss/breach, power loss, network outage, physical events [fire, hurricanes, etc.], and emergency communication) and identify how each event would impact a certain department. For example, a network outage at the payroll company’s site would mean your employees are unable to get paid. Finance, HR, and legal would see the biggest impact.
Once you have a wide range of events that could impact the company, see what you may have on hand to create a solution. If you’re planning for an executive’s abrupt departure, is there someone who has been working closely under them for years and could step in at a moment’s notice? If there is a power outage, is the building already equipped with a generator or backup power source large enough to handle your business functions? If not, then it’s on to step 3, developing a plan.
What, you mean we haven’t even developed a plan yet? Well, sort of. You’ve identified potentially impactful events, what the business impact will be, and what you currently have in place to respond in such events. But now is the time to put it all together, create a centralized resource, and make any necessary purchases. If, through the data loss scenario, you found out that your data isn’t backed up or you don’t have a failover server, start the process of purchasing those extra items. Then compile all the scenarios, solutions, and resources into one resource that can be accessed by the necessary business stakeholders.
The last step can seem menial, but it is just as important as the steps preceding. Your BCP is not going to be much help if it’s six years old, does not account for new technologies (cloud), and you’re in a completely new building. Stakeholders should frequently revisit the plan to ensure its accuracy and that it meets regulatory standards. This revisit step also includes training and retraining employees. Think drills and testing, but also ensuring that anyone with a designated role such as taking over in the event another employee leaves is up-to-speed and still able to fulfill that role.
Testing Your Plan
Remember step 4, revisit? Now is the time to revisit your plan J. It is crucial to do a thorough test of your business continuity plan to identify any weaknesses or holes. A great way to test is to do a simulation. For extra relevance and resources, try doing a simulation of an event that happened to another company (like NotPetya or the Texas grid failure). By recreating events that happened, you can see how other companies responded and maybe get some other ideas on how to approach the situation.
These tests are the safest way to see how you can improve your plan. As they say, hindsight is 20/20, and simulations allow you to gain a bit of hindsight without business impact. It is important to include the right stakeholders during the tests, too. If you’re responding to a mock tornado, there is not much IT can do until the site is deemed safe; facilities would play a critical role.
A BCP Scenario Happened… Now What?
The moment you’ve been planning for is here – a large hurricane swept through your area, knocking out the power grid for miles. Since there is no power, you also have no internet or AC. This is where your plan kicks in. Your BCP officer (whether official or unofficial) should reference the resource creating in the planning stage and follow the steps outlined. Hopefully during the planning stage, you coordinated a generator that allows your systems to proceed as normal after a brief outage. Now your business is up and running, but it’s also important to check on your most important asset, your employees. Especially with work from home, it’s crucial to make sure your employees are okay. Are they in the office and need to rush home because they need to ensure their family is okay? Find a safe way to help them home if possible. If it looks like anyone who came to the office is stuck there, how will they get food? Humans will always be one of the biggest variables. Hopefully your business continuity plan is strong and can take over the business functions so you can focus on your employees and dealing with any unplanned variables. Even the strongest BCPs will have gaps and flaws, there’s no way to predict every possible event. But by putting in the initial work to get as granular as possible, your business will have the strongest chance of staying up during an event.
Final Thoughts & Reminders
While no business wants to deal with a data breach, most companies have systems in place to prevent and/or recover in case a breach or loss happens. However, the less flashy and scary events like natural disasters or outages tend to be overlooked. Hopefully this blog provides a good starting point to reflect on how prepared your business is and what to do if you have not created a business continuity plan.
When it comes to your data, you don’t want to take any chances. Our BCDR solutions offerings can be tailored to fit your business needs and ensure your data is protected when it is most vulnerable. Contact us today and we’ll get you in touch with the right person that can understand your organization’s business continuity needs.
Would you like to learn more about Disaster Recovery & Business Continuity? Learn more how we can build custom Disaster Recovery (DR) solutions tailored to your unique IT operations.
Comments