A Guide to Business Continuity & Disaster Recovery Planning
As we know business is very competitive and therefore the best prepared and organised businesses will thrive while others will flounder. Here are a few key points to consider when thinking about how your business can continue to operate effectively if a major business disruption takes place.
Business Continuity Plan
The Business Continuity (BC) plan must list all the procedures and steps that need to be performed to keep the systems and processes operating to maintain business operations in the event of an emergency. Of course, these situations could be very wide-ranging, from natural disasters, public health emergencies, infrastructure failures or even human error. We have produced a separate article ‘IT Business Continuity and Disaster Recovery – So what can go wrong, what can you do and why should you? ‘ giving an overview of various scenarios. However, the raison-d’être being “What happens If”?” and of course we must always remember Murphy’s Law, which is typically stated as “Anything that can go wrong will go wrong!”.
The COVID 19 pandemic has focussed everyone’s mind on how to continue to work effectively with disruption to workplace access, supplies and deliveries as well as access to information. While most businesses have put stop gaps in place many are still trying to come to terms with the changes and in many cases, only parts of the business are operating as normal.
Even under normal working situations businesses managers very often do not appreciate the risks systems and information are exposed to. Furthermore, when an event occurs additional pressure is placed on staff, systems and processes with a change to operating practices – this means that any weaknesses are further exposed presenting further risks to the business. It is therefore important that the plans make sure all the same resilience and protection remains in place.
Some studies claim that less than 50% of small businesses have a business continuity plan in place. So, while business continuity plans may be alien to most small businesses their importance should not be underestimated. We would always recommend that even a basic business continuity plan is in place because one never knows when an incident could take place. Whatever you do, don’t be put off creating a plan just because it looks difficult or because you don’t have time, once started it won’t seem so bad so we encourage business owners to make time.
We can say that Business Continuity (BC) involves planning to keep all aspects of a business functioning during disruptive events, with the planning typically referred to as Business Continuity Planning (BCP) and the whole process as Business Continuity Management (BCM). Similarly, this can be extended to incorporate Disaster Recovery Management (DRM).
As we all know ICT plays a huge roll in business operations and increasingly so in our “Always Connected” world and it is for this reason that IT Business Continuity Management is often separated out as a significant section of BC. Additionally, Disaster Recovery (DR) is considered as a further sub-set of business continuity, it focuses on the IT or technology systems that support business functions and how these can be restored when a disaster strikes.
It is important for businesses to create an IT Business Continuity & Disaster Recovery Plan (BC-DR Plan) which considers different scenarios that could affect operations and to conduct an impact analysis that considers not just the financial loss but also the impact to Customers, Staff, Suppliers and other Stakeholders. The plan should also become part of the Standard Operating Procedure for the business.
Disaster Recovery assumes that information is not recoverable (at least for some time) and represents a process of restoring data and services to an acceptable level. While we consider the parameters in depth that define this in another article, it is an important part of making sure your business can recover the information it needs and expects within a critical timescale.
As part of our Business Continuity and Disaster Recovery Service (BC-DR Service), we implement resilient systems for businesses as well as security fabric to protect business information from damage or loss. A wide range of replication, backup and restore solutions are matched to a business’s requirements following consultancy and discovery exercises. Continuing support and systems management maintains reliability and availability. However, it must be remembered that the IT Services provider is not responsible for the recovery of business operations from all causes, only the technology.
Depending on your particular business and level of risk, every business will have different primary threats to business as usual. That’s why risk assessments prior to assembling a business continuity plan can be so helpful. It’s also why every plan needs to be bespoke and needs to plan for multiple, potential interruptions to services caused by the unavailability of services, staff, workplaces, and third parties etc.
So, we start with the premise that you need to have a plan.
Creating a Business Continuity Plan (BCP)
Step 1: Create a Business Continuity Team
It’s important to have the right team in place to create and implement a business continuity plan in your organization. Even if your business is small, don’t be deterred, gather your employees and start to work on the plan. Work out the roles and responsibilities of each individual and if you use external resources then they should also be involved – HR, IT and Finance. Try to make sure nothing is missed and roles are not duplicated.
Team members should be given responsibilities for executing the plan and should prepare policies, train additional team members and identify processes to streamline the implementation of the plan. Simply put as – who does what and when. Make sure you explain what you are doing to all people in the organisation and ask for their ideas too. When a crisis hits a business, it affects all staff and so having everyone’s “buy-in” will be vital.
Step 2: Have the Team conduct a Risk Assessment and Impact Analysis
Good analysis is key to gathering the information needed to develop strategies to limit the effects and define recovery plans:
- Identify what types of threats and risks are likely to impact your business. Explore each threat and risk, aim to understand how each impacts your business.
- Identify time-sensitive or critical functions, their weaknesses, the resources that support them and the impact caused in the event of an outage.
- Detail the resources you have vs the resources you need and create a GAP Analysis. This process will help identify the vulnerabilities which can make your assets/resources more susceptible.
Step 3: Make sure the Team identify the Stakeholders and what are the Critical Functions
- Begin by identifying the key stakeholders, critical resources and functions without which the organization cannot function smoothly.
- Consider what controls or preventative measures you may already have in place which can minimise the risk and how these can be improved or other measures adopted.
- Establish contact points with these stakeholders etc and remember other teams may be dependent on them, so map the dependencies.
- Define the acceptable minimum levels of operations for each of these functions and how they will ensure the continuity of the business, and to what extent.
- Determine how long each area of the business can cope without specific services.
- State what the acceptable loss of information is to each area of business.
- Understand the full impact and cost to the business for outages caused by the identified threats.
- Identify what information and how information about an incident should be managed and communicated both internally and externally.
Step 4: Draw up the Plan
With all the information gathered, create a draft plan which should include the following:
- The intentions of the BCP
- The roles and responsibilities of individuals
- Details of stakeholders and critical functions
- The Business Impact and GAP Analysis
- Details of things you need to do to Prevent, Respond, Limit and Recover
- What you will do to test the plan
Step 5: Review and Revise your plan
Once the plan is in place, test it so that omissions can be corrected before an incident occurs.
Individual parts can be tested on a scheduled basis and meetings set up to discuss emergency scenarios. Situations can be hypothetically created and the team members can review the effectiveness of the plan.
The threat landscape will continue to change just as other business demands change and therefore the continuity plan will need to adapt. However, by using the points above, your business will be better placed to withstand a disruptive event and stay ahead of your competitors.
While this may seem to be a big undertaking it really is well worthwhile and can even be a great way to build confidence with your customers. As stated earlier, don’t be put off creating a plan just because it looks daunting or because time is short.