IT Business Continuity and Disaster Recovery – So what can go wrong, what can you do and why should you?
Firstly the raison d’être should be “What happens when an incident occurs?” and of course we must always remember Murphy’s Law, which is typically stated as “Anything that can go wrong will go wrong!”.
So how can you possibly plan for anything and everything? Well, you can’t and don’t need to, but you must start by thinking of the main areas that will impact your business.
Of course, some will say “I’m insured so they can pay me for any losses, so why worry about it!”. Indeed, business Interruption Insurance” is offered by many insurers and is important to most businesses because they do offer protection. However, the process of claiming is not simple and takes a lot of time and effort to correctly detail how your business would be performing if the disruptive incident had not taken place.
Insurers also need to see evidence of the disruption and can refuse to pay-out. In September 2020 the High Court ruled in favour of businesses who have been required to close due to COVID-19, forcing insurers to pay out on business interruption policies. However, the ruling stated that not every case would be accepted due to the different wording of individual policies.
Additionally, insurers will typically expect business owners to take reasonable measures to avoid any interruptions to the business. While it would be unreasonable for a business to predict or prevent a pandemic it can protect itself from most other events that could interrupt the activity.
Furthermore, if a business can’t provide the product or services their customers expect alternative sources will be looked for. Your supply chain needs to be maintained so you can continue to trade and of course, your brand’s reputation must be preserved. The loss of clients and reputation in this way could be irretrievable and result in a long-term decline for the business.
Therefore, doing nothing is not without its risks! Businesses should understand what risks they are exposed to, the impact they could have and make qualified decisions to minimise disruption and to restore normal operations.
Key Areas Impacting Businesses
The first thing a business can and should do is to create a list of the key areas that could impact the business. These examples are in no particular order and of course, there will be others that relate specifically to industry sectors and individual businesses:
- Incident that damages key office space, e.g. Fire,
- Restricted Access to the office location
- Utility Outage, e.g. Power, Internet, Phone.
- Natural Disaster, e.g. Flood
- Staff or Customers not being able to get into your business premises
- Damage to stock
- Breakdown of equipment that is fundamental to business operation
- A key supplier being unable to reach you
- You not being able to reach your customers
- An occurrence of any human infectious or human contagious disease
- Industrial Disputes
- Cash Flow interruptions
- Personal Injury Claim
- Product deficiencies – recall or replacement
- Legal or IP claim against the business
- Cyber Security breach
- ICT hardware or Software Failure
- Deletion of Data / Information
- Death of key individual
Once you have a list you can start to consider what you would and could do if any of these events occurred and try to be as comprehensive as possible. Make contingency plans and assume that things will go wrong with the plan because when an incident affecting one part of the operation occurs several other parts could also be impacted adversely resulting in the whole event creating wider than expected damage to business operations.
Business Continuity & Disaster Recovery Plan
Business Continuity (BC) involves planning to keep all aspects of a business functioning during disruptive events with Disaster Recovery (DR) seen as a part of business continuity. DR focuses on the IT or technology systems that support business functions.
We provide help and solutions relating to IT Business Continuity by preparing and protecting business operations from disruptions caused by threats such as cyber-attacks and natural disasters, as well as resource unavailability such as restricted office access, power or communication outages, technology loss etc.. We make sure that the IT Infrastructure, Systems and Processes are implemented and supported in such a way that the business will continue to operate effectively when impacted by an event.
Creating a business continuity plan and maintaining it should be part of your management processes and should be a critical piece of running a resilient business. Creating a team with responsibilities and involving the whole company will help so that everyone knows what is expected of them. Make sure you have considered all the various stakeholder and what their role will be and that they have also agreed to the plan. Also be sure to test, revise, and update the plan regularly.
The Business Continuity and Disaster Recovery Plans (BC-DR Plans) should have clear objectives and goals based on a risk assessment and business impact analysis. It must be realistic, the last thing you need is finding yourself in a disaster situation to find your plans are unrealistic and can’t be implemented. Business processes can be intricate and so making a simple plan may not be easy but do your best not to over complicate it and make sure you have the resources for it to be implemented within the expected timeframe.
You’ll have to determine how your organization will maintain essential services/functions in the event of an emergency. So think about what happens when you encounter a product shortage. Supply chain issues are common in disasters like major weather events or pandemics. Conversely, can you maintain order fulfilment and shipping deadlines to your customers?
During a crisis, customers need transparency and empathy. You’ll need to provide a communications plan for your marketing/communications teams and your customer support team. Keeping everyone informed will go a long way to maintaining confidence both internally and externally.
It’s always good to make sure your plan has room for manoeuvre with options to change should the situation change. Most SME businesses can create a strong and workable BC-DR Plan, especially if they complete the steps outlined here and in our other articles. However, for some more formal processes, these businesses should consider the ISO 22301 certification which is the international standard for Business Continuity Management Systems. It encompasses events that could impact a business and help to develop plans for dealing with issues such as IT disruption or staff shortages. It ensures the business has processes in place which minimises disruption and then restores operations to normal.
Given the importance of IT in the operation of most businesses we are a key stakeholder for our clients and we work with them to identify ICT vulnerabilities and provide practical solutions to remove these weaknesses.
Read on our Guide to Business Continuity & Disaster Recovery Planning article to find out more about all steps you need to take to create your own BC-DR Plan.