It may not happen to you, but what if it does? Find out here why it pays to be prepared.
Disruption to business can be costly, not only in terms of lost trade and the consequent financial implications but also in longer-term harm to your reputation. Whilst none of us like to contemplate the worst happening, it’s important to plan for what you would do if your business were to suffer a major problem such as a fire, flood, storm damage or another similarly catastrophic event.
IT problems can also cause severe disruption, as British Airways recently found. What if your business was hit by a power outage or large-scale virus attack? As we all rely increasingly upon our systems, these things can have a major disruptive effect.
You might be thinking that you have insurance to cover such eventualities, but that only takes care of the financial side, and even then may not cover all of the costs involved in recovering systems and getting your business back on track. And insurance certainly can’t replace the customers you’ll lose to the competition while your firm is non-operational. This is why it’s vital to have a business continuity plan to ensure that you get up and running again as fast as possible.
What does a plan include?
Before you can even start to create a business continuity plan, you need to take a look at the structure of the business itself. Identify the critical processes and the systems that support them; look at what measures – such as data backups – are already in place, and find out what documentation is in place to support the re-creation of systems. In an era that’s heavily reliant upon digital technology you ideally need an ‘always on’ infrastructure that is accessible whatever happens.
You will also need to look at who is going to be responsible for managing a disaster and getting the business back on track. While in most companies this may not be a full-time role, it’s important that someone oversees the operation and has sufficient authority within the business to command resources and get things done.
Finally, you need to look at the roles of staff at other levels of the business. What are their duties in the event of a problem and what, if any, additional training will they require to carry them out?
Large enterprises, banks for example, take disaster recovery very seriously indeed. They often have ‘hot sites’ replicating all of their systems elsewhere so that they can be up and running again within a short time of the main site going down.
For smaller businesses this, of course, isn’t an option. However, there are some things that you can do. Storing backups away from the systems they relate to – preferably on a different site – ensures that they’ll be available in the event of a problem. Similarly, your disaster planning documentation needs to be available and in a form that is easily accessed, preferably with a checklist of steps to be taken, lists of people to contact, etc.
Many people now use the cloud as a means of saving their data. Whilst this is good in the sense that you know it’s safely stored elsewhere, you need to give consideration to how you would access it in the event of a disaster. If your main office is unavailable you’re going to need another location with internet access to allow you to access your data.
Thanks to the rapid expansion of the cloud, many businesses no longer have in-house servers, so systems are always available from elsewhere. Increasingly, infrastructure can be delivered as a service too, so reliance upon a single physical location is reduced. Nevertheless, you need to give thought to providing access.
If you have other sites this might be a solution, allowing staff to temporarily work from elsewhere or from home. Otherwise, you need to consider other options such as managed office space, for example, to get up and running again. Even then you may need to source endpoint hardware to allow your people to get back online. All of these are issues that need to be considered and included in your continuity plan.
Because business continuity is a complex task, it’s not surprising that many companies look to outsourced solutions. This ensures that you get the benefit of people who are experienced in drawing up continuity plans. It also means that you have access to best practice solutions. This is key to satisfying insurers, industry regulators and your investors that you’re serious about addressing the issue.
You get the advantages of specialist expertise without the need to recruit or train in-house. You also benefit from specialist centres employing the latest techniques such as Disaster Recovery as a Service (DRaaS), which uses the cloud and virtualisation to provide high levels of protection and systems resilience.
Outsourcing your recovery planning also helps in addressing the fact that a continuity plan isn’t static. It needs to constantly evolve to take account of new threats and risks, adapt to new systems as they’re brought on board, and safeguard the needs not just of your business, but your customers and suppliers too.
Continuity planning is all about dealing with the unexpected. It’s important, therefore, that while you have a plan it’s one that is flexible enough to deal with a wide range of circumstances. For that reason, you need to have a comprehensive business continuity plan checklist to ensure that you are able to deal with any problem that arises.
This needs to address a number of key areas:
- Identify a coordinator and put together a continuity team. Which departments does this need to include? We’re not dealing with just an IT problem, so areas including security, HR, legal, and PR also need to be involved.
- Identify critical systems. You need to prioritise those parts of the business that are mission-critical since these need to be dealt with first. This will generally be your front-line, customer-facing systems; these need to take priority in the recovery process over the back office and other tasks.
- Identify critical staff. Who are the people needed to maintain essential operations? If you’re working from a temporary location and don’t have space to bring all your team in, which roles do you really need?
- Assess vulnerabilities. What are the things most likely to affect your business? For example, are you near a river that’s liable to flood? Is your power supply dependent on a particular substation? Perform a risk assessment around any major risks.
- Determine acceptable service levels. In the event of a major problem, you can’t expect to get back to 100 percent normality straight away. You need to decide what is the minimum acceptable level of service you can survive on and for how long.
- Understand compliance. If you’re dealing with personal or sensitive information, what measures are in place to apply the appropriate standards of protection and compliance, and will you be able to maintain these effectively on a fallback system?
- Set a budget. What are the potential costs of downtime following a disaster? How much do you need to spend to mitigate this risk?
- Set objectives. Having identified your critical systems, set a timescale for when each one should be up and running again. If nothing else, this will serve to focus people’s minds.
- Check your backups. Make sure that you know where your backups are and understand the cycle that they’re taken on. It’s a good idea to perform a recovery test occasionally to make sure that the data can be recovered.
- Draw up a contact list. Which staff do you need to alert in the event of a problem? Who else do you need to inform, in particular people such as suppliers and major customers? If you have to move locations, what about energy and communications providers?
This isn’t a comprehensive list but it should give a clue to the fact that continuity planning isn’t just an IT problem. It’s something that affects the entire business and you need to treat it accordingly.