Think about this possibility…
It’s Monday morning. You’re dragging and you head to the coffee pot to get the first cup of the day. People are just starting to show up at the office. Then you hear a loud BOOM, the electricity goes off and the alarms go off. Everyone is to evacuate the building! You don’t know what happened, but word goes out that entry into the building will not be allowed for 4 days.
Is your business prepared for having 4 days of downtime? If you’re a dentist’s office, maybe you just call patients and reschedule the appointments.
But what if you are an accounting firm that needs to be working each day with clients and now you cannot get to the systems and applications necessary? To make matters worse, you expect all work for clients to be done at the office that is now off-limits. Those 4 days will be a major inconvenience, but what if you are kept out of the building for 2 weeks?
Situations like this illustrate why planning for disasters is important.
In this article we’re going to talk about the basics of Business Continuity Planning and Disaster Recovery Planning.
But first, we need some definitions…
Business Continuity Planning (BCP) is a process designed to guide a business in ensuring its critical business functions continue during and after a disruptive event. In order to create a usable BCP, you must work through some things…
- Do you know what the likely threats are to your organization? There are things that can harm your business, like storms, power outages, theft, looting, etc.
- How about your vulnerabilities (weaknesses that can be exploited by the threats)? Glass fronts to the offices that can be easily broken? Poor cybersecurity practices? Something else?
- What are the most critical business functions that need to be restored or kept going during a disruptive event? Do you have access to the key stakeholders for these functions? What staff do you make direct calls to and do they know how they are to respond?
- Do you have a strategy to “keep the lights on”? This is part of the Business Continuity Plan.
The purposes of Business Continuity Planning are to
- Maintain essential business functions
- Minimize organizational downtime
- Ensure employee safety
- Protect your organization’s reputation
Disaster Recovery Planning (DRP) is similar but is focused on restoring important IT systems following the disaster. You need to work with your technical staff or IT service provider as you create the DRP. Think about these things…
- Where are your data backups, are they easily accessible, and are you confident they can be restored?
- If your servers are blown away by winds or power supplies are fried due to electrical issues, what are your plans to get new equipment? Do you have the cash on hand or a credit line to purchase? How long will that take? What about installing the OS and applications?
- And the networking infrastructure needs to be considered. If the servers, applications, and data can be restored but staff are not allowed to return yet, are there plans for secure remote access?
- Does your cyber insurance help with addressing the disaster? Do you have a specific person you are to contact if there is a disaster? What about their response to a cyber incident?
The purposes of Disaster Recovery Planning are to
- Quickly restore IT services
- Ensure protection of data and the recovery of data
- Minimize financial loss
- Meet compliance requirements
While the BCP and DRP are similar, they have some differences.
- The scope of the BCP is the entirety of the business, while DRP is focused on IT and data recovery
- The BCP is worked during and immediately after the disrupting event while the DRP is worked post-disruption for recovery
- The goal of the BCP is keeping the business operational while the goal of the DRP is restoring systems and data
- And the stakeholders for the BCP are all departments, but the stakeholders of the DRP are primarily IT and data management teams.
So how do you go about creating the BCP and DRP? We’ll cover the details in later posts, but here’s the high-level approach…
For the BCP…
- Perform a Risk Assessment
- Conduct a Business Impact Analysis
- Create a strategy for communication and keeping the core business functions working
For the DRP…
- Identify critical IT assets
- Create backup plans – both data and equipment
- Outline recovery procedures and protocols
- Regularly test these plans
Obviously it is important that the BCP and the DRP are complementary and never contradict each other. And the plans need to be reviewed, updated, and tested at least annually. Testing is often done using tabletop exercises.
That’s about it. Conceptually it is very simple, but these plans need to be comprehensive for your organization. Following these suggestions will help to prepare your organization for the unexpected events that will occur and that will disrupt your business.
As they say, “Let’s be safe out there!”