Business Continuity and Disaster Recovery Planning

Business continuity is much more than just a fancy word for backup—although some organizations treat it that way. A comprehensive business continuity plan requires a roadmap for continuance and/or restoration of mission-critical functions during and after a business interruption, e.g. a fire, flood, hurricane or even a pandemic. An effective business continuity plan includes a disaster recovery plan, an emergency response plan, a communications strategy and a blueprint for business continuity.

Your company’s response to a disaster will depend on both the nature and the extent of the disaster. Some threats, such as an earthquake, hurricane or flood, may physically destroy your building and IT infrastructure. Others, such as pandemic disease, affect staff while leaving buildings and facilities intact. A cyber attack might bring down your network but not affect the functionality of the hardware or your personnel. A bombing may destroy human life, systems and facilities. A power outage could make your equipment unusable, but do no permanent damage. Thus your plan should provide contingencies for as many threat types as possible.

Therefore, your business continuity plan (BCP) must be well thought out, printed in hard copy and given to key personnel long before an incident that could disrupt your business. Copies should be stored off-site, an obvious but often overlooked requirement.

Furthermore, simply having a plan in place is not enough. You should develop and regularly test your business continuity plan so that its first execution is not during an emergency. Test under realistic conditions and make the plan robust enough to cope with extended recovery that may require use of new facilities, relocation of staff and the engagement of external resources.

Before I present my top ten business continuity and disaster recovery tips, here are some statistics which highlight why business continuity and disaster recovery planning is so essential:

Ninety per cent of businesses that lose data from a disaster are forced to shut down within two years of the disaster. Fifty per cent of businesses experiencing a computer outage will be forced to shut within five years.
Source: London Chamber of Commerce

Twenty per cent of all companies will suffer fire, theft, flood or storm damage, power failures, terrorism or hardware/software disaster. Of those without a business continuity plan:

* 43 per cent will never re-open
* 80 per cent fail within 13 months
* 53 per cent of claimants never recoup the losses incurred by a disaster

Source: Aveco

* Less than 50 per cent of all organizations have a business continuity plan
* 43 per cent of companies that do have a business continuity plan do not test it annually
* 80 per cent of companies have not developed any crisis management to provide IT coverage sufficient to keep the business functioning effectively
* 40 per cent of companies that have crisis management plans don’t have a disaster recovery team.

Source: London Chamber of Commerce

Here are my top ten tips:

1) Areas of accountability and responsibility
A key factor in any crisis management situation, which is what you experience during and perhaps immediately after a disaster, is the assignment of areas of responsibility and the establishment of a chain of command. A crisis is not the time to have department heads squabbling about who has decision-making authority. Also remember that some types of disasters may cause a loss of personnel (or some of your staff may be on leave or off sick when the event occurs), so be sure to assign backups in case some of the important players are unavailable.

Training of key personnel in disaster preparedness, incident management and recovery should also be addressed. Be sure to cross train staff to enable essential personnel to provide critical services.

2) Emergency contact information
Your plan should include up-to-date contact information on people and entities that may need to be contacted when a disaster occurs. You should not be scrambling for phone numbers at this stage. Information should be included for both internal personnel (CEO, CIO, legal advisor, etc.) and external personnel and services (police, fire, ambulance, security services, utility companies, building maintenance, suppliers, etc.).

3) Recovery teams
Teamwork is required to manage the crisis itself and to restore operations once the immediate crisis is over. The BCP should appoint members of a disaster recovery team (DRT) comprised of specialists with training and knowledge to handle various aspects of common disasters (safety specialist, IT specialist, communications specialist, security specialist, personnel specialist, etc.). The DRT members will work with emergency services during the disaster and should have access to equipment they’ll need during an emergency (cell phones, two-way radios, flashlights, hard hats, protective clothing, etc.).

The business recovery team is responsible for normalizing operations after the crisis is over.

4) Look after your staff and their welfare first
Employees are the lifeblood of an organisation; however, many human resources elements are frequently overlooked in BC and DR planning. Revisit your HR policies. Determine how your company’s leave and salary policies will apply in emergency situations. Businesses must identify alternate locations that employees can occupy in the event a primary worksite is unavailable, and must address the physical safety and psychological well-being of employees.

Assign backup roles for the inevitable times when key players are unavailable or missing, and time-critical actions need to be taken. Cross train staff to enable essential personnel to provide critical services.

5) Remote-site backup of important data
Any good business continuity plan will address restoration of your company’s important digital data if it is destroyed. Too many organisations meticulously make backups of everything and then store those backups in the server room. If a hurricane, earthquake, flood, or bomb destroys the building, that (often irreplaceable) data is lost, too.

You should store copies of important data on removable media that’s held at a different physical location, or back it up over the Internet to a remote server, or both. Timing is important with over-the-Internet backups, as other firms may use the same technique and network capacity could be overwhelmed by too many simultaneous attempts to transfer data. Just as important, key staff should know where that important data is stored and have the keys, passwords, etc., needed to restore it and return users to a productive state as soon as possible.

6) Backup power supplies
Many types of natural and/or physical disasters can result in a loss of electrical power, or a power outage can, itself, be the disaster. For continuity of business, your organisation should plan what action to take in case of a long-term outage (more than the hour or less that your uninterruptible power supplies will keep your computers and network equipment running). If you have backup generators installed, ensure that key personnel know how to switch to generator power and are aware of the fuel requirements for the generators (must they be fueled or do they run off natural gas?), among other practical issues. Consider costs when determining when and for how long to run the generator. Providing full electrical power to a building with a generator can be more expensive than using the power grid, so the BCP should discuss in what situations it’s better to cease operations and send everyone home vs. run on generator power, and it should state who has the authority to make that decision.

7) Alternative communications strategy
If your company’s phones and/or Internet connection are down, how will you keep in touch with customers, employees who are off-site, emergency services, suppliers, etc.? Your BCP should note which employees have cell phones or satellite phones, and their numbers, as well as whether and where you have other methods of communicating during a widespread disaster, such as ham or two-way radios or pagers. If you run your own e-mail servers, do key employees have alternative e-mail addresses that they check regularly (home accounts or accounts with Web-based e-mail services, etc.), and are these addresses known to other key personnel in case they’re needed for emergency contact?

8) Alternative locations and supplies
The BCP should also spell out a plan for setting up operations at an alternative location if the building is destroyed or rendered unusable by a disaster. Best practice is to have ready access to an empty facility or recovery suite that you can move into; a more practical (less expensive) alternative would be to move your operations to a branch office if you have more than one physical site.

Your BCP should also take into consideration the estimated costs of moving, setup, and ongoing operations in the new facility.

In addition, your BCP should cater for the possibility that your suppliers and vendors may be unable to perform their roles in supporting your critical business processes and technical infrastructure. Be sure to ask if they have a BCP. Ensure that you have secondary providers as a precaution. Review and evaluate whether support or maintenance contracts need to be extended or have levels of support modified.

9) Essential equipment/services backup
In some cases, you may be able to recover essential equipment and move it to a new site. In others, it may be destroyed or damaged and have to be replaced or repaired. The BCP should specify how the equipment or its functions will be replaced (for example, you may switch to a Web hosting or e-mail hosting service until you’re able to replace your servers and get them operational again).

10) Recovery phase
The BCP should address the step-by-step process of recovering and reinstating the business operations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with insurance companies, monitoring the progress of the recovery process and transitioning the management of the business operations from the recovery team back to the regular managers.

Just because we’re in the midst of the hurricane season does not mean there isn’t time to prepare. Don’t become overwhelmed by business continuity and disaster recovery planning, because in the short term you can take the initial steps of updating contact numbers, communication systems, processes and procedures, coordinating with external suppliers/vendors/government agencies, and testing current plans. A plan that is not tested isn’t worth the paper it’s written on.