It can be very difficult to get the traction needed to address ‘potential’ problems when there are so many other current business problems or issues to address. Dealing with potential problems tends to get short shrift – forever being pushed down the seemingly endless list of priorities until they are effectively in stasis. Business Continuity and Disaster Recovery planning often fall into this bracket. Everyone thinks they’re important, but getting the business to make this type of planning a priority can be harder than the planning itself.
However, the costs of not having plans in place can be catastrophic for businesses affected by a disaster and forced to suspend operations for a period of time. According to the US Federal Emergency Management Agency (FEMA), 40% of businesses do not reopen after a disaster and a further 25% fail after one year.[1] Obviously, the question you have to ask yourself is not ‘can we afford the time and effort for Disaster Recovery and Business Continuity Planning?’ but ‘can we afford not to?’
You need to remember a couple of things when starting out on your Disaster Recovery journey. Most importantly, don’t get hung up on the scope of the project. You don’t have to do everything at once and not everything about your business needs to be accounted for in a Disaster Recovery plan.
Start by getting your team together and then take a close look at your business. In formal terms, this is known as a Business Impact Analysis or BIA. Ask yourself: what really makes your business tick? What are your critical business activities and what are the things that they rely on? When starting out, you can limit the scope of your DR/BCP project by just focussing on these most important business processes.
Your list will likely include services and staff, infrastructure or even specific applications. When you’ve completed this task, take a look at your list and then prioritise these assets accordingly.
It’s best to think of this process as a real opportunity to get to know your business better. You can get a superior understanding of how it works, cut through perceived complexity and identify which assets are critical to operation. This type of knowledge isn’t just necessary for protecting yourself from the catastrophic impacts of a disaster, but obviously can have other positive applications as well (for example, knowing which assets are less critical to your business and may be overdue for a productivity review).
Now that you have a precise picture of what’s important and needs to be protected, you can start to look further at what types of threat might be most likely to affect them.
In this process you get to be a little less analytical and procedure-based and start to think a bit more outside of the box. That doesn’t mean that you need to start thinking about the consequences of an alien invasion, but do make sure that you include all different sorts of threats in this list and look beyond just natural disasters.
You need to include logical and technical threats as well. (Yes, the impact of an earthquake would be terrible, but so might the results of a DDoS attack on your ecommerce or catalogue showcase website.) Don’t ignore more banal threats either – a flood might be bad, but water from a faulty sprinkler system might be just as damaging and much more likely depending on your location.
The key thing here is to understand and take account of the fact that different types of threats make you vulnerable to very different outcomes. Ask lots of ‘what if?’ questions and work through examples of the threats you uncover so that you can test your assumptions. You also need to take into account how likely a particular threat might be for your particular operation (which will later help you determine whether the cost of mitigation is reasonable).
Make sure you don’t forget to take into account your staff or your supply chain in this process. For example, one of your scenarios could be a flu outbreak that takes out half your staff for a month, or perhaps a transport strike that stops delivery of a critical component for your flagship product.
When you’ve completed this part of the task, you can move on to the selection of controls that can help you mitigate the risks from the threats you’ve uncovered. These controls will vary according to the results of your previous analysis, so don’t expect a ‘one-size-fits-all’ approach to work here. It’s likely that you’ll need to select a number of different controls that address the threats that are most likely to concern your business.
Common IT controls range from measures such as data backup and recovery (a necessary measure for pretty much every modern organization) to increasing levels of network and communications redundancy. Do remember, though, that proactive measures tend to be more cost-effective than reactive measures in the face of a disaster, so if you can, choose measures that you can integrate into your existing processes. Companies like NextGen, who offer you support with several key Disaster Recovery and Business Continuity services, can be invaluable in this process – and can help you not only to share the risk, but also to develop a DR plan for your situation.
Disaster Recovery and Business Continuity Planning offer many advantages to a business. With smart planning, not only can you ensure the safety of your staff and the ability to resume critical business functions in a timely manner – you can also ultimately save your business from becoming another disaster statistic.