BusinessForward

By: Carrie Lewis, Solutions Analyst, BusinessForward

In the daily life of an IT leader, Business Continuity (BC) and Disaster Recovery plans (DR) are akin to a little mosquito that buzzes in your ear. You know its bite is a part of a functioning ecosystem. Most insects are annoying, not deadly, so you swat the thing away. But you never know when calamity may strike. What if the pest is carrying West Nile Virus?

Current, solid BC/DR plans are like an inoculation against those bad mosquitos. They prevent a crisis from becoming a devastating situation. Since your internal customers work across the business and rely upon you and external customers keep you in business, you have emergency processes in place. Right?

Ask yourself:  “If a violent storm hit our company’s headquarters, how will employees continue their work? If a technical issue affects our servers, how will we recover the IT services related to those servers?”

Business Continuity and Disaster Recovery plans understood by everyone will provide the answers. Whether you’re creating a plan from scratch or updating an existing one, it’s important to know the differences between the two. Having one without the other creates a lopsided emergency strategy that may negatively impact the business in a time of need.

Business Continuity – The BC Plan

Business Continuity (BC) describes how your organization continues to operate after a disaster or incident has occurred. For example, how will the human resources department pay employees if they are unable to access the system that tracks time? The focus for BC is the Recovery Time Objective (RTO), which is how long it will take for your organization to get back to normal operations before the company is affected. This is usually measured from the time of the incident to the time that standard operations resume.

Disaster Recovery – The DR Plan

Disaster Recovery (DR) relates to how long you can operate without access to applications or data. For example, how much data loss can you tolerate in the event of a disaster or incident? The focus for DR is the Recovery Point Objective (RPO), which is the amount of data that could be lost if an incident occurs. This is usually measured from the time of the incident back to the last data backup.

How to Do It

When creating these critical plans, the following seven steps are key.

1. Collaborate: Invite all employees to participate in the creation of the plan. This ensures that you don’t miss any processes and applications across departments and naturally increases buy-in.
2. Identify owners: Designate a plan owner who will act as the coordinator of its creation and update. This can either be an individual or a group of individuals from the business or IT. Also identify application and process owners who will be able to provide actions that can be taken in the event of the plan being implemented. It’s good practice to include a back-up contact person as well.
3. Identify alternate facilities: In case you are unable to access your building, your employees will need another place to continue their work. This can mean a convention center, a conference room at hotel, another of your organization’s locations, or working from home. Do this for the company as a whole or for each of your departments. For example, your HR department might work from home while accounting may work from a hotel’s conference room
4. Identify clients, vendors, and contractors: In case of an incident, it’s important that you are able to contact any clients, vendors, or contractors you work with in order to notify them of the incident. You’ll need to communicate any actions needed to take place until standard business operations are up and running again. You may also want to consider including these groups in the creation of the plan as they may have input that will help you.
5. Communicate:  After creating your plan, communicate to all employees where a digital copy of it is saved and encourage them to have a hard copy at home or their car in case of emergency.
6. Test: Do a “dry-run” or test ofthe plan to ensure that the actions you documented will work in a real-life scenario. What sounds good on paper may not work in practice. If actions in the plan don’t work during the test, work with application and process owners to find more appropriate actions and document it.
7. Update: Include an update schedule in your plan. This will keep it fresh and will guarantee that new applications, new application and process owners, and updated actions will be included. Remember to communicate the updated plan to your employees, so they always have the newest version.

Lack of capacity or skills to get plans into place is a common problem. Whether your industry is financial services or retail, the specter of creating or even updating them is enough to cause inertia. But you should make Business Continuity and Disaster Recovery planning a priority and understand that their very essence is to preempt a state of not knowing what to do.  In your never-ending swarm of responsibilities, designing and maintaining these is far less painful than the alternative: leaving your organization wide open for poisonous situation.