Business Continuation, Pt. 2

Last time, I started the conversation on building an effective business continuation plan, sometimes also known as a disaster recovery plan.  The primary focus then was identifying scenarios, so this time I’d like to go over specifics – what do you need in your plan, setting up the process, and integrating it with your routine.

First, understand that the types of events that can set off your contingency plan can be wildly varied – from denial of service attacks, ransomware, to acts of God like hurricanes, floods, earthquakes, or blizzards.  Too often people think only of natural events rather than human factors.  And the unfortunate fact is the human factor is probably the more dangerous of them all.

So, here is a brief outline of 8 points highlighting how you should build a contingency plan:

1. Build your recovery team.  The recovery team should be made up of a spectrum of talent across the organization, representing the key functions needed to keep the business running.  The recover team is a key group that is responsible for building and maintaining the plan.  This group should meet regularly throughout the year to review and keep the plan up to date.  At least two key people should be identified as the plan owners, and a couple more could be tagged to ‘own’ the documentation.  Each member of the recovery team should have a hard copy of the plan readily available.
2. Build your response team.  Separate from the recovery team, the response team is made up of individuals that represent the various functions noted below.  This may include site contacts, vendor contacts, etc.
3. Backups.  Shouldn’t need mentioning, but be sure your backup technology is working properly.  If it’s local, try to build redundant, geographically separate systems; alternately, go with a cloud-based solution.  This can be a challenge in large organizations with a large population of mobile users, who store data on their local device and frequently neglect to back that up to network drives or initiate the local backup process.
4. Identify critical technology.  Make a list of the technology your business uses.  Focus on the big application tools that could have severe impact if they were unavailable.  Document each of them separately, collecting information on where they are housed (local vs. cloud), how they are accessed (do they need a client?  Web-based?), and who owns the product or vendor relationship.  Document any work-arounds if available; otherwise, document the impact the loss of the technology will have over time.
5. Identify critical sites.  If you only have one, obviously that’s the most critical; however, if your business is multi-site, identify those that are most critical and how you can shift work if the site is unavailable.  Document the impact of the loss over time.
6. Identify critical vendors.  This is something often overlooked.  You should not only create a continuation plan for your business, but also understand the impact if you lose a critical vendor.  For example, say you use a shipping company like UPS or Fedex, and sever weather shuts down the distribution center you use.  How do you work around that, to keep things running?  For those vendors that are mission-critical to the success of the business, it would be a good idea to meet with a representative and have them share any documentation they have on business continuation.
7. Build a communication plan.  Your recovery and response teams are obviously in the loop, but it’s also important that key business leaders are kept informed of the plan.  If the plan has to be activated, there should also be a communication plan to your employees, so they know what they should do, or the things they should not.  Toll-free numbers providing updates, email distribution lists, even social media could be used as a means of transmitting important information to staff.
8. Practice, practice, practice!  At least once a year, maybe more often, conduct BCP drills to keep your teams on their toes and identify gaps in your plan. Create a scenario and act it out; then follow up with test of the communication plan to your recovery or response teams.

Something that many of these points will have in common is measuring the impact of an event over time.  What that means is it’s beneficial to have a documented response if an event lasts and extended period – 1 week, 2 weeks, 30 days, 60 days, etc.  Create a checklist of what needs to happen as time progresses.

For example, if weather prevents a one critical site from opening, the impact for a week may be minimal and the business can absorb the loss.  If it extends to a 2^nd week, a percentage of the functions handled at that site would need to be moved elsewhere.  At a month, that work may need to be distributed across several other sites, or fully moved to an alternate.

Business continuation and disaster recovery can be complex, but in today’s world it’s a necessary function.  Unforeseen occurrences happen to all of us, and it’s important to be well prepared. A BCP that has good business representation, is thoroughly documented, and frequently simulated can prepare you for the unexpected.