As part of our engagements with our client organizations, we always ask about the organization’s business continuity plan. We ask this question regardless of the size of the company or our level of engagement. Answers often sound something like this: “We’re covered!” or “We have a very detailed disaster and recovery plan” or my personal favorite: “We back up our data every night.”
As we dig deeper, our Sherpas often realize that most companies either don’t have a business continuity plan or at best have a data backup plan. This has inspired me to write this article about the areas that an organization needs to think about when it comes to business continuity.
1. Business Continuity Plan is an Operational Risk, Not an IT One
A Business Continuity Plan (BCP) deals with operational risk. It affects much more than the technology side of the house, and includes cross-training, rescheduling, and focusing on worst-case scenarios.
2. Disaster Recovery Plan is a subset of a Business Continuity Plan
In our opinion, the Disaster Recovery (DR) plan is the technology subset of the business continuity plan. For example, a medium-size brick-and-mortar print organization with several offices across the US, running several systems including CRM and ERP platforms, would not only need a DR plan but would also need to figure out how to fulfill customers’ online, telephone, and manual orders should a disaster wipe out one of its print centers. In addition, should a call center be closed due to a natural disaster, would other centers have adequately trained specialists to answer the customer phone calls?
3. Define Key Business Activities
We like to start by defining key business activities, processes, and systems within the organization. Examples include production lines for manufacturing companies, systems, key resources, and important business processes. We also ask some stupid questions: What if the phones are down for more than one day? Could you continue to operate? Are the phone systems designed to relay phone calls to people who work from home?
4. Define Potential Disasters
What does a disaster look like in your business? The scenarios are quite different for each organization. That said, the following categories are the most common set of business disasters:
- Natural disasters (earthquakes, tornados, hurricanes, etc.)
- Architectural disasters (fire and water damage)
- Technological disasters (servers crashing)
- Terrorist attacks (e.g. September 11)
In addition to the above set of disasters, each organization has its own set of issues that could be potentially disastrous for the company. For example, a number of major public companies, as well as the US Federal Government, prohibit two of their high-ranking members from traveling on the same flight as a method of ensuring business continuity.
5. Define the Potential Cost of the Disaster
To answer this question correctly, recognize that there are 3 types of cost associated with each disaster: (a) the unproductive time/money lost due to lack of resources; (b) revenue lost due to lack of sales; and (c) long-term loss due to customer dissatisfaction. For example, an e-commerce company whose servers have crashed will have to pay its personnel while the site is being recovered, will lose sales for the duration, will keep paying for online ads during this period, and could lose customers who find a rival site and never come back. Calculate this cost, as it directly helps with the next section.
6. Define an Acceptable Recovery Time
Following the above example, if e-commerce company A could potentially lose $1,000 per hour, its business continuity strategy might be quite different from that of e-commerce company B, which is losing $75,000 per hour. Company A might be happy with a recovery time of several hours or days, whereas Company B would like the recovery to be a matter of minutes.
7. Define an Acceptable Recovery Budget
So far, we have identified disaster types, the cost of each disaster, and the acceptable recovery time for each disaster. But how much are we willing to pay to be prepared? Nobody really wants to pay for something that might never happen (including the cost of cross-training, re-deployment, etc.), but it is a necessity of life.
8. Consider External Vendors
What if you couldn’t deliver your products and services for a certain period of time? Could external vendors perform these services for that period to keep the customers happy? If so, start building a relationship with them and establish the criteria for working together.
9. Protect Your Data!
Data is the new gold. As part of any solid BCP and DR plan, you need to make sure that your data is backed up, accessible, and recoverable. As long as we know data is accessible, recoverable, and easily discoverable, we would be able to restore it or use it in the interim to support our customers. Let’s use this example: Company A uses a sophisticated ERP format. The IT department backs up this data every night to a secure offsite location. A few months down the line, the ERP servers crash and we have to wait a week for new servers. During this period, this data is not accessible, which could cause a lot of issues for the company.
Alternatively, a better business continuity plan would have dumped key data (customer, product list/cost/price, etc.) to an unsophisticated system on a nightly basis, allowing users at various offices to have access to this information during the disaster period.
10. Train Your Employees
And finally, make sure your employees know what to do in case of a disaster, whether it is natural, technological, or architectural. It’s important for them to have all steps documented in a manual and to have practiced those scenarios so that they can react to those conditions naturally. Such manuals should be customized for each vital group, so that each group is focused simply on its specific function in case of a disaster.