Business continuity planning is not just about backups!
May 21st, 2010
The number of businesses I speak to who don’t have a Business Continuity Plan (BCP) is horrendous. I usually get the stock reply of “but we do backups”. Creating backups is not preparing your business for all potential eventualities that could hinder, damage or destroy your operations.
Anyway, regarding backups – the problem is that it can take days to get a business up and running again using normal data/system backups. And that’s even if you have the spare hardware (servers, etc) to restore onto at hand. What if you don’t have spare hardware to hand? Actually, if you haven’t recently tested restoring your systems, how can you be sure you’ll get operational at all?
We all know the scarily high statistics about companies without Business Continuity Plans going to the wall, so I’m still surprised by how many companies are prepared to take huge risks by not having trusted plans in place.
What to include in a business continuity plan
Here are an initial six things to start thinking about when business continuity planning comes onto your agenda:
1. Determine how long you can live without data and systems
Deciding this will directly influence your Recovery Time Objective (RTO) which is a key variable in your BCP. You probably have an understanding of the time you can afford to lose with no access to key systems and data, and how many hours or days of lost data you could arguably manage without. Once you define this, you can effectively balance desired recovery times and risk tolerance against a budget.
2. Plan for all eventualities
Downtime, whether it rears its head through a fire, flood, power outage, chemical leak, transport strike, malware attack, hardware failure, terrorism or even a flu pandemic, will hurt your business financially. You should consider all possibilities and have a documented strategy in your business continuity plan a documented strategy to deal with identified risks.
3. It’s more than just IT
As part of your business continuity planning process, you should be identifying key information, systems, people and processes, and how they all interact to keep your business running. Then envisage what would happen were you to lose any, or all, of these key ‘assets’. It’s easy to think that your IT infrastructure becoming unavailable is what would cause a lockup of business processes but key personnel becoming unavailable is just as impactful.
4. Scrutinise your suppliers
In business, it’s not just about you; you’re almost certainly reliant to some degree on other companies. It’s fine to have a well-thought-out continuity plan but do your key suppliers (cloud software vendors, IT providers, communication providers e.t.c.) have plans of their own in place? Can they ensure they can still deliver a service to you if they encounter problems or downtime? Send them an email or phone them up and ask.
5. Understand the technologies available
A few years ago, the only effective technologies to protect businesses from a disaster were notoriously expensive, typically aimed at large multinationals with generous budgets. Now virtualisation, replication and vaulting technologies will fit the SME budget. And if you’re astute, you’ll find you can implement some without charge due to the savings you’ll make from increased uptime.
6. Test & communicate the plan
There’s no point defining your business continuity plan and leaving it in a drawer. To be able to trust it, you need to prove it and tell people about it. Test it regularly, perhaps every 3 to 6 months or at the very least once a year. If the first time you test your plan is when an emergency occurs, then you could be in trouble.
You need to ensure that the human side of the business continuity plan is tested and proven, not just the IT parts: make sure everyone in the organisation is aware of the procedures and what part they must play should the business continuity plan be invoked. The more you test, the more routine it will become and the slicker your recovery will be – saving you money and perhaps even the business itself.
The above is in no way a comprehensive list of items to consider – it’s just a number of elements to demonstrate there are other areas that need to be considered. You’ll find plenty of other resources on the QuoStar blog to help you plan. If you want to take things a step further then get in touch and we’ll see how we can help.
Here’s another way to think about it: You pay for insurance policies, you lock the server room, you close your windows, you put the building alarm on… but you don’t know how you’ll deal with a disaster? Madness!
In the press: Financial services firms can benefit from cloud
Financial services firms operating in the UK can now utilise cloud-based IT solutions without fear of breaking their regulatory obligations, as the Financial Conduct Authority (FCA) has issued guidance for firms outsourcing to the “cloud” and other third-party IT services stating there is “no fundamental reason” why financial services firms cannot implement cloud services. While […]
How to create an information classification policy
Documents are a business asset. If an asset is lost, stolen or damaged, it becomes a risk. Both for the business and for their client. This means having control systems in place to understand these risks is critical. And having the controls to counter them is equally as important. It sounds simple. But after a […]
In the press: The future of cloud computing
Originally published on Mail Online. While the ‘cloud’ is not new, it is big business. Providers such as Amazon, Microsoft and Google are spending billions on their cloud infrastructure, and some commentators believe the cloud computing market could be worth more than £312 billion by 2020. Cloud services offer greater flexibility to businesses of all […]