In a perfect world, executives wouldn’t need to be convinced of the importance of business continuity planning. The reality—as you’ve no doubt found out if you’ve explored the issue—is probably less than ideal.
However, more and more senior leaders are realizing that putting a BC/DR plan in place makes sense. In a way, Hurricane Sandy was a wake-up call—it proved that disaster can strike at any time, and it really can happen anywhere. (Even on Wall Street, where trading was halted for weather reasons for the longest period since 1888.)
Assuming, then, that your leadership has done an about-face on business continuity—and you and your implementation team are raring to go—here’s how to implement your BC/DR plan.
You’ll start by conducting a risk assessment, identifying hazards that could disrupt your business, and gauging the likelihood that those risks will become reality. You’ll also want to take a look at the relative severity of those risks: a server crash may be a lot more likely than disgruntled-former-employee-takes-staff-hostage, but only one of those could cause loss of life.
Now it’s time for a business impact analysis, or BIA—a measured analysis of the financial and non-financial impacts of an interruption to key business functions. (For a discussion of impacts you may not have anticipated, read “What does downtime really cost?”)
Consider both the amount of time you can spend recovering a particular business function (your recovery time objective, or RTO) and the level to which services need to be restored (your RPO—recovery point objective). In a data center, for example, your RTO would probably be measured in hours, and your RPO would likely be zero—meaning that data must be restored with no loss.
Break out your thinking cap, because it’s time to get creative. In the design phase, you’ll work to develop risk mitigation and recovery strategies meant to protect your people, your business and your tangible and intangible assets. This is where the rubber hits the road on employee safety, network recovery, crisis communication and more.
Finally, this is the phase in which your business continuity plan actually gets written. Whether you write a single document or compile a set of smaller pieces, we recommend at least the following:
And whether you use a format of your own or follow an industry-specific template, once your plan is approved, remember to publish it to your organization, share it with staff and train employees on how to use it.
Start at the theoretical level and compare your plan to all applicable statutes, regulations and standards. If you’re all set to accidentally break the law in the middle of a catastrophe, you need to know now.
Then, move to the real world and test the plan with your people. Consider role-playing crisis scenarios to give yourself an idea of whether your plan is understandable—or even actionable. Gaps in your strategy are much easier to deal with when you’re not actually fighting for the life of your company.
If you’ve enjoyed this high-level blog post and would like to explore these five steps in more detail, download The Definitive Guide to Business Continuity Planning. Use it to develop a BC/DR plan from start to finish, test and improve your existing plan, or anything else in between.