Preparing for the Worst: Disaster Recovery and Business Continuity Plans

Darkness looms overhead. They sky is covered by grey, boiling clouds. The wind blows in gusts strong enough to give you pause—to shore your footing. There is no noise aside from the constant rustling of the wind through the trees. The animals have all fled. Water has risen—seemingly from everywhere. It’s only enough to cover your feet right now but soon it will be waist deep. The wind will become a driving force. It will fell trees and power lines, street signs and stop lights. The rain, now a constant annoying drizzle, will turn into a deluge that soaks to the core.

Your business will be flooded. The windows and doors destroyed. It will be a total loss. And as you stand perplexed at the magnitude of damage, the calls will come in. Orders have been missed. Customers are upset. Your employees have nowhere to work. What do you do? Do you shutter the business? See what you can get out of insurance and pack it in? A hurricane, flood, tornado, fire—there is a myriad of catastrophic events that can tear your company apart and in order to stay afloat, you need to have a plan.

You need a Business Continuity plan. A BCP details all critical functions of a business and a backup should regular avenues of functionality fail. Communications, physical locations for employees, financial operations, and customer service all need accounting for during and after a disaster. It’s harsh to say, but the business world doesn’t stop when your company experiences hardship.

Though your business has experienced a disaster, a BCP is not the same as a Disaster Recovery plan. Many businesses with on-premises, colocation, or cloud systems infrastructure have a DR plan in place. Too often though, this is confused with a BCP or vice versa. A DR plan is an integral part of a BCP and a business may have one in place without a full BCP (though that is not advised). Disaster Recovery’s focus is far more narrow than a BCP and emphasizes solely on IT functionalities related to systems like servers, NetApps, and networking devices. Disaster, in this sense, can be natural, but is almost more likely to be unnatural—hardware failure, hacking, malware, or human error. Natural disasters are more likely to cause the implementation of a business’s BCP. Whereas a DR plan would be implemented in the case of hardware, application, or data loss/failure.

The point of a DR is to get up and running as fast as possible after a “disaster.” Two large components of a DR plan are Recovery Point Objective and Recovery Time Objective. These objectives are where in time a business wants to be able to revert their data back to after a loss, and how long it takes to get the data back to operational, respectively.

Now, in order to create a business continuity plan, a business needs to know itself. To start a BCP there needs to be a complete inventory of all business capacities in order to correctly identify the critical functions that must be kept running or are first priority to get back up and running after a disaster. Be aware that this is a large undertaking that will take time and in depth analysis of the business. Once there is a BCP in place though, it will prove it’s worth many times over, not only in the case of catastrophic events but for an intimate knowledge of the business processes and possible streamlining of functions and capabilities.

It’s harsh to say, but the business world doesn’t stop when your company experiences hardship.

It may seem daunting to start the project, but there are many free templates available online that can at least push you in the right direction. Ready.gov supplies a free, generic BCP template that covers the basics and allows you to make your own decisions on how to elaborate how you see fit.

The first step in creating a BCP should be to define the BCP itself. What are the objectives of the business’s BCP? Every business is different and every BCP should be, too. Along with the BCP’s definition and objectives, create a Business Continuity Organization Chart. Assign someone to be the BCP leader, someone who will coordinate the plan should it need implanting and whom all information from different departments will funnel through. Surround them with a team in order to spread out BCP functions.

Next, conduct a Business Impact Analysis. The BIA is the tool with which the business will determine its critical functions and the effects of a disruption to those functions. One way to do this is to create a survey or questionnaire. Distribute the document to department managers in order to understand the operational and financial effects a halt in their workflow would have on the company. This should also focus on the Recovery Time Objective, with emphasis on how long a disruption could last before it impacted operations and finances.

After determining the effects of a disruption in business processes, the business will need to focus on recovery. Again, work with department leaders to understand what recovery means, how to recover, and what resources are necessary for recovery. Be detailed, all the way down to chairs, desks, and office space requirements, not to mention technological requirements. Document workarounds for processes where possible. Compile the requirements for recovery and develop recovery strategies from the information based on the logistics of regaining functionality. This is where a DR plan would come into play for your IT requirements. Keep RPO and RTO in mind here.

Develop a BCP from all the information collected and documented. Create and document procedures for activating the BCP. How will the business notify employees and vendors necessary to implement the plan? Where will the business operate while in recovery mode? How will the business assess damage? All these processes need to be documented and compiled to create the BCP. Once that is done, make sure to spread the knowledge. Create multiple copies of the BCP and distribute physical and electronic copies of the document throughout the business.

It’s all well and good to have a plan in place, but unless the plan is tested it may not work. Train employees on their responsibilities and roles in the BCP and test all recovery strategies to ensure they’ll work. Also review the BCP on a regularly scheduled basis. As the business grows and changes, so should the BCP. Keep it updated with contact and vendor information as well as recovery strategies.

A Business Continuity Plan is an invaluable resource to a company. It’s a lot of hard work and critical thinking to create, but should the worst occur you’ll be glad you did. It’s not something to take lightly, the business and its employees depend on maintaining operations, no matter the size of the company.

Let Atomic Data take a piece of the BCP off your plate. Atomic Data’s experienced Engineers can create a DR playbook for your company featuring backup and disaster recovery options for Windows Servers, NetApp, and PC or Mac workstations. Backup using our Cloud or Colocations services or we can create an on premises solution for any business. There’s also the option to maintain a hotsite in order to keep any applications operable while data is restored from backups in case of a failure. It’s better to be safe than sorry.