A First Step Toward Awareness and Preparedness: Ask The Critical Questions
The good news is that not all business continuity planning requires significant capital investment. At the heart of being prepared is being aware and having processes in place that can both minimize the likelihood and mitigate the effects of a serious business interruption. The first and most critical thing an organization’s leadership can do is to ask the hard questions and get them answered honestly. There are no “right” or “wrong” answers so long as there is realistic awareness of the organization’s vulnerabilities, its ability to respond to them and the best plan for doing so based upon their current processes, infrastructure and organizational structure.
These 10 questions are a good place to start:
Would you travel to the center of Antarctica without a coat? Not likely. Would you taunt a wild animal? Doubtful. And yet, there are many other risks we take in life and business that can have dramatic consequences. Perhaps these other risks do not put our lives in the same danger that severe frostbite or being mauled by a bear might, but each day company executives neglect to take the precautions necessary to protect their company’s business continuity, a decision that can have damaging consequences for the company and its employees.
Disasters can strike at any time. Natural disasters, such as floods, hurricanes, tornadoes, or fires, can completely incapacitate the workings of a business. Knowing this fact makes it all the more surprising that, in a 2006 survey of more than 300 members of boards of directors, 50 percent of the organizations surveyed do not have business continuity management programs. And there are other frightening statistics: 29 percent of businesses that suffer a major disaster fail within two to four months and 43 percent will go out of business within five years. The most shocking fact is that these failures can be avoided with a strategic business continuity plan.
Awareness of risk does not mean that we need to live our lives as doomsayers. In fact, taking the necessary steps to avoid risk puts us in the opposite camp. Being prepared for the worst allows us to proceed without a constant cloud over our heads. We can be confident that if something terrible happens, we’re prepared to handle it.
But how do company executives help prepare their businesses for the unexpected dangers that could be lurking around the next corner? They develop an effective business continuity plan. An effective business continuity plan will help a company avoid disruption in the face of a catastrophe. Clients will still receive services, computers will continue to run, and data, relationships, revenue streams and value will be protected.
Building a BC/DR plan involves understanding a company’s potential for risk. By accepting the risks a company faces, the company will be able to evaluate the probability of having to face the risks, determine whether it has the financial reserves to absorb the impact of a negative event and consider other possible consequences. Acceptance of risk is fluid; it changes as a company and its risks change. Another way to deal with risk is to assign it elsewhere. Transferring the risk to an area where it would be insured against exposure can help to delay the effects of the risk, or eliminate it altogether. A final option is to mitigate the company’s risk by taking action to protect itself and lowering its exposure. Without the right business continuity plan, it is difficult to effectively mitigate risk.
The following steps are a tried and proven method for building a successful BC/DR plan: assess, analyze, implement, test, and maintain.
Step I: Assess
Knowing the company well – and what it can stand to lose – is the first step in realizing the importance of having a BC/DR plan in place. Information technology analyst firm research consistently shows that 80 percent of mission-critical outages in data centers are caused by people and process issues. Establishing a process for crisis avoidance, gaining employee buy-in for the plan and weaving business continuity into the fabric of the business will protect employees, customers and the company’s data from these and other unforeseen crises.
Step II: Analyze
To create a new BC/DR plan, company executives must analyze potential threats and the possible impact of those threats, including the time involved in recovery. Next, they must decide on a cost-effective solution that will meet business and IT requirements.
Steps III and IV: Implement and Test
After implementing the solutions, testing that the plan effectively meets business and IT requirements and that the plan meets stakeholders’ expectations will confirm that continuity and recovery strategies and assumptions are sound. In other words, you have your coat, but how do you know it will fit and keep you warm enough? You try it on – before you head to the South Pole. Simply having a plan is not enough. A good BC/DR plan has been “tried on,” or tested. Testing, however, is not a one-time occurrence. Every plan needs continual evaluation to ensure that it aligns with personnel, technology and process changes. The evaluation can take place through regular discussions, or on a larger scale through an operational exercise.
An operational exercise is a way for every person in a company to participate in the BC/DR plan. A mock disaster drill is one way to test a company’s incident management and evacuation plan and strengthen the company’s relationship with local security and fire department officials and the community. It will also provide the opportunity to evaluate how a crisis might look and bring to light areas that need improvement for providing safety for employees and ensuring the security of the data center. Evaluation after a drill will help in drawing conclusions about the effectiveness of the plan and in making any necessary changes.
Step V: Maintain
The final step is to maintain the plan with testing, verification and documentation, and keeping the plan aligned with the company’s growing and changing needs.
In cases where the process outlined above seems daunting, or when there is concern that important aspects of the BC/DR plan will fall between the cracks, turning to a third-party organization can help. By looking objectively at the entire enterprise and evaluating the alignment between IT and the business to ensure appropriate resilience and recoverability, a third-party organization can also help to maximize budgets in order to make sure the company is getting the highest level of protection needed to keep the business functioning in the event of a disaster. Additional benefits include added manpower and proven methodologies to cover all aspects of the enterprise.
There is not a single industry that is impervious to disaster. This is how things look today. The scary part is most executives think they are covered. Some are; most are not.
Managing and Mitigating Risk
It’s true that not many people will have to worry about whether their coats would keep them warm in the middle of Antarctica or how to thwart a bear attack, but we do wear seatbelts, use potholders, and keep our eyes on our children while they are in the pool. These are common and simple things we do from day to day to protect our assets. It’s also true that most businesses will never be affected by an earthquake or other violent act of nature, but companies face other risks every day that can affect their business’s most important assets: their people, customers, data, reputation, and their future. By developing a business continuity plan built on accurate awareness of their vulnerabilities, risks and capabilities, companies will be able to focus on what their businesses can do each day to avoid disasters and know with confidence that they are prepared to face the events that are beyond their control.
As director of business continuity and disaster recovery for Forsythe, Michael Croy helps clients with strategic, adaptive BC/DR planning and implementation. Croy brings more than 25 years of experience in building, developing and implementing disaster recovery and business continuity programs to a variety of clients and industries. Croy is also the author of “Are We Willing to Take That Risk? 10 Questions Every Executive Should Ask About Business Continuity.”