It’s Disaster Preparedness Month (September), the perfect opportunity for business continuity professionals to consider some fresh tactics for preparing proactively for a disaster.
Natural disasters don’t appear to be slowing down in frequency, as Superstorm Sandy and the destructive tornadoes in the Southwest underscored. And another hurricane season has begun.
Hurricane Sandy and the tornadoes revealed gaps and holes in many companies’ business continuity and DR plans – and it’s essential to find them before disaster strikes. Specifically, Hurricane Sandy kept executives, IT staff and other critical personnel stranded without power, the ability to use the Internet, or any avenue for restoring their IT systems and ensuring the safety of their companies’ invaluable data.
Business continuity professionals now are thinking of remedies to ensure they’re prepared in the future. These precautions include retaining a third-party data center host or using alternative methods of data recovery. Increasingly, companies are linking up with a managed recovery program provider that directs every stage of the disaster recovery process. This third-party host provider delivers the people, processes and tools necessary for comprehensive, compliant and effective testing and data recovery.
With fears growing of potential security breaches, professionals also should be reexamining their business continuity and disaster recovery plans to incorporate the adoption of cloud services, mobile applications and wireless network capabilities, among other tactics.
Where to Begin?
Certainly, executives are extremely concerned about the threat of disasters. Sixty-three percent of executives surveyed for the latest AT&T Business Continuity Study cited the looming threat of security breaches as their most important security concern for 2013. Seventy-eight percent indicated their business continuity plan accommodates the possibility of a network security event.
What types of disasters should you plan for today? The list should cover hurricanes, tornadoes, earthquakes, flooding, power failures, food and/or water contamination, radiation, severe erosion, fire and landslides. And those are just the natural disasters.
Planners should determine which calamities could occur in their area and indicate whether each has never occurred or has a low occurrence (say, every 11 years or more), a medium occurrence (every 5-10 years) or a high occurrence (every 1-4 years). For medium- and high-occurrence events, plans should consider the implications for their companies.
They also must consider the chance of a security breach, either internal or external, and what damage could occur should a cyber-attack ensue. Indeed, planners should identify each risk as either a manmade or a natural disaster and label each as catastrophic, critical, limited or negligible.
Refresh Your Risk-Assessment Plan
Several proactive strategies are essential today. A critical one is to revitalize your risk-assessment plan. How long has it been since you’ve updated it? Regardless, identify the risks, hazards, weaknesses and vulnerabilities you could face. They might encompass data security and process systems, among others.
Analyze how you would handle each risk. If you have a threat of a flood and you only use paper documents stored in cabinets, have employees make digital copies or hire a DR company that provides scanning services for that purpose. Create written DR plans for managing resources in an emergency and for ensuring business continuity.
Retain a professional disaster recovery company so help is available quickly when needed, especially in restoring your IT infrastructure, recovering data and keeping critical information secure. Update your emergency-response plan, including evacuation, shelter and lockdown plans.
If necessary, review and revise your crisis communications plan for communicating with employees, customers, vendors, other stakeholders and the media. Update your employee training plan and ensure employees are schooled in the protective actions to take during a crisis, whether a manmade or a natural disaster. If yours is a small business, talk to your business insurance agent about your policy and whether it addresses today’s potential crises.
Planning Ahead Pays Off
Advance planning can make the difference between staying in business and losing everything. Preparedness is vital.
Testing your disaster recovery and business continuity plans becomes more and more critical, so consider bringing in experts to help develop that plan. When testing, test against your worst-case scenarios; don’t be complacent about your testing environment. Plan a tabletop or mock exercise to determine all the materials necessary for a major exercise outdoors.
Develop a “people” plan where you figure out where all essential personnel should be and how they should be notified. Test every six months and, if necessary, every three months. Be sure you understand what you’re testing and whether it’s robust enough to uncover the gaps and holes that could spell disaster.
If you’re new to testing, follow a “crawl, walk, run” approach: start off slowly, perhaps with a tabletop exercise and a test of just a few applications, then advance until you test the whole plan and all applications, including accounts payable, payroll and receivables, and not just your servers.
It May Be Time for a Third-Party Provider
Given the persistent anxieties about data disruptions, it may be the appropriate time to consider hooking up with a managed-services disaster recovery host, a cloud-computing host provider and a managed recovery program to ensure the best management and security for your most valuable data and information.
A managed-services host directs your system and frees you to handle more-appropriate duties and to plan future projects. A cloud services host can quickly and inexpensively restore your data. And a managed data-recovery program is structured around a business’s specific needs and the requirements of its applications.
In addition, find out what your vendors’ business continuity and DR plans are so you know how they will service you should they experience a disaster. Demand to see the plans; they should have a failover arrangement and provide service-level agreements as well. Find out if they use cloud computing because that can ensure you’re up and running again much more quickly should something go wrong.
Let the CIO’s Voice Be Heard
Business continuity professionals should help ensure that the chief information officer gains a voice in the C-suite and reports to the CEO rather than, say, the chief financial officer. This will guarantee that senior management and, perhaps, the board of directors gain a much better understanding of your business continuity and disaster recovery plans.
Even consider getting a board committee, perhaps the operations panel, more closely tied to the CIO so the committee or the entire board gets briefed regularly on business continuity and disaster recovery preparations.
Don’t Forget Global Operations
If your company is becoming more global, make sure your disaster recovery and business continuity plans and software encompass global operations. In addition, develop a global support plan with C-suite level support.
Among other proactive steps, conduct a safety audit regularly, perhaps every quarter, at your facilities to ensure they’re keeping people safe. Also develop an employee evacuation plan as part of this preparation.
A weather-awareness and alert system may be a valuable addition as well, especially one that monitors current weather conditions through the National Oceanic and Atmospheric Administration, or NOAA.
Awareness and preparation are critical to ensuring that your business continuity and disaster recovery plans perform flawlessly should a crisis occur. Consider Disaster Preparedness Month as an annual time for making sure your organization is prepared.
Mother Nature, to be sure, can never be trusted. And neither can cybercrooks.
Robert DiLossi is director of crisis management at SunGard Availability Services.