If time is money, then logically, lost time must equal lost money. Downtime due to a disruption in the business process, for any reason, is difficult, if not impossible, to recoup. A business continuity plan (BCP) that addresses how an organization can continue functioning after disaster strikes is essential for any organization, regardless of whether it's small or large, profit or non-profit.
Because information technology (IT) is so ingrained in the business process, any BCP must include the organization’s IT systems. In fact, IT plays two positions on the business continuity team, one on defense and another on offense. A BCP aims to secure the IT network and critical data, and employ IT proactively to ensure business continuity in the event of a business disruption.
This was exactly the case right here at Meridian last month when one of the snowiest winters in recent memory shut down our headquarters here in the Washington DC metro area on several occasions. Luckily, our ability to stay connected and to work remotely allowed most of our operations to function smoothly — after all we are in the managed IT services business!
Of course, the BCP will vary from enterprise to enterprise, but most will include these core units:
- Risk Analysis
- Business Impact Analysis
- Network Failure
- Disaster Recovery and Response Plan
Notice that earlier I said systems, not IT departments, because many small-to-midsize businesses (SMBs) don’t even have an IT employee, let alone an IT department. Large enterprises are generally better able to sustain business interruptions than SMBs. But that is where a managed services provider (MSP) can help an SMB develop a big-business-style continuity plan. It is important that the MSP understands the client’s overall mission and business model.
Business Risk and Impact Analysis
This initial phase is vital because it will enable the team to prioritize and focus on (a) possible disrupting events, and (b) the probability of occurrence and potential impact to business operations. At one end of the spectrum there are low-probability/low-impact events. At the other end is the opposite: high-probability/high-impact events. In between, there are various combinations of probability and impact that must be estimated and prepared for. This is not a simple task, and here it is vital that the MSP understands your business process and is not just trying to sell goods and services.
Let’s go back to that snowstorm. There is a pretty good chance of a snowstorm severe enough to cause a shutdown hitting the Washington DC area every winter. The probability is high, and the impact, since it entails a temporary loss of business processes, is probably in the medium range for most organizations. Downtime due to snow should definitely be a part of any DC area enterprise’s BCP.
On the other hand, earthquakes have a very high impact potential, but in this part of the world they are very unlikely to even occur, let alone cause serious damage. So we have to decide how much time and how many resources to devote to high-impact/low-probability events like natural disasters. Scoring probability is difficult because we don’t know what we don’t know. Fires, floods, explosions, tornados, acts of vandalism, etc. can and do occur, but who knows when?
In today’s business environment, a business interruption due to IT failure is a very real possibility. Shutdowns are much more likely to come from cyberattacks and data breaches caused by human error, hackers and cyber criminals than from tsunamis and hurricanes. Because loss of business continuity is frequently due to IT failure, a BCP should anticipate the failure of core components such as the secure server room’s climate control and power source, the server, and connectivity to a service provider.
Depending on the enterprise, the failure of any of these systems could result in the loss of revenue, increased expenses, regulatory fines, or lost clients. Therefore, network redundancy, such as having dual service providers, and backup power sources may be viable options for some businesses. Storing vital data in the cloud and virtualizing business processes are also ways to mitigate risk. For SMBs this is where a consultation with a managed services partner is critical.
Disaster Recovery and Response Plan
If business continuity is disrupted due to IT failure, it is essential to have a disaster recovery strategy in place. There should be a plan to prioritize the restoration of all hardware, software and data that is essential to business operations as quickly as possible.
The plan should outline and clearly define all processes, checklists, roles and responsibilities, detailing what needs to be done and who needs to do it in order to recover effectively from an IT failure event.
Planning for the loss of business continuity also requires testing and drills. Having built-in technology safeguards and redundant systems is no substitute for rehearsing and planning for the worst-case scenario. Without such preparedness, even minor disruptions in business continuity can cause major problems for an SMB’s bottom line.