BCP Tip: Don't Rely on Luck to Get Your Firm Through a Disaster
Feeling lucky that your business has never been impacted by a disaster? If so, now is the time to evaluate everything from your call tree to your disaster recovery solutions. Most studies show that up to 40 percent of businesses fail after a disaster. That means that almost half of firms reading this article will not recover if not fully prepared.
So what do you do to ensure that you will be more than just lucky to successfully recover from a disaster?
Start with your documentation. What do you have? You should have a current Business Continuity Plan (BCP) and Employee Quick Reference Cards (QRCs). If you have those two items, be sure to review them and make sure any recent changes to your business have been captured. Once you’ve validated the information is current, it’s time to test the documentation.
If you haven’t already done so, I would recommend conducting a table top exercise. You will need your BCP and any other related documentation, key stakeholders (recovery management team members and/or senior managers), one hour and a scenario. Your scenario can be realistic (think fire or flood) or unrealistic (think terror attack). Keep in mind it’s often the events you least expect to occur that will end up happening. Also, the more unrealistic your scenario is, the more your BCP will be put to the test. Keep it informal, but also keep in mind it’s a test, so if you discover any gaps or missing pieces to your BCP, that’s a good thing. You don’t want to make these discoveries during a real event. Also, keep in mind writing your BCP is only the first step in your BCP program. You need to continually test it, update it, test it, update it….repeat.
Okay, so I jumped ahead and assumed you not only had a BCP, but you also had a reliable disaster recovery solution in place for your systems. If you don’t have either, then you are going to need more than just luck to ensure your business is recoverable after a disaster. Let’s assume you don’t have a BCP or DR solution in place. Don’t panic. I’ve listed some high-level steps below to get you started:
Develop a Team – Start by identifying a team of employees who will provide input into what needs to be recovered and when.
Conduct a Risk Assessment – Most risk assessment surveys focus on all of the different scenarios that can occur, but this list could be pages long. For a more effective approach, identify the impacts. For instance, your building is closed but operational or your building is destroyed or has no power, etc.
Perform a Business Impact Analysis – Identify what you are trying to protect (i.e., applications, data, processes, people, etc.).
Identify Recovery Strategies – Analyze the potential impacts of various scenarios to assess what you will need to recover from those situations. Take a look at what safeguards you currently have in place (i.e., employee call trees, alternate office location, alternate set of systems and data in another location, etc.) and list what you should have in place to identify any gaps.
Once you have finalized the information for the steps above, you can then use this to evaluate your current disaster recovery solution or create a new one. If the analysis is done correctly, it should clearly document what the needs are of your business and, once presented to your information technology team or the vendor that maintains your infrastructure, you are then ensuring everyone is on the same page (both the business and the technology).When all is said and done, this will help ensure you have a little more than luck on your side should a disaster occur.