Growing numbers of organisations in the private and public sectors have business continuity and disaster recovery plans in place to ensure organisational resilience in the face of disaster. A few organisations fully understand what events should trigger the invocation of that plan, and what issues should be considered, says Wayde Anderson, Customer Manager at ContinuitySA.
“For a business continuity plan to be effective, it needs to be put into operation—or invoked—timeously. Too early or too late can reduce its efficacy,” Anderson explains. “Five triggers should prompt serious thought on whether the plan should be invoked.”
These triggers are:
• Power outages. While most businesses today use uninterruptable power supplies and generators when the power outages occur, these measures themselves can fail.
• ICT infrastructure failure. Business is largely dependent on its IT and telecommunications systems. Failure of either will impair the company’s ability to trade.
• Strike or mass action. Increasingly violent strikes and other forms of mass action are regrettable features of South African life at present. Such incidents frequently prevent employees from getting to work.
• Fire. Whether the fire affects the whole site or just part of it, fire is likely to disrupt normal business operations for a time.
• Water damage: Natural disasters or plumbing failures alike can compromise the use of a company’s premises.
These triggers should prompt a discussion about whether to invoke the business continuity plan, or whether to continue restoring normal operations onsite. This decision will have to be taken using the limited information available just after the disruption has taken place.
A key input will be the pre-determined Recovery Time Objectives for each of the critical service levels within business processes. Another factor will be the Maximum Tolerable Period of Disruption, which will indicate the margin by which the recovery time objective can be exceeded.
Key decision points to consider when deciding to invoke include:
• What is the estimated time required to restore onsite and does this breach your Recovery Time Objective?
• What are the service-level agreements in place with critical suppliers? Have these been reviewed and tested? ISP, voice and network infrastructure providers, logistical suppliers, software management suppliers like SAP or payroll systems as well as those further down your supply chain.
• When the recovery time is uncertain, what is the point in time by which the decision must be made to invoke the business continuity plan if the disruption cannot be resolved within Recovery Point Objective timelines?
• Has the disruption occurred at a critical time of the month or year, and what is the worst case scenario?
• How long does it take to have the disaster recovery site ready to continue working?
• What are the recovery priorities and are they based on achievable recovery times?
Anderson says “As a post incident review, re-assess the design of the organisation’s recovery strategies and solutions, as they may hold some inherent risk which may not have been considered at the time of implementation”
“Having an effective, meaning a validated business continuity plan is critical, but knowing when to invoke it is equally important,” Anderson concludes.