Having an IT disaster recovery plan in place is not enough to ensure business continuity, warns Aptronics Service Manager, Keith Newnham. He gives tips on how to build a Business Continuity Plan (BCP) that works.
No large business would be caught dead without a strategy in place to counter the effects of IT downtime. The catch is that for businesses to assume that IT disaster recovery equals business continuity and that because they have some elements of IT disaster recovery planning (DRP) in place, they’re immune to disruptions.
The classic scenario is for a company to request their IT department to come up with a plan that allows for service availability, often undefined or vague in terms of the when, where and how, of IT-critical systems in the event of an outage. Without a roadmap of exactly what counts as a business-critical process, IT typically then arrive at an all-encompassing, costly and often over-engineered plan that treats all systems as equally critical.
Another part of the problem comes from the perception of what business recovery is. If you fall into the bracket that sees it as a function that falls under the domain of the IT department, overlooking the fact that ‘offline’ doesn’t necessarily only stem from IT disruptions, you might be heading for a shock. Disruptions to business operations could mean anything from power problems to strike action or running out of money due to a run on the stock market.
Keep in mind also that it doesn’t matter how good your IT systems are if you don’t have the means to access them.
The unfortunate reality is that business continuity plans that are not driven by strategic business requirements come up short when it’s time to perform. Developing a thorough and integrated strategy can be a challenge; this applies across the board from large multinationals, enterprise-level businesses through to SME’s. It’s important to follow these key steps:
Enter at executive level
The first step that any business needs to take before embarking on or reviewing their business continuity strategy is identifying core critical processes and the time that the business can function without them. This assessment, which should including mapping dependant service providers to them, can only take place when driven through executive and senior business management or preferably business process owners. By establishing how critical each process is, businesses can determine how thorough their recovery needs to be in each area and hence look realistically at costs.
Unpack your processes and systems
Once your business has created a basic skeleton of what its recovery plan looks like, it’s time to identify what dependencies and facilities go into each critical process requires. Keep in mind that a business process will have internal and external service providers and dependencies
The list might surprise you and will certainly extend beyond IT. Identify and involving all dependant services is key to an effective recovery strategy.
Get in control
A key element of recovery is an effective command and control structure, keep in mind that the normal channels of communication might simply not be available- we are all too accustomed to picking up a phone and being connected, it might not be possible. Without a centralised command centre and a means of enforcing tasks, you will end up with a group of disassociated people and departments all doing their own thing and creating more disaster in the process.
Make sure you can get back on track
Putting in place the means to keep working through disruptions is only half the battle won. A complete recovery plan must support overall business continuity by allowing for a managed return to full operational efficiency once the event that triggered the plans has been resolved.
Test, test and test again
All recovery plans, be they the IT DRP or elements of the BCP or a combination of both need to enter into a cycle of continuous improvement through testing and maintenance. There are various forms of tests you can apply depending on how complex the process is and your own auditing requirements. These range from table-top tests all the way through to controlled and unannounced simulations. Only by regularly testing all aspects of a recovery plan’s efficacy can businesses identify gaps and overlooked requirements or scenarios.
Ultimately, an effective recovery plan needs to support and feed into a company’s overall business continuity requirements. Ensuring your company’s resilience when disaster strikes calls for more than just ticking all the boxes.