For some inexplicable reason, since the start of the 21st century, the term business continuity started being used interchangeably with disaster recovery. This is a problem. Disaster recovery does not guarantee business continuity. Business continuity is about ensuring that strategic business objectives continue to be met even when faced with an unforeseen risk. Based on that answer, what is the business willing to invest to mitigate that risk? What we are seeing instead is the view that technology will solve all of our business continuity problems.
This means that business units can be left with a false sense of security and the belief that the IT department’s disaster recovery plan will get them back up and running if any sort of disaster is realized. The truth is that disaster recovery is only one component that falls under business continuity. It also happens to be a component that requires a substantial investment from the business to align the criticality of the business processes of every business unit within the enterprise.
When we think of invoking a business continuity plan, we think of reasons such as fire or a flood. But in reality, a large number of business continuity plans are invoked due to the loss of personnel who took with them key information on how to complete mission-critical business processes. In preparation for any sort of business disruption, there are a number of deliverables that every organization should complete. Here are five of the most critical.
Business continuity is the process of proactively ensuring that all mission-critical processes within a business can continue regardless of any risk that is realized. To have an effective business continuity plan, it is necessary to document all processes that are required to run the business and to then evaluate which of the processes are mission-critical.
The positive fallout from this process is that quite often, when this exercise is undertaken, numerous business processes are identified that are no longer relevant to the business. These processes can often be eliminated with no impact to productivity and their removal also results in a positive savings to the bottom line. In business, we often continue to do things because “they have always been done that way,” even though there is no logic as to why the process is still in place.
Each business unit needs to identify how long it can survive should the resources it currently uses to complete each task be removed from the equation. For example, let’s take a key function of finance — generating the payroll. We do not know when a risk will be realized. At best, it will happen the day after payday and there will be a certain amount of time to ensure the next payroll can be generated. But what if a disaster occurs the moment before the payroll file is generated? What is the contingency plan to ensure that employees are paid on time? Smaller companies may have the ability to manually write checks and physically hand them to employees. Large organizations may choose to invest in a SaaS payroll service that has 100 percent failover capabilities. Failover means that should an event occur that prevents access to technology, the system will automatically fail over to another site with an exact mirror image of the software. The result is that payroll can be completed with no downtime.
Here is the issue. Many companies assume that IT has the ability to get them up and running immediately. However, if the business has not identified, via an accurate and up-to-date business continuity plan, that the task at hand is mission-critical and has not invested in the cost of failover capability, there could very well be a substantial delay to get back up and running.
The business continuity plan must identify the timeline that each documented process can be unavailable without impacting the strategic objectives of the business.
A disaster recovery plan is very technology-focused. How do we get our technology back up and running if for some reason our technology infrastructure becomes damaged or destroyed or in some way unusable? Somehow, we need to ensure the continuation of our vital technology infrastructure.
The disaster recovery plan also requires a conscious cost/benefit assessment. In other words, where do we land on the continuum of recovery time? If our technology infrastructure fails, can we do without it for one day? One week? One month? The answer to that question will dictate the investment that must be made. Many large organizations depend solely on backup and recovery strategies. If there is a failure, a backup copy of the software and data is retrieved and installed onto new or existing hardware. This is not a fast process, although thanks to new innovations in backup technology, the process has been substantially improved. This strategy is also very cost-effective.
The thing is, the business must understand that if it needs to be back up and running within, let’s say, one day, the backup and recovery strategy most likely will not meet its needs. There are often issues with recovered data, and testing is a crucial piece of this puzzle. Restoring a backup and assuming it will be immediately usable is a mistake. Quality assurance and testing are absolutely critical.
Do not assume that your service providers have failover capability. When contracts are signed, the procurement process should include an in-depth exercise to ensure the contract T’s and C’s are in direct alignment to the corporate business continuity plan. I have personally never seen a contract that does not include a force majeure clause. A force majeure clause basically frees both parties from any liability in the case of an event that is beyond the control of either party. Subjective? Yes. Scrutinize your contracts carefully and be fully aware of the potential risks. Your providers may have less accountability than you think — especially in this age of the coronavirus pandemic.
When there is an emergency, emotions run high. We need to know who we call in the case of a major risk being realized. An accurate and up-to-the-minute list of contact names and phone numbers needs to be readily available and all employees must be able to access the list quickly. Sorry to say it, but hard copies of the list need to be available in case access to systems is not readily available.
This may seem like a weird statement, but the list needs to be tested. The individuals listed need to be available and the phone numbers need to be accurate. If named stakeholders are not available during a test run, don’t think they will miraculously be available when an actual event occurs.
Having lived through what one can only hope to be the worst part of the coronavirus pandemic, we are left with a false sense of security that our businesses have handled business continuity just fine. In reality, all that we know is that some of us were able to function when working from home. Buildings were not destroyed. In fact, most of us were still allowed to enter buildings when necessary. No technology infrastructure was destroyed. Our service providers are still in business. This was not an effective test of our business continuity plan. But it might be the wake-up call that we all need to ensure that we work toward putting an effective business continuity plan in place.