Business continuity planning is often thought to be the domain of very large enterprises, like large financial institutions, who need to continue trading even in the event of a major global disaster. However, small companies, especially ones without dedicated IT staff, are often the most vulnerable to loss of productivity due to seemingly minor upheavals, such as weather-related staff shortages. For example, according to the UK Federation of Small Businesses, a heavy snowfall could translate into an estimated 1.2 billion pounds lost in a day because of travel disruptions, with one-fifth of the UK workforce unable to make it into work.
1. Maintain an accurate systems inventory
When a disaster of whatever nature strikes, chances are that most of the staff normally required to support IT systems will be unable to make it to the office, and minor issues may have to be put on hold to concentrate on the most pressing problems. To help with prioritisation of issues, ensure that you have an up-to-date inventory of all IT systems and applications, including the level of business criticality, based on input from all key stakeholders, including members of the business, end users and even customers. Ensure that your inventory also includes the locations of servers and systems, key support contacts, and upstream / downstream dependencies. This inventory will help you in the heat of the moment when disaster strikes, allowing the IT team to focus efforts on what's really important.
2. Understand the risks of each company site
Use your systems inventory to determine potential areas of vulnerability. Ideally, by the end of this analysis, you will have a contingency plan for every high- and medium-priority IT system in your organization.
How safe is each of your sites?
Do you have servers in different office or data center locations? What are the risks associated with those locations? You may have a comms room located in a flood plain, or an office in a city center which is vulnerable to terrorist attacks. Take the risks of each site into account in your plans by identifying any contingency systems you already have in place and, if possible, building new contingency systems in areas where they do not already exist.
Or do you have a single point of failure?
On the other hand, if you do not have servers in various locations, and have everything in one place, you must plan for the loss of this single point of failure. For example, what would you do if there was a complete loss of power to your primary site?
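As an added illustration (not part of the original article), the inventory from step 1 can be kept as structured data and queried for the questions in step 2: which high- and medium-priority systems live at a single site, what is lost with a given site once upstream dependencies are followed, and in what order to restore. The system names, sites and contacts below are constructed sample data.

```python
from graphlib import TopologicalSorter  # Python 3.9+

RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory: system names, sites and contacts are illustrative.
INVENTORY = {
    "dns":         {"criticality": "high",   "sites": ["head-office"],
                    "contact": "it-support", "depends_on": []},
    "vpn":         {"criticality": "high",   "sites": ["head-office"],
                    "contact": "it-support", "depends_on": ["dns"]},
    "file-server": {"criticality": "high",   "sites": ["head-office", "dr-site"],
                    "contact": "it-support", "depends_on": ["dns"]},
    "accounts":    {"criticality": "medium", "sites": ["head-office"],
                    "contact": "finance-lead", "depends_on": ["file-server"]},
    "intranet":    {"criticality": "low",    "sites": ["dr-site"],
                    "contact": "it-support", "depends_on": ["file-server"]},
}

def single_site_systems(inv):
    """High- and medium-priority systems hosted at exactly one site."""
    return sorted(s for s, r in inv.items()
                  if r["criticality"] in ("high", "medium") and len(r["sites"]) == 1)

def site_impact(inv, lost_site):
    """Systems unavailable if lost_site is lost, following upstream dependencies."""
    down = {s for s, r in inv.items() if set(r["sites"]) <= {lost_site}}
    changed = True
    while changed:
        changed = False
        for s, r in inv.items():
            if s not in down and any(d in down for d in r["depends_on"]):
                down.add(s)
                changed = True
    return sorted(down)

def recovery_order(inv, affected):
    """Restore dependencies first; within each ready batch, most critical first."""
    affected = set(affected)
    ts = TopologicalSorter(
        {s: [d for d in inv[s]["depends_on"] if d in affected] for s in affected})
    ts.prepare()
    order = []
    while ts.is_active():
        ready = sorted(ts.get_ready(), key=lambda s: (RANK[inv[s]["criticality"]], s))
        order.extend(ready)
        ts.done(*ready)
    return order

if __name__ == "__main__":
    lost = site_impact(INVENTORY, "head-office")
    print("single-site:", single_site_systems(INVENTORY))
    print("lost with head-office:", lost)
    print("recovery order:", recovery_order(INVENTORY, lost))
```

In this sample the file server is replicated to a second site but still goes down with the head office, because the DNS service it depends on is not; dependencies recorded in the inventory expose that kind of hidden single point of failure.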
3. Create a business case for disaster recovery planning
Consider the impact of your last major outage or loss of productivity, be it from a Tube strike, major snow storm or power cut. What was the impact in terms of tangible sales, loss of business opportunity or damage to the company reputation? Apart from the loss of tangible sales, these can be difficult to quantify, but a good estimate can provide a compelling argument for increasing the budget for disaster recovery planning.
4. Provide staff with remote working facilities
Remote working is now more feasible than ever, especially with advances in technology such as VPN connectivity in larger organizations or cloud computing for small and medium businesses. Develop a remote working policy for your company that incorporates flexibility through modern technology (such as 3G wireless cards for laptops) and offers security and control (through token access or other security measures). Cloud computing services can offer an excellent all-in-one solution for anytime, anywhere access.
Providing staff with the means to work from home as part of a corporate Flexible Working Policy (for when transport causes chaos or unexpected child care duties get in the way) can be an invaluable way to increase morale and productivity. Besides forming a cornerstone of your flexible working policy, permitting staff to work from home on a regular basis allows remote-access technology to be regularly tested, increasing the chances that any issues with connectivity or technology infrastructure will be ironed out before there's a real disaster.
5. Identify key roles and cross-train
It's likely that only a skeleton crew will be available in the event of a real disaster. Rather than identifying just the key people required to keep the business going, build an inventory of the key roles needed to perform any recovery scenario. Take the time to cross-train a number of individuals to perform these duties, highlighting in particular any duties which absolutely must be performed on-site. Document all procedures, making sure they are updated in line with changes to the systems.
6. Conduct due diligence on your vendors
Even if your company's business continuity planning is comprehensive and thorough, it can all fall apart if your mission-critical systems have dependencies on vendors who have not planned adequately for disaster recovery. Ensure that you have the conversation with each of your vendors, requesting information on their business continuity plans in detail, along with any contractual provisions that they may make for compensation should they break their service levels.
7. Test your disaster recovery plan at least once a year
Finally, once your systems are inventoried and prioritized with a recovery plan for each and a number of staff cross-trained for the recovery procedures, ensure that you actually perform a test of the entire process at least once a year. Although it's resource-intensive and time-consuming, it will allow any issues to surface with remote connectivity, system interdependence and documentation. It will also give you an estimate of how long it will take your business to recover from a major disaster, providing valuable information to your customers, shareholders and, increasingly, external regulators.
Amanda Dahl, Director at AWIC Technical Advisory