If technology is the foundation of your business, you have to ensure it’s running all the time. That’s why a viable business continuity plan is a corporate necessity, not an amenity. Not only does a business continuity plan act like insurance, it enables your business to recover quickly after a cybersecurity incident, power outage, or other unforeseeable event.
According to Gartner Inc., the average cost of IT downtime is $5,600 per minute, which translates to between $140,000 and $540,000 per hour for the business.
Moreover, a growing number of government and industry regulators mandate that businesses put viable recovery plans in place. In financial services, the Financial Industry Regulatory Authority, Inc. (FINRA) Rule 4370 explicitly states that enterprises need to create comprehensive recovery plans.
A business continuity plan enables organizations to proactively manage risks stemming from an outage, rather than simply reacting to it. Let’s take a closer look at what a business continuity plan is, the elements it includes, and what steps you should follow when developing one.
Key Business Continuity Terms
There are many misconceptions about what a business continuity plan is. It’s not simply a disaster recovery plan. With a disaster recovery plan, the goal is to get your systems up and running. The business continuity plan (BCP) is a broader plan and includes specific steps, such as helping individuals move to temporary desks, so they can resume working.
Business continuity introduces a new nomenclature, such as terms focused on how much downtime a company can withstand before it must get moving again. A few of the key terms include:
Business Impact Analysis (BIA) differentiates critical and non-critical organizational functions in your business. Critical functions have a direct impact on the business, such as a warehouse system that moves product. Non-critical applications simply support the business, such as running a social media advertising campaign.
Recovery Time Objective (RTO) is the acceptable delay before restoring a function. While no department desires to be offline, some downtime problems are more impactful to the overall business than others.
Recovery Point Objective (RPO) is the point in time to which data must be restored after an incident; in practice it defines how much recent data the company can afford to lose. While managers would like all data to be saved continuously, the cost of such a design becomes prohibitive. Consequently, organizations make tradeoffs when determining how often to back up information.
Creating a Business Continuity Plan
Building a BCP is a process that takes time and effort and includes multiple steps, as the complexity of your business must be reflected in your plan. Here are steps to building an effective business continuity plan:
- Assess Your Organization: Begin by creating a BIA to identify the structure of your organization, how it runs, which services are needed, and what technical devices support those services and how they support them.
- Document Key Elements: Conduct an internal audit to determine which systems the business relies on. You’ll need up-to-date information about:
  - Team Members
  - Central Computers
  - User Devices
  - Remote Devices
  - Network Connections
  - Data (Electronic and Physical)
  - Unified Communications Solutions
  - Supply Chain/Third Party Vendors and Key Contacts
  - Office Furniture
- Identify Mission Critical Systems and Data: Businesses can have hundreds of applications supporting various functions. Sometimes, departments deploy applications that neither top executives nor IT realize are running. Compile a list of all applications used in the organization and determine the value and risks of each one.
- Determine Acceptable Downtime for Key Business Areas: Correlate equipment, business processes, and personnel to their potential impact on the organization. While all employees and tasks have value, certain functions have a more significant impact on the bottom line than others. Make sure you know the RTO and RPO of your backups to ensure they align with your expectations.
- Develop Plans to Restart Critical Systems/Processes and Restore Data: This area is the red meat of the BCP. You need to determine how to duplicate your workplace in another location. The plan must be realistic: if all user systems are lost due to a hurricane, a lag will occur while the new systems are delivered and installed.
- Form a Crisis Team: If a task is not assigned to a person, chances are good that it will not get done. Consequently, a company needs to start by assigning employees to a crisis management team.
- Establish Clear Reporting Processes: In the event of a business disruption, employees need to know who is responsible for what. A chain of command and concrete responsibilities needs to be outlined so everyone knows how—as well as when—the systems will be brought back.
- Identify Alternate Communication Methods: The company needs to communicate not only internally but also with key customers, partners, and stakeholders. The enterprise needs to be sure that employees have access to the communication lines needed to reach outsiders.
- Create a Business Continuity Checklist: The devil is in the details. It’s easy to assume that certain items needed to complete work, such as electricity, will automatically be available, but a strong BCP makes no assumptions. It accounts for all potential needs, including:
  - Location of Business Continuity Plan
  - Location of data backups/backup
  - A list of providers/key contacts
- Update the Plan Annually and Perform Table-Top Exercises: Businesses are dynamic and change is a constant. Consequently, companies need to do more than create a BCP; they need to test it and update it regularly.
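The "know the RTO and RPO of your backups" step above is easy to state and easy to get wrong: a daily backup cannot meet a one-hour RPO, and a restore that has never been timed cannot be trusted to meet an RTO. The following check, added here as an illustration and not part of the original article, compares a constructed system inventory (hypothetical names and figures) against its BIA-derived targets and flags the gaps a table-top exercise should surface.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time so the check is deterministic (an assumption, not a real outage).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

@dataclass
class System:
    name: str
    critical: bool                # classification from the BIA
    rpo: timedelta                # maximum tolerable data loss
    rto: timedelta                # maximum tolerable downtime
    backup_interval: timedelta    # scheduled backup frequency
    last_backup: datetime         # most recent *successful* backup
    measured_restore: timedelta   # duration of the last restore test

def worst_case_data_loss(s: System, now: datetime) -> timedelta:
    # A failure just before the next scheduled run loses one full interval; if
    # backups are already overdue, everything since the last success is exposed.
    return max(s.backup_interval, now - s.last_backup)

def check_system(s: System, now: datetime) -> list[str]:
    """Compare what the backups actually deliver against the RPO/RTO targets."""
    findings = []
    loss = worst_case_data_loss(s, now)
    if loss > s.rpo:
        findings.append(f"RPO gap: worst-case loss {loss} exceeds target {s.rpo}")
    if s.measured_restore > s.rto:
        findings.append(f"RTO gap: measured restore {s.measured_restore} exceeds {s.rto}")
    if now - s.last_backup > 2 * s.backup_interval:
        findings.append(f"backups overdue: last success {now - s.last_backup} ago")
    return findings

def review(systems: list[System], now: datetime) -> dict[str, list[str]]:
    """Critical systems first, so the worst exposure is at the top of the report."""
    ordered = sorted(systems, key=lambda s: not s.critical)
    return {s.name: check_system(s, now) for s in ordered}

# Constructed inventory (hypothetical systems, not from the article).
INVENTORY = [
    System("warehouse-wms", True, timedelta(minutes=15), timedelta(hours=1),
           timedelta(minutes=15), NOW - timedelta(minutes=10), timedelta(minutes=45)),
    System("finance-db", True, timedelta(hours=1), timedelta(hours=4),
           timedelta(hours=24), NOW - timedelta(hours=3), timedelta(hours=6)),
    System("social-campaign-tool", False, timedelta(days=7), timedelta(days=3),
           timedelta(days=1), NOW - timedelta(days=5), timedelta(hours=2)),
]

if __name__ == "__main__":
    for name, findings in review(INVENTORY, NOW).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the sample data the warehouse system passes, the finance database fails both targets because a nightly backup and a six-hour restore cannot satisfy a one-hour RPO and four-hour RTO, and the non-critical tool is within tolerance but its backups have silently stopped.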
Sooner or later, all companies will experience an outage. How much that outage impacts the enterprise depends on the legwork that you put in before the event. If you act proactively, clearly communicate to employees what needs to be done, and simulate the problem, you will limit the potential damage.