80% of businesses without a well-structured recovery plan are forced to shut down within 12 months of a flood or fire – so if you don’t have a plan to deal with at least the most major incidents, you could be risking your entire business. In this piece I will be looking at two key elements of any such plan, disaster recovery and business continuity, exploring their differences as well as the best ways to build both into your business.
Business Continuity (BC) is defined by ISO, the International Organization for Standardization, as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”.
Disaster Recovery (DR) is the way in which an organisation would retrieve key information and services after an unforeseen disaster. Any disaster recovery plan should include a set of policies and procedures to follow in order to get the affected parts of the business working again after a significant disruptive event.
Essentially, disaster recovery is a part of business continuity. For example, to enable business continuity you might need access to a very important database. Your DR plan would dictate how often backups of this database are taken, where they’re stored and how to restore this data in the event of a disaster, while your BC plan will communicate more generally how your business will remain operational following a failure or disaster.
Figure 1: disaster recovery is one element of business continuity
First and foremost, to safeguard the performance of your business, you’ll need both a business continuity and a disaster recovery plan. One of the best ways to approach the creation of these is to perform a risk analysis on each of the services that you provide to your clients (whether internal or external). This is something that can be done in a number of different ways, one of which is to use the formula:
For example, you might value your phone system at £500,000 a day, factoring in the cost of sales not taken (per day) if it were to fail, and set the probability of this happening at 1%. Using the above formula, and assuming that a new system could be ordered/installed and working within 24 hours, the risk value is £5,000. This figure can be used to inform the amount you spend to mitigate the event – so if an additional phone line/system only costs £2,000 a year, the conclusion might be drawn that doing this would be worth the cost when compared to the risk.
While it might seem unnecessary to spend money on something that may never be used, it must be remembered that the cost of not doing anything and having to deal with a disaster later will always be higher. Consider, too, that if the disaster is likely to affect your whole area/industry, having a more robust plan than your competitors will increase your chance of surviving, helping you go on to thrive in an environment with less competition.
Figure 2: risk matrix
You should apply these assessments across all areas of the business, then use your findings to create a clear plan for handling any risks identified. Below is a simple 5-point checklist that should enable you to start putting this together – although do note that risks change, so this exercise should be repeated at regular intervals to be of most use.
If you do not protect your business with a business continuity and disaster recovery plan, then when catastrophe does occur you won’t be prepared – leaving you with the worst of both worlds. Even simple precautions such as having a telephone list of staff/suppliers/clients could save huge amounts of time if you need to advise these people of a change of location due to fire/flood etc.
As mentioned at the start of this article, the statistics for businesses surviving without a business continuity and disaster recovery plan do not read well:
There are also high-profile cases of organisations that have suffered due to the lack of an adequate BC/DR plan. For example, 123-reg made the news last month when it accidentally deleted a number of servers. They admitted that: “Unfortunately, there have been a small number of incidences where we may not be able to restore a customer’s data.” Losing your own data is bad enough, but if you are also responsible for your clients’ data then you should make sure you are fully aware of all the potential risks, and plan appropriately for them.
Hopefully reading this article has started to get you thinking (if you weren’t already) about business continuity and disaster recovery. You tend to only hear stories about these areas of IT when there has been poor or no planning (and disastrous consequences as a result), but an effective BC/DR strategy doesn’t have to be cumbersome or expensive. It could be something as simple as having a list of contact numbers for staff, or asking staff to take their laptops home each night. Imagine not having this in place if your office (and surrounding area) floods, for example.
Every part of your business needs BC and DR built in, particularly any cloud infrastructure that relies on newer technology than your existing/previous infrastructure. For example, was full consideration given during set-up to how your cloud-based services/data will be restored? Remember, not having access to the physical hardware behind this infrastructure brings its own set of challenges (and if you want to find out more about this aspect of BC/DR, get in touch – Box UK is both an official AWS and Microsoft Partner, so we’re highly familiar with the full stack of cloud solutions that both offer).
And finally, don’t ever forget that business continuity and disaster recovery aren’t just the responsibility of the IT team/department. If the IT team are unaware of how the finance team are using their accounting software or where this information is kept, for example, they are not going to be able to ensure that it is backed up and able to be easily restored if needed. Everybody, therefore, has a role to play in ensuring that the business can survive any catastrophe – from human error to natural disaster.