80% of businesses without a well-structured recovery plan are forced to shut down within 12 months of a flood or fire – so if you don’t have a plan to deal with at least the most serious incidents, you could be risking your entire business. In this piece I will be looking at two key elements of any such plan, disaster recovery and business continuity, exploring their differences as well as the best ways to build both into your business.

What is business continuity?

Business Continuity (BC) is defined by ISO, the International Organization for Standardization, as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”.

What is disaster recovery?

Disaster Recovery (DR) is the way in which an organisation would retrieve key information and services after an unforeseen disaster. Any disaster recovery plan should include a set of policies and procedures to follow in order to get the affected parts of the business working again after a significant disruptive event.

What’s the difference?

Essentially, disaster recovery is a part of business continuity. For example, to enable business continuity you might need access to a very important database. Your DR plan would dictate how often backups of this database are taken, where they’re stored and how to restore this data in the event of a disaster, while your BC plan will communicate more generally how your business will remain operational following a failure or disaster.

Figure 1: disaster recovery is one element of business continuity

What does this mean for me?

First and foremost, it means that to safeguard the performance of your business you’ll need both a business continuity plan and a disaster recovery plan. One of the best ways to approach the creation of these is to perform a risk analysis on each of the services that you provide to your clients (whether internal or external). This can be done in a number of different ways, one of which is to use the formula:

Risk Value = Probability of Event × Cost of Event

For example, you might value your phone system at £500,000 a day, factoring in the cost of sales not taken (per day) if it were to fail, and set the probability of this happening at 1%. Using the above formula, and assuming that a new system could be ordered/installed and working within 24 hours, the risk value is £5,000. This figure can be used to inform the amount you spend to mitigate the event – so if an additional phone line/system only costs £2,000 a year, the conclusion might be drawn that doing this would be worth the cost when compared to the risk.
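The same calculation applied across a small risk register, as an added example that is not part of the original article. It goes one step further than the formula by comparing the risk before and after each mitigation, since a mitigation rarely removes a risk entirely. It assumes the probability is per year; every entry other than the phone system's £500,000, 1%, one day and £2,000, including all the "mitigated" figures, is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    service: str
    probability: float            # chance of the event per year (assumed period)
    cost_per_day: float           # loss per day of outage, GBP
    outage_days: float            # days until the service is working again
    mitigation_cost: float        # yearly cost of the mitigation, GBP
    mitigated_probability: float  # chance of the event with mitigation in place
    mitigated_outage_days: float  # outage length with mitigation in place


def risk_value(probability, cost_per_day, outage_days):
    # Risk Value = Probability of Event x Cost of Event,
    # where the cost of the event is the daily loss times the outage length.
    return probability * cost_per_day * outage_days


def assess(risk):
    before = risk_value(risk.probability, risk.cost_per_day, risk.outage_days)
    after = risk_value(risk.mitigated_probability, risk.cost_per_day,
                       risk.mitigated_outage_days)
    # The mitigation pays for itself only if the risk it removes exceeds its cost.
    net_benefit = (before - after) - risk.mitigation_cost
    return {
        "service": risk.service,
        "before": round(before, 2),
        "after": round(after, 2),
        "net_benefit": round(net_benefit, 2),
        "worthwhile": net_benefit > 0,
    }


# Constructed register: the first row uses the article's phone system figures.
REGISTER = [
    Risk("phone system", 0.01, 500_000, 1, 2_000, 0.001, 1),
    Risk("customer database", 0.02, 120_000, 3, 9_000, 0.02, 0.25),
    Risk("office printer", 0.10, 300, 2, 400, 0.05, 1),
]


def rank(register):
    # Highest net benefit first: where mitigation money is best spent.
    return sorted((assess(r) for r in register),
                  key=lambda a: a["net_benefit"], reverse=True)


if __name__ == "__main__":
    for row in rank(REGISTER):
        print(row)
```

In this constructed register the database carries a higher risk value than the phone system (£7,200 against £5,000), yet its mitigation is not cost-justified because it costs more than the risk it removes.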

While it might seem unnecessary to spend money on something that may never be used, it must be remembered that the cost of not doing anything and having to deal with a disaster later will always be higher. Consider, too, that if the disaster is likely to affect your whole area/industry, having a more robust plan than your competitors will increase your chance of surviving, helping you go on to thrive in an environment with less competition.

Figure 2: risk matrix

You should apply these assessments across all areas of the business, then use your findings to create a clear plan for handling any risks identified. Below is a simple 5-point checklist that should enable you to start putting this together – although do note that risks change, so this exercise should be repeated at regular intervals to be of most use.

5-point checklist for creating a Business Continuity/Disaster Recovery Plan

1. Analyse your business

  • What products/services are offered by your business?
  • What do clients expect in terms of deadlines/contracts?

2. Assess the risks that could affect your business

  • Flood/fire
  • Theft/break-in
  • Unable to gain access to building(s)
  • Illness (especially flu/contagious disease)

3. Develop your strategy

  • What actions are needed to prepare for/respond to the situations identified above?
  • Who needs to perform these actions?
  • Where/how should these actions be carried out?

4. Develop your plan

  • Ensure that the plan is well-written and distributed to any staff that may be involved in its implementation
  • Make department heads aware of their responsibilities

5. Test your plan

  • A plan is useless if it is never tested, so ensure this is done regularly, and especially when any key staff members leave the business
  • If your plan relies on any key suppliers, confirm that they will be able to cope in the situations you have identified (running a test exercise if necessary, for example)

What happens if I don’t have a BC/DR plan?

If you do not protect your business with a business continuity and disaster recovery plan, then when catastrophe does occur you won’t be prepared – leaving you with the worst of both worlds. Even simple precautions such as having a telephone list of staff/suppliers/clients could save huge amounts of time if you need to advise these people of a change of location due to fire/flood etc.

As mentioned at the start of this article, the statistics for businesses surviving without a business continuity and disaster recovery plan do not read well:

  • 80% of businesses suffering a major disaster go out of business within three years
  • 93% of companies that lost their data centre for 10 days or more filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management filed for bankruptcy immediately.
  • 34% of companies that use tape drives to back up their data fail to test these systems, and of those that do, 77% have found instances of failure

There are also high-profile cases of organisations that have suffered due to the lack of an adequate BC/DR plan. For example, 123-reg made the news last month when it accidentally deleted a number of servers. They admitted that: “Unfortunately, there have been a small number of incidences where we may not be able to restore a customer’s data.” Losing your own data is bad enough, but if you are also responsible for your clients’ data then you should make sure you are fully aware of all the potential risks, and plan appropriately for them.

Conclusion

Hopefully reading this article has started to get you thinking (if you weren’t already) about business continuity and disaster recovery. You tend to only hear stories about these areas of IT when there has been poor or no planning (and disastrous consequences as a result), but an effective BC/DR strategy doesn’t have to be cumbersome or expensive. It could be something as simple as having a list of contact numbers for staff, or asking staff to take their laptops home each night. Imagine not having this in place if your office (and surrounding area) floods, for example.

Every part of your business needs BC and DR built in, particularly any cloud infrastructure that relies on newer technology than your existing/previous infrastructure. For example, when your cloud-based services were set up, was full consideration given to how those services and their data would be restored? Remember, not having access to the physical hardware behind this infrastructure brings its own set of challenges (and if you want to find out more about this aspect of BC/DR, get in touch – Box UK is both an official AWS and Microsoft Partner, so we’re highly familiar with the full stack of cloud solutions that both offer).

And finally, don’t ever forget that business continuity and disaster recovery aren’t just the responsibility of the IT team/department. If the IT team are unaware of how the finance team are using their accounting software or where this information is kept, for example, they are not going to be able to ensure that it is backed up and able to be easily restored if needed. Everybody, therefore, has a role to play in ensuring that the business can survive any catastrophe – from human error to natural disaster.

About the Author

Alistair Gibbs

IT Manager Alistair has been working in the industry for the past decade both in the UK and Europe, supporting internal and external clients in various roles. Operating within a fast-paced environment, Alistair is experienced in numerous technologies such as Amazon Web Services, Windows Servers, Switching, Firewalls, Desktops, and everything in between.