A Disaster Recovery Plan is essential to any business. In the past few weeks we have seen the devastating effects that flooding can have on a business – Storm Dennis hit more than 1,000 homes and businesses in Rhondda Cynon Taf alone after heavy rain last week.
From devastating floods to growing cyber threats, power outages, hardware failure or human error, there’s a lot that can go wrong in your organisation, much of which is out of your control.
Regardless of the cause, downtime is expensive. Sungard AS’s research found that the average cost to a business of unplanned downtime was just over £1.4m. It also found as many as 70% of managers believe they need to spend more on business continuity. But no amount of spending will be effective unless it is backed by an effective plan. We outline 5 steps you can take towards developing a robust business continuity plan should the worst happen to you.
Tip 1: Always be prepared: Business risk analysis
This may seem obvious, but you would be surprised how many organisations do not conduct an in-depth risk analysis of their business. The first stage in any disaster recovery project should be to assess the risks facing the organisation. Managers should link risk assessments to a business impact analysis. It is only by looking at risk and impact together that a director can scale your organisation’s priorities and decide on the type of protection measures needed.
Some risks will be so great, and the impact so high, that only a formalised business continuity plan will reduce them. For others, a staged recovery plan might be acceptable.
One example is planning for cyber threats, where businesses have invested in: perimeter security to ensure continuity; a backup and recovery plan to protect data, including against malware; and cyber insurance to cover the most serious incidents. ITCS provide a free IT Security Audit so that you can assess the risks facing your business.
But a really robust disaster recovery plan goes further, and considers threats ranging from disrupted access to buildings – which can be caused by something as mundane as a burst water main – to disruption to staffing from public transport problems or weather disasters.
You should also consider supply chain risks. A supplier is likely to have its own business continuity arrangements, but its priorities and recovery objectives might not align with your own.
You can’t protect against every possible threat, but the key is to have the most comprehensive picture possible of the risks facing the business and an understanding of their likelihood, how deeply they affect the business, and how long it would take to recover from them.
Tip 2: Break down IT Risks
IT failures remain a significant source of outages for businesses. Industry analyst IDC calculates that half of organisations would not survive an outage that takes down their central IT systems “for an extended time”. But it is not easy to predict which parts of a system could fail, and the impact of the failure.
Directors need to adopt a similar approach to IT risks as they do to environmental, human or infrastructure risks. Experts should examine the likelihood of failure across all components of core systems, whether these are on-premise, outsourced or in the cloud.
IT teams should not just look at hardware, but at the risks posed by data loss and data corruption, including through cyber attacks or malware, and of application unavailability. They should then be able to rank systems in terms of how critical they are and how easily they can be restored or recovered.
Tip 3: Set recovery objectives
Your IT System audit will, in turn, set the key objectives for your Disaster Recovery Plan. This includes an understanding of acceptable periods of downtime, and their cost – something that can only be calculated in discussion with the business.
The disaster recovery plan is likely to consist of resilience, availability and business continuity measures, along with backup and recovery strategies and a degree of managed failure.
This might include contingency plans, such as staff working from home using cloud-based applications and mobile phones, through to access to high-end business continuity locations. Fortunately, cloud-to-cloud backup of application data and backup of on-premise data to the cloud are both helping businesses of all sizes to become more resilient.
Tip 4: Set your response strategy
Disaster recovery is the archetypal “people, process and technology” challenge. Unless the outage is brief enough to get by on cloud-based services and through remote working, the business will need to consider alternative working locations and how to move staff and technology there.
If the outage affects a data-centre and systems fail-over to a secondary site, IT will need to work to restore the primary location or find a new one, as well as ensure that the now single fail-over site is backed up too.
The main way to contain a disaster, and to ensure effective recovery, is to maintain good communications. The business should, in advance, appoint a person to lead the disaster response. This person does not have to be the person who wrote the DR plan, but does need to be familiar with it.
The disaster response team should include experts from outside IT, including HR, as well as representatives from business operations. Crucially, the team should have a way to communicate in an emergency and, ideally, take part in any DR exercises.
Tip 5: Test the DRS Plan
Testing your disaster recovery or business continuity plan through an exercise can be disruptive, but it is necessary. A DRS exercise will show whether the plan needs to be reviewed or updated.
It is only by testing that a firm will know whether the plan works, and whether it is resilient enough to perform under pressure. Simulation, and testing the communications systems, is the best way to expose any weaknesses. Teams can then feed insights gained from the testing phase back into the risk assessment and business impact analysis, fine-tuning the plan as they go.
The unfortunate reality is that it is impossible to prevent every business risk, and that no matter how much you prepare, there are still risks. However, being proactive now also means you and your business will be better able to react rapidly and intelligently when something does happen.
For more information, guidance, and support on making sure your infrastructure is as secure as possible, get in touch with one of our engineers.