Learn How to Think ‘Big Picture’ When Crafting an Effective Business Continuity Plan

Ensuring access to mission-critical applications and data following a disaster is critical. However, business continuity and disaster preparedness are about much more than that. In order to be certain that your business can recover following a disaster, you need to think “big picture”.

In this in-depth article, we cover practical information on four distinct but interconnected aspects of effective business continuity and disaster recovery planning:

1. Employee safety and communications
2. Customer communications
3. IT disaster recovery and business continuity
4. Continuity of operations

Let’s get started.

(1) Employee Safety and Communications

Communication during and following an emergency presents a variety of challenges. Hence, crafting an employee safety and communication plan that works is absolutely essential.

The specifics will vary widely from company to company, but your emergency safety and communication plan must address the following:

• How will the company ensure employees are safe during a disaster event?
• How it will communicate essential information to employees after the event?

The first part will depend heavily on the nature of your business. Safety planning for a manufacturing facility will obviously be very different than for a small real estate office. Because of this, it’s very difficult to provide specific best practices. However, the key is to match your safety plan to the specific needs of your organization.

For the second part, you will need to first gather a variety of information and make sure that it is well documented, easily accessible, and stored in a number of secure locations. This should include up-to-date employee contact information (such as email, cell phone, home telephone numbers, spouse contact information, etc.). It should also include a methodology for contacting employees.

Effective Employee Communication

Obviously, email is the easiest way to reach a large group of employees, but if your company’s email server is down, you are out of luck. Some businesses employ redundant Exchange servers or cloud-based services to ensure email access. Of course, if you are without internet access entirely, you’ll need an alternative.

A call tree sometimes referred to as a phone tree, call list, phone chain, or text chain, is another popular method for distributing important information to employees during and following an event. Here’s how it works:

A predetermined employee initiates the call chain with a call to the next person on the chain. That employee contacts the next person on the list and the chain continues until everyone on the call tree has been reached. Other companies may automate emergency calls with purpose-built communications software/services.

Regardless of the methods you use to distribute information to your employees, your emergency communications plan should provide enough detail that it can be carried out if the plan’s creator is not available following the event (e.g., due to injury). Your plan should also be flexible enough to accommodate for a variety of potential emergency situations.

The response to a fire in your office will be very different from an imminent threat of riots and looting, for example. Emergency communications should be brief and as accurate as possible. Depending on the structure of your organization, you may want to keep managers updated, allowing them to pass on information to direct reports on a “need-to-know” basis. Again, the specifics of the disaster will dictate the correct approach.

Related:

Popular Causes of Data Loss (And How to Prevent It)

Finally, it is essential to test and update the communications plan periodically. Testing will identify gaps in the plan such as out-of-date employee lists or contact information

(2) Customer Communications – Keeping Customers in the Loop

Managing customer relationships is obviously critical to the ongoing success of your business. As such, it is important to craft a plan for distributing information to your customers during and following a disaster event. The scope of your customer communications plan will vary widely depending on the nature of your business.

Obviously, not every glitch in operations will merit reaching out to your customers. However, if an event occurs that is likely to impact them, it is essential to communicate the details of the issue and explain the steps you are taking to mitigate it. This might mean direct communication to your customers, but it could also mean messaging via social media. Failure to do so can have a negative impact on the reputation of your organization.

Consider the way Toyota responded to reports of self-accelerating vehicles back in 2009-2010. Instead of acknowledging the issue and assuring customers that the company was investigating the problem, the company opted to cite user error in a classic case of blaming the victim.

The problem was eventually pinned on floor mats, pedal design, and faulty electronics. Although Toyota spent billions to replace accelerator components, their initial response created distrust among customers.

Protecting Your Reputation When Things Go Wrong

So, how do you keep your good reputation intact? It comes down to careful preparation.

First, you must be prepared from a personnel standpoint. Carefully planning communications with customers is essential. You will need to be able to respond quickly and clearly explain the steps you are taking to resolve issues.

All customer-facing staffers should be briefed and ready to deliver a clear and consistent message. You may want to consider using script templates, which can be adapted to address various events. Pre-scripted messages can be developed, approved by management, and quickly distributed to customers following a disruption.

You also need to ensure access to a communication infrastructure (phone, email, internet access). This might mean redundant phone lines/services, VoIP, hosted PBX systems, cloud-based email or redundant Exchange servers, etc. Larger businesses may need to invest in a secondary contact center to manage inbound and outbound communications. There are a number of vendors that offer call center services, temporary workspaces, and even mobile data centers.

Related:

3 Reasons Why Your Business Needs VoIP Phone Technology

Testing or rehearsing all or parts of your customer communications plan should be considered essential as well. Testing is the best way to identify and resolve customer support weaknesses and communication infrastructure issues.

(3) IT Disaster Recovery and Business Continuity

To understand the IT role of disaster recovery and business continuity, it helps to look at the not-so-distant past.

It wasn’t too long ago that ‘backup’ meant daily incremental and weekly full backups to magnetic tape storage or an external disk backup target. Duplicate tape copies were created and shipped offsite for disaster recovery—typically to a secondary site maintained by the business or to a tape vaulting facility. Many businesses continue to use this model today, and depending on your recovery needs it may be perfectly adequate.

However, disaster recovery from offsite tape can be painfully slow. First, you need to physically retrieve the tapes from an offsite location. Once they are back on-premises, you must ingest data to your backup server. At that point, you can restore data and applications to your primary servers. This, of course, means considerable downtime.

Related:

5 Reasons Why Backing Up to an External Hard Drive is a BIG Mistake

Therefore, when creating an IT disaster recovery plan, it’s important to understand two concepts:

• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)

RTO is the amount of time that it takes to get a system restored following a failure or disaster event. Whereas RPO is the point in time to which data can be restored following the event.

So, if you performed a backup at 6 pm each night and a server failed at 5 pm the following afternoon, your RPO would be 23 hours and any data created during that span would be lost. For many organizations this was unacceptable.

So, rather than relying on tape for disaster recovery, some organizations replicated data to a secondary site that mirrored their data center. However, this approach historically required a massive investment in hardware, because it required two sets of identical servers, storage, switches, software, etc. Not to mention a secondary data center facility.

Remote replication allows users to fail over operations to a secondary site in the event of a disaster, which improves RTO but is well out of the reach of most businesses financially.

Disaster Recovery as a Service (DRaaS)

Today, users can run applications from image-based backups of virtual machines. This capability is commonly referred to as “recovery-in-place” or “instant recovery.” Recovery-in-place dramatically improves RTO because operations can continue while primary servers are being restored. RPO is reduced as well—snapshot-based, incremental backups at 15-minute intervals are a common practice. Virtual machine images can also be replicated to an alternate site or cloud for disaster recovery.

There are a number of ways to implement this type of system. Many backup software products today have the ability to perform these tasks. If your current backup software supports it, you can set it up yourself. If you are relying on an older backup software product or you are starting from scratch, you might opt to outsource these tasks.

In this model, an appliance is typically placed on-premises for local backup and recovery, and data is replicated to the cloud for disaster recovery. Recovery-in-place technology allows you to run applications from the onsite appliance or from the cloud following an outage or disaster. This is commonly referred to as “cloud disaster recovery” or “disaster recovery as a service” (DRaaS).

DRaaS offers the failover capabilities of traditional remote replication at a much lower price point. Users typically pay a monthly subscription fee based on the amount of data they are storing in the cloud.

Some services charge additional fees for the processing power necessary to run applications in the cloud during disaster recovery. Compare that with the facilities, personnel, and technology expenses associated with setting up a secondary data center, and the value of recovery-in-place and DRaaS is apparent.

Testing IT disaster recovery plans is essential. Historically, this was a difficult and potentially risky process. Today’s technologies and services have greatly eased the testing process. Because of the ease in which virtual servers can be created, users can set up DR test environments without the risk of harming production systems.

(4) Continuity of Operations – Keep Business Moving

Application downtime is, of course, just one factor that can impact your bottom line. Again, there is a broad spectrum of possible considerations depending on the size and type of your organization. However, there are a variety of examples that apply to many businesses:

Training

Every business will need to identify employees critical to the recovery process. This might mean executives, department managers, and IT staff. Whatever the structure of your business, you will need to define business continuity roles and responsibilities. It is also important to cross-train staffers on essential tasks, in case a critical employee is unavailable following the event.

Facilities

It is critical to evaluate the facility or facilities in which your business operates. Considerations might include but are not limited to:

• Appropriate fire suppression systems
• Generators capable of powering essential equipment
• Uninterruptible power supply systems for critical servers
• Surge protection systems
• Alarm/intercom systems to alert employees of emergencies
• Armed response and security services

Dependencies

It is important to consider dependencies within and especially outside of your organization.

Let’s say you are in the business of manufacturing medical devices. You might source parts from a variety of vendors—possibly worldwide. If one such vendor suffers a flood or fire and production comes to a halt, this could limit access to the raw materials you need, directly impacting your ability to continue operations.

Your business continuity plan should offer solutions to mitigate these issues—for example, identifying multiple suppliers or stockpiling large numbers of essential parts.

Conclusion

Disaster recovery and business continuity planning should be considered a critical aspect of running a business. However, many organizations disregard it completely. Others have some kind of plan in place but fail to grasp how time-consuming the recovery process can be and the associated cost of downtime.

The good news is that today’s data protection technologies and services have greatly improved the IT piece of the business continuity puzzle. There is a wide array of options in the market today at different price points, which enables you to select a product or service tailored to your specific business needs.

And finally, the importance of testing business continuity/disaster recovery plans cannot be understated. Testing is the only way to reveal gaps in your plans and address them proactively – and not while you are frantically trying to pull the pieces back together.

Take the First Step with iSite Computers

Ready to implement business continuity planning but not sure how to start?

iSite Computers is here to help.

Since 2008, we have worked with SMBs in South Africa to maximise productivity, minimize RTO and RPO, and ultimately save our clients time and money through modern business continuity and backup solutions.

Get started today with free, no-obligation advice from iSite Computers. Give us a call on 031 812 9650. Or schedule a free consultation and we’ll call you back.