If a tornado struck your business, or a lightning strike caused you to lose data, do you have a plan in place to make sure that your company can continue operating?
Disaster can strike at any time, and it is critical for every company to have a business continuity or disaster recovery plan in place to ensure the business can sustain operations. Some organizations may opt not to invest the time and resources required to develop a business continuity strategy, but it is simply not wise to operate without a backup plan, says Larry Newell, manager, risk services, and IT infrastructure practice leader at Brown Smith Wallace LLC, St. Louis, Mo.
“Business continuity planning is essentially succession planning,” says Newell. “You never know when a business disruption will take place, and companies need to be prepared. The cost of a business disruption will generally far outweigh this type of investment.”
Developing a plan for business continuity or disaster recovery involves asking lots of what-ifs, gaining buy-in from key managers and business unit leaders, and developing an all-encompassing plan so that the organization can continue operating seamlessly.
Smart Business spoke with Newell about why businesses should invest in business continuity and disaster recovery strategies and what to include in these mission-critical plans.
What is the difference between a business continuity plan and a disaster recovery plan?
The two overlap somewhat, but there is a fine line between how these plans function. The focus of a business continuity plan is to create a backup that mimics the critical business processes a company has in place and the tools needed to support those processes.
The business identifies what those critical processes are. For instance, an accounting firm might need to ensure that software programs containing client data are up and running, and the associates can always communicate with their clients. So data and communication are critical to business continuity.
A disaster recovery plan is IT-centric, focusing on IT services that support the business and designing preventive controls and recovery techniques. This is where high-availability systems really come into play — the speed and ease with which a company can shift to the alternate site.
Why should a company invest in a business continuity or disaster recovery plan?
Like any component of succession planning, business continuity or disaster recovery plans answer the question, ‘What’s next?’ No business can anticipate the types of disasters that can disrupt daily business or shut down their operations entirely. But once disaster strikes, whether that is a weather incident, data loss or power outage, all you can do is react.
Businesses that have sound disaster and continuity plans in place are least impacted by tragedies and interruptions. You don’t want to become a statistic. It’s important to protect your company assets by thinking about alternatives to your current processes.
An adviser with experience in risk management and IT protection can be a great resource, as most plans center on IT and accessing/resuscitating data.
How do you develop a business continuity or disaster recovery plan?
First, there must be support from executive management and participation from business unit leaders, who can provide insight on the processes that must be protected and duplicated to continue business-as-usual in case of disaster. And there must be a plan champion who will take ownership of the planning process.
Creating a plan takes time: It requires a thorough analysis of the company’s operations and asking tough questions about processes and procedures. Essentially, a company must identify the back-end operations that enable it to service customers, and then devise a plan to protect those operations. Knowledge from an IT administrator is critical during this process.
How in-depth should a plan be?
The depth of your plan will depend on your client or customer dependencies and regulations, such as the Financial Institution Regulatory Authority or Federal Financial Institution Examination Council.
Basically, a plan should mitigate the highest risk and impact across the enterprise.
Also keep in mind that a plan has diminishing returns at some point. Treat it like a living document that is regularly updated as your business changes.
What common mistakes do businesses make when developing a plan?
The biggest mistake is not having a plan at all. Also, many organizations fail to think big picture when they create the plan. They may focus on a particular business unit that is considered high impact, when there are other vulnerabilities in the organization that should be addressed. Including business unit leaders will help you tease out the critical processes that require protection throughout your organization.
Ideally, you should include a crisis management plan, identify critical business processes to develop the business continuity plan and then create a disaster recovery plan that is IT-centric. You should test these plans at least annually to be sure that they work effectively for your organization.
Consulting with an adviser who can help you identify risky areas of your business that should be protected with a business continuity or disaster recovery plan will give you an important outside perspective to make sure your plan is tight.
Larry Newell is manager, risk services, and IT infrastructure practice leader at Brown Smith Wallace, St. Louis, Mo. Reach him at (314) 983-1218 or [email protected].
