Disasters, industrial accidents and other catastrophic incidents are events that can strike any organization without warning. One of the greatest dangers with such events is the likelihood of grounding a business for good. Think about what would happen if, for instance, your organization lost all of its customer and financial records following a natural disaster.
In the best case, disasters can disrupt your operations for minutes or hours. In the worst case, you may have to shut down the business permanently. Developing a business continuity and disaster recovery (BC/DR) plan is key to ensuring your organization is always prepared for such unexpected incidents.
Here are the main considerations for developing such plans.
1. Classify Enterprise Data
The average organization is home to a wide range of information. Such data comprises spreadsheets, emails, contact lists, computational data, physical files, document printouts, payroll information and more.
The business must categorize its data based on its value. The classification will help define the most appropriate backup, archival, retention and retrieval policies. The data classification determines system classification.
2. Classify Enterprise Systems
System classification lies at the heart of every effective BC/DR plan. It’s important because first, not all systems are created equal. Some are more important to organization survival than others. Second, no business has infinite resources. That means more resources should be expended on high priority systems and less on low priority systems.
Information systems can be classified as either business support, business critical or mission critical. Mission critical should enjoy the highest level of protection and redundancy.
3. Choose a BC/DR Location
BC/DR-associated standards such as ISO 27001, ISO 22301, NIST SP 800 and BS25999-2 don’t usually specify the minimum distance there should be between a production site and a disaster recovery site. That’s mainly because the definition of sufficient distance will vary depending on whether the disaster is a fire, flood, earthquake, tsunami, hurricane, tornado, data corruption or ransomware infection.
At the minimum, your choice of a BC/DR site should be driven by your business model, your main revenue streams and regulatory requirements. As much as possible, use cloud-based disaster recovery solutions for your BC/DR since this will almost certainly fulfil any distance requirements.
4. Get Senior Leadership to See the Value
Implementing a BC/DR plan costs money. The larger the organization, the more expensive the redundancy setup is likely to be. The size of the expenditure is likely to raise eyebrows when presented to senior management. The key to getting the expenditure approved is ensuring the business leadership focuses on the value and not the cost.
For starters, BC/DR plans often uncover plenty of otherwise hidden issues with the production environment during the risk assessment. This inadvertently helps make production systems more robust even before you factor the recovery plan. Another way to soften management is to recommend cloud-based DR systems the organization only pays for when the DR plan is invoked.
5. Document the Plan
This may sound obvious except if industry surveys are anything to go by, as much as 40 percent of companies don’t have a DR plan. Many organizations will set up elaborate backup systems and redundant network links but won’t have a specific well-thought-out step-by-step BC/DR plan. Yet, documentation cannot be overemphasized.
Remember that certain disasters may come with massive loss of human life including key employees. Documenting a plan that details server architecture, network infrastructure, system applications, interdependencies, interfaces, contacts, assets and the recovery sequence ensures business continuity after such a deadly event.
6. Test the Plan
A Forrester/Disaster Recovery Journal survey found that 1 in 5 organizations do not test their BC/DR plans at all. Creating a working BC/DR plan is intense work that may involve several months of meetings, workshops, training, documentation and testing. After such an exhausting process, too many businesses will consider their work as complete and will only refer to the plans again when disaster does strike. This is a catastrophic mistake.
First, the production environment is never static. As systems and procedures change and evolve, so should the BC/DR plan. Second, regular testing is an effective way to unearth unforeseen challenges or gaps such as configuration problems, version inconsistencies, data conversion failures and incomplete recovery. BC/DR plans should be tested via a drill at least once a year.
BC/DR planning is a painstaking process. But it pales in comparison to the disastrous repercussions of not having an effective BC/DR plan. A good plan minimizes downtime and prevents reputational damage and lost market share.