A Business Continuity Strategy may prove to be the best and least expensive type of insurance, one that can ultimately save your company in the face of disaster. Business continuity does extend beyond technology; however, I would like to start here, as it is at the core of most business operations. So let’s get to it.
As a principal in a business or a C-suite employee, I would like you to take a moment and ask yourself these 5 simple questions, as they are all equally important for a sound Business Continuity Strategy.
- Does my company have a Business Continuity Plan (BC)?
- Does my company have a Disaster Recovery Plan (DR)?
- Does my company have a Recovery Time Objective (RTO)?
- Does my company have a Recovery Point Objective (RPO)?
- Does my company’s mission critical system(s) have High Availability?
If you do not know the answers to these questions, I will say it’s your fiduciary responsibility to get them fast. The right answers to these questions are just as important as growing the company’s top line and boasting a healthy net profit. The reason I say it’s just as important is that when an incident occurs (and notice I said when, because chances are it will), your company’s survival will depend on its capability to recover quickly and continue doing business.
So let’s get back to the (5) questions, which I will go over in an abbreviated way so you may bring them up in your next EC Meeting or discuss them directly with those who have oversight of your company's IT.
1. Does my company have a Business Continuity Plan (BC)? A Business Continuity Plan is a plan put in place to continue business if it is affected by a situation that disrupts operations.
- Case example: I was consulting for a company with multiple call centers. As sophisticated as the operations were, if they lost their phone lines in one of their call centers, that center simply stopped doing business. Therefore, I spoke with the Executive Committee and explained to them that if they implemented a hosted PBX phone solution at all locations, they could configure the system to automatically fail over to a particular call center if one were to lose its phone line connections, which would allow them to continue to take calls for that region. As simple as this may seem, they did not have a plan in place to continue to do business.
- Find out if your company has a strategy in place that would allow it to continue operations if a disruptive event were to occur, from a power outage to a complete disaster that wipes out your offices.
2. Does my company have a Disaster Recovery Plan (DR)? A Disaster Recovery Plan is a document that provides tactical instructions on what a company is to do in the event of a business disruption, such as a server down.
- Case example: A client of mine did not have a plan on how to recover from backups if their server went down. I asked them whether they had server backups. They said yes. This was good. I then asked, “What is your procedure for restoring from those backups if your server was to fail?” I could see that they did not have the answer; they were not even sure how their backups worked, nor was there a document on what types of backups they had. It was a scary thought on their behalf, as they were working on mere faith that their systems were being properly backed up.
- Imagine if you ran your business or department without ever reviewing your monthly financials. This seems a bit preposterous. So why wouldn't you have some type of document stating how your company would recover from a given disaster, with this information shared with your key employees? It is your fiduciary responsibility to know that your company has a document on what to do, or what will be done, in light of a disaster.
3. Does my company have a Recovery Time Objective (RTO)? A Recovery Time Objective (RTO) is a targeted duration of time within which a business process must be restored. This time is typically decided based on how long a business can operate without a certain process or function.
- Case Example: During an assessment meeting I asked the CEO of the company, “Do you have backups for your servers?” The CEO replied “yes” with great pride. I responded “perfect.” Then I moved on to my next question: “How long would it take for you to recover from your backups if you had a situation that required you to do so?” The CEO looked puzzled and turned to his IT Manager. At that moment I could tell that neither of them had the answer. I then went on to ask, “How often do you test the health of your backups and run recovery tests?” Again, neither of the two had an answer. Then my final question came: “What is your company’s Recovery Time Objective?” Needless to say, this sparked an entire conversation, and we left the meeting with a strategy to validate the questions I asked and implement an RTO based on the company’s tolerance levels.
- Find out what your company’s tolerance levels are on how long it can operate without a certain business process or function. Then decide what steps need to be taken to recover from an incident within that time frame. This will give you your Recovery Time Objective.
4. Does my company have a Recovery Point Objective (RPO)? A Recovery Point Objective (RPO) is the point in time that must be recovered from a backup for normal business operations to resume if a system was to fail or disaster strikes.
- Case Example: Not too long ago a client of mine was conducting their scheduled database maintenance on one of their key systems. Unfortunately, this maintenance did not go very well and their database administrator recovered the database from one of their backups. The only problem was that the backup was a week old. Therefore, when operations started the next morning, none of the orders for the past week were in the system. Fortunately, my organization had taken a snapshot of the server a few hours prior to the database maintenance, from which we were able to recover and restore the database. If this was not the case, they would have been in a situation that would have forced them to re-enter all their orders for the past week. Think about how this type of activity could affect your business.
- You should ask your team how often backups are taken and whether this is sufficient for a Recovery Point Objective. How would you know the answer to this? Ask yourself the question: if an incident was to occur and we had to recover from a backup, could my company operate with minimal disruption if X amount of data was missing due to the backup intervals? Typically, a good backup time interval is 1 to 4 hours. However, it all depends on your systems' transaction volume levels. The more transactions that run through your system, the shorter the time intervals should be for your backups.
5. Does my company’s mission critical system(s) have High Availability? What is High Availability, you may be asking yourself? High Availability is defined as a machine that can immediately take over if one were to fail. The common term for this is a system fail-over.
- Case example: If you need High Availability for your internet, then you would invest in two Internet Service Providers and a piece of equipment that would allow you to designate one as primary and the other as secondary. If the primary fails, then the secondary would automatically take over with little to no business disruption. This can be done with network equipment, servers, power, and many other components within a company. This is very typical in industries such as banking or medical, as we are highly dependent on their systems always being available.
- I would ask my IT Manager, “Do we have fail-overs for our mission critical systems and network equipment?” If not, I would explore your options and determine if it is feasible to implement system fail-overs. This would provide your company with the least amount of downtime in the event of system failure or disaster.
I trust that once these (5) questions are addressed, you’ll have a sound idea of whether your company has an effective Business Continuity Strategy.
If you are interested in understanding more about Business Continuity and how to effectively implement a sound strategy in your organization, feel free to reach out to me at any time.