The ABCs of a Business Continuity Plan

Image of replicated computer system to enable business continuity.

The ABCs of a Business Continuity Plan: How To Stay in Business After an Extended Outage

You’ve probably heard this sermon a million times, but we will keep harping on it until small business owners start taking the issue of business continuity and disaster recovery planning more seriously. Especially in this new era of daily reports of ransomware attacks.

Those in the trenches know the familiar drill: you get a call about a failed hard drive, a system that is down, a lost laptop, a folder encrypted by a former employee, or the worst, an inaccessible office. Of course the first statement you make is “no problem, we’ll just restore from backup“. That is until you see the guilty look on the client’s face and the reality hits you: there is no backup or if there is one, it is either not up to date or has never been verified.

Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible.

Although the business world has enough reminders about what could happen to companies without adequate business continuity and disaster recovery plans – hurricanes Katrina, Rita and Dorian, the Indian Ocean Tsunami, The Earthquakes in Japan and California, the recent deadly floods, and the numerous fires and vandalism that plague businesses every year, the hash reality is that SMEs (Small and Medium Enterprises), do not have business continuity and disaster recovery as priorities. As Anne Marie Staley of the New York Exchange aptly put it:

Until recently, most organizations treated business continuity like health insurance. [They focused on] getting the cheapest coverage, hoping nothing ever happens, reluctantly paying the premium each month and praying that when the inevitable happens, they have enough coverage.

Most SMEs are content with the fact that there is access to the server (a converted Windows desktop computer box in most cases) and employees have access to the network, the internet and email are working; until a virus hits one of the workstations that was hosting the customer database, or the server goes up in smoke and suddenly business grinds to a halt and the scramble begins to get the IT guy. Nothing is more painful than seeing a business close its doors because of lack of a simple business continuity and disaster recovery plan.

What is Business Continuity Planning?

Removed from the high-level talk, business continuity planning simply means providing methods and procedures for dealing with outages and disasters that could last for a long time, like a tornado wreaking havoc in Alabama as happened recently.

Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during execution of disaster recovery.

Business Continuity Planning is the last leg (Availability) of the the concept known as the CIA Triad (Confidentiality, Integrity, Availability) in information security circles. It specifically deals with the “now” after an event, before humpty-dumpty is put back together. It tackles the issue of how to ensure that the resources required to keep the business going is available to those who need them within the company.

What do we do now that the building has burned down? How do we reach or communicate with our staff when communication lines are disabled? What do we do now that our building has been washed away along with our servers and desktop computers? Having access to critical data that a company needs to get up and running as quickly as possible in the event of a disaster – man-made or natural, is the main goal of a Business Continuity Plan (BCP). Call it planning ahead or having the foresight o improve the chances of resuming business should stuff happen.

These could be resources, personnel and tasks that are required in order for the business to stay profitable. It does not matter if the disruption was caused by an earthquake or an accidental deletion of your customer database. Statistics have shown that the longer it takes a business or an organization to resume normal operations after a disaster, the higher the possibility that it may never recover.

The big question is, can you continue to operate as a business should some type of disruption happen?

  • Do you have a backup of your accounting database for example, on something as simple as a USB stick that you can copy to a folder and reconnect so your business can go on?
  • If a critical employee calls in sick, or leaves the company, does business grind to a halt or can someone else fill in?
  • Do you have supply chain partners that provide critical services? What happens if they go out of business or are unreachable? Even a big company like Nissan recently had to shut down factories and operations for three days because its suppliers could not make deliveries.
  • What happens if the internet connection is down? Is there a backup internet connection like a dial-up or broadband? I had a client once that fussed when we suggested a broadband subscription as a backup to their T1. The benefit of that investment came when they had a major roll-out of an e-commerce site and the T1 connection had problems and we switched to the broadband line while the T1 line was being worked on.
  • Do your employees know what to do, who to call, where to go etc. in the event of an emergency?
  • Do you have an evacuation plan and are employees aware of that plan?

There is a tendency for those of us in IT to focus too much on the technology aspects of a business continuity plan. Yes, data is essential, but so are people. This is exemplified by the instructions you get on an airplane –  “In case of an emergency, save ya neck and forget your Versace briefcase!”

What is included in planning for Business Continuity?

The first thing is to adhere to the rule of ” Know thy self!”. There is hardly any point in planning for BCP if an organization has no understanding of how it works – its processes, people and systems – in enough detail to make rebuilding effortless. Knowing the organization means knowing the core pieces and parts that make it tick. It means knowing how people, data, network and functions are tied to the various roles within the organization. If the CEO were to suddenly “take off”, do you have a plan for succession? Take a look at the Zachman_Framework on to give you an idea of what it means to “Know thy self”.

The next question to ask is “Why?” While the main reason for a BCP usually revolves around dealing with an unexpected mishap, it sometimes goes a little deeper. The primary reason for a BCP should be to maintain the goals of the business or organization. For commercial entities, that could mean sustaining profitability, and for non-commercial entities, the main reason could be o ensure that service to the community is not disrupted or that disruption is reduced to a minimum level.

According to National Institute of Standards and Technology (NIST, Publication 800-34), there are six crucial steps in Business Continuity Planning:

  1. Develop a planning policy statement – for guidance and the assignment of authority to various roles (or decide who gets axed should stuff happen)
  2. Conduct a Business Impact Analysis – you identify critical systems, processes and people; identify vulnerabilities or weaknesses, potential threats and accompanying risks.
  3. Identify preventive controls – determine how to reduce the risk level of the business.
  4. Create contingency strategies – backup and recovery, offsite storage, alternate sites, equipment replacement, cost considerations, roles and responsibilities
  5. Test, Train and Conduct Exercises (TT & E)
  6. Maintain the plan

The performance of a Business Impact Analysis is very important. This is where a business or an organization identifies the systems, processes and resources that are most crucial  and the effect an extended disruption in access will have. The greater the potential impact, the more investment  a company should spend to restore a critical system, resource or process quickly. For instance, a  company may decide to pay for completely redundant IT systems that would allow it to immediately start processing at another location, or decide that it is safe to wait for 24 hours or longer before resuming business.

A Business Impact Analysis will help companies set a restoration sequence to determine which parts of the business should be restored first.

Other important suggestions include:

  • Develop and practice a contingency plan that includes a succession plan for your CEO.
  • Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
  • Determine offsite crisis meeting places and crisis communication plans for top executives. Practice crisis communication with employees, customers and the outside world.
  • Invest in an alternate means of communication in case the phone networks go down.
  • Make sure that all employees-as well as executives-are involved in the exercises so that they get practice in responding to an emergency.
  • Make business continuity exercises realistic enough to tap into employees’ emotions so that you can see how they’ll react when the situation gets stressful.
  • Form partnerships with local emergency response groups-firefighters, police and EMTs-to establish a good working relationship. Let them become familiar with your company and site.
  • Evaluate your company’s performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
  • Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

In summary, a viable Business Continuity Plan will be highly dependent on the overall planning framework adopted, a thorough Business Impact Analysis, the identification of operational recovery requirements, recovery strategies, plan development, testing and feedback mechanism and delivering awareness and training throughout an organization.

If you need help putting a Business Continuity Plan together or revising an old one, Tech Prognosis can help. Give us a call at (512) 814-8044, or use our contact form.