Business continuity management ensures the survival of a company, not just during or after a disaster, but during daily operations.
In a constantly changing environment, particularly one that is IT dependent, words have a way of redefining themselves. A definition that the whole world has seen evolve is the definition of a disaster. Today, disasters can result from terrorist attacks, power outages, security breaches, nature and human error. With the heightened threat of such disasters, there is an increased risk of business disruptions. The inability of a business to quickly resume everyday operations and protect its resources is often detrimental to a business and its community.
The unpredictable nature of events that can cause IT disruption continues to be a threat and is one that businesses can't afford to dismiss. Business disruptions resulting from disasters plague more than 90 percent of all businesses. Forty-five percent of these businesses fail to recover and subsequently don't survive for another five years. In addition, this percentage can increase when major damage to computer centers is involved.
The only way to minimize the effects of these disasters is to have an implemented business continuity plan. Business continuity management ensures the survival of a company, not just during or after a disaster, but during daily operations. Business continuity not only includes a disaster recovery plan, but it assesses potential everyday risks and provides solutions to mitigate them. Recent disasters have proven that the success of businesses lies more in what they did to prepare for a disaster than how they reacted after the fact.
Events such as September 11, 2001, and the August 13, 2003, North American blackout demonstrated that while it's crucial to a business' survival to have a plan, it is even more important that the plan covers all bases. This means preparing for the unexpected and maintaining a plan that can allow operations to resume almost immediately. Covering all bases also means paying attention to details. Details such as suitable relocation facilities and updated phone numbers are often overlooked but could ultimately determine business resilience. The businesses that had all of their bases covered were able to quickly resume operations and, as a result, maintained their position in the marketplace. Businesses that were not prepared for these disasters suffered damaging money and reputation losses.
A mistake that businesses often make is they view disaster recovery plans as insurance rather than a component of everyday operations. The truth is that successful disaster recovery plans are embedded into a corporation's culture as a part of business continuity. They are regularly tested and reviewed to ensure that they are functional and current. They also serve as more than a piece of paper and are actually put into action. This ensures that employees are aware of their role in a disaster and have had some practice performing their duties.
Recognizing the importance of business continuity plans, the government has even stepped in and has passed business continuity regulations. Regulations such as the Sarbanes-Oxley Act of 2002, SEC Requirements, Basel II and PAS 56 are forcing corporate executives to review their strategies for business continuity and make sure they comply with regulations. While these regulations are important to make certain businesses are better prepared, there are many additional steps executives should take to ensure their company's security. Here are some ideas for how businesses can be prepared in order to protect their people, information, infrastructure and assets:
Prevention is the key - it costs less than recovery and it's faster. When a disaster occurs, one of the first questions asked after the smoke clears is how it could have been avoided. That's the prevention question. The issue right now for many businesses is when they want to answer that question.
Don't put all your eggs in one basket. Spread "vital" operations across more than one location to prepare for business disruption. Backups should be taken frequently and stored outside the facility. It is important to make sure the backups are usable by randomly choosing one or more sets and restoring the data. In too many instances, data thought to be safely backed up can't be accessed when needed.
When disaster strikes, don't let the plan disappear. Companies should review their business continuity plan for adequacy and currency. Special attention should be paid to new technology systems and business processes that might not have been included in the original plan.
Have these plans been tested recently? Can critical vendors help in a crisis? Proper planning helps a company maintain their presence. If a company fails to maintain market presence and reputation after a disaster, their absence can create a vacuum in the marketplace. This being the case, competitors will fill that vacuum out of necessity.
Remember the "Three Ps" of disaster planning: people, property and priorities (business). Here are three more: practice, practice and practice. Physical security plans should be up to date, including instructions for contacting local fire, police and rescue authorities. Some examples of questions to ask are: Do you have a written crisis management procedures manual and do you follow it? Has it been tested recently? Do you know when to call local authorities and who has the authority to decide to do so? How (and how well) are visitors and vendors controlled in your facilities? Do your security procedures reflect what you really expect your employees to do? Are they up to date regarding your IT environment?
Review your human resources procedures for potential weaknesses. Consider the adequacy of your background checking processes for new hires, vendors, etc. Do you have an adequate way to communicate with your employees in an emergency? Are your employees "security aware?" If trouble looms, consider distributing key workforce, vendors, facilities and processes as much as possible. Ensure that a failure or crisis in one location is contained to that location if possible and has minimal impact on the business as a whole. This will help avoid the "domino effect" where a crisis in one location quickly spreads to engulf an entire company.
Revisit budgets for business continuity planning and IT security to ensure their adequacy. Often, business continuity plan budgets are among the first casualties in a budget crunch. This is often a "penny-wise and pound foolish" approach. Proper planning for IT disasters can repay its cost many times over when the crisis actually hits. Poor or nonexistent planning can ultimately cost much more in lost business, destroyed or damaged information or physical resources and personnel disruption.
Tailor business continuity investments to likely threats and key priorities. Recent events have made us think of terrorism as a major threat; however, there are other more diverse threats, such as employee or non-employee workplace violence, labor actions or disputes, cyber threats (including computer viruses and denial of service attacks), hoaxes and industrial espionage.
Focusing on employee safety will pay off during a disaster because knowledgeable employees are an important key to recovery plans.
Think of recovery like a recipe: everything must come together at the right time and in a usable form. Recovery is a process of blending ingredients at the right time and following the proper steps. This includes asking critical vendors about their plans and capabilities to deal with emergencies. Relying on one or more critical vendors to keep business going can be dangerous because a crisis that affects them could spill over if they are unable to provide services. If they have no plans, they should create them, looking at all elements of the supply chain. Also, consider executive protection plans. Are all members of key staff aware of how and when these plans will be put into effect? Is there a well-defined succession plan in the event of an issue?
Remember that regional disasters have a way of mandating unexpected priorities. It is a good idea for businesses to look at the immediate area surrounding each of their facilities and perform a risk assessment. After risks are identified, choose a method designed to mitigate those risks should the unexpected occur. Make sure you are aware of who local authorities are and have met them prior to a disaster. After all, they are usually in control when a disaster strikes.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access