Maintaining Your Business Continuity in the Event of a Man-Made or Natural Disaster

It’s 3 a.m. and you’re awakened by the sound of your cell phone ringing on your nightstand. Your first thought is always, “Something happened to the kids!” or “A family member is in trouble!” However, as you come back to your senses a bit and realize that it is probably work-related, nothing really prepares you for the person on the other end of the line telling you, “We have a business emergency! Our business and the customers we support may be in jeopardy if we can’t recover from this disaster!”

That’s when your heart literally skips a beat as you realize, we don’t have a Disaster Recovery and Business Continuity Plan in place. For any association, consortium or standards–setting organization (or, for that matter, just about any other type of group or business), having such a strategy to rely on in a crisis is essential, yet it’s also often overlooked. As this reality hits you, questions start running through your brain, such as:

“What happened to all of our files and data?!”

“How are we going to notify our staff?! … And our customers?!?”

“How is the business going to operate today? Tomorrow? Ever again?!”

Sure, some of your data may be stored up in “The Cloud!” that everyone is talking about, but how does that help you when it’s only a part of your association’s information and business? And what do you do if “The Cloud” stops working?

Many times we take for granted our office space, as well as the personnel who help to keep the organization running smoothly; and we forget that it’s usually the more junior team members who are handling the daily work process. While they are excellent at keeping the workflow moving, they usually lack the long–term planning knowledge or the skills required to recover from a disaster-level catastrophe or problem. They will need senior leadership experience to provide direction and instruct them on what to do when their office is suddenly no longer there! That’s why it’s important to have a documented plan and preparations for when these circumstances, rare as they may be, suddenly appear, most times without warning.

When you start to think of all that is involved when it comes to the daily tasks and the security of your organization, it’s no wonder many of us lie awake at night staring up at the ceiling! But it doesn’t have to be that way. Having Business Continuity and Disaster Recovery Plans will help you to sleep at night and provide you with the confidence that you will be able to continue the business and to rebuild after the disaster. Now, you may be thinking, “What’s the difference between a Business Continuity Plan and a Disaster Recovery Plan? Aren’t they the same thing?” The answer to that is “No.” However, they do go hand in hand. 

A Business Continuity Plan (BCP) is structured around how to keep the association operating when a natural or man-made disaster takes place. It covers things like where does the business telephone number ring? Or even the mail, how is that handled? Where do employees go to work now that the office is gone or, at the very least, under repair for an extensive period of time? Whom do we contact and in what order? The BCP is the script or outline to keep the business operating despite a significant disruption within its services.

A Disaster Recovery Plan (DRP) focuses on the steps that must be taken in order to get the business back to at least a minimum operating capacity, if not 100 percent. This is all dependent upon how much the organization is willing to invest in a solution to minimize the time and impact of being down. For most businesses, every hour of downtime is a loss of income. So, in order to minimize downtime, you need instructions that will allow you to maximize the speed and time to get operational again. Procedures such as how to rebuild/restore the server/network infrastructure, how the company personnel will connect to the new infrastructure, and how to mitigate the negative effects of lost data are all examples of DRP requirements.

Getting Organized

There’s a lot to cover when you start to think about Business Continuity and Disaster Recovery Plans, and having one person trying to encompass everything would make even the best project manager feel a bit overwhelmed. That’s why your first task is to form a Business Continuity Committee with one or more representatives from each relevant department. The committee will elect the leader of the Business Continuity Plan, as well as the leader for the Disaster Recovery Plan. In most cases, this will be two separate individuals, but if your organization is on the smaller side, you may have just one.

The committee should meet on a regular and consistent basis. Getting the plans together will take some effort on everyone’s part, so you would probably want to meet every week until the plans are compiled. Eventually you can reduce the meetings to monthly or quarterly, depending upon changes in the business, infrastructure or organization. All participants will be assigned roles, responsibilities and action items that they will bring to the committee for plan development. We will delve into more details on that later. 

Once the committee has been organized and team leads elected, the committee should identify the key items within its mission statement.

Recovery Point Objective (RPO) – The RPO is the amount of data the organization is willing to lose. This could be as little as zero and as much as 24 hours‘ or one day‘s worth, depending upon business needs and the amount of money or budget that is available to be invested in order to get the organization back into operation. The LESS data you are willing to lose, the higher the cost will be to implement the solution. The MORE data you are willing to sacrifice, the cheaper the solution. Having some of your less consequential data in “The Cloud” will help minimize that; however, there is always going to be a tradeoff with respect to security. And, if you have to reenter or manually recover all the data that is lost, that will affect the time until you’re operational again, which is defined in our next key objective.

Recovery Time Objective (RTO) – This refers to the amount of time that internal, external and/or third–party personnel must invest in order to get the organization to an operational and functional level. The same principle just mentioned applies here as well. The LESS time you are willing to be down, the more costly it will be to implement the solution, and vice versa. How do you decide what your RPO and your RTO should be? Perform a Business Impact Analysis!

Business Impact Analysis (BIA) – Your BIA involves identifying the potential effects a disaster will have upon the business. This will include loss of revenue on an hourly, daily, weekly and monthly level. Identifying how much money the organization is losing at every interval allows the committee to justify the budget required to set up redundant infrastructure and services, while providing a dollar amount to the senior management team. 

Let’s be honest. It all comes down to the bottom line whenever a large investment is under consideration. The Business Impact Analysis should be comprehensive, including income and revenue lost, employee cost, other finances, facilities, marketing, legal issues, customer impact, business reputation, and service–level agreements in conjunction with quality assurance. All of these items will help you define your RPO and RTO and move the Business Continuity and Disaster Recovery Plans toward identifying a cost-effective solution on a reasonable budget for your organization, while gaining the appropriate support and investment from senior management.