Disastrous Business Continuity Planning
If you are the head of IT, IT Director, CIO, IT Manager, or otherwise in charge of your IT operation, then you’re not who I want to talk to. Sorry, nothing personal.
However, you are most likely to be the person charged with organising whatever it is your company thinks it needs in relation to disaster recovery.
To be fair, this probably applies to organisations of a certain size, who have few compliances to adhere to and are ‘pragmatically organised’.
Disaster Recovery and Business Continuity Planning (DR & BCP) are subjects everyone knows they need to be aware of, have provision and plans for, and unless this is what you do for a living, wish (hope?) someone else would look after.
Clients are probably either continually asking you about it, or if not, assuming you have a plan in place.
It is the elephant in the room. It is the item on the To Do list that is more mobile (in a downward direction) than any other. If it were a person, it would be the one that nobody wants to talk to, and is left standing in the corner at parties on their own.
So let’s be clear what it is we’re (well, I am) talking about, as the two elements here are distinctly different things. Firstly, DR. It’s the erroneously ascribed abbreviation for a plan that will enable your organisation to continue working as normally as possible in the event something interrupts your normal operation. Wrong, well mostly. DR is the bit that IT (if you’re still reading, this is you) has organised where your IT estate, the applications, data, access technologies and processes can be recovered, in part or in total, based on a number of scenarios. You may even have defined your RPO for your data recovery systems & processes.
Business Continuity Planning is the bit that organises everyone who works within your organisation to utilise those resilient systems, to be able to continue operating as near normal as possible, so you can service your clients as usual.
In my experience, if a company has put any kind of thought in to this, then they are likely to have done the IT bit. But more often than not, will have neglected the BCP bit. That’s usually because the Executive see this as an IT issue, for IT to plan and organise. And this couldn’t be further from the truth. This is a whole business issue, of which IT plays a significant part. Every area of the organisation needs to know what to do when responding to an event that interrupts normal business activities.
This could be as simple as a short power outage that only needs them to survive for a couple of hours without their IT systems. It could be a weather-based interruption, stopping your people getting in to the office, but everything still running. It could be something much worse. It could be a combination of all of these. And each scenario needs a different response from different people. The one thing that is common, though, is that unless you’ve put the thought and planning in to what these responses are ahead of time, service to your customers will be interrupted and your business will suffer.
So, where do you start? By organising a team of people to share the task, that represents the whole organisation. And someone running it who has enough clout to enforce and reinforce the message. You’re going to be asking people to do work on top of their day job. You’re also going to be asking others to change what way they do things. Not dramatically, but enough to generate some push-back. So you’re also going to need top-level backing, that won’t crumble at the first hurdle.
There are some good consultants out there who do this for a living, so if once you’ve decided that not having a proper BCP in place is a problem, but you don’t have the internal resources to fix that, you can hire in some help to guide you through from start to finish.
For step-by-step help, you could do worse that go to the Business Continuity Institute’s website – thebci.org – and search for the Good Practice Guidelines. (If you’re just starting out on implementing a proper BCP, then don’t even consider going down the ISO22301:2012 accreditation, unless you have a good reason not just to put a practical plan in place but to demonstrate to others that you’ve done that. Go for the badge later if you have to.)
Central to any BCP is organisation and communication. In the event that something bad does happen there’s going to be a lot of people asking, “what do I do now?”, “how do I log in to my ERP system?”, “where’s the phone number for HR Director?”, “I need to let the insurers know what’s going on, but don’t have their number.” If you’re very organised you could create a website will all of this on. If you do, though, make sure the content is as automated as possible. You don’t want to be manually updating telephone lists, contact processes, names & addresses, etc.
There are some good bespoke applications out there that can make the management, content & communications part of a BCP a lot easier to manage. See the Resources list at the end of this blog for reference to a few I’ve found. Of these, I’ve only actually seen the Yudu app, which is designed specifically to make communications management during an incident a lot easier to do and control. The others are more about managing the whole BCP.
A final couple of points. Once you have created and crafted your BCP, you’ve communicated the plan to your staff, your IT department have setup the relevant backup and recovery systems, you may even have tested all or parts of the Plan. Then what? Then you do it again. A BCP is not a static plan. In fact, it isn’t really one plan at all, but a composite plan of plans, that change, adjust, expand and contract just as your organisation does. It needs to be nurtured and managed, and not just by one person (and certainly not by your IT Director) but by all parts of the business. Build this into the mindset of your managers, and segway resilience and recovery into all your planning activities.
This is not a glamorous task, but at least when your client asks you about your DR or BCP plan you won’t have to roll out the usual excuse of it ‘being updated’, or ‘re-written’, and then change the subject hoping they will forget about it. You can look them in the eye and have a genuine conversation about how you’ve embedded this in to your business. Then go on an talk about all the great things you can do for them knowing you have the basics covered. Not having one is a disaster in itself.
- The Business Continuity Management Institute – thebci.org
- HM Government Business Continuity Management Toolkit – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/137994/Business_Continuity_Managment_Toolkit.pdf
- Centre for the Protection of National Infrastructure – BCP guide – http://www.cpni.gov.uk/Security-Planning/Business-continuity-plan/
- Emergency Communications application (Yudu) – http://www.yudu.com/services/emergency_communications
- Business Continuity Management lifecycle software – http://www.clearview-continuity.com/
- Phoenix Shadow Planner – http://www.phoenix.co.uk/media/100016/shadow_planner_datasheet.pdf
- Template for Business Continuity Planning organisation – https://doc.co/SfHPvp