If your organization is affected by a disastrous event, do you have a plan in place to continue providing services? What would happen if the technology for communicating with customers, vendors and other key individuals is unavailable? What if you don’t know the location of materials and contractors? What would happen if payroll, accounts receivable and accounts payable systems are not available? What if maintenance systems and records are not available? What would happen if key personnel are not available?
These inherent business risks can affect your ability to provide quality service and support and maintain critical business processes before, during and after a disaster event.
Disaster Recovery and Business Continuity Plans (DR/BCPs) address what should occur before, during and after a disaster. If handled properly, DR/BCPs can help an organization temporarily operate in the absence of information and normal resources required for critical business processes.
DR/BCP is about maintaining, resuming and recovering the business, not just technology recovery. The planning process should be conducted on an enterprisewide basis, requiring board and senior management support. Company leaders are responsible for:
- Establishing ownership and support for the plan and providing executive buy-in
- Allocating sufficient resources and knowledgeable personnel
- Setting policy by determining how the institution will manage and control identified risks
- Ensuring the DR/BCP is up to date, employees are trained and the plan is sufficiently tested
- Reviewing and approving the DR/BCP annually or when business environment changes occur
As with any project, planning is critical to success. DR/BCP planning must include the following:
- Project initiation and management
- Risk identification and evaluation
- Business impact analysis/risk assessment
- Development of continuity strategies
- Emergency response
- Development and implementation of business continuity/disaster recovery plan
- Development of plan test schedule
- Review of testing results and conclusions
- Awareness and training
- Ongoing plan maintenance
Typical reasons—or excuses—why DR/BCPs are not accepted:
- “We’ve never had a disaster, so we’re willing to take the risk.”
- “The auditors haven’t written us up, so we won’t commit the resources to a plan.”
- “We have business interruption insurance.”
- “The data center has a plan, and that’s all we need.”
As individuals, we don’t plan on wrecking our cars, breaking our legs or having our homes hit by lightning, so we mitigate the potential risk by buying insurance. We manage the risk to provide for our families. Likewise, companies don’t plan on power failures, earthquakes, building fires, floods, tornadoes or bombs, but they need to manage the risk to protect their employees, stockholders, customers and reputation.
Organizations change all the time—adding new business units, making personnel changes, relocations, implementing new applications or outsourcing key functions. Likewise, a DR/BCP is a living document that must be nurtured and supported by proper maintenance and attention to mirror the organization. A stale or hastily assembled plan can have major gaps or deficiencies, resulting in recovery failure when a crisis occurs. There are several frequently overlooked components of a business continuity plan:
- The business impact analyses and risk assessment are not reviewed and updated.
- Recovery sites do not reflect changes in the organization or technology configurations.
- Personnel changes are not reflected in recovery team assignments.
- New IT applications with recovery time objectives are missing or incorrect.
- Key vendors are not included in the plan.
- Plan testing is lacking.
A DR/BCP will not prevent a disaster, but it certainly can lessen the negative effects. The plan will enhance your company’s image with employees, stockholders and customers by demonstrating a proactive attitude. Additional benefits of DR/BCP planning include:
- Improved processes
- Improved technology
- Fewer disruptions
- Higher quality services
- Competitive advantages
- Compliance with government standards and regulations
For more information on DR/BCP planning, contact your BKD information technology or risk services advisors.