The 4 C’s of Business Continuity Planning

If you have or run a business, then you have had those nights of no sleep, as you worry about ‘What if’. Every business owner has had these worries. Ranging from ‘What if the weather guy is wrong and we are hit with a blizzard?’ to ‘Fred is my strongest employee. What would we do, if he decided to retire, tomorrow?’ These are the questions that we need Business Continuity Plans for. A Business Continuity Plan (BCP) is a plan put in place to account for emergencies and situation that impact normal operations. When in the middle of a crisis, we can not think clearly, because everything is an emergency and demands our full attention at the same time 20 other things need our full attention. A BCP is thought out and documented while our minds are clear and unencumbered with demands. We can plan for most everything and a BCP is not chiseled into granite, but covers a majority of the issues that will arise. When you start to create your BCP, consider these 4-C’s.

Communication with Employees

Communication with your employees during a disaster ensures they are safe and not taking unnecessary risks. Communicating with your employees also helps ensure they have the critical information they need to survive the disaster, both for themselves and for the business.

E-mail is the easiest way to communicate with a large group of people, quickly, but if the company’s e-mail server is down, then you are out of luck. If you are using a hosted Exchange server for your e-mail, then you will probably be covered … if you have Internet access.

The next best alternative is the tried, tested and true ‘Phone Tree’. A Phone Tree works very simply. The primary decision maker (You) decides to activate the tree and call a specific number of people, such as your department heads. These people then call their managers, who in turn call their staff members. If they have large teams, then maybe they will call only two or three, who will call two or three others, each. Before long, the entire organization has been notified of the implementation of the emergency plan. Before there was internet, schools used to use the Phone Tree to notify parents and students of school closings and delays with great efficiency.

There is one grossly negligent issue with the above scenario. It relies on only one person being the decision maker. If you, as the sole decision maker are unavailable, then your business and staff are put in danger and at risk. Have clearly defined conditions when and where a subordinate may initiate the emergency plan without your direction.

Customers need to be in the Loop, too

Relationships with our customers is critical to ongoing business. With this in mind, it is critical to craft a plan for distributing information to our customers, both during and following a disaster event. The scope of your customer communications plan will vary widely depending upon the kind and severity of the disaster and the nature of your business.

Realistically, not every hiccup in operations warrants reaching out to your customer base. However, if an event occurs that is likely to impact the, it is critical to communicate the details of the issue to them and to explain the steps being taken to mitigate that impact. This may mean calls from sales staff to explain a delay in delivery or posting on websites and social media the extent of the emergency and what is being done to get back to business as quickly as possible. Failing to deliver this simple, but critical, communication can have a very negative impact on your reputation with not only your clients, but also the potential clients they could refer.

Computer Uptime and Access

Not long ago, Disaster Recovery Plans included full and incremental backup tapes shipped offsite to either a secondary site or to a tape vaulting facility (Remember Iron Mountain?). Though this may still work for many businesses, it just is not fast enough, for the majority of businesses. Disaster Recovery from offsite tapes can be painfully slow. First, the tapes must be retrieved from the offsite location. Then there is slow, like watching grass grow or paint dry, process of ingesting your data into the server. More downtime as you and your team are struggling to return to as close to normal operations as possible.

When creating an IT Disaster Recovery Plan, not understanding Recovery Time Objective, Recovery Point Objective and the relationship between the two is a recipe for failure. Recovery Point Objective (RPO) is the minimal data restore point that means the organization can be functional. Recovery Time Objective (RTO) is the amount of time it will take to reach the RPO. The delay in getting tapes FROM the vaulting facility is critical to reaching the RPO. Depending upon the disaster, getting those tapes may be delayed hours, or even days.

So, rather than putting this critical data into the hands of a potentially affected or distant vaulting facility, you may decide to replicate your data to online resources or to an alternative location, sometimes known as the Backup Office. Historically, this approach requires a massive investment in hardware, because it requires two sets of identical servers and services. One at each location. Remote replication allows users to fail over to the backup site, which improves RTO, but is usually out of reach of most businesses, financially.

For small businesses, a more balanced approach to Disaster Recovery is the only real solution. To define the value of a good Disaster Recovery plan, let’s run a few numbers. To start, let’s consider your business has only 10 employees and on a typical day, the average hourly revenue produced by those 10 people is $150 per hour. In order to perform daily tasks, employees need access to e-mail, a large database and a variety of file-based data. Let’s assume the total data size is 1 TB. Let’s also assume an on-site incremental backup is performed every day at 8PM with a copy of that incremental backup sent to a cloud storage service.

Given these parameters, a full restore from the local backup would take roughly 8 hours. That is ($150 per hr * 8 hrs) $1200 in lost revenue. To restore that same data from the cloud storage service will take closer to 3 days. A lost revenue of ($150 per hr * 8 hrs * 3 days) $3600. Not to mention the costs to the business for the staff who are unable to actually work, or their personal issue, because the business is closed for the duration of the recovery.

These numbers will vary greatly, depending upon the business and operational requirements. But this example clearly demonstrates the impact of not being able to continue operations, even at half speed, while recovery was in progress.

Today’s modern businesses move at the speed of their data.

Continuity of Business

Application downtime is, of course, just one factor that can impact your business success. We are lucky if it only impacts our bottom line, rather than our success. There exists a broad spectrum of options on keeping your business fluid and data accessible, depending upon the size and type of organization. Below are a variety of examples that apply to many businesses.

Training – Every business must identify employees who will be critical to the recovery process. Executives, managers and IT staff are immediately recognized as being critical. Depending upon the structure of your business, you will need to define roles and responsibilities that support the business continuity effort. Cross training staff to handle multiple essential tasks is essential, in the event a critical employee is unavailable.

Facilities – A critical evaluation of the facility your business operates in will help define what is needed to increase chances of successfully surviving a business continuity challenge. A few questions to include in that critical evaluation are:

  • Is there an alarm/intercom system in place to notify staff of an emergency?
  • Are servers and other critical equipment protected by battery backups for power?
  • Is there a sufficient fire suppression systems available?
  • What protection is in place for surge protection?
  • Are there generators available that will power essential equipment?

Dependencies – Inside and outside of your business there are dependencies. For example, if your business is a print shop. You will source toner for the copiers from one vendor. Ink from another vendor and the paper you print on, from yet a third vendor. A flood two states away could close your paper vendor. Having a list of alternative vendors who can deliver the raw materials needed, is a part of a good BCP. And is considerably less expensive and less risky than having to stock pile large volumes of these same raw products.

Insurance – Insurance is an important factor in your recovery effort. Warehouses of raw components and finished products awaiting distribution lost would be a massive and severely impactful loss. Having documentation that includes the correct policies, contact numbers, names and policy numbers would be a critical component of any BCP.

All of the above are just components of a complex solution to help your organization weather a disaster that impacts your ability to stay in business. Indy’s I.T. Department has created multiple Disaster Recovery and Business Continuity Plans that covered events such as the y2k bug that never manifested, California Earthquakes in Silicon Valley and natural/weather disasters in Oklahoma. Give us a call, today at 317-560-4443, to get us started on building your Disaster Recovery and Business Continuity Plans. Call us, before the disaster hits.

About the Author:

Leave A Comment