The other day my Financial Advisor asked me about getting life insurance through him. I politely declined as I already have it, but after digging a bit deeper he informed me that it might not be enough to take care of my loved ones if I were to pass on. Since our meeting I was thinking of the similarities between life insurance and Business Continuity Plans, and how some believe that since nothing’s happened to them yet, there is no need for action.
Too often when speaking with IT decision makers do I hear there is no budget in place for a Business Continuity Plan, or at least not a sufficient budget. Many businesses do incremental backups and monthly backups to disc/tape drives which go home with an employee at the end of the work day, so that the data will at least go off site… but what happens if that person were to be robbed at home, or worse, dies?
It is these sorts of Business Continuity Plans (BCPs) 
that are not planning for disaster – they are done simply because we feel we ought to have some back ups done. In the event of a real disaster, is there a written plan in place for all that would be involved in getting the business back to normal? It’s imperative to have a written BCP and to have it in a safe place where all parties involved will know where to access it. The toughest part for IT decision makers might be persuading your Executive team to approve the upgraded plan – here are a few ideas to include when writing out a proper Business Continuity Plan:
What will it cost if we don’t have a proper BCP?
The business impact is the best place to start with this one. How many man hours will be needed to fully restore your IT environment if shit were to hit the fan? How many days would it take to get back to normal? Based on this number of days, what would be the amount of revenue lost? Usually when these numbers are crunched, the lost revenues far outweigh the costs of implementing a solid BCP. By the way, if a business can’t get it’s mission-critical systems up and running within a 48 hour period, the risk of bankruptcy increases dramatically – this will grab the attention of your Executive team.
Know the recovery plans in place today.
As said earlier, the existing plan could be enough to ensure data isn’t lost, but when we’re talking about a massive disaster, where will the data reside? Usually there is room for improvement on the existing BCP so review this before rewriting it altogether. Being available and being recoverable are two different things when referring to returning to operations.
Know which types of disasters your BCP currently protects you against.
This man used to work with you. NOW look at him!
Again, as said earlier a lot of plans will cover a server failure or data corruption, but not a full data environment failure. Weather-related disasters (hurricanes, earthquakes, etc.), environmental-related disasters (fires, chemical spills, etc.), or human-related disasters (viruses, psychos with hammers, etc.) are all important to cover when writing out the plan. These larger-scale disasters are a more difficult sell to the Executive team since they are less likely to occur, but are that much more important to recover swiftly from in the event any were to happen.
Know the risks associated to specific disasters.
Ok, so maybe businesses in the Pacific Northwest won’t have to worry about hurricanes anytime soon. Nevertheless, it’s important to assess the likelihood of potential disasters when writing the plan so your Executive team can assess why the extra money needs to be spent to have a proper BCP in place. If the business is located along a highway, is there a possibility semi trucks could crash into or near your building, causing problems? Are you located along a body of water that could be susceptible to flooding in the Spring if the snowpack melts too quickly?
Know who is involved in the Disaster Recovery process.
Depending on the size of the organization, there may be a whole team of people involved in getting business back to normal. Included in the written plan should be all parties involved and each should know the plan inside-out so there is no miscommunication, in order to prevent delays in returning to business as usual.
Remember, the goal of the plan is to never have to use it – kind of like life insurance. But stranger things have happened, so why not take care of this before a disaster occurs?
Now if I could only remember where I put my Financial Advisor’s business card…
