This is part 3 of our 6-part series aimed at helping you stabilize your business. In this post, we focus on Business Continuity.
When disaster strikes, what’s the plan?
In studies conducted by iLand, only 54% of medium-sized businesses have a company-wide disaster recovery plan in place. That figure is abysmal given that, according to FEMA (Forbes, Oct 2021), an estimated 40% of Small and Medium-sized Businesses (SMBs) never reopen after a disaster event, and an additional 25% reopen but fail within one year.
Why lead our blog post with these metrics?
Because they speak to the reality that businesses, from startups to medium-sized organizations, are often woefully unprepared should a disaster strike. In conversations with customers and partners, we realized that there are a few common reasons for this.
The first common scenario belongs to the group of people who believe that they are prepared for disaster events because they have some things in place to recover. However, they have not had a proper business continuity assessment completed to outline where their gaps reside. In particular, they have not verified whether the promised recovery times and the actual recovery times meet the business’s recovery objectives.
The next common scenario belongs to the group that thinks having a business continuity assessment and putting the necessary improvements in place simply costs too much. However, without a proper assessment, it’s difficult to understand the potential revenue and reputational loss that occurs due to a disaster event.
Then there is the last scenario which belongs to the group who simply believe that the potential for a disaster event is so incredibly low that it is essentially impossible. Therefore any investments in disaster recovery or business continuity assessment would not make financial sense for their business.
Each of these three common scenarios is what keeps us up at night as consultants who love to help companies prepare for disaster events to protect their business.
What is Disaster Recovery?
Disaster recovery is a subset of business continuity that focuses specifically on the measures taken to restore systems, processes, and infrastructure after a disaster or other major disruption takes place. Disaster recovery plans outline the steps, communication actions, and protocols to follow as required to recover from a disaster to get back to normal operations as quickly as possible. This includes measures such as restoring data from backups, setting up temporary locations or systems, and coordinating with outside organizations or vendors to provide assistance.
The goal of disaster recovery is to minimize the impact of a disaster on the business and its customers, both by limiting the disruption with redundant systems and by resuming critical operations through restoring systems to a working state.
How do I prepare for a disaster?
To meet the bare minimum of preparing for a disaster, you should perform the following high-level steps:
- Perform a business continuity assessment
- Perform a business impact analysis
- Prepare a disaster recovery plan
Don’t be fooled by the short list above. Each one of these steps can be fairly time-consuming. However, we will share some insight on how you can focus and cut down on time to achieve your initial goal of preparing for a disaster scenario.
Quick Tip: If you are a small business with most or all of your tools or solutions in the cloud, you will have very little control over some of the practices mentioned in this article. However, as part of your due diligence, you should contact your vendors to understand what their processes and SLAs are for these practices.
Perform a Business Continuity Assessment
Identify the functions that are critical to the delivery of services to your customers and the market.
You will want to go end to end within the business and map out which people perform which processes and which technologies they utilize to deliver. Consider the many dependencies that may exist, such as supply chain operations, support functions, ancillary processing operations, and essential functions tied to SLAs or contractual obligations.
Cut the line
In order to streamline your Business Continuity Assessment (BCA), focus only on the most critical areas of your business. All of the areas of your business are critical, and that is why they exist, so instead, focus on the value chain. The value chain is the chain of people, processes, and technology that directly deliver revenue to the company. Ensuring those resources can continue to work in the event of a disaster will be the most crucial component.
As an example, maybe the product you sell is sold on your website. You will want to focus on the website as the main hub of the continuity assessment. Or, if your salespeople sell using a CRM system, you guessed it: that becomes the hub of your assessment.
Perform a Business Impact Analysis
A Business Impact Analysis (BIA) analyzes the potential impact of a disruption to the critical systems identified in the BCA. The BIA focuses on the potential impact of a disaster and measures it against the likelihood of it happening.
Two very important things will come out of the BIA. The first is deciding on two major factors for your critical systems: RPO and RTO.
RPO – Restore Point Objective
The restore point objective defines how far back you can go to retrieve data for a system before it becomes detrimental to the business. Ideally, you would want to keep all of your data up to date during a disaster and not have to go back at all. Solutions like this exist but quickly become exponentially more expensive. The goal is to achieve a balance between reducing downtime and the operating cost of the solution that does so.
RTO – Restore Time Objective
The restore time objective defines how quickly you need to restore your systems before the interruption becomes too much for the business to bear and recover from. This is typically defined by the SLAs you have with your customers, which commit you to delivering within a specific amount of time, or by the time it takes for a customer to switch to a competitor.
As an example, if you provide grocery ordering and delivery services and customers see your service is offline, it would most likely take only a few hours for them to switch to a competitor to get their groceries.
Cut the line
When performing a business impact analysis, we will reiterate the same advice as for the Business Continuity Assessment: focus on what matters. Spend time only on the disasters that are likely and that pose the largest impact. If you are in an area where tornadoes, power outages, or tsunamis are not a threat, don’t spend time planning for those risks. Likewise, if some people, processes, and technology already have recovery options that meet your needs, don’t spend resources improving those ahead of the ones that do not meet the recovery needs.
Prepare a Disaster Recovery Plan
And that brings us to the coup de grace, a Disaster Recovery Plan (DRP). This plan will be a culmination of what to do when a disaster event happens. It can be broken down by disaster scenario, value chain impact event, or interruption to a specific system or service.
It will also contain roles and responsibilities of who does what in such an event, the people to contact, the process for contacting them, and timelines for objectives to return to a critical operating state.
But Wait, There’s More.
Once you have your disaster recovery plan, you aren’t yet finished. You will want to do a few more things before you can rest easy.
Testing and Maintenance
In order to make sure your disaster recovery plan works, you will want to test it out. Ensure you regularly run tests on your disaster recovery systems and plans and measure the RPO and RTO. If your systems are too sensitive or you don’t have the resources to perform actual DR tests, at least run mock scenarios in which you create a scenario and ensure everyone knows what to do and how to respond.
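One way to score a DR test against the objectives set in the BIA, as an added example that is not StrataNorth's own tooling. The system names, the log format, the timestamps and the objective values are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: BIA objectives for three hypothetical critical systems.
OBJECTIVES = {
    "web-store": {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "crm": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "payments": {"rpo": timedelta(minutes=15), "rto": timedelta(hours=2)},
}
# Constructed DR test log, one "<system> <event> <timestamp>" record per line.
DRILL_LOG = """\
web-store backup 2024-03-02T08:00
web-store backup 2024-03-02T09:00
web-store outage 2024-03-02T09:40
web-store restored 2024-03-02T15:10
crm backup 2024-03-01T22:00
crm outage 2024-03-02T09:40
crm backup 2024-03-02T10:00
crm restored 2024-03-02T13:00
"""

def parse_drill_log(text):
    """Group (event, timestamp) pairs by system name."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            system, kind, stamp = line.split()
            events.setdefault(system, []).append((kind, datetime.fromisoformat(stamp)))
    return events

def evaluate(events, objectives):
    """Compare the RPO/RTO measured in the test with each system's objectives."""
    report = {}
    for system, target in objectives.items():
        recs = events.get(system, [])
        outage = next((t for k, t in recs if k == "outage"), None)
        restored = next((t for k, t in recs if k == "restored"), None)
        # Only backups taken before the failure can be restored from.
        usable = [t for k, t in recs if k == "backup" and outage and t <= outage]
        if outage is None or restored is None or not usable:
            report[system] = {"status": "UNTESTED"}  # no evidence either way
            continue
        actual = {"rpo": outage - max(usable), "rto": restored - outage}
        gaps = [name for name in ("rpo", "rto") if actual[name] > target[name]]
        report[system] = {"status": "GAP" if gaps else "MET", "gaps": gaps, **actual}
    return report

if __name__ == "__main__":
    for system, result in evaluate(parse_drill_log(DRILL_LOG), OBJECTIVES).items():
        print(system, result)
```

A system that has objectives but no test records is reported as UNTESTED rather than MET, which is the first scenario described earlier: recovery measures exist, but nobody has checked them against the objectives.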
Also, as your business changes, be sure to update your disaster recovery plan so that it remains effective. There is no sense in having a plan with outdated systems, contacts, and services. Be sure to have at least an annual process to update the plan. Better yet, make it part of your change process. When changes to systems are made, ensure they do not impact the DRP.
Perform a Post-Mortem
If a disaster does unfortunately strike, it is absolutely critical that a post-mortem review is conducted. This review will allow you to identify why the disaster happened and what resources or investments could be leveraged to prevent or lessen the disaster in the future. After that is identified, you guessed it again, update your DRP.
Wrap up.
As you can see, performing the above tasks can seem a bit daunting. However, we promise that the exercise is well worth it to avoid the pain and embarrassment of enduring a disaster to your business. Or worse yet, not enduring it. You can always start small and move incrementally. Getting something done is better than never starting.
How StrataNorth can help.
Are you thinking about investing in the stabilization of your small or mid-sized business? Do you need help creating a Disaster Recovery Plan? Let us help you. If you are ready to transform your business’s operational efficiency and are looking for experts to guide you, StrataNorth has Security and Technology consultants with decades of experience. We can help you reach Operational Stability and help establish a Disaster Recovery Plan. Reach out for a no-cost, no-obligation chat with an IT Consultant or Security expert today.