In today’s well-connected world, the fight for market share is intense. For many businesses, a few minutes of downtime can lead to lost revenue. Imagine the financial consequences of a fully fledged disaster that can last hours or days or in some case rather rare cases even longer. A well thought out Business Continuity/ Disaster Recovery (BCDR) plan is an imperative for any business that wants to ensure survival post disaster.
A well planned and drafted Business Continuity and Disaster Recovery (BCDR) plan requires input from several aspects of the business. These inputs define the contours of the businesses activities and the relative importance of each activity. However, two very important parameters for business continuity, that have to be defined upfront are Recovery Time Objective [RTO] and Recovery Point Objective [RPO].
Recovery Time Objective [RTO]
The recovery time objective is defined as the period for which the business can be out of operation without significant risks or losses. After careful analysis, managers should arrive at the maximum duration for which systems can be down. This is the Recovery Time Objective. Performance to meet RTO objectives requires adequate resources are available. The resources required should be carefully determined and management must commit to this.
The RTO clock should start from the time the recovery processes is set in motion. When the service is back online, DR Managers should analyze the time taken against the recovery time objective and see if the recovery period was less than the goal. In case recovery took a longer period, a detailed analysis of all procedures and systems should be undertaken, to improve RTO performance. This ensures future disruptions are less painful.
Recovery Point Objectives [RPO]
The recovery point objective can be defined as the maximum acceptable data loss measured over time. This relates to the backup storage which is required to resume normal operations in the event of a system failure.
To get a clear idea of this concept, it is best to look at a practical example. If the RPO of a business is set at one hour, then back up of data must be done every hour. The RPO is completely independent of the RTO. The RTO and RPO are the two basic parameters, among others, that enable managers to draft a suitable disaster recovery plan for business continuity.
Once the RTO and RPO parameters have been determined, other parts of the disaster recovery plan can be put together. The other aspects of the disaster recovery plan business continuity are:
- Identify all the internal key personnel without whom the business cannot function. Though this list can have as many names that are essential, it should be kept to the minimum. Critical functions and contact information must be identified and recorded. Alternate methods of communication should also be in place.
- While stop gap measures can be introduced so that key personnel work from home, for longer periods of time, alternate locations should be identified as a part of the planning process.
- A contact list of critical vendors, contractors and suppliers should be made. The contact information should also be a part of the disaster recovery plan. In addition to these people, a list others such as attorneys, bankers, IT consultants, utility companies, police, fire, water, hospitals etc., who may be needed for the operational issues, should also be available.
- Critical equipment, models, vendors etc should be identified and listed as a part of the plan. For example, some businesses depend heavily on fax machines for others it may be tailor-made specialized software. Alternates for critical equipment and software are absolutely essential for business continuity.
- Identify all critical documents such as legal papers, articles of incorporation, utility bills, banking information, lease papers, tax returns, critical HR papers etc. Copies of this must be available so as to restart the business.
- Make a list of other contingency equipment required. The list should show where items such as vehicles, computers, fax machines, printers etc. can be sourced in the event of a total loss of facility.
- A contingency operational location should be identified in the event of a total facility loss. Business operations can be resumed from the contingency location. It could be from a hotel, a vendor’s office etc. The contingency location should be clearly identified in the business continuity plan and should be known to all personnel.
- A responsibilities grid should be drawn up. Each responsibility should be listed and assigned to a person and an alternate. The plan should include detailed step-by-step instructions listing out who should do it, how should it be done.
Once all the parts that form the disaster recovery plan for business continuity have been determined, it should be put together in a cogent and easy to understand manner. Since it is a reference document of vital importance numerous copies should be available preferably to all employees. All key personnel should have an up to date copy at all times. Extra copies could be stored in off-site locations, homes of critical personal and also in a safety deposit box. However, a far more efficient method is to use a cloud based automated system such as the one developed by www.disasterrecovery.org.
It is imperative that everyone in the company knows relevant parts of the business continuity plan. Hold training classes for all employees, without exception, and make these classes mandatory. This will ensure that in the event of a disaster, everyone knows what is to be done. The plan should be thoroughly tested to see if it works properly. Conduct mock drills and see if any parts of the plan need fine tuning.
As the saying goes – nothing goes exactly according to plan and the smart planners know how to develop a flexible plan that adapts to different situations.