Disasters will happen. It is not a matter of if. It is a matter of when. You cannot avoid disasters, but you can plan for them and mitigate against the impact.
With a proper Disaster Recovery Plan and a Business Continuity Plan, you can avoid some disasters and almost completely mitigate against the others.
What’s your excuse? ‘Prayer!’ In the many years that I have been developing and implementing Disaster Recovery and Business Continuity Plans, the number one answer to the question “What is your Disaster Recovery Plan?” is ‘Prayer’ followed closely by ‘Hope’ and ‘We don’t have one.’ Even for those companies that have a Disaster Recovery Plan (DPR) in place, that plan is usually five plus years old.
Does any of this sound familiar? If so, or if you have not reviewed or tested your current Disaster Recovery Plan in the last year, then you might find these comments worthwhile.
What would constitute a disaster for your company? Total loss of your building? All data locked by Ransomware? The loss of a single key employee? Or, just a single application that is simply gone--for example, your ERP or CRM? How long can your company go without access to its data or applications? How much would it cost in lost revenue each day that you are closed?
According to the Federal Emergency Management Agency (FEMA), 40% of businesses fail to reopen after a disaster. (Federal Emergency Management Agency, The National Flood Insurance Program. See fema.gov/protecting-your-businesses. Last Accessed July 13, 2017.)
Steps to take
Here are some steps to keeping the doors open during a disaster.
Evaluate your risks Determine the impact from potential risks such as fire, tornado, Ransomware, or a disgruntled employee. Look at the impact of the domino effect and assign a dollar figure to each impact. In particular, the impact on IT with hardware, software, applications, email, to even payroll will need to be evaluated.
Mitigate your Risks How can you mitigate or eliminate the impact? In many cases, you cannot avoid the risk but you can plan in a way that the risk does not produce an impact or can be minimized. Backup your data and store it offsite. Put redundancies in place for equipment, storage, and employees. Detail your assets, contracts, processes, proprietary information, contact lists, and store in a secure location. Do not wait until after the disaster to determine what vendors you will use or where you can physically setup shop. Do it now!
Develop the Disaster Recovery Plan Write the plan! Review the plan by walking through the processes step-by-step. Update it often.
Implement the Disaster Recovery Plan Developing a plan is not enough to protect your assets. A nice, pretty document on the shelf does not do you any good unless you implement the plan. Require key individuals to put the plan into practice and, in the process, you may find some business processes that can be streamlined.
Test the Disaster Recovery Plan Having a plan is not enough. Implementation will include testing your plan. This is critical and shows the effectiveness as well as exposes potential weaknesses. Verify backups and that redundancies are in place.
Update the Disaster Recovery Plan Your business changes all the time. Your DRP should change as well. Review your plan on a set schedule and update it.
Test the Disaster Recovery Plan Was this said already? It cannot be stressed enough to TEST, TEST, TEST!
Even with a proper DRP your business will still have the impact of time. How long will the recovery process be? From construction to ordering new equipment or even waiting for utilities to be restored to a functional level. “My data is backed-up and verified” is wonderful news, but now you need to order new servers and decide where they will be located, which can take a week or more just for delivery. What will or can your company do in the meantime? How long can you go with your doors closed?
Determine the bare minimums that are needed for your company to function and put in place the measures to assure that you have those essential items available from servers to license keys, forms of communication, and even backup personnel. Develop partner agreements, establish good vendor relationships and proper communication channels and put them in place before you need them.
Final Advice If you and your staff do not have the time or resources to properly develop, implement, and test a plan, then seek out a firm that can do it for you.