Recently, the Northeast was battered by rain from two separate storm systems: Henri and Ida. Both systems brought tropical level downpours and flooding to the area, with Ida hitting particularly hard. The impact of these storms left many companies throughout the region unable to operate because their physical locations were inaccessible. These natural disasters, however, are not the only events that can render physical locations unsafe to enter. Events such as fire, chemical spills, downed power lines – and even a pandemic – can cause you to lose access to your primary place of business.
The recent storms and the continuation of the COVID-19 pandemic highlight the need for Business Continuity Management (BCM).
Two-pronged BSM Strategy
BCM has two parts: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Though they may sound the same, BCP and DRP are different activities. DRP is the planning process laying out the steps for your company to get from a disaster event back to normal operations. BCP are the plans your company puts into place to ensure that as much of your regular business as possible can take place while the disaster plan is put into action or until the business interruption has passed. Having this two-pronged BCM strategy allows your company to focus on your employees and continue revenue generating activities while working towards resuming normal operations.
The first step of BCM comes from knowing where your company currently stands regarding its assets and processes and its ability to cope with a disaster or business interruption. This step can be accomplished by following a series of guides, templates, or self-assessments. The end goal is to have a thorough understanding of the state and scope of everything your business owns. With this information in hand, you can begin to answer some difficult questions. Mainly, you need to know how long your business could withstand an interruption to operations without suffering fatal financial distress. You also need to know how much data your company could afford to lose. Though you might be tempted to answer that your business can never afford downtime or data loss, the self-assessment from step one should allow you to answer this question with both honesty and confidence.
Estimating recovery time and objectives
Your answers to the above questions will be used to develop your firm’s Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO represents the maximum amount of time your company can have its operations interrupted and still stay in business. Firms can measure RTO in months, weeks, days, or even minutes and seconds. RPO measures the amount of data or input your company can lose while still maintaining business operations. RPO will be measured in whatever input data your company uses to generate revenue.
However you measure these factors, remember that the closer to the time of interruption your RTO and RPO are, the more costly it will be for you to implement your disaster and business recovery plans. Therefore, it is important to make these decisions as honestly as possible with the most up-to-date information you can gather.
With an accurate RPO and RTO in hand, you can begin to plan out the steps for your disaster and business recovery plans. Many BCM elements overlap with each other, such as the use of backups, alternative worksites and data centers, and equipment procurement. For example, you may decide that for better remote capabilities, you will move your primary operating applications into a Software as a Service (SaaS) cloud environment such as Microsoft Office 365 and Microsoft Azure. This can offer more robust remote capabilities and could provide cornerstones for your BCP and DRP. In any case, you will have to decide how you will spend your available resources.
Disasters and interruptions
Throughout this article, we have considered BCP and DRP as two separate items, though there may be some overlap in the assets used in each plan’s execution. This is because while all disasters cause an interruption, not every interruption is a disaster.
For instance, compare the impacts of the COVID-19 pandemic and the Ida storm system. Both caused major business interruptions, but only Hurricane Ida caused significant physical damage to primary business facilities, disrupting a company’s ability to operate. At the outbreak of COVID-19, businesses were affected by the sudden need to work remotely, however, no physical assets were lost, no buildings were damaged, and power was maintained. Thus, most businesses were quickly able to pivot from in-person to remote work with a few key investments in mobile equipment (e.g., laptops, mobile phones, or VPNs) and by purchasing SaaS services such as Microsoft 365. In the case of COVID-19, your business did not need a Disaster Recovery Plan. Instead, you needed to use your Business Continuity Plan to shift operations.
Be smart: plan ahead
This brings us to our final point: you need to have these plans in place before disaster strikes or an interruption happens. To facilitate an efficient and cost-effective return to normal operations, your BCP and DRP must be specifically detailed, updated in a consistent manner, and executable in short order after an event. This is something that cannot and should not be done after an event has occurred. Trying to plan your recovery in real time while an event is happening will prevent you from an orderly recovery that focuses on your team and your clients. A lack of proper planning and testing may lead to longer downtime, increased expenses, and perhaps the permanent closure of your business.
Business Continuity Management has been around for a long time. However, new technologies and the expectations of an ‘always connected’ world have changed the requirements of what an effective BCM plan looks like. Your plan must be ready to handle minor and major interruptions at the same time. Depending on RTO and RPO requirements, your business model may not allow for much downtime.
Get assistance with business continuity management
Setting up BCM can be a complex process. Not sure where to start? Reach out to us today to start the conversation. NOW is the time to create your business and disaster recovery plans before disaster hits.
About the Author
Joshua Silberman, CISSP, CCSP, CISA, is a cybersecurity leader responsible for the direction, design, and development of cloud transformation and cybersecurity at Infoaxis. Reach Joshua at 201.236.3000 or firstname.lastname@example.org.