Is your business protected with a BCP/DRP?
A sound Business Continuity Plan (BPC), should be part of any business and this plan should be known and tested with the key stakeholders knowing their part in this crucial process. The larger and more complex the business the more complex the BCP tends to be, often with the Disaster Recovery Plan (DRP), being handled as a separate process. A working BCP/DRP is critical for any business as studies have shown that a business that suffers a disaster without a solid, working BCP/DRP is almost guaranteed to cease trading as a result.
The DRP focuses on the recovery of systems and data and usually lives with the IT department or organisation, while the BCP’s focus is on people and processes and belongs with the management team. Small to medium businesses will combine the BCP and DRP as the systems are usually not complex enough to separate them, allowing a more streamlined approach to process.
Do you have a BCP?
Firstly start by asking yourself if you have a plan. If the business location burnt down tonight, how would you continue to operate the business?
Where would you operate from?
How do you and your employees access your business information and system in order to continue to operate, pay bills and of course pay your employees?
A small business of a couple of staff members may have backups of their business data at home and will be able to operate out of their own homes during the recovery of the physical site. However the more complex the business system the more complex and time consuming the recovery process.
Do you know the plan will work?
Remember you are betting the business on the plan you have in place, so you need to know that your plan will work. This is not just the technical side of recovery of data and systems but who needs to be where, what they are doing and who they need to be working with.
Have you tested the recovery of systems and data and that you can access them? This sounds so simple but every time you patch, update or add new systems, you need to update your plan(s) to include these changes and you need to test that the plan still works.
Does your team know what to do and those that are in charge of various business processes, know who to contact during these events? As staff join and leave an organisation the impact on the BCP/DRP needs to be considered. It’s recommended that staff names are not referred to in the plan, instead refer to the relevant position or title. This is another checkpoint when reviewing the plan(s), to ensure that a position hasn’t been made redundant but is still referred to in the plan.
I recommend you annually test your BCP/DRP to ensure you are aware of changes and know that these plans will work in the event you need to do so.
My business is in the Cloud, so I’m covered, right?
Having your business systems working in the cloud does provide a level of comfort, however, don’t assume that you system is fully protected. I’ve sat in business discussions with Data Centre people discussing the new virtual structure for a business. I’ve heard the Data Centre ask if the customer wanted to include (optionally), Disaster Recovery as part of the solution. If you have assumed just because your servers are in the cloud, your servers are covered in the event of a disaster, best check your agreements. Check to see what is and is not included in your agreement, as sometimes it’s not as comprehensive as you might think. Ask your Data Centre providers if they can explain, in the event of a disaster, what happens to your systems, including timeframes. In doing this, I’ve discovered some will only recovery the base Virtual Operating systems and assume the business will recover their own environment. Some will not include coverage if their own site is compromised unless you pay extra for it.
What does your SLA state and is this enough for your business to survive?
It’s important for any business to know how they manage a disaster and can confidently say to customers, stakeholders, shareholders and most importantly to yourself that your business is safe and will continue to operate. Being offline for a day or so for some businesses is enough to cause irreparable damage, for others, hours matter in the eyes of their customers and competitors.
If you are no longer sure your business is safe in the event of a disaster, I recommend you speak to your IT staff or service provider. If the answer you get isn’t completely reassuring, please contact Nixon Technology to see how we can help you