How Disaster-ready is Your Organization?

Good news handshake in the office

The recent plane crash into the Austin IRS building and the data loss incident at Scientific Investigation and Instruction Institute which is housed in the building (story featured in Austin Business Journal, March 1, 2010) proves that any business can be vulnerable to a disaster.   Man-made disasters (i.e., plane crash, fire, electricity failure, terrorism, pandemic) as well as a myriad of natural disasters (i.e., tornado, hurricane, flood, etc.) can render an organization susceptible to serious consequences.   Business executives should ask, “Do we have processes in place to continue business during and following such an event?” Most business owners focus their attention on generating more revenue and acquiring new customers – which is only logical, but what about saving and protecting what you have already acquired? Can you really sustain your business if you lose communication with your customers and vendors? How long are customers willing to wait for a business to restore their operations before they seek out their competition for services or products they offer? These are pretty serious issues considering the volatile and competitive market. Planning ahead can help organizations reduce the impact of the risks arising from unforeseen events to an insignificant level – this is what Business Continuity and Disaster Recovery Planning is all about.

Many executives believe that the responsibility associated with the continuity of operations lies within the Information Technology department (IT). What they fail to acknowledge is that IT is not the owner of the business processes. IT has the knowledge and capability to execute the technical aspect of restoring the IT operations but the business process owners are responsible for identifying and prioritizing the business need. This gap in communication and understanding was evident when we reviewed a few of our clients existing Business Continuity Plans (BCP). In most cases the plan was put together by IT or by a pre-packaged solution without any direct involvement of the business process owners. As a result even though the plan was not aligned with the business need, it provided the executives a false sense of security that they have a working process in place.

Since having a plan put together by IT or an off-the-shelf solution is not enough, the question becomes how does one design an effective BCP? Here are a few things that are crucial for an effective business continuity plan:

Top Down Involvement: Management and business process owners must understand the importance of a BCP and drive it from the top. They must be involved in the process of BCP creation, provide prioritization of critical business components and be the process owners of the plan. For example, if the BCP and Disaster Recovery plan is designed by IT, they may have difficulty justifying the cost involved in implementing a successful program but if management drives the process then they can justify the cost by calculating “the cost of downtime” for each business unit.  As such, management involvement is necessary to build a successful ongoing program, communicate program expectations and measure performance.

Develop an Actionable and Practical Plan: Any plan is worthless if it is not actionable and practical. During review of a Disaster Recovery Plan for a large financial institution, we discovered that the client had shelves of binders for BCP and Disaster Recovery but the information in those binders was not really practical during a real disaster. We also found that the employees shied away from the plans due to the enormity of the information it presented. It may be important to have scenarios for every possible type of disaster but the most important thing to realize is that in the event of a “true” disaster are you really going to flip through the big binders to find a solution?  Probably not.  We use this reference to emphasize that when designing a plan it is very important to understand that the plan needs to be straightforward, precise and practical in order to engage the employees and get them involved in the process. For example, an actionable and practical plan provides employees clear direction on their safety and provides instructions on how to report during a disaster. It incorporates strategies for moving critical operations offsite to a hot or warm site location, routing communication and computer operations to a pre-determined alternate location.  By looking at your plan if you feel that it does not address the issues listed above, then it may be time to revisit your plan.

Communication: The BCP and Disaster Recovery plan should be set up so that critical communication is made to all individuals who do business with the company (employees, customers, vendors, etc.) When a disaster strikes, the BCP will have a ‘BCP Team’ tasked with performing specific functions to set up operation in a post-mortem environment.

Test and Maintain: Once you have an actionable and practical plan it is very important to test it at least on an annual basis. Testing will identify any gaps that you may have and help you refine your plan to accommodate your findings. Also, as you test your plan you can update and maintain it to reflect the most up to date information. For example, preparing meaningful test scenarios and defining success criteria will allow staging a successful execution of the BCP and Disaster Recovery plan. It will also provide lessons learned during the test and help develop pre and post test action plans to fill the gaps, prioritize organizational issues and plan improvements to your business continuity program.

Business Continuity and Disaster Recovery Planning is something that most businesses put on the back burner. Most large organizations have multiple locations and as such a cushion for disaster tolerance is already built in. For small to medium businesses that may not always be the case. A little preparation beforehand can go a long way, as the saying goes, “A stitch in time saves nine”. So don’t wait until the very core of your business is shaken to ask yourself, how disaster ready is my organization?