While well-defined BCP and DR plans are standard practice for industry compliance and control frameworks, keeping them updated and ensuring their viability is just as important as the plans themselves.
The Importance of Effective Business Continuity Planning and Disaster Recovery to Weather the Next Big Storm
Grant Auerbach, Consultant | Capco
If there is one thing to be learned from Winter Storm Uri that devastated Texas in February 2021, it is how critical it is to be prepared in times of emergency. Widespread loss of power and flooding, along with days of untraversable roads, caught many off guard. Organizations cannot ensure resiliency if their workforce is uninformed or un-practiced on what to do when disaster strikes.
Solid Business Continuity Plan (BCP) and Disaster Recovery (DR) plans are the foundation for upholding services in these challenging times. The COVID-19 quarantine and the corresponding shift to remote work changed the landscape, bringing new complexities to consider for existing plans. While well-defined BCP and DR plans are standard practice for industry compliance and control frameworks, keeping them updated and ensuring their viability is just as important as the plans themselves.
Defining a plan
BCP and DR plans are often mistaken as the same or used interchangeably. Although the plans share similarities, they focus on different perspectives, and both are crucial for an organization. A BCP is more strategic in focus, looking at maintaining business operations and how to respond and communicate, whereas a DR plan tends to describe technical activities needed to restore operations and get back up and running quickly.
Business Continuity Planning (BCP)
The BCP involves understanding the risks of organizational processes and creating policies, plans, and procedures to address them. A BCP can be broken down into the following critical steps:
Project Scope and Planning. To begin a business continuity plan, you must identify the core services you provide to your customers and know what critical support services are required for the upkeep of those operations. To assist in the initial analysis, you must determine the members involved in the BCP team. These individuals are unique to each organization, based on the company’s technical, financial, and political environment. Be cautious to include representatives from each of the organization’s departments to ensure that no information is missed and that all groups are familiar with the plan.
The BCP team must consider the resources allotted for creating, testing, training, and maintaining of the BCP as well as when the plan needs to be executed. Knowing legal, regulatory, and contractual obligations and understanding any dependencies on remote resources are key to a successful BCP.
Business Impact Analysis. Business impact analysis (BIA) uses measurements to help prioritize resources. The analysis can include a quantitative value based on impact and likelihood of certain risks, or it may include qualitative considerations such as reputation and customer confidence that can be equally as damaging. Risks can both be natural, like an unprecedented winter storm, or man-made, such as a prolonged power outage. As risks take many forms, it is important to determine what is acceptable for your organization. Common cloud solutions can offer robust ability to support operations, but you need to be able to thoroughly test DR processes and ensure that your redundancy is geographically diverse enough not to be impeded by a regional event.
Continuity planning. Once the landscape of risks relevant to your organization are outlined, it is time to determine how to mitigate them:
People – The most valuable asset to any organization must be safeguarded and provided with resources needed to complete essential tasks. For extended periods, arrangements may need to be made for shelter and food. Perhaps consider opening the office to displaced workers when significant areas are impacted.
Facilities - Ensuring that your offices stay accessible may not be enough to protect resources working from home. Various facilities can be hardened, but in the event that is not feasible, an alternate location for business activities should be identified.
Infrastructure – Like buildings, infrastructure can both be hardened or protected by redundancies. Uninterruptible power supplies (UPS) for your IT systems, alternate sources of power generation for an entire facility, or redundant communications channels for critical processes are just the tip of the iceberg of options to consider. How you ensure continuity of critical processes depends on your organization’s risk appetite and posture.
Approval and implementation. Once design of the BCP is complete, it must be approved by senior management and distributed to the rest of the organization. Personnel with responsibilities in the BCP should be trained and have backups in case they cannot reach the workplace. Likewise, the BCP should be written as a document for ease of reference and clarity in instruction.
Disaster Recovery (DR)
DR planning focuses on the more technical components encompassed in the BCP to help manage restoration efforts. When thinking through the ever-changing landscape of disasters, your organization should have an easily executable plan the moment mission-critical processes suffer an interruption.
When temperatures drop below freezing and roads are no longer traversable, an action plan must already be in place that requires as little decision making as possible. It is essential to provide instructions in multiple forms in case of prolonged power or communications outages. In 2017, during the landfall of Hurricane Harvey, millions in Texas were without power for an extended duration. Make sure that your plans account for these possibilities.
Understanding the technical controls that support system availability can help eliminate single points of failure. To combat single points of failure, increase your fault tolerance and system resilience through options such as replicating to a failover backup server or automatic cloud elasticity.
When drafting the disaster recovery plan, it is better to write out detailed directions rather than having a reliance on common sense. In times where panic can cause confusion, clear steps for exactly what to do and who to reach out to are essential. Checklists are a great way to allow first responders the means for properly addressing the situation. Knowing when to calling 911, who else to contact, and alternate methods of contact are crucial components of these lists. In addition, individuals should be trained in crisis management routinely through their time with your firm.
Consider how rapidly the digital environment of organizations is changing and ask yourself if you are testing frequently enough to discover necessary modifications to your plans. Established testing exercises will help your employees remain familiar with what to do and identify areas that need to be clarified or improved in your plans. These exercises can take many forms, but the key is to do them often, thoroughly, and with external help if you want a fresh perspective.
Preparing for the next storm
You must consider many factors to get the most out of BCP and DR plans. The more thorough your preparation, the greater your risk mitigation will be. Due diligence for BCP and DR addresses potential legal liabilities, maintains brand reputation, and ensures your people have the resources they need in times of emergency. A consistent strategy, taking ownership, and maintaining open communication channels put you on the right path and safeguards your company, regardless of the challenge ahead of you.
Grant Auerbach is a consultant at Capco, a management and technology consultancy focused on financial services and energy, and can be reached at firstname.lastname@example.org.
The content & opinions in this article are the author’s and do not necessarily represent the views of AltEnergyMag
This post does not have any comments. Be the first to leave a comment below.
Post A Comment
You must be logged in before you can post a comment. Login now.