Wildfires, earthquakes, hurricanes, and massive cyberattacks—when we think of natural or man-made disasters, we often imagine major catastrophes. As we are reminded too often, these things really do happen, which is one reason I hope your organization has a Disaster Recovery preparedness plan.
But the fact is, most severe business disruptions happen because of much more common occurrences. Power failures, hardware failures, and network failures account for more than 80 percent of IT-related disruptions. As disastrous IT crashes have become much more frequent, strategic planning for disaster is no longer optional.
Fortunately, creating a reliable plan to ensure that your organization survives a disaster can be a straightforward process if handled with the right amount of deliberation. The first step is to ask yourself a few questions about your Disaster Recovery (DR) preparedness.
1. What constituencies, both inside and outside your organization, would be impacted by a disruption?
This of course begins with the folks who will be most severely impacted—your employees, including your management teams. You will need to identify and prioritize your crucial partners and clients as well. At the other end of the workflow, you may also have suppliers and vendors who will be impacted if a disaster takes you offline.
While answering this question, I recommend that you put together a plan that will allow you to communicate with your various constituencies when you don’t have access to normal channels. As with all business, good communication is the key. You can prevent a natural disaster from doing reputational damage upstream and downstream by getting this part right.
2. What is required of your organization to remain in compliance with regulatory agencies, and what exactly do those regulators demand?
Your legal exposure and vulnerabilities with regard to disaster preparedness depend on your industry, the size of your organization, and many other variables. If you are in any area of the healthcare industry, you are likely aware that the Health Insurance Portability and Accountability Act (HIPAA) requires that you develop and implement contingency plans ensuring that your business can continue to function in the event of a natural or man-made disaster. If you work in the financial services industry, you surely know that the Securities and Exchange Commission mandates business continuity planning.
Depending on which state you operate in, there are also countless laws and agencies empowered to protect their constituents by making sure they do not get hurt if your business suffers a disaster. And beyond that, there are industry organizations with their own rules and regulations. For example, the Payment Card Industry Security Standards Council’s Requirement 12.10.1 mandates that anyone who processes credit cards create and maintain an incident response strategy that addresses business continuity and disaster recovery processes in the event of a data breach.
3. What processes and functionalities are absolutely necessary to your organization?
Keep in mind that any or all of your business assets can be at risk. You will need to catalogue all of these assets. There are many benefits to conducting an inventory of the infrastructure that your organization determines to be essential. Protecting yourself from disaster may be the most important.
This will include the utilities that power your basic functioning—power and connectivity to one or more networks. It will also include your core business equipment and the applications that run on your machines, your networks, and in the cloud. A catalogue of your core business processes will be equally valuable. It’s likely that your sales and marketing processes, product development, accounting, technology, administration, and finance—all of your core business processes—are essentially running on momentum. If and when disaster hits, you’ll be forced to restart these processes practically from scratch. By documenting how the various elements of your business work, you are giving yourself a valuable head start on the way back to complete recovery.
This inventory will be at the heart of your DR preparedness plan. Putting it together might sound a bit daunting, but the process is relatively simple. Begin by assembling a disaster recovery team from among your employees, including representatives from your executive, technical, operational, and communications teams. You will likely find that the information already exists and simply needs to be organized.
4. Does your organization routinely conduct basic safety and Disaster Recovery procedures?
The moment that you discover something has gone very wrong, you will want to have not only a plan in place, but also procedures that have been tested. Running regular emergency-response tests such as fire drills and other building-evacuation scenarios can save lives and your business. Develop and test disaster communications strategies, including alert systems and information dispersal policies.
Stress-testing your technical and strategic resources gives you valuable information that can be acted on immediately. Ideally, you should consider allowing your team to rehearse its disaster response plan. In the face of increasing threats, many organizations are employing a rigorous set of practices known as “tabletop exercises.” These exercises allow your team to go through the actions of dealing with a simulated disaster scenario and essentially run through the plan step by step.
5. Do you have a Disaster Recovery and Business Continuity plan documented; do you know who oversees that document; and does that person review it to account for business and IT changes?
It is important not to dismiss this question as too far “into the weeds.” If you do not already know for certain that the answers to all three parts of this question are “yes,” you will want to remedy that as quickly as possible. If the answer to even one of them is “no,” it’s time for you to get started doing what needs to be done to protect your organization.
I hope you found this information helpful. As always, contact us anytime about your technology needs.
Until next time,
Tim