Four fifths of all businesses who suffer a major incident fail within a year and a half – so if you don’t have a plan to deal with such events, you could be risking your entire business. And, as we’re seeing today, major incidents aren’t just those that damage business premises – almost every business across the globe is now facing a series of Covid-19 restrictions and challenges that has forced them offsite and into some form of business continuity plan.

In this piece I will be looking at the two key elements of any recovery plan – disaster recovery and business continuity – and will explore their differences as well as detail the best ways to build both into your business.

What is business continuity?

Business Continuity (BC) is defined by ISO, the International Organization for Standardization, as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”. In practice, it means building out a plan that ensures your business is able to deliver the same (or as near to it as possible) level of service as it did before the plan had to be invoked.

What is disaster recovery?

Disaster Recovery (DR) is the way in which an organisation would retrieve key information and services after an unforeseen disaster. Any disaster recovery plan should include a set of policies and procedures to follow in order to get the affected parts of the business working again after a significant disruptive event.

What’s the difference between business continuity and disaster recovery?

Essentially, disaster recovery is a part of business continuity. For example, to enable business continuity you might need access to a very important database. Your DR plan would dictate how often backups of this database are taken, where they’re stored and how to restore this data in the event of a disaster, while your BC plan will communicate more generally how your business will remain operational following a failure or disaster.

Figure 1: disaster recovery is one element of business continuity

Do I need to plan for business continuity, disaster recovery or both?

To safeguard the performance of your business, you’ll need both a business continuity and a disaster recovery plan (though these could be contained within a single document if you prefer). One of the best ways to approach the creation of these plans is to perform a risk analysis on each of the services that you provide to your clients (whether internal or external).

Performing your risk analysis

This is something that can be done in a number of different ways, one of which is to use the formula: Risk Value = Probability of Event x Cost of Event.

For example, you might value your phone system at £500,000 a day, factoring in the cost of sales not taken (per day) if it was to fail, and set the probability of this happening at 1%. Using the above formula, and assuming that a new system could be ordered/installed and working within 24 hours, the risk value is £5,000. This figure can be used to inform the amount you spend to mitigate against the event – so if an additional phone line/system only costs £2,000 a year, the conclusion might be drawn that doing this would be worth the cost when compared to the risk.

While it might seem unnecessary to spend money on something that may never be used, it must be remembered that the cost of not doing anything and having to deal with a disaster later will always be higher. The Covid-19 pandemic has shown that even the least likely of events can actually happen, with prepared organisations finding themselves in a much better state than their competitors (being able to move easily to working from home, for example).

Figure 2: risk matrix

You should apply these assessments across all areas of the business, then use your findings to create a clear plan for handling any risks identified.
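The formula applied across a small risk register, as an added example that is not part of the original article. The phone-system row uses the figures given above; the other rows, the field names and the reading of the probability as a yearly figure (so it can be compared with a yearly mitigation cost) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    service: str
    daily_cost: float       # GBP lost per day the service is down
    probability: float      # chance of the event per year (assumption)
    outage_days: float      # days until the service is working again
    mitigation_cost: float  # GBP per year to mitigate the event

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.service}: probability must be in [0, 1]")
        if min(self.daily_cost, self.outage_days, self.mitigation_cost) < 0:
            raise ValueError(f"{self.service}: costs and days must be >= 0")

    @property
    def risk_value(self) -> float:
        # Risk Value = Probability of Event x Cost of Event,
        # where the cost of the event is the daily loss over the outage.
        return round(self.probability * self.daily_cost * self.outage_days, 2)


def assess(register):
    """Rank risks by value and flag mitigations that cost less than the risk."""
    ranked = sorted(register, key=lambda r: r.risk_value, reverse=True)
    return [
        {"service": r.service, "risk_value": r.risk_value,
         "mitigation_cost": r.mitigation_cost,
         "worth_mitigating": r.mitigation_cost < r.risk_value}
        for r in ranked
    ]


# First row uses the article's phone-system figures; the rest are constructed.
REGISTER = [
    Risk("Phone system", 500_000, 0.01, 1, 2_000),
    Risk("Customer database", 80_000, 0.02, 3, 6_000),
    Risk("Office internet link", 20_000, 0.05, 0.5, 300),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        verdict = "mitigate" if row["worth_mitigating"] else "accept/review"
        print(f"{row['service']:<22} risk £{row['risk_value']:>9,.2f}  "
              f"mitigation £{row['mitigation_cost']:>8,.2f}  {verdict}")
```

A row flagged `accept/review` is not a decision to do nothing; it means the mitigation as costed is more expensive than the risk value, so a cheaper option is worth looking for.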

The impact of cloud

Just 10 years ago, the only real option for businesses who wanted an immediately-available DR option would be to have a warm or cold ‘site’ – in other words, IT infrastructure that was already set up and ready to go. If ‘warm’ it was literally on and ready to move to at a minute’s notice, and if ‘cold’, it was off but deployable within a day or two. Of course this was massively expensive, and usually only implemented by large companies since you basically needed to double all of your servers (one set in your live office, and another elsewhere).

With the cloud though, that has all changed and no longer do you have to invest massive up-front capital expense to achieve this same outcome. Instead, with the right automation, you can spin up new infrastructure in a new location (or locations) within hours and incur cost only once it’s active. This does increase the level of expertise required but the benefit is huge (and it is something that Box UK has lots of experience in!).

6-point checklist for creating a Business Continuity/Disaster Recovery Plan

Below is a simple 6-point checklist that should enable you to start putting your plan together but do note that risks change, so this exercise should be repeated at regular intervals to be of most use.

1. Analyse your business

  • What products/services are offered by your business?
  • What do clients expect in terms of deadlines/contracts?
  • What hardware/software/tooling only works on-site?
  • And what happens if this site has to be closed for a short/long period of time?

2. Assess the risks that could affect your business

  • Flood/fire
  • Theft/break-in
  • Unable to gain access to building(s)
  • Illness (especially flu/contagious disease)

3. Develop your strategy

  • What actions are needed to prepare for/respond to the situations identified above?
  • Who needs to perform these actions?
  • Where/how should these actions be carried out?
  • How will you test to ensure that this strategy is effective?

4. Develop your plan

  • Ensure that the plan is well-written and distributed to any staff that may be involved in its implementation
  • Make department heads aware of their responsibilities
  • Make absolutely sure that you have mechanisms in place that allow you to communicate with your staff, whatever the scenario

5. Test your plan

  • A plan is useless if it is never tested so ensure this is done regularly, and especially when any key staff members leave the business
  • If your plan relies on any key suppliers, confirm that they will be able to cope in the situations you have identified (running a test exercise if necessary, for example). You will also want to ask them for a copy of their own DR plan.

6. Update your plan with any changes

  • Every time you test, or indeed any time there’s a significant update to anything you’ve already detailed, remember to update the plans accordingly. This might be particularly pertinent if you’ve added new technology to your setup, or changed any existing business processes.

What happens if I don’t have a BC/DR plan?

If you do not protect your business with a business continuity and disaster recovery plan, then when catastrophe does occur you won’t be prepared – leaving you with the worst of both worlds. Even simple precautions such as having a telephone list of staff/suppliers/clients could save huge amounts of time if you need to advise these people of a change of location due to fire/flood etc.

And, for those businesses that aren’t even sure where to start, why not speak to us? We not only have our own BC/DR plan but help our clients with their own planning in this area too. This can range from ensuring that we can help you to deliver a resilient service to your customers, to helping you have stretch infrastructure across the globe according to your needs.

As mentioned at the start of this article, the statistics for businesses surviving without a business continuity and disaster recovery plan do not read well:

  • A quarter of SMEs don’t have any recovery plan at all
  • Among those businesses that do have a disaster recovery plan, more than half (54%) don’t regularly test it and a third has never tested it at all
  • Four fifths of all businesses who suffered a major incident failed within a year and a half

There are also high-profile cases of organisations that have suffered due to the lack of an adequate BC/DR plan. For example, back in May 2019 DXC Technology suffered a complete outage at their Wynyard colocation site, which hosted a number of FTSE 50 financial services clients. And, while it looks like they did have a backup core switch, it’s unclear when it was last tested, since it didn’t perform as expected. This serves only to underline my previous point – unless a DR plan is regularly tested, it cannot be relied upon during a disaster.

Conclusion

Hopefully reading this article has provided support for your own planning around business continuity and disaster recovery. You tend to only hear stories about these areas of IT when there has been poor or no planning (and disastrous consequences as a result), but an effective BC/DR strategy doesn’t have to be cumbersome or expensive. It could be something as simple as having a list of contact numbers for staff, or asking staff to take their laptops home each night. Imagine not having this in place if your office (and surrounding area) floods, for example.

Every part of your business needs BC and DR built in, particularly cloud infrastructure that relies on newer technology than your existing/previous infrastructure. For example, when your cloud-based services were being set up, was full consideration given to how those services and their data will be restored? Remember, not having access to the physical hardware behind this infrastructure brings its own set of challenges (and if you want to find out more about this aspect of BC/DR, get in touch – Box UK is both an official AWS and Microsoft Partner and has extensive experience in Google Cloud, so we’re highly familiar with the full stack of cloud solutions that both offer).

And finally, don’t ever forget that business continuity and disaster recovery aren’t just the responsibility of the IT team/department. If the IT team are unaware of how the finance team are using their accounting software or where this information is kept, for example, they are not going to be able to ensure that it is backed up and able to be easily restored if needed. Everybody, therefore, has a role to play in ensuring that the business can survive any catastrophe – from human error to natural disaster.

About the Author

Alistair Gibbs

Head of IT

Alistair has been working in the industry for the past decade both in the UK and Europe, supporting internal and external clients in various roles. Operating within a fast-paced environment, Alistair is experienced in numerous technologies such as Amazon Web Services, Windows Servers, Switching, Firewalls, Desktops, and everything in between.