Four fifths of all businesses who suffer a major incident fail within a year and a half – so if you don’t have a plan to deal with such events, you could be risking your entire business. And, as we’re seeing today, major incidents aren’t just those that damage business premises – almost every business across the globe is now facing a series of Covid-19 restrictions and challenges that has forced them offsite and into some form of business continuity plan.
In this piece I will be looking at the two key elements of any recovery plan – disaster recovery and business continuity – and will explore their differences as well as detail the best ways to build both into your business.
Business Continuity (BC) is defined by ISO, the International Organization for Standardization, as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”. In practice, this means building a plan that ensures your business can deliver the same level of service (or as near to it as possible) as it did before the plan had to be invoked.
Disaster Recovery (DR) is the way in which an organisation would retrieve key information and services after an unforeseen disaster. Any disaster recovery plan should include a set of policies and procedures to follow in order to get the affected parts of the business working again after a significant disruptive event.
Essentially, disaster recovery is a part of business continuity. For example, to enable business continuity you might need access to a very important database. Your DR plan would dictate how often backups of this database are taken, where they’re stored and how to restore this data in the event of a disaster, while your BC plan will communicate more generally how your business will remain operational following a failure or disaster.
Figure 1: disaster recovery is one element of business continuity
To safeguard the performance of your business, you’ll need both a business continuity and a disaster recovery plan (though these could be contained within a single document if you prefer). One of the best ways to approach the creation of these plans is to perform a risk analysis on each of the services that you provide to your clients (whether internal or external).
This can be done in a number of different ways, one of which is to use the formula: Risk Value = Probability of Event × Cost of Event.
For example, you might value your phone system at £500,000 a day, factoring in the cost of sales not taken (per day) if it were to fail, and set the probability of this happening at 1%. Using the above formula, and assuming that a new system could be ordered, installed and working within 24 hours, the risk value is £5,000. This figure can be used to inform the amount you spend to mitigate the event – so if an additional phone line/system only costs £2,000 a year, the conclusion might be drawn that doing this would be worth the cost when compared to the risk.
While it might seem unnecessary to spend money on something that may never be used, it must be remembered that the cost of not doing anything and having to deal with a disaster later will always be higher. The Covid-19 pandemic has shown that even the least likely of events can actually happen, with prepared organisations finding themselves in a much better state than their competitors (being able to move easily to working from home, for example).
Figure 2: risk matrix
You should apply these assessments across all areas of the business, then use your findings to create a clear plan for handling any risks identified.
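The formula above applied across several services and ranked, as an added example that is not from the original article. The phone system figures are the article's; the other two services, the per-year reading of the probability and all field names are assumptions made for illustration.

```python
"""Risk register: Risk Value = Probability of Event x Cost of Event."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    probability: float      # chance of the event (assumed here: per year)
    daily_cost: float       # GBP lost per day while the service is down
    recovery_days: float    # days until a replacement is working
    mitigation_cost: float  # GBP per year for the proposed safeguard

    @property
    def cost_of_event(self) -> float:
        # Total loss for one event: daily loss times days out of service.
        return self.daily_cost * self.recovery_days

    @property
    def risk_value(self) -> float:
        return round(self.probability * self.cost_of_event, 2)

    @property
    def worth_mitigating(self) -> bool:
        # Spend on the safeguard only if it costs less than the risk it offsets.
        return self.mitigation_cost < self.risk_value


REGISTER = [
    Service("Phone system", 0.01, 500_000, 1, 2_000),       # article's figures
    Service("Customer database", 0.02, 120_000, 3, 6_000),  # constructed
    Service("Office printers", 0.10, 500, 2, 1_500),        # constructed
]


def assess(register):
    """Return the services ordered from highest to lowest risk value."""
    return sorted(register, key=lambda s: s.risk_value, reverse=True)


def report(register):
    """One summary line per service, highest risk first."""
    return [
        f"{s.name:<18} risk £{s.risk_value:>10,.2f}  "
        f"mitigation £{s.mitigation_cost:>9,.2f}  -> "
        f"{'mitigate' if s.worth_mitigating else 'accept'}"
        for s in assess(register)
    ]


if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
```

Re-running the register with updated probabilities and costs at each review shows which safeguards still pay for themselves as risks change.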
Just 10 years ago, the only real option for businesses who wanted an immediately-available DR option would be to have a warm or cold ‘site’ – in other words, IT infrastructure that was already set up and ready to go. If ‘warm’ it was literally on and ready to move to at a minute’s notice, and if ‘cold’, it was off but deployable within a day or two. Of course this was massively expensive, and usually only implemented by large companies since you basically needed to double all of your servers (one set in your live office, and another elsewhere).
With the cloud though, that has all changed and no longer do you have to invest massive up-front capital expense to achieve this same outcome. Instead, with the right automation, you can spin up new infrastructure in a new location (or locations) within hours and incur cost only once it’s active. This does increase the level of expertise required but the benefit is huge (and it is something that Box UK has lots of experience in!).
Below is a simple 6-point checklist that should enable you to start putting your plan together but do note that risks change, so this exercise should be repeated at regular intervals to be of most use.
If you do not protect your business with a business continuity and disaster recovery plan, then when catastrophe does occur you won’t be prepared – leaving you with the worst of both worlds. Even simple precautions such as having a telephone list of staff/suppliers/clients could save huge amounts of time if you need to advise these people of a change of location due to fire/flood etc.
And, for those businesses that aren’t even sure where to start, why not speak to us? We not only have our own BC/DR plan but help our clients with their own planning in this area too. This can range from ensuring that we can help you to deliver a resilient service to your customers, to helping you have stretch infrastructure across the globe according to your needs.
As mentioned at the start of this article, the statistics for businesses surviving without a business continuity and disaster recovery plan do not read well:
There are also high-profile cases of organisations that have suffered due to the lack of an adequate BC/DR plan. For example, back in May 2019 DXC Technology suffered a complete outage at their Wynyard colocation site, which hosted a number of FTSE 50 financial services clients. And, while it looks like they did have a backup core switch, it’s unclear when it was last tested, since it didn’t perform as expected. This serves only to underline my previous point – unless a DR plan is regularly tested, it cannot be relied upon during a disaster.
Hopefully reading this article has provided support for your own planning around business continuity and disaster recovery. You tend to only hear stories about these areas of IT when there has been poor or no planning (and disastrous consequences as a result), but an effective BC/DR strategy doesn’t have to be cumbersome or expensive. It could be something as simple as having a list of contact numbers for staff, or asking staff to take their laptops home each night. Imagine not having this in place if your office (and surrounding area) floods, for example.
Every part of your business needs BC and DR built in, particularly cloud infrastructure, which relies on newer technology than your existing/previous infrastructure. For example, when your cloud-based services were set up, was full consideration given to how they and their data would be restored? Remember, not having access to the physical hardware behind this infrastructure brings its own set of challenges (and if you want to find out more about this aspect of BC/DR, get in touch – Box UK is an official AWS and Microsoft Partner and has extensive experience in Google Cloud, so we’re highly familiar with the full stack of cloud solutions that these providers offer).
And finally, don’t ever forget that business continuity and disaster recovery aren’t just the responsibility of the IT team/department. If the IT team are unaware of how the finance team are using their accounting software or where this information is kept, for example, they are not going to be able to ensure that it is backed up and able to be easily restored if needed. Everybody, therefore, has a role to play in ensuring that the business can survive any catastrophe – from human error to natural disaster.