Published in The Business News on 1/31/2022
If you peruse this particular publication as passionately and per-usual as I do, well, alliteration aside, we can all agree that the topic of cyber security and disaster recovery has been covered once or twice. But not by me, so here we go.
Disaster Recovery is just that. This process refers to a business’s ability to recover to normal business conditions, following a disaster incident. Business Continuity then, is… anyone… Bueller? A business’s ability to continue business during a disaster incident.
Whether you are looking to recover or continue business (the correct answer is both, by the way), the process starts with a plan. There are a couple of things to keep in mind as you get started:
- Your plan must be easy to read and navigate. Remember, if the day comes that you will need this plan, you will be in the midst of a disaster. Panic will have set in and both your patience and your ability to rationally work through things will be gone. Your plan should be written with a five-year-old in mind.
- Your plan should follow the basics of S.M.A.R.T. goal planning. If you are unfamiliar, I’ll give you a quick breakdown. S.M.A.R.T. goals are Specific, Measurable, Attainable, Relevant and Timely. Your Disaster Recovery/Business Continuity (DRBC) plan should focus on real risks and plan for real results. Don’t go planning for Superman to drop a frozen lake on your burning chemical plant. That only happens in 80s movies.
I start with a template, so I’m one step ahead. I made the template and so can you. My template has five sections and a table of contents. Section one is company information. It lists out key personnel, their role and their contact information. Section two looks the exact same but the information here is vendors. Your IT company, your insurance company, your lawyer… you never know what disasters will come your way so list everyone.
Section three is a risk analysis. You can’t just list the risks and call it good. Call a meeting, or a series of meetings, with key personnel and consultants to analyze all of your risks. I like the risk/impact approach. For every risk, assign a number, 1-10, for how likely the risk is (risk) and also for how big of an impact it would have. For example, a tornado may not be your most likely risk (2), unless you are set up in a trailer park in Kansas (8), but it would likely have an impressive impact (10). Alternatively, a single broken laptop may not have a huge impact (2), but it’s pretty likely (7). Especially with ole’ butter fingers Jerry in shipping. We’re on to you, Jerry (10).
Section four is for logging. I know, yawn. Logging is important because it’s where a business holds its employees accountable for avoiding disasters, or at least minimizing disasters. We log meetings, DRBC plan testing and anything else pertinent to your business’s ability to function through and recover from a disaster incident. Log the successes and failures, so you know what you have to work on and what you can expect in the event of a real disaster.
Lastly, section five is the meat of the plan. Scenarios. In section five, you take that risk analysis and work out how you are going to work through and recover from those risks, should they become real disaster incidents. Be detailed, be organized and write it for a five-year-old. Again, panicking, with no rational thought. Even if you are confident in your ability to keep a cool head in an otherwise tense situation, you may not be the one reading the plan in the middle of a disaster. It could be Jerry and we all know that Jerry is a complete mess when things go wrong.
As you work through scenarios, consider each step and the impact of each step. Will things get better or worse with each step? Who will need to be notified of progress and how often will they need those updates? Think of people in your organization and outside of your organization. What is the facilitating event to notify a client? Be detailed and thorough. Leave no stone unturned.
You’ll want to test your plan relatively frequently. How frequently you test will depend on the disaster incident that you are testing. Ensuring that you can recover lost data with your offsite data backup system should be done at least twice per year. Fire drills have a schedule as well and someone who knows about fire drills can tell you that.
A DRBC plan is pretty basic stuff, but you should ask for help, if you want it done right. I’ve written a bunch of them, and I learn something new every time. Winging it could put you out of business, if you aren’t prepared.