Don’t Fret Disaster:
Build A Business Continuity Plan
40% of companies that experience business disasters (such as a large-scale security breach or significant loss of building access) go out of business in the subsequent 5 years. This might be surprising, but Singapore business continuity plan developers understand the stakes. Nowadays, an organization’s resilience can come under pressure from many angles, in unforeseeable ways.
This requires an adjustment in thinking with regard to risk. While risk management seeks to prevent disaster, business continuity management (BCM) keeps you prepared in the event that something does happen. Many organizations that have invested heavily in disaster prevention find it difficult to then shift their attention to disaster preparedness. Consider some of the events of the past year: the US election (and associated cyber-security matters), the Mossack Fonseca incident, and Brexit. All have had extensive impacts on IT and business, were hard to foresee, and are hard to estimate in terms of their impact.
Heightened brand fragility on social media, increased incidence of ransomware attacks, and even the rapid disruption of existing industries add to the level of uncertainty. The current interdependence of tightly-integrated supply chains is another factor. The lesson here is that mitigation of known risks can only protect your business so much. Continuity measures are vital in such an uncertain climate.
It’s important to note that a comprehensive business continuity plan does not stop at disaster recovery (backup of sensitive data); the aim is to put in place a complete set of procedures and plans to get actual business back on track as soon as possible, and with minimal damage and disruption in the meantime.
With this in mind, consider some of the major areas that should be addressed by your business continuity plan:
Technology – Systems and Data
This is the front line of recovering from a crisis. As mentioned, data is the most fundamental asset of your business and protecting it with a Disaster Recovery plan will form the basis of your continuity plans. This involves not only storing data backups offline at a separate location, but ensuring they are accessible through a number of means (physical and remote access). Even hard copies of the most important data can provide extra options.
Can your business be run on the remote backup unit during the data restore process, ensuring minimal downtime? How current does the data backup interval need to be – can you afford to lose 15 minutes’ worth of data? What if there is a facility as well as data compromise – can your employees access the backup data while at a second site? And in the unimaginable event that sensitive client data is compromised, do you have a procedure for swiftly notifying the affected clients, and regulators who may need to be notified?
A combination of physical server and cloud backup can be the solution here, covering the danger of loss of data from all angles.
Another single point of failure is enterprise resource planning (ERP) software. While the advent of ERP enables considerable efficiency gains, it also replaced what was previously a workaround-friendly (if inefficient) range of systems in most organizations with a more concentrated and complex source of risk. While system failures might be less common with ERP, when they do happen they pose significant risk.
The same data backup continuity best practices apply here as were mentioned above. But furthermore, there is the added dimension of the complexity of the systems themselves. While most companies have the benefit of capable in-house database administrators, ERP installations usually rely on outsourced and external expertise. Minimizing dependence on third parties is a key component of successful continuity plans.
Also, given the fact that ERPs are designed to tightly fit with business processes, in the event of an ERP failure business functioning cannot proceed at all in many cases since there are so many system touchpoints. This can make continuity planning for ERP failure difficult to establish. You can reset the system in the event of downtime, but how long will the business catch-up take? Any procedures and practices that can be put in place to keep business moving during a downtime can significantly reduce the time needed for business catch-up.
In 1999, Hershey experienced a continuity disaster at one of the busiest operating times of the year when the failed go-live of their new ERP system led to $100 million of orders going unfulfilled, leading to an 8% drop in their stock price in one day. The risks with ERP are real, and continuity measures are vital.
Facilities, Buildings, and Equipment
Continuity challenges in this regard range from the more mundane threats like power outages to more high-profile security breaches. Your continuity plan should address these different levels of severity in terms of duration, extent (i.e. a partial loss of a building vs a total loss), and also how these threats can interact with other risks (such as the compounded problems associated with loss of both servers and workspaces).
Adequate continuity plans can therefore range from how to shuffle workplaces around in the event of flooding on one floor, to preparation for loss of a key building for an extended period of time. This is one area that can be thoroughly planned for, hence facility considerations should be a source of certainty in your business continuity plan.
Third Parties (Suppliers, Vendors, Partners)
In an increasingly interconnected business ecosystem, planning thorough continuity measures regarding supply chain partners can be one of the more complex yet ultimately valuable risk management activities a company can undertake. The saying among continuity practitioners is that when you are over-reliant on a business partner, their risk becomes your risk.
Advanced continuity planning in this regard is possible with scenario analyses. What would your short-term and medium-term procedures be in the event of a loss of a key business partner? For some companies, these situations are as unthinkable as sensitive client data being compromised – but as we have seen, these situations cannot be completely ruled out.
Loss of Key Human Resources
While most organizations can recover from the loss of some key personnel if given adequate notice, disaster can instantly deprive a business of its most important assets. HR should be consulted when making a plan that ensures that adequate provisions are made to enable your staff to keep business moving during challenging times. Issues like second-site availability, stand-in human resources, work-from-home ability and, importantly, the means to pay your staff in disaster conditions are key to any continuity plan.
Fitting BCM with your way of working
From an IT perspective, support and maintenance procedures are usually designed with incident resolution in mind – and don’t take major disasters into account. Worst-case continuity considerations should be built into your support and maintenance methodology, expanding the scope of procedures to encompass disaster situations.
Thankfully, the leading support and maintenance frameworks like DevOps and ITIL allow easy integration of business continuity considerations. Common concepts used in DevOps like mean-time-to-recovery and cost of delay are useful when bridging the gap between BCM and DevOps. Similarly, Business Impact Analyses and more broadly the ITSCM components of ITIL are effective analytical tools when drawing up continuity plans.
Whatever the methodology and documentation used by an organization, integrating BCM considerations into the everyday processes of the IT department ensures a heightened level of readiness. Your business continuity plans should speak the language of IT and vice versa.
The Unknown Unknowns
Donald Rumsfeld’s famous “known knowns” speech was widely misunderstood at the time, but has become a highly regarded piece of wisdom regarding uncertainty and risk. Scenario planning, risk management, and disaster prevention are all valuable ways to mitigate the “known unknowns” – quantifiable risks that can be hedged against. A comprehensive business continuity plan takes this a step further, outlining what you should do in the event that a disaster does occur. And a mature business continuity plan prepares you for disasters you had no ex-ante knowledge about (the unknown unknowns), as well as for disasters that coincide. You may not be able to prevent the unknown unknowns, but you can prepare for them.