Business continuity and disaster recovery
First published 19 February 2019 • Updated 16 July 2019
To survive, your business must be resilient. This of course means growing and adapting to changes in the market. But it also means being able to survive the unexpected.
Besides the obvious challenges like competition and the economy, there is a whole range of other hazards that could harm or even end your business. Accidents, theft, fire, flood, tech failures and cyber-attacks are just some of the mishaps you need to safeguard against. This is why every business needs a business continuity plan – also called a disaster recovery plan or resiliency plan.
What is a business continuity plan?
Business continuity planning is about ensuring that your business can pick up again after a damaging incident. Remember that even in the event of a disaster, debts, bills and taxes still need to be paid. Some customers may be patient and understanding if their orders are delayed – however, some may not. What’s more, if you can’t meet your obligations, you could quickly find the business becoming insolvent.
Your priority is therefore to get back up and running as quickly as possible – or at least to ensure that the most vital parts of the business are restored in good time, while you work to rebuild the rest of it.
At the very least, having a disaster recovery plan in place will reassure creditors and other stakeholders that you are taking steps to get back on your feet. In the best cases, a good plan properly executed can mean that there is little or no real disruption to the business.
What should a business disaster recovery plan cover?
There are three main types of events to plan for:
- Physical disasters (e.g. flooding)
- Malicious acts (e.g. burglary)
- Data-related disasters (e.g. cyber-attack or data breach)
A fire or flood may do serious damage to your place of work, potentially making it unusable for months. This means you need to think about having a back-up base of operations. This may involve remote working, or you may need to find temporary office space (or a combination of both). The problem will be compounded if key equipment is destroyed or damaged, so think about how it could be replaced or substituted.
With an incident like a burglary or vandalism, your priorities are different. Your workspace may still be usable, but you need to ensure that you and your customers are protected from any further consequences, such as data theft via stolen IT equipment.
With data-related disasters, as with malicious acts, data security is of paramount importance. You need to be able to reassure your customers and stakeholders that their data is safe. A cyber-attack may also shut down your IT system or delete vital data. Think about what alternative IT arrangements you could use, and how you can back up your data securely so that it will survive any such incident.
Any of these scenarios could also result in a PR crisis, for which you may need a separate response.
Creating a business continuity plan
Your business continuity plan should grow out of the specific needs, vulnerabilities and setup of your business. For instance, if your employees typically work remotely from multiple locations, your needs will be very different from those of a business based entirely on one small site.
The first step in creating your plan is to make a list of the top 10 disasters that could theoretically affect you. Next, rank the disasters according to:
- How likely they are
- How damaging they are
Each disaster will now have two scores – likelihood and damage – each of which will be a number from 1 to 10. For each disaster, multiply the two scores together to get a ‘risk score’ out of 100. Now you can list the disasters in order of risk, starting with the highest score.
Now go through the list one by one and imagine each disaster has just happened. What would you need to do first? Write down your priorities.
As you proceed down the list, you will find that certain priorities keep repeating. These will form the basis of your disaster recovery plan.
Refining your plan
As your disaster recovery plan develops, make sure it addresses these key areas.
- Your objectives – are you aiming to protect your data, serve your customers or protect important equipment?
- The scope – do you need an individual plan for each site or will a single plan cover the whole business?
- A list of contacts – who will need to do what? Whom will you call, both internally and externally, and in what order?
- What are the key response actions for each type of incident?
- Who is responsible for executing each part of the plan? Who will stand in if they are unavailable?
- Where will you work if your usual location is unusable?
- How will you communicate with employees and customers?
- What insurance policies do you need?
Remember too that your business will change over time, so review your plan regularly.
Executing your business continuity plan
Once you have a resiliency plan ready, don’t just put it aside until you need it. You may need to take regular actions to make sure it works effectively at the right time. Here are some ways to keep your plan effective.
- Conduct disaster recovery drills to make sure everyone knows what their role is
- Ensure your disaster recovery plan is accessible instantly, from anywhere
- Regularly review your insurance policies
- Make sure your IT security is up to date
- Conduct risk assessments
- Give your employees business continuity training
- Back up your data off-site
One of the greatest benefits of business continuity planning is that it prevents panic setting in at the worst possible time. If you have a plan to hand, then no matter how grim the circumstances, having a practised set of activities to execute will help to keep you focused, and maximise your chances of surviving the crisis intact.