You’ve worked hard to build your business; you’ve taken risks; and after all that hard work it can be gone in an instant. You carry insurance, you have some ideas on what you’d do when a disaster strikes, but you’ve never spent a lot of time on the subject.
Unfortunately, you wouldn’t be alone in this perception—it can’t happen to us! The fact is, after a fire—the most common disaster experienced by a business—only 66 percent of those businesses survive. The sad truth is that very few businesses consider the risk of a disaster, and even fewer take steps to deal with it.
If you work in a highly regulated industry, you likely have already gone through the process, commonly called business continuity planning, or BCP, to satisfy your stakeholders and regulators. The vast majority of businesses could learn some valuable lessons just by going through the exercise. In our business, not only do we walk clients through the BCP process, but we help them enable and test their plans.
A BCP normally boils down to a set of documents that outline the procedures used in the case of a disaster. These documents come out of a standardized process that includes an analysis phase, a solution design phase, an implementation phase, a testing and acceptance phase, and a maintenance phase. Also commonly included are risk matrixes and documentation of individual roles and responsibilities when a disaster is determined.
The point of this process is to prioritize what services, systems and resources need to be recovered to continue to operate the business—basically what functions need to be re-established to conduct your daily operations. Some industries have legal standards to meet in terms of what functions need to be restored first; others need to go through the BCP process to help determine what functions need to be addressed first.
One thing we commonly see in our BCP practice is a client discovering just how critical a particular function they really took for granted is. The BCP process, when done correctly, walks you through the business piece by piece and uncovers every function that makes the business run—it’s essentially a forensic exercise that educates the leadership and often leads to other efforts to change and improve processes.
The downside of not having a plan is not obvious to most business owners. The Small Business Administration estimates that 25 to 45 percent of businesses do not re-open after a disaster, which can mean anything from a tornado or fire to an extended server, internet or network outage. You need to consider natural disasters; terrorism; power disruptions or failure; IT systems failure; network failures; external IT threats like hackers, viruses and the like; processing shutdowns; and labor strife as potential threats to your business and account for your response to these types of issues.
Businesses should be prepared to answer these kinds of questions:
- Are we prepared to relocate temporarily?
- Do we have copies of, and access to, vital company records?
- Do we have access to vital business applications (payroll, accounting, line-of-business applications)?
- How much data would we lose in a disaster between backups?
- How quickly can we recover from a disaster?
- How long would we be disconnected from our customers?
These types of questions are where you need to start. The BCP process formalizes this analysis into two key measurements: the RTO and RPO. The RTO is the “recovery time objective,” or how long we have to have the function back before harm is done. The RPO is the “recovery point objective,” or how recent our backup needs to have been before harm is done.
For instance, a business may process hundreds of transactions per day but only backs up their accounting system every night. If they experience a disaster, is it reasonable, or do they expect any negative repercussions if the staff has to re-enter yesterday’s transactions? Some businesses would have no problems manually recovering a day of transactions, whereas others would have a hard time recreating those transactions, or have a problem fulfilling orders, or getting feedback to clients. It depends on the nature of your business, of course, but without going through the exercise, you won’t know until it’s too late.
In our business, we focus on network resiliency and disaster recovery, including systems, facilities and network/internet access redundancy. Our data centers and IT systems are designed to enable businesses to outsource those functions and gain access to facilities, services and skills that they wouldn’t otherwise have in-house. Whether you are looking for help in that area or are just having this thought exercise for the first time, I would highly encourage you to invest some time into this aspect of your business. You do not want to count on the “if,” but rather, be prepared for the “when.” iBi
Eric Fisher is chief technology officer of a5.com, with existing data centers in Peoria and Bloomington.A5.com recently opened a 5,000-square-foot Tier 2 Data Center in the downtown Peoria corridor. The facility offers OC48 diverse path, multi-honed internet connections, redundant UPSs and A/C units, 250Kw CAT Diesel generator emergency power, Ecaro-25 fire suppression, unsurpassed physical security and complete monitoring, bringing a greater level of sophistication to local businesses for disaster recovery, back-up requirements and business continuity.