How well prepared is your business for a disruption in critical services like phone, internet or power?
Until the last decade or so, losing internet access would be a minor disruption for most businesses. But today, when many companies have documents or server space located off-site and accessible via “the cloud”, internet service is a critical function for many businesses.
A business continuity plan lays out how you will continue to operate when anything from a tornado to a system failure strikes.
Putting together a BCP is a lengthy, detailed process. It is one of those “you get out of it what you put into it” things. Every business - regardless of size - should follow these steps or something similar to be sure your business can continue in an emergency.
The first thing to ask yourself is how available does your business need to be. If you are a news organization or a first responder (fire, police, medical), availability is critical. Other businesses may be able to shut down for a day or two without a huge impact. Still, you need to know what your business requirements are. Then work through these seven steps to develop a continuity plan.
1. Arrange for offsite storage of critical files and equipment - these may include anything from copies of records, contacts, digital files, even spare computers. The storage should by in a monitored facility and be some distance from your office - accessible even if there is a localized disaster or quarantine.
Whether you have one computer or 20 servers, backup your data. That includes your email, files, folders and databases. You should have a weekly backup of your data stored offsite. Even if you use cloud services and hosted email, it is still your business at risk. Make sure you know how to access backups of your data if you need them from your vendor or how to take backups of your company info on your own.
2. Identify critical information your business needs:
● Identify the key personnel in your organization and put together a list with cell phone numbers, home addresses, secondary addresses or phone numbers (like weekend places at the beach). Key vendor and client lists should also be maintained.
● Many business functions can be performed remotely through a web browser, but not if you have everything bookmarked with passwords stored on your office PCs. Document the addresses and the access codes. There are many programs that will securely store and encrypt your passwords - 1Password for the Mac and RoboForm for the PC are just two options. These encrypted passwords should be kept under lock and key in a secure facility.
3. Map your business processes. Who does what, when do they do it, how do they do it and what’s the backup process? Identify any single points of failure. Develop and document backup procedures for everything critical. What you need may depend on how long the disruption lasts - some can be brief like a chemical spill that causes a 24-hour evacuation; others can be catastrophic - hurricanes, tornados, even winter storms can put you out of business for days or weeks.
4. Identify alternate facilities. Where will you relocate your business if your building is damaged or inaccessible? Does your business have a second facility that can be set up as an emergency location? If so, stock it up with tables, power strips, folding chairs. Build “back up boxes” for your departments with notebooks, pens, batteries, flashlights and locate them at your backup site.
Since it’s not likely you’ll go out and buy new equipment for backup purposes, how about flipping that proposition? When you buy new laptops, move the best of the ones being replaced to your backup site. Whether you need one or 10 depends on your business needs, but remember, you are not trying to replicate normal business, but to keep business going at some level.
5. Once you have all your information assembled, put together a how-to document that walks through your recovery plan step by step: who will set up the remote location, who’s authorized to obtain the backups and access the critical company files, who notifies your staff, and once assembled how is each critical process performed.
6. Test and distribute your plan. If you think assembling all this information sounds like a ton of work for something you might never need, you are right. But even worse, is a ton of work that it turns out you do need, but some critical piece was missed. Make sure everyone who is involved in executing the plan has a copy of it. Load your plan on USB keys with encrypted logins for critical staff.
7. Review the plan each quarter (if you’re really on top of things) or at least once a year. Staff come and go, contact information changes, new systems are installed, passwords are changed. Your plan needs to be a living document.
Disasters come in all shapes and sizes: a roof leak over your data center, a blown transformer that knocks out your power, flooding that makes your business inaccessible. Things happen every day. Be as ready as you can be.