The Federal Emergency Management Agency (FEMA) has reported that 40 to 60% of businesses never reopen following a disaster, and that a total of 90% of smaller companies fail within a year unless they can resume operations within 5 days after the disaster. These statistics are staggering and should drive companies to implement business continuity and disaster recovery plans, but many do not. Even among companies that do have a business continuity plan in place, FEMA reports that 1 in 5 spend no time maintaining their plan.
When researching business continuity or disaster recovery planning, these terms are frequently used interchangeably and often thought to mean the same thing. Nothing could be further from the truth. Business continuity and disaster recovery, although linked, refer to different means of protecting your business and recovering from a disruptive event.
Here is what you need to know.
What is Business Continuity?
Business continuity, or business continuity planning, is the way in which a company maintains its business operations when resources are lost, whether in a small outage or a complete disaster. Whether the outage lasts for two hours or six days, it has the potential to be equally devastating. Business continuity includes preventative measures that are put in place company-wide, and it regulates a variety of controls.
Ask yourself, how will our company continue to function if an outage occurs for any reason? What location will we work from and how will our employees be able to access the materials and information they need to continue to do their jobs? How will we continue to sell products and services to our customers? How will we continue to support them?
Business continuity is about mitigating risk before anything ever happens.
Best practices for developing an effective business continuity plan include:
- Form a team, including employees from various departments, to develop a living business continuity plan.
- Obtain buy-in from your executive management team to ensure this is a priority for the company.
- Be proactive in identifying risks and watch for new, potential risks on a regular basis.
- Understand how those risks will affect your day-to-day business operations, as well as specific groups including employees and customers.
- Put measures in place to mitigate those risks.
- Identify people and procedures needed to alert employees, customers, vendors, and other key stakeholders that a disaster has occurred.
- Regularly test your procedures to ensure they can be implemented efficiently, effectively and quickly.
- Examine your plan quarterly or at an interval determined by your team to review the procedures and ensure they are still current.
What is Disaster Recovery?
Disaster recovery is one critical component of the larger business continuity plan. Although it is not solely focused on IT, it is often the IT department that takes over responsibility. It becomes your backup and recovery plan—the way in which you will maintain, store, and restore your data, files, software applications, servers, and other equipment so that you are up and running again in the shortest amount of time.
Ask yourself, how frequently do we currently back up our data, and can the company function without critical data for any period of time? Are additional servers and other equipment readily available to us to quickly rebuild our network infrastructure? Is there another secure location within a reasonable distance of our office where we could restore our network if the current server closet or server room is no longer usable?
If business continuity is about mitigating risk before anything ever happens, disaster recovery is about quickly and efficiently implementing your plans during and after the disaster has occurred.
Best practices for developing an effective disaster recovery plan include:
- Understand what impact the previously identified risks could have on your IT assets.
- Decide how you will replace equipment if that should be necessary.
- Know how many additional servers and other pieces of equipment you have in stock which could be installed immediately after the outage.
- Implement a procedure for obtaining any new parts which you may not have in stock.
- Identify the level and type of support/notifications you will provide to employees, customers, vendors and others during the outage. For example, a help desk, call tree, automated push notifications or conference bridges.
- Determine your Recovery Time Objective (RTO): The target time you need to recover your IT and business activities after a disaster has struck. Knowing how quickly you can actually recover your IT infrastructure and how quickly the business needs to recover to prevent catastrophic loss will help you decide on the preparations you need to put in place to make sure that those two numbers are in sync.
- Determine your Recovery Point Objective (RPO): The window of time in which data loss is acceptable for your company. Put simply, it is the amount of time between required data backups. Could your company still operate, virtually unaffected, if you were unable to access the last three days of data? If not, you may want to consider daily backups or even real-time backup.
- Decide on your recovery failover procedures and system restart procedures.
- Preselect a local data center provider whose colocation or cloud services you would be able to utilize in the event that your facility is no longer usable or accessible to ensure that rapid restoration of business operations is possible.
The Key Takeaway
Many companies choose not to proactively prepare for a disaster because they believe that it will never happen to them. If they are not located in a region prone to floods, hurricanes, tornados or blizzards, they do not believe it is necessary to expend the time, resources and money to not only implement but also maintain and test a plan.
Remember, a disaster can come in many different forms, not just environmental. IT hardware failures, cyber-attacks, terrorist attacks and even vandalism or simple human error can cause extensive outages over extended periods of time.
Correctly defining disaster recovery and business continuity planning, understanding the specific differences of each, proactively implementing a custom plan to meet your requirements and continually testing and reevaluating your plan will help keep your business in business for many years to come.