How To Create An Effective IT Business Continuity Plan

Every business faces uncertainty and the constant risk that disaster could strike with enough impact to affect day-to-day operations within the organisation. A Business Continuity Plan (sometimes referred to as a BCP) determines the suitable course of action your company will take in case of an emergency or disaster. These disasters can range from a storm or fire that destroys the building to a cyber-attack or data spill that compromises fundamental data. In any of these scenarios, having a business continuity plan in place is essential (and in some cases a legal requirement). A good BCP should contain all the information you need to get your core business systems running again after an incident or crisis, including the steps taken by all key roles within the organisation.

An effective Business Continuity Plan will help you:

• Decrease downtime after or during an event
• Minimise losses to either income or productivity, or both
• Preserve your brand value and reputation
• Reduce the impact on customers and end users

For your company to thrive even when it experiences a disaster, you need to have developed and tested an effective Business Continuity Plan. This should be implemented and tested according to best practice for your particular business, as well as considering the risk/likelihood of each possibility.

Here are some crucial details around what needs to be covered in your Business Continuity Plan:

What’s in a Business Continuity Plan?

A Business Continuity Plan contains specific instructions and steps to be taken during or after an event or disaster. An ‘event or disaster’ could be anything that disrupts the ability of your internal systems to function normally and therefore affects the running of the business. The plan will cover crucial aspects of the business such as human resources, business processes, assets, data backups, and even your business partners. Business Continuity Plans include a Risk Management Plan; an Incident Response Plan; and a Recovery Plan (also known as a Disaster Recovery plan).

Because data is critically important, many businesses will consider a Disaster Recovery service to restore the data after a disaster. Without its data, a business cannot operate hence the requirement for a well-designed BCP. One also needs to continue to function during the event and immediately afterwards, whilst all the data is being restored.

A Business Impact Analysis (BIA) quantifies the impact that a sudden loss of business functions may have on your organisation and helps identify the most crucial business processes to restore – and in what order. A Disaster Recovery plan focuses on restoring IT processes and infrastructure after a disaster.

Although these two planning methods are crucial for your organisation, they do not cater to every aspect of the business. That’s why it’s necessary to create an effective business continuity plan which covers all aspects relevant to your business. This should consider the working habits of your entire organisation, and how you can keep the essential processes running. One will therefore be required to engage with all stakeholders who cover the essential functions of the business.

Tips for Crafting an Effective Plan:

To better understand the process of building a Business Continuity Plan, consider the following:

• Start your Business Continuity Plan by identifying the scope of the project and exactly what’s required in your plan.
• Who needs to be involved, and at what stage?
• What are the critical aspects that will keep the business functioning?
• Conduct a Threat and Risk Analysis to determine vulnerable areas and potential losses you may face. For each critical function, decide how much downtime is acceptable. This is your Recovery Time Objective (RTO) and what would be considered an acceptable loss in data – your Recovery Point Objective (RPO).
• Identify key business areas and various critical functions and determine the dependencies between them
• Create an Incident Response Team from the critical functions findings. These people will be essential in responding to an incident.
• Create a Recovery Plan which outlines the steps to take after a disaster in order to get your business back up and running
• Build your Business Continuity Plan in order to effectively maintain crucial operations.
• Spend time deciding what is critical to keep the business functioning
• Test and update.

Testing Your Plan Is Essential

How do you know if your IT Business Continuity Plan will work as it needs to? Rather than wait for a disaster to determine the success of your Business Continuity Plan it is vital to create and implement regular testing strategies. We advise you carry out testing procedures either two or four times a year, depending on the specifics of your organisation.

The necessary steps for ensuring correct testing procedures include:

1. Review your initial Business Continuity Plan with your internal subject matter experts who can suggest changes based on their past experiences
2. Decide when to test and how long the procedure will take
3. Inform all employees and explain the main objectives – you don’t want panic!

4. Create and re-enact a scenario that can genuinely effect your IT business. Consider this a ‘drill’. Create a few different scenarios that cover each aspect of the BCP.
5. Evaluate and discuss the plan with your employees by focusing on gaps in the plan
6. Re-document your Business Continuity Plan as necessary

 Contact andersenIT for assistance with creating and/or testing your Business Continuity Plan.