How a company responds during an emergency or other unexpected event can drastically impact how quickly it can resume operations and its prospects for future success. Planning ahead and having systems in place for such events can be just as important as the actual response once an event occurs.
To prepare, companies should have both business continuity plans (BCP) and disaster recovery plans (DRP) in place. Below, we outline how these plans differ and steps your company can take to design effective plans should an emergency arise.
While business continuity and disaster recovery plans are two separate types of plans, they should complement each other as there are many similar concerns for each.
A BCP is a predefined approach and procedure for how a business will continue to run when coping with an emergency.
A DRP is a predefined approach and procedure for restoring the business to full functionality, following a system failure or compromise, while keeping the impact to a minimum.
While a BCP focuses on defining how business operations should function under abnormal circumstances during a disaster or emergency, a DRP focuses on getting applications and systems back to normal.
Disaster Causes and Effects
Business emergencies can include events that are intentionally or accidentally caused by humans as well as natural disasters.
Potential disasters and threats can include the following:
- Pandemic flu
- Computer and server shutdown or denial-of-service and sabotage
- Ransomware attack
- Bomb threat
- Severe weather or wildfire
Regardless of the origin, business disasters may cause:
- Death or significant injury
- Damage to property or environmental damage
- Closing of business
- Work or service stoppage
- Negative impact on the company’s financial standing or company image
Benefits of Planning Ahead
A BCP and DRP can provide several benefits to your organization.
People and Property Protection
Having emergency BCPs and DRPs in place can help safeguard life and property of the company and its employees. The Occupational Safety and Health Administration (OSHA) even requires companies with more than 10 employees write such plans to comply with its Regulation 1910.38 Emergency Action Plans.
When employees know plans are in place, they may feel safer. This can help boost morale and potentially increase business value perception to buyers who recognize the responsibility and preparedness of the company.
Planning ahead allows for systemic, structured, and timely implementation of your plan and lets you make decisions based on the best available information, should an emergency occur. It also provides room to be dynamic and responsive to change. Flexibility can allow you to take human and cultural factors into account, such as supporting workers with medical needs or managing teams that operate across geographic regions, and allows the company to be transparent and inclusive with its plans.
Even if you haven’t faced an emergency, planning for one can help facilitate continual improvement of the organization and become an integral part of all organizational processes.
Managing risk for organizations includes risks posed by relationships with third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of up time.
For companies serving highly regulated industries, such as health care, financial services, and utilities, third-party risk management often includes assessing BCPs and DRPs. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.
Business Continuity Planning
There are several key factors to consider when creating a BCP. While employees and customer safety should be your top concern, there are also other areas of focus that are especially important.
Business continuity planning should focus on:
- The duration your business can last without its tools, assets, operating locations, and other elements crucial to operations
- Possible outcomes if you’re denied access to facilities, servers, customer records, or other needs
- The length of time you can operate without telephone service, electricity, or temporary electricity if running only on generators, water, and other utilities
- The necessary changes to processes and workflows to maintain critical operations until the situation can be returned to normal
- The scenarios that are most likely to occur and that would create the greatest disruption to the organization
Processes and Procedures
To prepare for those concerns, a BCP should define processes and procedures for the following:
- Assessing and planning for threats to business operations
- Maintaining operations and meeting obligations during emergencies
- Testing your plan, including test types, testing schedules, and documentation requirements
Steps to assess various risks should include the following:
- Estimating the likelihood of the event based on data, such as the historical frequency of natural disasters in an area
- Defining risk categories, such as operational, legal, reputational, or security risks
- Estimating the impact to assets or processes based on the defined risk categories—for example, a natural disaster that causes a server outage may affect a public website hosting a storefront, which could impact revenue or relationships with partners
- Mitigating controls such as backups and alternate operating locations
Contacts and Communications
Primary and secondary points of contact should be determined internally and externally. It may help to create templates or prewritten communications as well as communications schedules that can be deployed immediately in the event of an emergency. This helps put plans into action and address employee and public concerns.
Emergencies can require all hands on deck so it’s important to identify top personnel and their responsibilities in your plan, as well as team members to serve as alternates in case the primary role player is unavailable. Responsibilities should be defined and assigned for the following roles:
- Crisis manager or site coordinator
- Engineering or maintenance officer
- Human resources officer
- Communications or public relations officer
- Outside members such as police, fire, and government personnel
Employees will need to be notified and provided instruction in an emergency situation. Employee contact information should be up-to-date and easily accessible with departmental organizational charts as well as cell and home phone numbers and emergency contact information included.
Planning should also consider the likelihood that communications systems may be inaccessible and define alternative means of connecting with employees and team members, including any third parties supporting business continuity efforts.
Safety and Security
First-aid kits and other resources should be inspected at least on a monthly basis. Identify local hospitals, medical treatment options, and available 911 services so the correct parties can be contacted as quickly as possible if needed.
Evacuation and Access to Property
Evacuation plans from all company buildings should be readily available, and employees can be instructed on evacuation routes through drills. Additionally, they should be provided directions to shelter and safe areas.
For those not at a company location or to plan for how to access property following an emergency, alternate routes to key facilities should also be provided in the event of damaged roads.
Contractors, Support Equipment, and Utility Companies
Should you require the assistance of emergency personnel, repairs to infrastructure, or equipment, it’s important to consider how you’ll access these resources. Contractor contact information and tools and equipment requirements, as well as rentals, should be readily available.
Equipment you should consider having access to includes the following:
- Generators for backup power including portable options such as trailers
- Computing equipment and storage
- Trailers to transport fuel to generators, equipment for repairs, or sandbags before storms
In addition to requesting these materials, it’s important to make sure anyone who will come in contact with the equipment has a deep knowledge of how to properly operate machinery and assess any safety concerns.
Other important vendors and contacts to have easy access to include the following:
- Banks and financial institutions
- Computer and IT backup support providers
- Building contractors
- Fuel companies
Should damage take place to your property or if people are harmed, you’ll want to make sure the proper insurance protocol is in place. You should be able to easily access the contact and claims reporting information for the following:
- Property-casualty agent
- Group health insurance
- Life or accidental death and dismemberment insurance
Insurance concerns can also extend to cars and other vehicles, so it’s important to have access to vehicle identification numbers (VINs) in case they go missing or are damaged.
Disaster Recovery Planning
The purpose of disaster recovery planning is to support critical operations by returning IT systems to full functionality. This should be prioritized based on customer needs, regulatory requirements, and the importance to your organization or the operations that the IT system supports.
You should be able to determine the availability of workaround options compared to work stoppages to do the following:
- Reduce the likelihood or impact of an event through technology and controls
- Maintain minimum mission-critical systems to allow for eventual full restoration
- Recover post-disaster by bringing all systems back online to full operational state
Key Plan Elements
A DRP has many of the same elements of a BCP that need to be documented and defined ahead of time, as well as a few additional ones. Key elements include the following:
- Business impact analysis
- Assumptions and constraints
- Communication processes
- Data and system backup plan
- Damage and impact assessment
- Response communication and action plan
Additional details around some of these elements is provided below.
Business Impact Analysis
A business impact analysis (BIA) is essential for determining and evaluating the effects of an interruption to critical business operations. The BIA assesses a disaster’s impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality.
Business leaders and management should be involved in determining the system recovery priorities as the BIA will be used to document the critical systems, document dependencies with other systems, and prioritize the system recovery efforts.
Communication Processes and Role Assignments
Communication is a key process during the recovery effort so recovery teams should understand their roles and responsibilities. A disaster recovery coordinator (DRC) should be established, along with a backup to the DRC. This person will be responsible for coordinating, communicating, and managing staff during the recovery efforts.
An emergency response team (ERT) should also be documented as these personnel will be responsible for the actual recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored.
Data Backup Plan and Response Action Plan
Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy employed to ensure that data is available in order to restore systems during emergency and nonemergency situations.
This plan outlines the backup strategy for all of the critical systems identified in the BIA. The recovery and response action plan provides detailed steps on the recovery procedures that need to be performed in order to restore systems and data. The recovery steps are critical as they will help guide staff in the steps necessary to fully recover a system.
Once a plan is in place, perform tests that help verify that it can be properly executed.
Diverse testing methods must be deployed so that multiple scenarios can be addressed and tested. Suggested testing methods include the following:
- Walkthrough testing
- Simulation testing
- Checklist testing
- Full-interruption testing
- Parallel testing
Testing can be done for several purposes including the following:
- Exercising the recovery processes and procedures
- Familiarizing staff with the recovery process and documentation
- Verifying the effectiveness of the recovery documentation and site
- Establishing if recovery objectives are achievable
- Identifying improvements to the disaster recovery strategy, infrastructure, and recovery processes
We’re Here to Help
Emergency preparedness is all about planning, training, and maintaining a supportive culture. To learn more about how your business can organize business continuity and disaster recovery plans and confidently test and execute them, contact your Moss Adams professional.