There’s a budding misconception that the prevalence of cloud computing has brought about the obsolescence of business continuity planning.
We’ve been in the IT industry since before the internet was a thing and we’ve been preaching the benefits of cloud computing since we had to define what “the cloud” even meant. As much as we’d love to credit technology with solving the problem of operational disruption, there’s more to it than that.
Business continuity planning seeks to minimize downtime and lost goodwill in the event your operations are disrupted. This spans everything from identifying potential losses to drawing up recovery plans to designing system and personnel redundancies to simulating various incidents.
We’ll walk you through the full scope.
Why Business Continuity Plans Still Matter
It’s true that the COVID-19 quarantine forced businesses to operate without any access to their physical offices. While being able to work from anywhere does offer significant advantages in terms of continuity, we can’t rely on cloud computing in every disruptive scenario.
The Cloud Will Keep You Running When… | The Cloud Will Not Help When… |
You accidentally delete an email and try to retrieve it that same week | You delete an email and try to retrieve it after your deleted items are purged |
Your computer is lost, stolen, or damaged and you have to use a loaner | A critical IT resource with the “keys” to that cloud is fully unreachable |
You don’t have physical access to your office | You experience an internet outage |
Your office is fully destroyed | The cloud provider experiences degraded performance or downtime |
These are some instances where a business continuity plan (BCP) comes into play.
The Anatomy of an Effective BCP
A business continuity plan is a large-scale undertaking that will involve every functional area of your business. The key elements are:
- Baseline Assessment to establish your starting point.
- Business Impact Analysis to define risks, costs, and your level of tolerance.
- Remediation Projects to reconcile your tolerance with reality.
- Crash Book to map how various disaster scenarios should play out.
- Tabletop Exercises to simulate how various disaster scenarios would play out.
- Revision, testing, and more revision to refine and improve your BCP on an ongoing basis.
There’s a lot baked into each of these phases. We’ll dig deeper into steps 2 and 4 below.
Business Impact Analysis
This part of the process is intensive. You’ll need to sit with a cross-section of your team to:
- List out important business processes (e.g. invoicing) and what people, third parties, IT systems, and equipment are required.
- Calculate what it would cost for those processes to be disrupted for 24 hours. Factors are both direct (lost revenue, operating costs) and indirect (impact on clients and partners).
- Establish how many hours’ worth of lost time and data you are willing to tolerate.
- Calculate how much time and data you would actually lose before you could recover those processes today.
- Highlight the delta between your tolerance and reality.
If you consult with a third party for your plan, they’ll have templates for you to use to simplify this stage of the process a bit.
Crash Book
Picture flow charts for this phase. For each of the processes you evaluated in the Business Impact Analysis, consider every step of the recovery process.
- Who/what identifies the disruption and how?
- Who/what determines scope and severity and how?
- Who investigates and determines the root cause?
- What action needs to be taken based on the cause? What if that action fails?
- Who needs to be alerted when, and who takes lead on those communications?
- What third parties need to be involved? Who is your contact and how do you reach them? What is their availability and what options do you have outside that window?
The more detail you can include the more clarity you will provide in the event you have to put these recovery processes to the test.
How to Get Started with Business Continuity Planning
As you can see, building this plan will require hefty investments of time, energy, and money. This means the first step in building your plan is getting buy-in across your organization.
Once that is established, seek out an IT consultant who can guide you on a strategic level. While you’ll need to leverage technical resources for phases of this planning (remediation projects and tabletop exercises in particular), it’s important to keep this discussion at the business level.
They don’t call it a technology continuity plan, after all.