How to Develop a Business Continuity Plan

Posted 01-25-2013

By Paul Hyman

When Hurricane Sandy took a $65 billion toll on New York and New Jersey last October, flooding streets, knocking out power, and demolishing infrastructure, it was impossible to know how many businesses were prepared for the devastation.

But disasters like Sandy are exactly what comprehensive business continuity (BC) plans are designed to protect against. And it is very likely there are an awful lot of companies out there that are now considering how they might deal with the very next disaster, natural or human-made.

The number one reason to develop a BC plan, if your company doesn’t already have one, is to keep critical services up and running in the event of an outage or interruption, say experts. That means making sure the plan is in place, that it’s regularly tested, and that it’s up to date. It’s like having a spare tire in your car, they say, or a Plan B.

The goal is to protect seven resources that are the key to your business: facilities, staff, technology, machinery, transportation, critical records and supply chain.

Before any planning is started, the leadership team, which should include the CIO, must determine which critical processes need to be protected, says Michael Emerson, senior director of infrastructure at Citrix in Fort Lauderdale. The plan can’t be all-encompassing.

The next step, Emerson says, is to make sure you have buy-in from the executive leadership team and that the plan, which takes considerable time and effort, is a priority for the company. And then start building your team. Make sure they understand that their level of commitment to the program needs to be strong to make it successful. Having people plan for something that might never happen is extremely difficult when people have deliverables due daily, he says. Getting the commitment from the executive leadership team sends the right message, sets the tone and helps prioritize BC efforts.

John Linse, an advisory solutions principal for EMC’s Assured Availability Services Group within EMC Global Services, who blogs about business continuity, recalls working with a Midwest company that didn’t have a BC plan. The company had two offices, which housed about 2,600 employees, located on both sides of an expressway with a walk bridge connecting the two buildings. One morning, a power outage knocked out electricity in one of the buildings. Because no BC plan was in place, a security guard made the decision that, due to the lack of power and air conditioning, he would send home the building’s 1,300 employees.

“That decision--made by an $8.75-an-hour security guard--cost the company about $1.2 million in expenses,” says Linse. “If there had been a plan in place, employees might have been prioritized by who needs to be at work and who doesn’t, work space could have been set up on a temporary basis in the second building’s conference rooms, and a back-to-work plan could have kept the business going that day. When we talked to the CIO and COO afterwards, you can be sure they were ready to begin creating a plan, knowing what can happen in the absence of one.”

But which type of plan best protects the data center, which, after all, is usually the CIO’s main concern? Here are three examples to choose from, depending on the company’s budget and how long it can afford to be without its technology services, says Douglas Henderson, president of Florida-based Disaster Management, Inc.:

· Redundant site. A completely functional separate operation that continually duplicates every activity of the primary data center. Under this environment, the primary data center can be completely shut down without any interruption of service as the redundant site is fully staffed, equipped and continually operational.
PRO: Technology services can be accessed instantaneously.
CON: Requires duplicate staff, hardware and space, which may make it a very expensive choice.

· Hot site. A separate operation that’s ready on a standby basis with compatible hardware, power, communications and other necessary assets. Must be regularly tested to assure readiness.
PRO: Doesn’t require a duplicate staff. Can generally be made fully operational in 24-36 hours.
CON: Requires duplicate hardware and space.

· Cold site. A separate facility that isn’t operational but can be made operational within a reasonable period of time. Electric power and communication access is available, but the computer hardware isn’t in place.
PRO: Doesn’t require duplicate staff or hardware. Least expensive choice.
CON: Requires duplicate space. Provides partial recovery in five or more days but full recovery takes longer.

Regardless of which BC plan you choose, your priority should be resiliency--assuring reliability within the data center so that, perhaps, Plan B may never be necessary. Experts point out that backing up electronic data to an off-site location as frequently as possible is the very best, simplest way to prevent catastrophes. With the popularity of cloud computing, electronic vaulting is a no-brainer.

What you don’t want to do is back up data daily but only move it off-site, say, once a month. This means that if a disaster occurs 28 days from the most recent transfer, you’re at risk of losing almost a month’s worth of data. A weekly transfer is recommended.

And be sure your staff knows how to access the data that’s off-site. A planning session is critical to determine that everyone knows where the data is and how to get to it.

Also, are you sure you are backing up everything, even the data that employees are working on at home on their laptops? Or the data on the Macs in your art department, which may not be part of your main data center?

Smaller companies may try to cut corners and save money by storing data on-site in a so-called fireproof enclosure, like a safe. Be aware that safes may be fire-resistant but they aren’t fireproof. And if the data is on the premises, what happens if a fire or other disaster prevents you from accessing the building? Or perhaps the building is destroyed?

Here are some other no-no’s to avoid:

· Don’t overplan by addressing every single disaster that could possibly occur. It’s more important to prioritize. One company put a lot of effort into determining what they would do if a terrorist walked in the door. Wasn’t it more likely that a fire would occur? The largest percentage of outages in data centers results from human errors and power failures, not from earthquakes or bomb explosions. Spend your time and effort on the most likely occurrences.

· Don’t rest on your laurels. When you get a plan in place, keep testing and improving it. Planning that appears adequate on paper may have glitches in an actual emergency. Conducting periodic exercises will help to discover what needs to be corrected before a disaster strikes.

Creating and maintaining a comprehensive business continuity plan costs time and money, which is why, in today’s economy, companies are often willing to risk not having one.

“But then they’re just rolling the dice,” says Henderson. “Can you really afford to have your business shut down for a period of time just because you didn’t plan for that eventuality?”

Paul Hyman is a freelance technology writer and editor. He was an editor-in-chief at CMP Publications (now United Business Media) and currently reports for such publications as Communications of the ACM, IHS’ Electronics360, and CRM Magazine. See an archive of some of his stories.