Aug 02 2011

5 Steps for Building a Business Continuity Plan

These five steps can limit your headaches if disaster strikes.

Fewer than half of all businesses in the United States feel confident that they can recover quickly from a disaster, according to a recent Ponemon Institute study. The U.S. confidence rate, at 38 percent, pales in comparison to the 85 percent rate achieved by German and Dutch companies.

Where do you fit on this spectrum? Are you one of the six in 10 businesses that do not feel confident of survival in the face of a disaster?

Building a robust business continuity program can be an intimidating task, especially when you turn to the bookshelves and find tomes several inches thick on the topic. However, it doesn’t need to be that way. By following five simple steps, you can implement a solid business continuity strategy that will keep your critical operations functioning in the event of a disaster.

Step 1: Get Started

The first challenge in getting a business continuity program off the ground is obtaining executive-level support for the initiative, according to David M. Sarabacha, global leader for Deloitte & Touche’s business continuity practice. Having the support of your CEO or another senior executive underscores the importance of the plan and puts it in a different light in the eyes of functional leaders who might be tempted to dismiss it as just another IT initiative.

Remember that support is more than a statement. Executives will need to put their money where their mouth is and provide the financial resources necessary for the complete implementation of the plan. Sarabacha stresses the importance of putting funding behind the plan. He explains that business continuity is not an area where you want to make a partial effort. “The 80/20 rule does not work here; the business is either up and running, serving customers and clients, or it is not,” he says.

Step 2: Identify Business Requirements

After obtaining the resources needed to develop your plan, you should turn your attention to identifying and documenting the critical business functions that require support in the aftermath of a disaster. This information is critical to properly allocate your business continuity resources and deserves a rigorous evaluation.

When you open one of those business continuity books mentioned earlier and skip to the chapters on business requirements, you’ll probably find a lengthy discourse on the topic, but you can boil this down to one simple question that you can ask business leaders in each department: “In the event of a disaster, what business systems do you need to have up and running quickly to prevent disruption of your core function, and what is the longest amount of time you can do without them?” The answer they provide becomes the maximum tolerable downtime (MTD) for those systems.

While the question itself is straightforward, you should handle it with the utmost political savvy. Ask probing follow-up questions until you are confident that any identified systems are truly critical and not simply convenient.

For example, while members of your accounting staff might indicate that they must have the payroll system operating within 24 hours of a disaster, follow-up questions might reveal that they are comfortable rerunning the biweekly payroll two or three times without modification, which doesn’t require access to the payroll system. This alternative procedure effectively lengthens the MTD from 24 hours to six weeks or longer — a change that can have a dramatic impact on resource prioritization.

Step 3: Determine Recovery Speed

Although 84% of small businesses feel that recovering their data in the event of an emergency is important, only 40% perform offsite data backups.

Once you’ve worked with functional units to develop a list of critical systems and their corresponding MTDs, you’re ready to turn your attention to the underlying technology. Ask your organization’s relevant technology specialists a question similar to the one you asked your business leaders: “In the event of a disruptive disaster, how long would it take to restore system X to working order?” This value becomes your recovery time objective (RTO).

You’ll need to approach these conversations with the same degree of political sensitivity you used for the MTD conversations. No system engineer wants to admit that his or her systems are susceptible to failure, and their natural tendency will be to sugarcoat the RTO value. You need to stress to them the importance of developing accurate estimates now, while you’re developing your plan. An overly ambitious RTO can easily lead to an underinvestment in technology and a critical outage in the event of a disaster.

Step 4: Deal with the Gaps

After adding the RTOs to your list of MTDs, you now have the information you need to assess the impact of a disaster on your technology operations. Simply look down the list and identify the cases where the MTD is less than the RTO. Each one of these situations represents a system where functional leaders have expressed a recovery requirement that you are not currently positioned to meet in the aftermath of a disaster.

Your first step upon discovering a gap should be to revisit the numbers. Talk to the business leaders and make sure that their MTDs are accurate and that the recovery times described by technologists are truly insufficient for meeting business needs. Similarly, sit down with the technologists and ask if they might be able to make small changes to their procedures that would allow them to recover a given system before reaching the MTD.

You’ll often find that providing this context allows you to reach a negotiated solution to the gap. However, be sure that both parties understand that you’re not asking them to bend the truth in the interest of removing the gap. If the gap truly exists, you need to know that.

The gaps that remain after these conversations are candidates for investment. You may need to purchase additional systems, add fault tolerance capabilities or make other commitments of time and money to either reduce the RTO or increase the MTD.
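The MTD-versus-RTO comparison in Steps 2 to 4 is easy to keep as a small worksheet. The Python below is an added example, not code from the article or from Deloitte: it parses the durations business and technology staff give in interviews ("24h", "3d", "6w"), applies a workaround-adjusted MTD as in the payroll example, and lists the systems where the MTD is shorter than the RTO, largest shortfall first so the remaining gaps can be ranked as investment candidates. The system names, owners and durations are constructed sample data.

```python
"""Business continuity gap analysis: compare each system's maximum tolerable
downtime (MTD, stated by the business) with its recovery time objective (RTO,
estimated by technology staff) and flag systems where MTD < RTO.

Added example, not part of the original article. All systems, owners and
durations below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Durations from interviews arrive as "24h", "3d", "6w"; normalise to hours so
# MTD and RTO can be compared directly.
_UNITS_IN_HOURS = {"h": 1, "d": 24, "w": 7 * 24}


def parse_duration(text: str) -> int:
    """Parse strings like '4h', '3d' or '6w' into a whole number of hours."""
    m = re.fullmatch(r"\s*(\d+)\s*([hdw])\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNITS_IN_HOURS[m.group(2)]


@dataclass
class SystemRecord:
    name: str
    owner: str                          # business unit that stated the requirement
    mtd: str                            # maximum tolerable downtime as first stated
    rto: str                            # recovery time estimated by technologists
    # An alternative manual procedure can lengthen the effective MTD (the
    # article's payroll example). None means no workaround was identified.
    workaround_mtd: Optional[str] = None

    def effective_mtd_hours(self) -> int:
        return parse_duration(self.workaround_mtd or self.mtd)

    def rto_hours(self) -> int:
        return parse_duration(self.rto)


def find_gaps(systems: list) -> list:
    """Return the systems whose RTO exceeds their effective MTD, worst first.

    Each entry carries the shortfall in hours so the list can be used to
    prioritise investment (Step 4) rather than only to say 'gap / no gap'.
    """
    gaps = []
    for s in systems:
        mtd_h, rto_h = s.effective_mtd_hours(), s.rto_hours()
        if mtd_h < rto_h:
            gaps.append({
                "system": s.name,
                "owner": s.owner,
                "mtd_hours": mtd_h,
                "rto_hours": rto_h,
                "shortfall_hours": rto_h - mtd_h,
            })
    # Largest shortfall first: that is where the plan is furthest from meeting
    # a requirement the business has actually stated.
    return sorted(gaps, key=lambda g: g["shortfall_hours"], reverse=True)


# Constructed sample inventory (not real systems).
SAMPLE_SYSTEMS = [
    # Payroll: accounting first said 24h, but rerunning the last payroll
    # unchanged two or three times pushes the effective MTD out to six weeks.
    SystemRecord("payroll", "accounting", mtd="24h", rto="3d", workaround_mtd="6w"),
    SystemRecord("order-entry", "sales", mtd="4h", rto="2d"),
    SystemRecord("email", "all", mtd="1d", rto="12h"),
    SystemRecord("data-warehouse", "finance", mtd="1w", rto="2w"),
]


if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_SYSTEMS):
        print(f"{gap['system']:<15} owner={gap['owner']:<11} "
              f"MTD={gap['mtd_hours']}h RTO={gap['rto_hours']}h "
              f"shortfall={gap['shortfall_hours']}h")
```

With the sample data the payroll system drops out of the gap list once the rerun workaround is recorded, while order-entry and the data warehouse remain, which is the kind of result that tells you where the Step 4 conversations (and any spending) should go first.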

Step 5: Maintain the Program

After crossing the last gap off your list, take a few minutes to pat yourself on the back and congratulate your team on a job well done. Then get back to work. Business continuity plans are living documents that must evolve as the needs of the business and the capabilities of technology change. Sarabacha agrees: “The level of effort is not the same in subsequent years from the original baseline year, but the business will change.”

Taking the time to develop a robust business continuity plan may be one of the best investments your business will ever make. Far too many organizations don’t take the time to think rigorously about these issues until a hurricane is bearing down on them or a risk materializes in some other fashion. Remember, an ounce of prevention is worth a pound of cure.

