Common Mistakes To Avoid When Building Your Business Continuity Plan
by Team Virtiant, on Sep 7, 2017 5:25:00 PM
Read Time 4 Minutes
Business continuity is the ability of an organization to continue to operate at an acceptable or high level after it has experienced a disaster. In order to ensure continuity, organizations should have in place a business continuity plan, also known as a disaster recovery plan. Once you have the right continuity plan set up you can be confident your data will always be available no matter what happens. Most companies rely on standard recovery plans that they’ve just copied from the Internet or other businesses. This is a mistake. A one-size-fits-all approach will not work with disaster recovery. In fact, the main reason why many organizations fail to achieve the defined objectives of their disaster recovery plan is because they depend on this cookie cutter method. Here are some other common mistakes that you should avoid when creating your business continuity plan/disaster recovery plan.
Not assigning roles and responsibilities
One of the biggest mistakes most companies make is that they create their disaster recovery plan without assigning specific roles to employees, leaving key personnel confused about what they need to do during the recovery process. This lack of instruction derails the entire plan. As such, it is important to define the value of each asset and then assign the right personnel to each particular process underlying your assets. Give them clear instructions on what they must do, how they should perform their tasks, what resources are required, and how you will evaluate the results. In order for your continuity plan to work efficiently make sure you choose the right personnel for the right role.
For example, if you assign an important role in your disaster relief plan to a new employee, at the time of a disaster he might not yet have enough basic knowledge about how the department processes work, which could render your recovery plan inefficient. One chink in the chain can wreck your entire continuity effort.
Once you assign the roles, you must make sure your employees clearly understand their roles and can deliver the results that you expect. This means your organization should train and help them if they have trouble learning what to do. When everyone is on the same page about your expectations, the plan will run smoothly. You should also document the roles and responsibilities of every member of your organization.
Not measuring the intensity of a disaster
When designing a disaster recovery plan, bear in mind that every organization has different requirements, and each department within a given company has its own varying requirements. The basic idea of a disaster recovery program is to deliver your software data and route your network’s lines to a recovery center, where it will be possible to run your organization’s critical applications. The recovery center provides essential coverage, workspace, and the required equipment. This process should work for any type of disaster, regardless of its nature and size.
However, most organizations do not take time to measure the intensity of any given disaster. To quantify the intensity of a catastrophe, you should first define the value of each asset and identify your recovery point objective (RPO) and recovery time objective (RTO). While these terms sound similar, they have different objectives. RPO can be defined as the acceptable level of latency by which data cannot be recovered. To calculate this value run a business impact analysis (BIA). In this analysis, you will separate processes and services into critical and non-critical categories. All critical functions are essential to the continuity of your business and for which you cannot afford to have any downtime. In the same vein, your RTO is the maximum amount of time needed to restore a process or a function. Running your BIA will enable you to identify business and technical requirements to recover from disaster. Also, you can run a threat and risk analysis (TRA) to prepare for several impact scenarios I recommend involving all stakeholders of your organization in the disaster recovery plan to better help you assess the risk levels of each application or service.
Not being ready for disasters of lesser magnitude
While preparing for a disaster recovery plan, many organizations focus on worst-case scenarios, but they often ignore common daily disasters that can affect your IT infrastructure. So for example, companies usually have disaster recovery plans in place to handle catastrophic hurricanes. They set up warm-site data centers that have a separate electrical line and network. This is good. But hurricanes are not common events. And the reality is that you’re much more likely to regularly experience network downtime or email shutdowns owing to non-maintenance or updates to your infrastructure software. It’s imperative for the continuity of your business that you be ready to handle these daily breakdowns efficiently.
There are three types of recovery sites.
- First is a cold site. This is a facility where you can move all your staff. It may or may not have external communication, and it has no hardware, software or network equipment available. You have to install them.
- Second is a warm site. At this site, you will have live communication links and some of the hardware equipment. Also, you will have to install the software and restore all the data. It will take a bunch of hours and maybe even a full day before your site becomes fully operational.
- Third and last is a hot site. Here you will have all your live communication links, working systems, and real data. Your business will, therefore, be ready for an immediate failover of operations.
Keep in mind, however, that you’ll need a big budget to maintain a hot site because you will have to continuously replicate data and operations for business continuity. When you have a clear disaster recovery plan with preparations for all possible disaster scenarios, your business will be positioned to recover from every conceivable kind of disaster quickly.
Miscalculating RPO and RTO
Every organization has different levels of tolerance when it comes to data loss and network downtime. When you are preparing a disaster recovery plan, it’s important to accurately identify the value of each asset and the loss it would bring to your business operations. Calculate the metrics, such as recovery point object, recovery time objective, and business impact analysis. RPO and RTO play an important role in preparing a disaster recovery plan because they help you determine which kinds of data to prioritize when deciding what to recover in the event of a disaster.
Imagine that your organization has just been hit with a disaster and you’ve lost all your data. You can retrieve some of the data from other sources. Your suppliers will have the data of the purchase and sale of your product. But in the case of customers who have purchased products from you online, you won’t be able to reach out to them to gather that data. But this kind of data, along with customer behavioral trends and purchasing patterns, is not crucial because your business will run without any interruption even if you lose such data, though you won’t be able to deliver customized offers to customers. By contrast, if you lose the data required to run critical applications, you would experience downtime that, in turn, will cause you to lose revenue.
Setting a common budget for recovery programs
While organizations are typically interested in setting up their infrastructure and running their company, they often neglect to design and maintain a disaster recovery plan to safeguard their business operations. It’s easy to understand why— you have to run business processes on a daily basis, whereas disasters occur rarely. And people usually don’t like to spend money on things they do not need at the moment. This is why most organizations set up a common budget for the disaster recovery program and expect the administrators to manage recovery operations within their budget limit.
Disasters tend not to let us know they’re coming beforehand, and you have no idea what will hit you and how bad it will be. Accordingly, if you fail to calculate the financial impact of downtime and devise a continuity plan, in most cases you won’t be able to recover your operations after a disaster. The prudent approach is therefore first to calculate the recovery point objective and recovery time objective by running the BIA and TRA. Running these analyses will enable you to differentiate between critical applications and non-critical applications and ensure that critical applications are always given priority when performing a recovery program. If you are on a low budget, the RPO and RTO values will tell you where to invest your money in the recovery plan.
While it’s important to know what to do, it is equally important to know what not to do. And when it comes to devising business continuity plans for companies that have deep pockets, the stakes are much higher, and it is imperative that you avoid costly mistakes. Your primary focus should be ensuring that you always have an uninterrupted flow of data available. Another good rule of thumb for your disaster plan is always to put people first. The safety of your employees is more important than the security of your assets. And when you care for your employees, they will surely take care of your company in turn