How to Successfully Plan for and Recover from a Disaster
The novel coronavirus pandemic has taught us several lessons already and there’s likely more to learn.
We’ve learned the definition of essential businesses and personnel during a time of crisis, the term “social distancing”, which employees are able to perform their duties remotely, and more.
We’ve also learned that pandemics need to be included in every organization’s business continuity/disaster recovery (BCDR) plan.
If you already account for them in your business plan, kudos to you! I recently wrote about how to go about this for the Hartford Business Journal and have included more detail below.
When putting together a BCDR plan, I think many of us focus on the more typical potential disasters that come to mind like weather, human, and data related incidents.
When gathering my thoughts for this, I even subconsciously put pandemic last when listing out types of plans to consider making.
Did you have a plan in place that’s helped get your business through this crisis?
I recorded the video below to go over why you need a BCDR plan, how to start putting one together, and how to test it for success.
Check out my video here - https://share.vidyard.com/watch/4tthU7apVprZCh7bodqvev
Why you need to have a BCDR plan
Everybody has a business plan for their organization because it’s never a good idea just to wing it.
For example, your business likely has a strategic plan and strategic initiatives that you review on a regular basis. In those meetings, you’re likely discussing where you're headed, what to do if there's a bump in the road, how that would impact your company’s strategic direction or future, and other questions.
Anytime you have any sort of business interruption it's very stressful and you don't want to be making business critical decisions under an extreme stress load. You’ll want to have some sort of plan that you've thought about ahead of time for any given scenario.
What would you do if “this” happened? What would you do if “that” happened? It’s all thought through ahead of time and has been established into a series of steps that you can execute, like any other strategic initiative.
This protects you from making hurried decisions under duress and keeps everyone in the loop about what is happening, what you’ve done so far, and what the next steps are, including who is handling them.
That’s exactly why I would recommend that every organization have a BCDR plan. There are multiple types of plans you could need and we’ll cover those later.
How to Build a BCDR Plan
Before you start building your plan, you’ll need a blueprint for the type of BCDR plan you’re looking to put together. The best way to do this is to pull a template from a reputable source or to work with your managed service provider (MSP)/IT partner.
If you’re looking to pull a template, The SANS Institute has a lot of great resources.
Regardless of how you choose to start developing your plan, they’ll all include some version of the steps below.
Identify What’s Essential to Your Operation
Start with an internal assessment of your organization. You need to know who/what your assets are such as:
- Your principal people
- The most important people in your organization
- Your compute requirements
- Your internet access requirements (along with static IPs, DNS changes, etc.)
- Where your data is located
- Logistics requirements to get products in and out
- And more
Once you’ve identified all the essentials to your business the next step is to prioritize them.
Establish a Simple, Verifiable Method of Communication
The most important thing is not to overcomplicate this. You need a simple way of notifying your individuals that your plan has been activated.
The message needs to get out and be received easily. Verify that the individuals responsible for parts of your plan know that it’s really “on”.
For example, you don't want to be put in a position where you declare a disaster, you send the information out to your principals, they're supposed to pull their plans and start the execution of the BCDR plan – but only half of your send list received that message.
Determine What Outside Help You Have
What vendors do you use? Do you have a managed service provider that you use for your IT support? Anyone out there that's going to help you get back on your feet after a business outage needs to be accounted for.
However, if you're going to go down that road and have them built into your BCDR plan, make sure that there is a legal contract in place. There must be a contractual obligation for these people to be involved. Otherwise they can't be considered a critical part of your plan.
Identify Your Legal, Compliance, and Other Obligations
While we're talking about legal, there are legal obligations for having a BCDR plan. Many companies have compliance requirements stating that they have to make a declaration that’s built into their plan.
Who is going to write that declaration? Who is going to present it? How is it going to get approved? These are things to consider.
Make sure that everybody is on board and on the same page as to how they communicate with the outside world about this interruption.
Have Multiple People Involved in the Plan
It's better to have multiple people involved in this plan and planning. It’s always best to have failover-type capabilities in case any one individual is not available.
This even includes the possibility that your BCDR person - the person that knows everything about the business and would be absolutely essential to the continuity of it - could be unavailable.
Have multiple people identified that are aware of the plan, involved in the plan, and capable of executing the plan if necessary.
Appreciate the Benefits of BCDR Planning
Perhaps the biggest benefit of doing the plan is this process of sitting down and reviewing your business.
Making sure that you know all the parts that are involved, how critical they are, organizing them based on their criticality, reviewing all your processes with your division heads, making sure that everyone's on the same page, discovering what is relatively simple to reproduce, what can't be reproduced, etc.
You'll also likely find that certain parts of the business that you thought were relatively straightforward are a lot more complicated than you originally thought.
You may find that there are critical paths there and people involved in processes that you didn't fully understand until you've tried to document how to replace them or build a contingency for them.
It's a good practice to get all your ducks in a row and truly understand your specific organization inside and out.
I've never seen an organization go through this process and not come out the other side feeling that there was a significant value in doing it.
How to Test Your BCDR Plan
You’ve got your BCDR plan together and you’re confident that it’s sound. Now you need to put your plan to the test by practicing it.
You’ll want to be good at and be able to execute any plan you have in place in a quick and efficient way.
Test the Plan in a Realistic Way
If you don't practice it, you should at least always test your plan in a realistic way to ensure it actually works.
You can do actual live testing, though that can be a little more difficult to do if you're just starting out.
You can also run a tabletop test where you gather your significant partners in a room together to “run” a test. Basically, you sit down with your plans, go through a test scenario to determine who's going to do what, when they'd do it, and how they think that would've worked.
Try putting different people in charge for each test to address more variables and see what changes.
While you're doing that process, review what did and didn't work, making sure you document every step. How you review your plan during these test scenarios and the updates you make to your plan after is what determines the quality of your plan.
Regularly Update the Plan and Retest
Updating your plan after testing and then retesting should be a regularly scheduled task. It should be done at least quarterly and it should become something that you do as a normal part of running your business.
Different Plans for Different Disruptions
Much like there are many different types of disruptions to your business, there are different types of BCDR plans that account for the unique aspects and challenges that present with each circumstance.
Here are the more common ones to consider.
Disaster Recovery Plan
A disaster recovery plan typically involves a loss of your principal site of business. This can be more involved if you have multiple sites at multiple locations.
Some possible scenarios to consider when putting together a disaster recovery plan include:
- Loss of a single site
- Loss of multiple sites
- Loss of only the headquarters
- Duration of site loss
- Site accessibility
- And more
Don’t forget the implications of regional or more widespread disasters and other similar factors.
Business Continuity Plan
A business continuity plan accounts for an event that brings about:
- Data loss
- Application loss (such as primary and secondary applications)
- Server loss
- Hardware failure
- Network loss
- Loss of access to the internet for cloud-based applications
- Corruption or encryption of data like with a ransomware infection
Generally, anything that prevents you from getting to your data.
Incident Response Plan
An incident response plan is typically based around a security breach. To me that means at the very least that data inside your organization, that should have been kept inside, somehow made its way outside.
Usually this involves somebody stealing your data (whether by an internal or external actor) and then releasing or selling it. Sometimes this may also be part of presenting a ransomware requirement for compliance.
Pandemic Plan
A pandemic plan typically involves planning for a loss of personnel and loss of access to physical sites.
These plans typically incorporate a remote access component as a response measure if that’s an option available for your company. Sometimes this isn’t entirely possible for some organizations.
For example, manufacturers may be able to prepare for some of their workforce to be remote but the majority of their essential work likely needs to take place at a physical site.
Hopefully this will help you design, test, or review your BCDR plan.
Kelser has been helping businesses prepare for, survive, and recover after disasters in Connecticut and Massachusetts for almost 40 years. As one of Kelser's longest tenured employees, I've been able to help many of these organizations with their BCDR planning.
I have to say, not one of them regretted having a BCDR plan in place and tested.
If you have any questions about your current BCDR plan or getting one started, please feel free to reach out to us or grab our free eBook below that also contains the essentials for starting your own BCDR plan.
Good luck with your planning and stay safe.