The novel coronavirus pandemic has taught us several lessons already and there’s likely more to learn.
We’ve learned the definition of essential businesses and personnel during a time of crisis, the term “social distancing”, which employees are able to perform their duties remotely, and more.
We’ve also learned that pandemics need to be included in every organization’s business continuity/disaster recovery (BCDR) plan.
If you already account for them in your business plan, kudos to you! I recently wrote about how to go about this for the Hartford Business Journal and have included more detail below.
When putting together a BCDR plan, I think many of us focus on the more typical potential disasters that come to mind, like weather-, human-, and data-related incidents.
When gathering my thoughts for this, I even subconsciously put pandemic last when listing out types of plans to consider making.
Did you have a plan in place that’s helped get your business through this crisis?
I recorded the video below to go over why you need a BCDR plan, how to start putting one together, and how to test it for success.
Check out my video here - https://share.vidyard.com/watch/4tthU7apVprZCh7bodqvev
Everybody has a business plan for their organization because it’s never a good idea just to wing it.
For example, your business likely has a strategic plan and strategic initiatives that you review on a regular basis. In those meetings, you’re likely discussing where you're headed, what to do if there's a bump in the road, how that would impact your company’s strategic direction or future, and other questions.
Any sort of business interruption is very stressful, and you don't want to be making business-critical decisions under an extreme stress load. You’ll want to have some sort of plan that you've thought about ahead of time for any given scenario.
What would you do if “this” happened? What would you do if “that” happened? It’s all thought through ahead of time and has been established into a series of steps that you can execute, like any other strategic initiative.
This protects you from making hurried decisions under duress and keeps everyone in the loop about what is happening, what you’ve done so far, and what the next steps are, including who is handling them.
That’s exactly why I would recommend that every organization have a BCDR plan. There are multiple types of plans you could need and we’ll cover those later.
Before you start building your plan, you’ll need a blueprint for the type of BCDR plan you’re looking to put together. The best way to do this is to pull a template from a reputable source or to work with your managed service provider (MSP)/IT partner.
If you’re looking to pull a template, The SANS Institute has a lot of great resources.
Regardless of how you choose to start developing your plan, they’ll all include some version of the steps below.
Start with an internal assessment of your organization. You need to know who/what your assets are such as:
Once you’ve identified all the essentials to your business, the next step is to prioritize them.
The most important thing is not to overcomplicate this. You need a simple way of notifying your individuals that your plan has been activated.
The message needs to get out and be received easily. Verify that the individuals responsible for parts of your plan know that it’s really “on”.
For example, you don't want to be put in a position where you declare a disaster and send the information out to your principals, who are supposed to pull their plans and start executing the BCDR plan, but only half of your send list received that message.
What vendors do you use? Do you have a managed service provider that you use for your IT support? Anyone out there that's going to help you get back on your feet after a business outage needs to be accounted for.
However, if you're going to go down that road and have them built into your BCDR plan, make sure that there is a legal contract in place. There must be a contractual obligation for these people to be involved. Otherwise they can't be considered a critical part of your plan.
While we're talking about legal, there are legal obligations for having a BCDR plan. Many companies have compliance requirements stating that they have to make a declaration that’s built into their plan.
Who is going to write that declaration? Who is going to present it? How is it going to get approved? These are things to consider.
Make sure that everybody is on board and on the same page as to how they communicate with the outside world about this interruption.
It's better to have multiple people involved in this plan and planning. It’s always best to have failover-type capabilities in case any one individual is not available.
This even includes the possibility that your BCDR person - the person that knows everything about the business and would be absolutely essential to the continuity of it - could be unavailable.
Have multiple people identified that are aware of the plan, involved in the plan, and capable of executing the plan if necessary.
Perhaps the biggest benefit of doing the plan is this process of sitting down and reviewing your business.
That means making sure that you know all the parts that are involved and how critical they are, organizing them based on their criticality, reviewing all your processes with your division heads, making sure that everyone's on the same page, and discovering what is relatively simple to reproduce, what can't be reproduced, etc.
You'll also likely find that certain parts of the business that you thought were relatively straightforward are a lot more complicated than you originally thought.
You may find that there are critical paths there and people involved in processes that you didn't fully understand until you've tried to document how to replace them or build a contingency for them.
It's a good practice to get all your ducks in a row and truly understand your specific organization inside and out.
I've never seen an organization go through this process and not come out the other side feeling that there was a significant value in doing it.
You’ve got your BCDR plan together and you’re confident that it’s sound. Now you need to put your plan to the test by practicing it.
You’ll want to be good at executing any plan you have in place, quickly and efficiently.
If you don't practice it, you should at least always test your plan in a realistic way to ensure it actually works.
You can do actual live testing, though that can be a little more difficult to do if you're just starting out.
You can also run a tabletop test where you gather your significant partners in a room together to “run” a test. Basically, you sit down with your plans, go through a test scenario to determine who's going to do what, when they'd do it, and how they think that would've worked.
Try putting different people in charge for each test to address more variables and see what changes.
While you're doing that process, review what did and didn't work, making sure you document every step. How you review your plan during these test scenarios and the updates you make to your plan after is what determines the quality of your plan.
Updating your plan after testing and then retesting should be a regularly scheduled task. It should be done at least quarterly and it should become something that you do as a normal part of running your business.
Much like there are many different types of disruptions to your business, there are different types of BCDR plans that account for the unique aspects and challenges that present with each circumstance.
Here are the more common ones to consider.
A disaster recovery plan typically involves a loss of your principal site of business. This can be more involved if you have multiple sites at multiple locations.
Some possible scenarios to consider when putting together a disaster recovery plan include:
Don’t forget the implications of regional or more widespread disasters and other similar factors.
A business continuity plan accounts for an event that brings about:
Generally, anything that prevents you from getting to your data.
An incident response plan is typically based around a security breach. To me that means at the very least that data inside your organization, that should have been kept inside, somehow made its way outside.
Usually this involves somebody, whether an internal or external actor, stealing your data and then releasing or selling it. Sometimes this may also be part of a ransomware demand that you are pressed to comply with.
A pandemic plan typically involves planning for a loss of personnel and loss of access to physical sites.
These plans typically incorporate a remote access component as a response measure if that’s an option available for your company. Sometimes this isn’t entirely possible for some organizations.
For example, manufacturers may be able to prepare for some of their workforce to be remote but the majority of their essential work likely needs to take place at a physical site.
Hopefully this will help you design, test, or review your BCDR plan.
Kelser has been helping businesses prepare for, survive, and recover after disasters in Connecticut and Massachusetts for almost 40 years. As one of Kelser's longest tenured employees, I've been able to help many of these organizations with their BCDR planning.
I have to say, not one of them regretted having a BCDR plan in place and tested.
If you have any questions about your current BCDR plan or getting one started, please feel free to reach out to us or grab our free eBook below that also contains the essentials for starting your own BCDR plan.
Good luck with your planning and stay safe.