Business Continuity Planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. Doing that has historically meant building a solution specific to your company, at possibly a great expense. With recent improvements to cloud services, it may be possible to reduce the cost of the required services with the proper planning.
With statistics from FEMA telling us that 40 percent of all small businesses never reopen after a disaster, you need to ask yourself how you can help protect the business in the event of a natural or ma-made disaster. It is also estimated the 3 out of 4 small to mid-sized businesses don’t have a written disaster recovery plan, and most never purchase disaster insurance.
Most small businesses don’t have insurance to protect them financially. They don’t even have a written plan on how to deal step-by-step with disasters, even without a step to “call the insurance agent”. Those businesses probably don’t think they can afford to insure for something that will probably never happen, or even write a plan for what to do if it does happen.
I have written on this subject before, but you need to have a written plan. Sit down with your team and discuss the various scenarios that could happen (fire, flood, earthquake, hurricane, tornado, tsunami, landslide, industrial accident, power failure, terrorist attack, etc.), write down how you would deal with each issue, and how it could impact the company. The idea is to understand the strengths and weaknesses of your current infrastructure and begin to plan and train for the day something horrible happens. If you have written plan that helps your company get through a disaster with minimal impact, you will continue to have a job. If you don’t have a written plan, your company will probably fail to recover from the impact even a minor disaster could have on the company revenue stream.
There is an electrical fire in your data center at 3 am. The automated suppression system turns off power and handles the flames while the fire department is dispatched to investigate. The local fire chief identifies an electrical issue by 9 am and orders the facility closed for 3 days starting right now. Everything must be powered off for 3 days starting right now. You have just lost your data center for at least 72 hours. What do you do now?
What would happen if you didn’t have a plan? By the time you got the entire team together to formulate a plan it would have been 2-4 hours into a network outage. If your business relies on the employees and customers to get to those servers to generate revenue, they couldn’t have done anything until you determine a solution and get the pieces into place. How long would it take to rebuild the network infrastructure required to support your business? Redirecting internet traffic, configuring network security, helping employees and customers get connected, etc. could literally take days.
You had talked about this possibility several months ago and you rented space in a failover facility several miles away. The data has been replicating to secondary servers for many months, and you have even tested the failover process a few times. When the team is notified of the fire, the team automatically failed the entire server system to the failover site by 3:30 am. The outage was measures in minutes, and the employees and customers did’t even notice the outage.
Do you see what impact a plan has on such a small disaster. The cost of this solution could be a much a $5000 a month, but the savings during a disaster could be measured in millions.
The value of cloud services to provide cheaper and faster solutions to disaster recovery and business continuity is something you need to investigate. If you could push your mission critical applications into a cloud solution, like Amazon or Microsoft hosting, you might continue your business even if your datacenter was destroyed in a major fire.
What do you do to determine if you can solve your issue with cloud services?
- Identify mission-critical applications and data by performing a risk assessment. A risk assessment will tell you what types of incidents (natural or man-made) are most dangerous to your environment. You should also perform an asset inventory, making sure you understand what your company owns and what it is all worth. This simple analysis will allow the business to calculate the potential impact of most likely threats and prioritize their response accordingly.
- Determine when operations should resume by measuring success against established Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). This can be analyzed through stakeholder interviews and frequent testing to understand what is possible while you verify the plan provides flexibility in the disaster recovery solution the business selects. You don’t want to build a solution that allows for complete failover in 4 hours if the business stakeholders measures failure in minutes.
- Identify a backup worksite in the event the business becomes unsafe. Just like our example above, a simple disaster could cause major issues. I know of one company that arranged to meet at the local library for the three days it took to finalize a lease on temporary office space. You need to have some type of plan and be able to lead the other employees to keep them safe and productive during an unscheduled office closure.
- Design and publish a written business continuity plan (BCP) or disaster recovery plan (DRP), making sure it is accessible from anywhere by everyone. It is great having a document on the network, but in a true disaster will the people who need to see it even be capable of opening the file?
- Make sure the employees who need to know about the plan and are familiar with it, and know who to talk to if they have questions or concerns. When disaster strikes a businesses with a written plan and clear communication will quickly cut through the chaos and get the business back on track.
- Businesses should review the plan quarterly, and put the plan to an actual test at least once per calendar year. With the maturity of cloud solutions, you also have to take into account migrating and living with a more diverse private/public cloud portfolio. Ensure you have a go-to plan for the future to expand into new things like high availability, and archiving within clouds.
- Regularly review existing systems and services to verify they are protected by the plan. Consider changes to systems that are good targets for moving them from local servers to a cloud-based systems.
- Discuss any proposed system to make sure cloud services are properly considered. While not all systems or services are ideal candidates for cloud-based solutions, many are perfect for moving into the cloud.
Cloud-based services won’t prevent a disaster, and they aren’t even 100% free from outages themselves. What they can do is provide inexpensive failover services that are too expensive or too complicated for a small business to attempt on their own.