Don't panic, have a plan.
Having a business continuity plan means your business knows what to do if a problem occurs which
is large enough to disrupt your operations.
A good business continuity plan should cover more than just IT, but for many businesses, IT is one of the most likely areas where a business-impacting problem may occur - if you don't already have a plan, it might make sense to start here.
But bear in mind that even an IT focused Business Continuity Plan should cover systems, facilities (eg: buildings) and people.
Why have a Business Continuity Plan?
Avoid panic - Decisions made in a stressful situation are rarely the best ones, which can increase the time taken to resolve the situation, or even make the situation worse. Having a plan means all your key people know their responsibilities, and can work more efficiently.
Restore normal operations faster - Ensure your resources are working on the most urgent things. For example, you may be able to work without your accounts system for a day, but couldn't be without email for more than an hour, so your IT team need to know they should work on restoring e-mail service first.
Improve confidence - If you provide services to other businesses, they may prefer to work with suppliers who have a Business Continuity Plan. Some may insist you have one.
Producing a Business Continuity Plan
Review your business and critical systems.
Make sure you fully understand the issues and risks.
Consult an expert in each system or process - this could be the person in your business who owns the process, or a technical expert / consultant.
Assess the risks.
How likely is each risk (eg: fire, flood, natural disaster, theft, vandalism, malicious action)
What would be the impact on your business in the worse case scenario? Try to put a monetary value on this (eg: how much would an hour / day of downtime cost you) - that'll help you work out your budget for reducing the risk or recovering from the problem.
How quickly would the affected systems (email, servers, internet connection) need to be restored either partially or fully? This is called your Recovery Time Objective - the minimum time that a particular service can be down or degraded.
How can you reduce or avoid the risks or impact?
Can you put backup systems, redundant systems or spares in place - if one system fails, can another take over?
Can you detect the problem automatically before it becomes critical?
How much to spend on these things can be guided by the value you worked out in section (2)
Plan your recovery
If the worst happens, what are the exact steps to get back to partial or full operation?
Who needs to be involved and what exactly should they do?
What materials, spare parts or equipment is needed?
Which steps need to be done first?
What mistakes could be made? How do you avoid them?
Testing your plan
It's important to test and update your plan regularly. Systems change, staff members may leave or join. Business processes change.
By testing your plan at least annually (and ideally more regularly), you'll ensure that everyone involved is aware of their roles and responsibilities, and they're confident to carry them out.
After each test, make sure to update the plan with anything new you've learned, or anything that's changed since the last test.
You don't have to have a real crisis or problem to test your plan properly - many types of IT problems can be simulated using cloud systems such as Amazon Web Services or Microsoft Azure, without affecting your live systems, so your plan can be tested "hands on".
If you already have some type of resilience built into your IT systems, you can simulate failure of one system outside office hours and make sure the backup system takes over - your IT team or service provider can help here.
For more information on disaster recovery planning, please visit our website or talk to one of our technical advisors firstname.lastname@example.org