Recent experience with Hurricane Irene has left many executives feeling uneasy about their companies’ plans to maintain operations in the event of a disaster or emergency. Business executives know disaster recovery and business continuity plans are important, and they want to be prepared when a natural or human-created disaster disrupts their operations. So why do so many fail to plan?
Instead of listing the many potential reasons, we’ll pose a different question: what will lead a company to cross the bridge from thinking about a plan to actually creating a plan? The most frequent answer: when the top executive wants the company to do it. “That single voice starts the process and creates an ongoing commitment for planning, testing, evaluating, and updating a business continuity plan,” says Sassan S. Hejazi, director of Kreischer Miller’s Technology Solutions Group.
Many of the most successful organizations bring together the senior management team and set business continuity planning as a top priority within the organization, and in fact, make business continuity/disaster recovery a regular agenda item when the management team gathers. “All of your other priorities are severely compromised without a business continuity plan,” Hejazi says.
Business continuity planning requires breaking down the silos, which can offer added benefits. For instance, managers will share what they’re doing and talk about their needs. They can also discover duplicative efforts that could be minimized in order to create more productive operations.
“Business continuity planning isn’t about getting data out of storage, it’s about running the business,” Hejazi says.
The top priority of any business continuity plan should be the one thing that’s most at risk and hardest to replace. In most organizations, that’s information. Thus, data loss is the asset that needs the most protection. Businesses still must strike a balance between the data-loss risk they can tolerate and the cost of a no-data-loss system. This is commonly referred to as scaled protection and involves consideration of two key metrics. Recovery time objectives (RTO) spell out how quickly the organization can recover critical systems and be back in business. Recovery point objectives (RPO) identify what and how much data actually needs to be recovered. Exploring and determining RTO and RPO is the only way to guarantee the organization can operate after a major business disruption.
While organizations can benefit from working with business continuity experts and advisors in developing the plan, completely outsourcing the project to a third party with little or no involvement from the organization’s key stakeholders isn’t fruitful. A qualified advisor can facilitate the process and share his or her expert insight, but no one knows the day-to-day operations of the company better than its top management and stakeholders. “If the leaders of a company actively participate in the development of the plan, then that plan will be much more sustainable,” Hejazi says.