Disaster Recovery

10 things you should cover in your business continuity plan


Business continuity is much more than just a fancy word for "backup" -- although some organizations treat it that way. A comprehensive business continuity plan (BCP) provides a roadmap for continuance and/or restoration of mission-critical functions during and after a disaster, such as a fire, flood, tornado or even a disease epidemic.Your BCP must be thought out, written down, and distributed to key personnel well ahead of any incident that could cause a disruption to your operations. Copies should be stored off-site -- an obvious but often overlooked requirement. Here are 10 things a good BCP includes.

Note: This information is available as a PDF download.

#1: Analysis of potential threats

Your company's response to a disaster will depend on both the nature and the extent of the disaster. Some threats, such as a tornado or flood, may physically destroy your IT infrastructure. Others, such as pandemic disease, affect human resources while leaving buildings and machinery intact. A cyberterrorism attack might bring down your network but not affect the functionality of the hardware or your personnel. A bombing may destroy both human life and network components. A power outage could render your equipment unusable, but do no lasting damage. Thus your plan should cover contingencies for as many threat types as possible.

#2: Areas of responsibility

A key component in any crisis management situation -- which is what you have during and perhaps immediately after the disaster -- is assignment of areas of responsibility and establishment of a chain of command. This is no time to have department heads squabbling about who has decision-making authority. And remember that some types of disasters may result in loss of personnel (or some of your staff may be on vacation or out sick when the event occurs), so be sure to assign alternates in case some of the important players are not available.

Training of key personnel in disaster preparedness, incident management, and recovery should also be addressed.

#3: Emergency contact information

Your plan should include up-to-date contact information on people and entities that may need to be contacted when a disaster occurred. This is no time to be scrambling for phone numbers. Information should be included for both internal personnel (CEO, CIO, legal advisor, etc.) and external personnel and services (police, fire, ambulance, security services, utility companies, building maintenance, etc.).

#4: Recovery teams

It will take teamwork to manage the crisis itself and to put things back together once the immediate crisis is over. The BCP should appoint members of a disaster recovery team (DRT) made up of specialists with training and knowledge to handle various aspects of common disasters (safety specialist, IT specialist, communications specialist, security specialist, personnel specialist, etc.). The DRT members will work with emergency services during the disaster and should have access to equipment they'll need during an emergency (cell phones, flash lights, hard hats, protective clothing, etc.).

A business recovery team is responsible for reestablishment of normal operations after the crisis is over.

#5: Off-site backup of important data

Any good business continuity plan will address restoration of your company's important digital data if it is destroyed. Too many organizations meticulously make backups of everything and then store those backups in the server room. If a tornado, flood, or bomb destroys the building, that (often irreplaceable) data is gone, too.

You should store copies of important data on removable media that's kept at a different physical location or back it up over the Internet to a remote server, or both. Just as important, key personnel should know where it's stored and have the keys, passwords, etc., to be able to restore it to get users back to a productive state as soon as possible.

#6: Backup power arrangements

Many types of physical disasters can result in a loss of electrical power, or a power outage can, itself, be the disaster. For continuity of business, your organization should plan for what to do in case of a long-term outage (more than the hour or less that your uninterruptible power supplies will keep your computers and network equipment running).

If you have backup generators in place, ensure that key personnel know how to switch to generator power and know the fuel requirements for the generators (must they be fueled or do they run off the natural gas line?), among other practical issues. Consider cost factors to determine when and for how long the generators should be run. Providing full electrical power to a building with a generator can cost much more than using the power grid, so the BCP should discuss in what situations it's better to close down operations and send everyone home rather than run on generator power, and it should define who has the authority to make that decision.

#7: Alternative communications strategy

If your company's phones and/or Internet connection are down, how will you keep in touch with customers, employees who are off-site, contact emergency services, etc.? Your BCP should note which employees have cell phones and their numbers, as well as whether and where you have other methods of communicating during a widespread disaster, such as ham radios. If you run your own e-mail servers, do key employees have alternative e-mail addresses that they check regularly (home accounts or accounts with Web-based e-mail services, etc.) and are these addresses known to other key personnel in case they're needed for emergency contact?

#8: Alternative site of operations

The BCP should also spell out a plan for setting up operations at an alternative location if the building is destroyed or rendered unusable by a disaster. Best practice is to have ready access to an empty facility that you can move into; a more practical (less expensive) alternative would be to move your operations to a branch office if you have more than one physical site.

The BCP should also take into consideration the estimated costs of moving, setup, and ongoing operations in the new facility.

#9: Essential equipment/services backup

In some cases, you may be able to recover essential equipment and move it to a new site. In others, it may be destroyed or damaged and have to be replaced or repaired. The BCP should lay out how the equipment or its functions will be replaced (for instance, you may switch to a Web hosting or e-mail hosting service until you're able to replace your servers and get them operational again).

#10: Recovery phase

The BCP should address the step-by-step process of recovering and reinstating the business operations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with insurance companies, monitoring the progress of the recovery process, and transitioning the management of the business operations from the recovery team back to the regular managers.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

7 comments
geoffrey.turk
geoffrey.turk

Hi. In my experience you need to start with working with the business as to what's critical and don't forget to normalise the results. Generally a BIA kicks this off. Also, the testing stage is one of the hardest areas to get right and is often not undertaken, and you only get 'shelfware' documents ;-)

wrlang
wrlang

A great title. 10 things that should be covered... Doesn't lead one to believe that these 10 things make up a complete BCP, unless someone is looking to shortcut the process. I think every 'nn things that......' should begin with the same first thing ??? 1. If you don't know how to do it and you want it done right, find someone who knows how to do it. This is a good article for the novice planner. It gives some idea of the depth and breadth of things that need to be considered. Taking everything in the article into a plan could even get you through most of an audit if your auditors are friendly and you're a fast talker. 10 things that should be covered for lunch: 1. chair 2. table 3. knife 4. fork 5. spoon 6. napkin 7. plate 8. salt 9. pepper 10. catsup Now what have I forgotten? :)

rw
rw

I have found in trying to perform this task, the faster way to business approved results, is to ask each department of the feed into the process. What do I know about what is critical to the business in terms of the inner workings of each section. Once they are clear what is "critical", and this must be made clear, then get suggested time frames for each systems recovery. You then have a list of what's needed and how fast. You can then work with your DR company on meeting those figure. if you can't you can take back to the dept Dr rep a list of "can do" times and negotiate from there.

DRPlanner2
DRPlanner2

The most effective way to determine what functions and resources are critical to an organization is through a Business Impact Assessment. It takes a bit of time and work to collect and analyze the resulting data, but it ensures that you are on track. Be prepared for some suprising results like unofficial processes that a lot of people depend on or things that you thought were unimportant turn out to have real impact when they're not available.

WhocreatestimecreatesGod
WhocreatestimecreatesGod

Ten things to do sounds fine. But the critical thing to do is to test it. When you brainstorm the disaster scenarios, and test it, you'll find how fragile the BCP is. No matter it's 10, 8, or 20 things to do. Besides, most BCPs actually do not cover paper based information in the BC process. Will these kind of BCP work? In my experience, BCPs work, only if they are prepared for each disaster scenario. If you have one BCP catering multiple scenarios, I am in doubt of its effectiveness.