The following terms are undoubtedly familiar to you: Disaster Recovery, Disaster Preparedness, Business Continuity Plan, Operations Resumption Plan.
But how do they relate to you or your clients? Moreover, how does information technology fit into these concepts?
In the big picture, the above terms all emphasize the survival strategies in a business’ Risk Management process. In a more perfect world, every company would prioritize the strategic and tactical processes required to resume, sustain and manage their operations through an unplanned disaster or a damaging business interruption.
Many constituents have a legitimate interest in this Risk Management process, from employees and management to owners and investors, and outside parties such as auditors and bankers. As such, why don’t most businesses, particularly those that are not SEC registrants, prioritize this matter?
First, it is a great deal of work to become proactive and to determine the activities required before any disaster, as well as to be able to plan the processes to resume after a disaster. Business Continuity Planning (or a Business Continuity Plan), which is also referred to as “BCP,” is indeed challenging … and is far more involved than just drafting an insincerely prepared plan and filing it in a drawer. Second, most businesses don’t have the internal management experience to address this process. And third, among other reasons, many business owners and managers believe that their business is already prepared for disasters based on naïve assumptions such as “we have good backup tapes” or “we know everyone’s cell phone numbers.” And then you have the other thought process (which is often unspoken) that summarizes many businesses’ approach to this risk: “It won’t happen to us.”
BCP involves company-wide participation, coordination with internal and outside constituents, ongoing updates, management and testing. Among the most critical components of the BCP process, however, and among the more straightforward to address, is the ability to have information and computer systems survive a disaster and continue to support the business.
Information technology is a key driver in BCP. Without considering the IT factors, a disaster can dramatically impact a business’ continuity in the form of lost data, lost practices and automated processes, lost revenues and lost operations. Read on for an example of what can happen.
Imagine This Horror
Your client, ACME, runs a business with five offices spread around the country. A snapshot of its IT environment is important for our example. From its headquarters, ACME manages its operations, accounting, IT network and all software services for its five offices. ACME also hosts its own website, eCommerce and all data servers at its headquarters. Forty percent of ACME’s business originates from customer transactions using ACME’s website. Finally, as a good business practice, ACME does not allow its system users to back up or store documents and other sensitive data on their own computers. Rather, their information is centralized in ACME’s servers at headquarters to ensure (we’ll see) comprehensive backup.
ACME’s headquarters was hit by a relatively harsh storm. The lower floor, which houses the server room, flooded to a good degree due to a leak caused by ineffective weather preparations. The flood caused irreparable systems and hardware failures. Work came to a halt … in all locations. The client website was completely “down,” precluding many customers from conducting business with ACME. The most recent backup tapes were over two weeks old and were actually stored in the server room. Sadly, they were ineffective because they were soaked and damaged by surrounding debris. A search continued unsuccessfully for other reasonably current backup tapes.