Business Continuity planning is an interesting juxtaposition: It is one of the few things you spend lots of time on with the hope that you’ll never actually need to use it. It will be both hypothetical and very, very real. It often measures a business function’s worth by measuring the potential for loss.
In keeping with this duality, I’ve created a few Do’s and Don’ts that should help you and your institution create a complete and effective business continuity plan. To start, let’s go through a list of things that you want to make sure you aren’t doing:
DON’T: Assume your “Big Book” is going to cut it
You’ve all probably seen it: the dreaded business continuity binder. It’s got 300 pages, and it sits on a shelf all day, gathering dust. Much of the information is out of date or duplicated, but it hasn’t been edited in ages, and it only gets picked up when an auditor comes by.
There was a time when that may have been enough, but those days are over. More and more, regulators want to see a dynamic plan: thoughtful, efficient, and understood by the team. FFIEC guidelines now require annual signoff on your BCP by the board of directors to be sure there’s accountability, awareness, and understanding throughout the organization. Your business continuity plan needs to be treated like a child; change it when it needs changing, and never leave it alone for very long.
DON’T: Leave Business Continuity Planning solely to the IT department
10-15 years ago, the focus was more on disaster recovery, and IT departments took care of system recovery planning. This led to IT departments with amazing IT recovery plans, but no sound model for getting the larger business back up and running.
The business objectives, not the technology, need to guide how the business continuity plan takes shape. This is why BC plans start with a Business Impact Analysis (BIA). The BIA is meant to determine the critical business functions, the impact to your business if those functions are interrupted, the resources needed to support those functions, and the necessary timeframe for recovery. With this information, it immediately becomes evident which business objectives the BCP should be protecting, and what parameters the institution can work within before it incurs significant losses. At this point, the business can turn to the IT department (who may still be responsible for implementation of the BCP) and say “here’s what we require”. The situation is now open to collective dialogue about how those requirements are met.
DON’T: Confine your plans to regional disasters
There have been some pretty devastating natural disasters in recent years: hurricanes Sandy and Katrina, New England’s OmniBlizzard this winter, and just as recently as last week, major flooding in Texas and Oklahoma. It’s easy to imagine business continuity and disaster recovery plans creating contingencies for the Next Big Thing of natural disasters. However, data tells a different story. In a 2013 study, the top 4 causes of downtime were as follows:
- 55% - Hardware failure
- 22% - Human error
- 18% - Software failure
- 4% - Natural disaster
Let’s also not ignore the continual increase in DDoS attacks and other cybersecurity issues that can cause downtime. People often forget that, statistically, the causes of business disruptions are location specific, not regional events. Regulators are expecting to see that your organization has been planning for many different types of disasters, some natural and some otherwise.
For each of these potential disasters, plan for the worst-case scenario. What does this look like? Likely, it will be a situation that severely impacts your ability to service your customers, while your customers expect you to be running normally. These outages are less likely to be regional. If everyone is being impacted by an outage, your customers will probably be pretty understanding while you’re trying to recover. If you’re the only organization down, they might not be as sympathetic, and losses to your reputation (as well as your revenue) could be significant.
Business continuity planning is no easy task, and there are many mistakes that could be made in your effort to protect your institution from crippling downtime. Now that you know some things NOT to do, check back next week to hear some DO’s that can help take your business continuity plan to the next level!