Four steps to business continuity
The most effective business continuity plans are the simple ones, but organizations must practice them regularly.
In football, it comes down to basic blocking and tackling. Performing the fundamentals well always pays off. Too often, business continuity plans fail because they are too elaborate and have excessive dependencies or organizations underestimate the need to practice them. An effective business continuity program consists of four dimensions: analysis, planning, policy, and testing.
Analysis will enable you to understand what is important to your business. Developing reasonable requirements that are grounded in the reality of your operation is the keystone to all business continuity initiatives. Practical plans rest on knowing what level of degraded performance your business can tolerate and what data, processes, and staff must be available in an incident.
Specific actions include:
Analyze your operations and assign your performance metrics (normal, degraded, minimally acceptable or unacceptable operations); Analyze and characterize your data and processes so your organization knows what types of service degradation/ outage it can live with and which services are mission-critical. Where appropriate, assign timeframes to different outage types;
Once you are confident you have identified your practical requirements, start planning. First, keep the plan simple. it will be far more likely to work when you need it. It is better to be confident that critical systems and operations will be available than to risk a failure of some grandiose plan. Most organizations are sufficiently robust that they can withstand temporary outages and in many cases, can fall back to more manual procedures.
Second, state the obvious. Success in business continuity critically depends on having the details at your fingertips. You should not assume that everyone knows what to do in any set of circumstances.
Third, write things down. Time passes, people forget, and staff gradually turns over. Too often, in a crunch, people remember that they had a plan for a particular situation, but don't recall the details. Or dependencies were built on individuals or entities that have long since moved on.
The simple solution is to write things down.
Above all, develop a one-page action plan that is immediately available to all operations staff, and a crisis communications plan to ensure information reaches those critical to executing the business continuity plan.
Finally, maintain accurate call-down lists and contact information for primary staff.
When it comes to policy, many organizations successfully develop a business continuity plan, but fail to keep it current. It is useful to reinforce that necessary action with formal policy.
Review your plans at least once a year, or more often if business priorities change.
Finally comes testing. Will the plan work when you need it? To develop confidence in your plan, you need to test it and practice it regularly.
Think broadly. Think about the root-causes of problems, rather than symptoms. Don't just react to outages, consider what might trigger them. In many cases, that means testing externally accessible systems and applications before proactively hardening them.
What could be easier? A simple written plan based on what is genuinely important to your business, containing the details that everyone "already knows". Review it, update it, and practice it regularly. It's just blocking and tackling.
Jonathan Gossels is president of SystemExperts Corporation