
Q&A: Why companies are weak on business continuity planning

By Tim Sandle     May 9, 2019 in Business
Most business continuity plans have the same procedures in place regardless of the kind of disaster a company experiences. This means neglecting things like a rise in measles cases as a consequence of the growth of the anti-vaccination movement.
Business continuity awareness week runs from May 13, 2019. This presents a timely reminder about the disasters companies tend to underestimate and under-prepare for, like a pandemic (notably, measles cases rose 300 percent through the first three months of 2019, mostly as a result of the anti-vaccination movement).
Over the past decade, most business continuity plans appear to have had the same procedures in place regardless of the kind of disaster a company experiences (storms, floods, outages, breaches, and so on). They ignore things like the rise in the number of people electing not to have their children vaccinated (in opposition to the overwhelming scientific consensus in favor of vaccination), other pandemic risks (such as influenza), and the threats posed by technology (which presents a cybersecurity risk).
Dan Johnson, director of global business continuity and disaster recovery at Ensono, discusses with Digital Journal the types of disasters companies typically leave out of their business continuity plans, as well as how they can adjust those plans to survive and recover from all unforeseen crises.
Digital Journal: What types of disaster planning do businesses conventionally prepare for?
Dan Johnson: Companies typically create Business Continuity Plans (BCPs) for recovery of a specific business unit. Rather than scenario-based plans, they’re designed to recover from any type of business interruption or disaster, like a fire or flood, bad weather, power outages, cyber attacks and active shooters. BCPs should address both short-term and long-term outage events to ensure that no matter what the disaster, the business will remain resilient.
DJ: Do all businesses have disaster recovery plans? If not, why is this?
Johnson: Some businesses view disaster recovery plans as an extra insurance they don’t want to purchase. They figure if it hasn’t happened before, then they don’t have to worry about it in the future. But with that line of thinking, we shouldn’t buy car, home or health insurance either. If you’ve never been in an accident, your house hasn’t burned down, and you’ve never gotten sick, why should you have insurance?
All businesses should have some type of plan to manage a disaster. You don’t need to spend thousands of dollars to document your most critical processes and know how to keep them operating in the case of a business interruption. Having a single point of failure with no resiliency and no plan is a recipe for disaster.
DJ: For businesses that don’t have plans, what types of procedures should they have?
Johnson: Businesses should first focus on their most critical processes or functions with the lowest Recovery Time Objective (RTO), which is the duration of time within which a business process must be restored after a disaster to avoid unacceptable consequences. In other words, how long can you afford to be inoperable before there are consequences?
The Recovery Point Objective (RPO) must also be considered. This is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the maximum allowable tolerance. In other words, measured in time, how much data can you afford to lose?
The procedures should first focus on recovery of your most critical processes with the lowest RTO and RPO, dependencies to those processes, and the resources needed to support them.
DJ: What makes for a good business continuity plan?
Johnson: Every strong BCP starts with a Business Impact Analysis (BIA) for the most critical parts of the business to determine how a disaster would affect the people, processes and technology within the organization. Once this is complete, businesses can focus on creating Business Continuity Plans (BCPs) for those same critical areas. They should document response and recovery tactics, communication directives, management oversight, actions, roles/responsibilities, processes and procedures.
Next, businesses should develop Technical Recovery Plans (TRPs) for their IT assets, identifying strategies to recover critical systems, applications and data. Following TRPs, a Crisis Management Plan (CMP) should be made, outlining the steps the company should follow to respond to a disaster.
Finally, a regular testing program should be put in place to ensure all the plans developed will be successful, like a Tabletop or Walkthrough exercise.
DJ: How well equipped are businesses for cyber attacks?
Johnson: It depends on the business, but unless there are detailed and tested cybersecurity plans in your BCM program, you will not be adequately prepared for a cyber attack. These plans should include the initial steps you would take to ensure you are responding quickly and effectively. Appropriate communication is critical in all disaster planning, but for a cyber attack this is extremely important to maintain customer relations and comply with regulations.
DJ: How about things like pandemics, are businesses prepared for these?
Johnson: Pandemic Planning was popular several years ago when we experienced threats of Swine flu and the H1N1 virus, but it hasn’t been discussed recently. However, with the new measles outbreak, some businesses may be dusting off their unused Pandemic Plans to prepare for this potential disaster. In all cases, planning for how your company can manage a reduced workforce should be documented in your overall plan.
DJ: What other types of disasters should businesses be preparing for?
Johnson: Businesses should ensure their BCPs are written for recovery, not specific disasters. However, in order to prepare for specific disasters, they should first review the weather probabilities in their area. There are wildfires in the West and Southwest, tornadoes in the South and Midwest, and hurricanes on the East Coast. Having a recovery strategy that includes relocating to an area not impacted by the same disaster is strongly advised.
Active shooter incidents occur almost daily, so employees should be trained to react to such an occurrence. Even if the office has power and is seemingly unaffected by the event, employees might not be allowed back in the facility for days or even weeks. Businesses need to provide workers with the tools needed to work offsite to keep the business running. They should also ensure employees receive appropriate counseling if such an event occurs.
DJ: Should businesses be seeking external support? If so, who should they be turning to?
Johnson: If you have a small budget for Business Continuity and Disaster Recovery (BCDR), there are contractors that focus on this field and can assist you with developing plans for your Business Continuity Management Program.