A good business continuity plan has to do more than outline how your client's data is backed up and restored. The plan must detail a specific set of procedures to follow in the case of an emergency, and different kinds of disasters require different precautions. Now that you know how to assess your client's risk when you create a business continuity plan, we can take a closer look at how to put that plan together.
Your first step should be to establish which disasters to plan for. As part of your risk assessment phase, you should have put together a group of some of the top managers at your client's organization to determine how quickly each department needs its systems up and running after an interruption. Now you'll be working with that group to prioritize your disaster recovery (DR) plan.
One approach is to come prepared with a list of possible scenarios and have each manager rank them by importance, said Jeffrey G. Williams, founder and CEO of Binomial International Inc., a business continuity planning consultancy in Ogdensburg, N.Y. Once you compile those surveys into a master list, you can focus on the top few items; after the first five or 10 items, the probability of a given disaster happening is probably low enough that it doesn't warrant a specific course of action, Williams said.
Many concerns are common to all companies, such as electric outages, bad weather and fire, Williams said. But you should also take the company's immediate location into consideration when you develop the business continuity plan, said Michael Grunder, vice president at Vantage Technology Consulting Group in Boston.
For instance, if your client's building is on the same block as a hospital or police department, those facilities will get priority over your client in the case of an outage or emergency. To make sure it's still covered, your client may need to take extra precautions, such as buying UPS devices and electric generators, or upgrading its service contract with providers. And of course, you should take the area's usual disasters into account; if the building is in an area that gets lots of earthquakes, for example, find out how earthquake-proof your client's building is.
Another common concern is internal sabotage from disgruntled employees, Williams said. A quarter of all known interruptions are traced to internal sabotage, he said, and he speculated that the actual number may be higher, since sabotage -- unlike fires or earthquakes -- might be hidden from the public to save face.
There's no easy fix for sabotage, Williams said: It comes down to knowing your employees and keeping them happy. But you can mitigate the risk by physically securing your servers and backup systems, and a good business continuity plan can at least help your client recover its data if an employee does carry out an attack.
Because there are so many possible scenarios, the planning process is at least as important as the plan itself, Grunder said.
The goal should be to get everyone in the company thinking about what to do in a disaster, he said. Managers and other employees should know what the operating procedures are and who they should contact in an emergency.
Williams says he considers a project a success if he's able to go to any employee at the company and have them answer two questions: Does the company have a business continuity plan, and what is that employee's role in the plan? A half-hour training session every six months is usually enough to achieve that, he said, and a half-day every six months should be the most you need.
Of course, the cornerstone of a good business continuity plan is still the backup and quick recovery of your client's data. In our final installment of this Hot Spot Tutorial, we'll review some of the common techniques for data backup, including Web-based services, virtualized storage and standard tape drives.