By Jessy Smulski & Florin R. Ferrs
The Coronavirus outbreak once again reminds IT Managers and business owners that the best time to plan for pandemics and natural disasters is before they happen.
But how prepared are you?
As COVID-19 races around the world and major cities in the USA start declaring states of emergency to tackle the outbreak, the time has come to dust off and update your business disaster recovery plan.
The sad reality is that 68% of small businesses and 30% of all businesses do not have a disaster recovery plan and 90% of them will not survive a catastrophic incident without one.
The average cost of downtime is anywhere from $926 to $17,244 per minute! Multiply that by an hour, a day, or even several days…would your business live to see another quarter if forced to shut down by a pandemic?
Let's begin by reviewing the basic framework for a disaster recovery plan that you can start using right away. No business is invincible against a significant pandemic or large natural disaster, but with the right preparations, businesses can endure the unthinkable.
What is a Disaster Recovery Plan?
A Disaster Recovery Plan (also known as a Business Continuity Plan) is a system of procedures that you and your employees will follow to restore business functions in the event of an unplanned catastrophe, like a pandemic or a natural disaster.
Prevent Before You Plan
Before you start your Disaster Recovery planning, you need to conduct a risk assessment. A risk assessment will do several things to prepare you for disaster recovery planning and implementation, including:
● Inventory all the systems, networks, workflows, and security measures that comprise your business infrastructure.
● Identify vulnerabilities and recommend updates.
● Determine whether any tools are missing from your business continuity survival kit, such as redundancy and backup solutions or cybersecurity measures.
● Reveal ways to simplify your internal processes to make them easier to manage (and fix), such as having an integrated helpdesk solution that centralizes business tools and platforms. This solution will be particularly handy after vital systems are restored and when remaining issues need to be systematically resolved as fast as possible.
● Distinguish and prioritize mission-critical systems and security measures from supplemental ones. Understanding the priority levels of your systems, networks, and business functions will be the difference between life and death for your business in the face of a disaster.
Checklist: Disaster Recovery Plan Framework
No matter what type of disaster your business encounters, communication is the first thing you need to establish. Recovering from a disaster isn’t a one-person job. As your communication plan unfolds, make employee safety the first priority and business continuity the second.
● Establish a calling tree using every employee’s emergency contact information. Determine who your most valuable employees are (based on their role in business functions).
● Have a backup communication channel, such as an extranet or Emergency Notification System that employees can access if the main communication channels are down.
● Define when to initiate your disaster recovery plan. Be specific.
● Determine and assign who will be in charge of what, including data security, third-party vendor outreach, customer service, and PR.
● Create a list of the most likely disasters you could encounter. This list will serve as the basis for the rest of your DR plan.
For example, in the case of a pandemic, or just as a preventative measure, you can set up a plan for your staff to work from home for a significant amount of time.
Possible scenarios include: viral pandemics, hurricanes, tornadoes, floods, power outages, data center shutdowns, building damages, fires, cyber attacks, internal attacks, human error, failing equipment, etc.
II. DISASTER SCENARIO SOPS
For EVERY possible scenario, create a step-by-step standard operating procedure (SOP). When you and your employees are in panic mode, it will be incredibly difficult to focus on and process information. So, make each procedure concise and simple enough for a sixth grader to read. If it looks like an Ikea furniture instruction manual, you’ve gone too far.
● Assign a leader to each scenario (scenarios may have different leaders depending on the business functions involved).
● Create a master list of all vendor contact information and link them with the business systems, networks, and equipment they manage.
● Recruit a core disaster scenario team. This will include your most valuable employees (those most relevant to affected systems and networks), third-party vendors, customer outreach representatives, etc. In the case of quarantine due to a pandemic, have a plan for your team to work remotely in order to minimize the risk of contagion.
● Create a chain of command for your disaster scenario leadership and core team to follow. This chain of command will prevent miscommunications.
● Make sure every single employee involved in the disaster scenario understands their role in the recovery.
● Identify what systems and networks may be impacted by the disaster. Prioritize this list based on those most important to business uptime.
● Define what business functions may be disabled during the event. Again, prioritize which business functions must recover first.
● Set Recovery Time Objectives (RTO). RTOs are the target timeframes within which each system should be recovered.
● Organize all of this information in clear, simple, step-by-step directions.
III. BUSINESS IMPACT
Estimating the business impact of a disaster is just as important as assessing the affected networks, systems, and equipment. You cannot contain the damages of a catastrophic event if you do not understand what they are. To estimate the business impact, you will need to understand the inner workings of your business like a mechanic knows the inner workings of a car.
● Pinpoint what business functions may be affected.
● Determine what/how many employees may be affected based on the business functions involved.
● Identify how many customers may be affected.
● Make a list of the potential direct and indirect costs associated with downtime. This will include the direct cost of repairing equipment as well as the indirect cost of lost productivity, missed sales opportunities, and a potentially damaged reputation.
● Know how to estimate the cost of downtime (see formulas).
Formula: Productivity Cost = E x % x C x H
E = number of employees affected
% = percentage they are affected
C = average cost of employees per hour
H = number of downtime hours
Formula: Revenue Loss = (GR/TH) x I x H
GR = gross annual revenue
TH = total annual business hours
I = percentage impact
H = hours of downtime
As you work through your disaster recovery planning, many of the action items will take place at the same time. There will be several parts and pieces at play, stress and nerves interfering with problem-solving skills and teamwork, and split-second decisions hanging in the balance. For this reason, your execution must be extremely well orchestrated. Having integrated systems will help reduce the chaos. However, one of the biggest mistakes a company can make is failing to TEST and PRACTICE its disaster recovery plan regularly with employees and leadership teams. You do not want your first acquaintance with these processes to be amid the havoc of a real-life event. Lastly, share your disaster recovery plan with all employees. Confirm that every member of your workforce (especially your core disaster scenario teams) understands their role in the recovery process, and make the plan easy to access.
Hint: you do not want the only version of this plan to exist in digital format. If systems crash or you lose power, your business is essentially skydiving without a parachute. Create copies of this plan in both digital and hard-copy formats, and store them locally and in the cloud.