Business Continuity & Disaster Recovery Plans: Why It’s Critical to Update

Your organization is always vulnerable to any number of natural and man-made disasters. Just in the last few months business continuity has been threatened by power outages, winter storms, political upheaval, and a global pandemic. Continuity is constantly threatened by hurricanes, tornadoes, ice storms, earthquakes, fires, flooding, and software and hardware failures. We can’t forget the continually increasing and escalating instances of cyberattacks, along with all the risks that accompany them. 

Regardless of whether your business is a large corporation or a small-medium business (SMB), the effects of any one of these events could be devastating. While there is no sure way to avoid certain risks, there are things you can do to protect your business from any potential fallout that may follow. 

Developing a tight business continuity plan (BCP) provides your disaster recovery team with a solid set of tools to perform your due diligence to give your business the best chance to reopen and recover quickly, and with as little damage to your operations and brand reputation as possible. 

“51% of organizations around the world did not have a business continuity plan in place when the coronavirus outbreak began,” according to a Business Response to the COVID-19 Outbreak Survey conducted by Mercer. 

What Is a Business Continuity Plan? 

The purpose of a business continuity plan is to ensure that your standard business processes can continue during—as much as that is possible—and immediately after an emergency or disaster. Your BCP gives you insights into potential threats that may directly affect your business. Plus, it outlines prepared strategies to ensure continued operations should any potential threat become a reality. 

A standard business continuity plan involves the following: 

• Research and analysis of possible threats to your organization. 
• A detailed list of primary tasks intended to keep organizational operations flowing smoothly. 
• Updated management contact information. 
• Instructions for personnel safety, such as where employees should go, in case of an outbreak of infectious disease or a disastrous event. 
• Information regarding on-site data backups or cloud backups. 
• Instructions for collaboration among all departments and team members within the organization. 
• Assigned responsibility for each role to ensure the widest possible coverage in any disastrous event. 

How a Business Continuity Plan Supports Disaster Recovery 

Businesses – large and small – that don’t prepare for disasters pay a high price in terms of significant and costly downtime. The potential impact reaches to: 

• IT equipment, 
• Recovery, 
• Productivity, 
• Lost revenue, 
• Technical costs, 
• Business disruption, 
• Damage to reputation and business relationships. 

With a proactive BCP ready and at your fingertips, you can avoid costly downtime that renders your team unproductive, your customers frustrated, and your brand tarnished. 

Related article: Are Current Supply Chain Disruptions Causing Further Vulnerabilities?

Developing a Business Continuity Plan: Where to Start 

Not sure how to approach the task of building a business continuity plan? Here are three simple steps to get started. 

1. Identify Your Organization’s Potential Risks – Perform your due diligence to learn about common external risks in your business’s location and industry.  
2. Assess Operations and Level of Preparedness – Look at how well your company is prepared to handle a disaster right now then start building your disaster recovery plan and your business continuity plan. This is the perfect time to look for and assess internal vulnerabilities. 
3. Reach Out to a Team of Experts in Business Continuity Planning – Sometimes finding and engaging a trusted expert in business continuity planning is the best step toward shoring up your disaster recovery strategy. This path is particularly helpful if you face several potential risks, you don’t have the time and resources to fully devote to such a crucial aspect of your business, or you are reeling from a past disaster or breach. 
4. Build a Strategy for Recovery – Identify and document the necessary steps to recover critical business functions and processes. 

Aspects of the Business that Are Addressed in a Continuity Plan 

• Strategy: Anything related to the strategies used by your organization to carry out activities and complete operations. 
• Organization: Factors connected to the management, communications, and roles of your employees. 
• Applications and data: These refer to the software needed to conduct business operations and ensure staff have the tools needed to access data. 
• Processes: Anything linked to critical business processes and IT processes relied on for regular operations. 
• Technology: This includes the infrastructure, network, equipment, and hardware that enable continuous operations and backups for applications and data 
• Facilities: The plan should outline a disaster recovery site in case the primary site is damaged, unsafe, or inaccessible. 

Why Do You Need to Review and Update Your DRP? 

Just like you periodically get a health checkup for your body or a tune-up for your car—no matter how well they are currently functioning—you need to ensure that your organization is running at optimal capacity and is fully ready to take on any disaster that may be on the horizon. 

Your company is not static, and as we’ve seen in the past year, neither is the environment in which we work. The plan you created last year—or more—is already outdated. Without regularly reviewing and updating the disaster recovery plan, you risk overlooking new factors on the horizon that have the potential to devastate the business. 

How Often Should You Review and Test the Disaster Recovery Plan? 

There really is no set standard frequency mandated for reviewing and updating a disaster recovery plan. To keep everything running smoothly, we advise reviewing, testing, and updating your DRP on an annual basis.  

Factors That Affect Your Disaster Recovery Plan 

However, there are intermittent issues that may arise between official updates and reviews. There are a few key factors that can help you determine when you need to go off script and schedule an extra update and review. 

Physical Relocation of the Business. 

This factor may either eliminate certain risks or expose the company to new risks. An example involving natural disasters would be the potential for hurricanes along the Atlantic Coast or tornadoes in the Midwest. 

Changes in Key Staffing Positions. 

Perhaps a member of your DPR team has left the company. It is important to make sure his/her replacement is up to speed as quickly as possible and ready to enact his/her role in the disaster recovery team. It is also important to keep your regular staff up-to-date on standard system maintenance and any potential issues that may arise and how to detect them. 

Significant Changes in the Technological Infrastructure. 

Since all technological considerations are paramount to protecting data, it‘s critical to review that new additions are compliant with your DRP. This includes implementing new hardware and software and shifting to a cloud or hybrid environment. 

New Compliance Requirements. 

External factors include those mandated by regulatory standards and other legal or regional requirements. Stay abreast of your regulatory obligations to make sure you remain compliant. This factor alone may dictate the standard frequency that you choose for your organization’s updates and reviews. 

Related article: Everything You Need for Your Next Disaster Recovery Audit. 

How a Disaster Recovery Plan Should be Reviewed and Tested 

Your update and review of your disaster recovery plan is meant to help make sure you avoid potentially devastating effects of possible disasters over which you have no control. It is essentially a good-faith exercise to ensure the ability to protect and access your data in the event of a disaster. This is to the great benefit of your company, your customers, and other stakeholders. 

Regularly Update Your Disaster Recovery Plan. 

This step serves as an active and ongoing resource that you will rely on in each of your reviews. Your initial disaster recovery plan was current and accurate the day you completed it, but each change that occurs—no matter how small, regarding staffing, hardware or location, etc.—is likely to alter your plan. Note every change as it occurs in a specified log that you will use as a reference in your upcoming review to make sure you don’t miss anything. 

Schedule Test Dates in Advance. 

Testing the disaster recovery plan is helpful for everyone. Your DRP is not a static manual that should lie dormant on a shelf. It is instrumental in ensuring proper staff training and provides peace of mind for your stakeholders since it lays out your commitment to the protection of their data in a potentially catastrophic event that could negatively impact their data. 

Perform Routine Exercises to Test the DRP’s Effectiveness. 

Prepare Q&As and other practical exercises to make sure your disaster recovery plan is fully functional on demand.  

Provide Training for the Disaster Recovery Team. 

Each team member should understand their role in the disaster recovery effort and the responsibilities assigned to them within the plan. Testing exercises also serve as an opportunity for training and practice each task. 

Check All Contact Information. 

Determine all the primary, secondary, and emergency contacts, and make sure their information is current in your plan. Additionally, make sure you have all staff contact information, as well as that of vendors and key government agencies. 

Updating and reviewing the disaster recovery plan will help your organization function during a disastrous event and bounce back quickly after one. 

Related article: The Importance of Disaster Recovery for Healthcare Organizations and HIPAA Compliance.  

Our Team Is Here to Build Your Business Continuity Plan 

I.S. Partners, LLC. professionals can help you tailor a BCP to your organization’s specific needs, factoring in your business location’s risks for natural disasters and your computing system’s potential for cybersecurity breaches. We want to help you avoid disaster, when possible. And just as importantly, we want to help make sure you can get back on your feet quickly in the event of a disastrous event. 

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.