Creating a Business Continuity and Disaster Recovery program can be an intimidating and overwhelming process. Since Department of Labor statistics indicate that 40% of businesses don’t survive 24 months after dealing with a disaster, this is an important process. This paper will outline the activities involved in creating a comprehensive Business Continuity and Disaster Recovery program for your firm. Traditionally, the term "Disaster Recovery" refers to the recovery of information technology systems, and "Business Continuity" deals with "keeping the business running" when a disruptive event occurs, apart from IT.
Risk Evaluation & Business Impact Analysis
Before embarking on a disaster recovery plan, it is important to conduct a risk assessment and business impact analysis. A Risk Assessment is the process of determining which threats pose the most disruptive and likely dangers to your firm. This doesn't need to be a complicated exercise and should be based on your most likely risks. For example, if your firm's office is near a river that floods every few years or your area has unreliable power distribution, both of these threats should be considered in your assessment.
When you're performing a Risk Assessment, a Risk Analysis should be included as well. If you identify "citywide flooding" as a threat, then your firm needs to analyze that risk and decide whether it is going to:
- transfer the risk (insurance),
- accept the risk, or
- mitigate the risk (move to an office building on higher ground).
Some firms simplify the Risk Assessment process by planning for complete and permanent unavailability of their primary work space. If you're planning for permanently losing your work space, then you're going to be covered for something less severe, such as a fire that closes your office building for a month.
To identify potential risks, research prior disasters (outages) in your geographic area, your internal organization/building, and any organizations you depend on for critical services. Some good resources include your local utility company, energy and power outage trackers (http://info4disasters.org/energy-power-outages/), the Federal Emergency Management Agency (FEMA) website, and business continuity publications (Disaster Recovery Journal). There may already be trained risk managers in your firm. In many firms, the General Counsel is considered the firm's "risk manager", and could probably provide guidance on this process.
A Business Impact Analysis will identify all of your firm's business processes and determine the operational and financial impact of a disruption to each. This analysis involves digging deep into every department and practice group to condense "what they do" into "Business Processes." This should be department specific and not just a broad outline of tasks such as “attorneys enter time, accounting bills client, etc.” You will need to identify business functions, processes involved, applications, and dependencies. Start by developing a questionnaire that will help functional area work groups think through their business processes and articulate what is done, how it is done, and the dependencies required to complete the processes. In most cases, it is best to conduct group interviews with multiple representatives from the same work group, which should result in a more complete work flow and process list.
Once business processes are identified, assign a Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO is a number that represents how long your firm can live without this process without suffering unacceptable consequences (e.g., damage to reputation, loss of revenue, etc.). For instance, if your firm determines that the firm begins to operate at a loss after 8 hours of not processing accounts receivable, then your RTO would not be 8 hours. It would be 7 hours and 59 minutes. Therefore, everything put into place to preserve the business must be designed to have resources both back online and functional within 8 hours. Important! Restoring backups alone, without restoring the core services, is not sufficient to meet the RTO! The RTO means that EVERYTHING needed to restore the service is fully functional within the time calculated.
The RPO (Recovery Point Objective) is a number that represents how much data can be lost without suffering unacceptable consequences. This number will be used to determine the backup strategy for a business process or application. The result will look something like this:
New Client Intake
Client Communications (e-mail)
While you're performing the BIA, be sure to identify all the dependencies of each business process. For example, if you determine that the New Client Intake business process is critical, you will need to identify all the hardware and software required, the subject matter experts, etc. As a rule of thumb when planning resources needed during a crisis, nearly 1/3 of your planned resources will NOT be available when you need them. Therefore, accurate documentation, testing, cross-training of backup personnel, and communications are going to be important in overcoming a potential loss of resources. Can your IT Department restore services if 1/3 of the staff is unavailable? More importantly, which 1/3 of the staff would cause the greatest struggle in restoring services if they were not able to assist in recovery efforts? It’s not how many people respond to an emergency, but whom. (Who needs 100 police officers to show up to a house fire when there is only one firefighter on scene?)
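The RTO, RPO and dependency checks described above can be run mechanically over a BIA register. The following is an added example, not part of the original paper: the `Item` model, the finding names and all hour values are constructed for illustration, and the dependency graph is assumed to contain no cycles.

```python
from dataclasses import dataclass

@dataclass
class Item:
    """A business process or something it depends on (constructed model)."""
    name: str
    restore_hours: float                 # time to make this item itself functional
    depends_on: tuple = ()
    rto_hours: float = None              # set on business processes only
    rpo_hours: float = None              # set on business processes only
    backup_interval_hours: float = None  # set on data-bearing dependencies
    experts: frozenset = frozenset()     # staff able to recover this item

def closure(name, items, seen=None):
    """All direct and indirect dependencies of `name`."""
    seen = set() if seen is None else seen
    for dep in items[name].depends_on:
        if dep not in seen:
            seen.add(dep)
            closure(dep, items, seen)
    return seen

def recovery_hours(name, items):
    """Hours until `name` works: slowest dependency chain plus its own restore."""
    deps = (recovery_hours(d, items) for d in items[name].depends_on)
    return max(deps, default=0) + items[name].restore_hours

def review(items, unavailable=frozenset()):
    """Return (finding, process, item) tuples for gaps in the recovery plan."""
    findings = []
    for proc in [i for i in items.values() if i.rto_hours is not None]:
        if recovery_hours(proc.name, items) > proc.rto_hours:
            findings.append(("RTO_MISSED", proc.name, proc.name))
        for dep in sorted(closure(proc.name, items)):
            d = items[dep]
            interval = d.backup_interval_hours
            if None not in (proc.rpo_hours, interval) and interval > proc.rpo_hours:
                findings.append(("RPO_MISSED", proc.name, dep))
            if d.experts and d.experts <= unavailable:
                findings.append(("NO_EXPERT_AVAILABLE", proc.name, dep))
    return findings

# Constructed sample values; only the process name comes from the article.
ITEMS = {i.name: i for i in [
    Item("New Client Intake", 0.5, ("intake application",), rto_hours=8, rpo_hours=4),
    Item("intake application", 2, ("database server", "internet circuit"),
         experts=frozenset({"app_admin_1", "app_admin_2"})),
    Item("database server", 6, backup_interval_hours=24, experts=frozenset({"dba_1"})),
    Item("internet circuit", 3),
]}
```

Calling `review(ITEMS, unavailable=frozenset({"dba_1"}))` reports that the process needs 8.5 hours against an 8-hour RTO, that a 24-hour backup interval cannot meet a 4-hour RPO, and that the database server has no available expert once that one person is out.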
Developing A Business Continuity Strategy
Develop a strategy that recovers your critical business processes from an interruption during the most likely threats. Your BIA will help define your continuity strategy, particularly as it relates to what needs to be recovered and how quickly. For example, if a flooded office is a likely threat, your recovery strategy may include having an alternate data center (so your servers will continue running if your office is flooded), and an alternate work space (so your people can have a place to work if the office is flooded). This approach avoids a disaster, which should be less disruptive than recovering from one. It’s always a sound idea to plan for what is impacted rather than why. You can waste time chasing down “what if” scenarios regarding the cause of the disaster. If you plan for the loss of the resource, independent of the cause, your recovery plans can be much more resilient and strong.
Identify recovery alternatives and determine what you will implement as part of your plan. Be sure to develop cost ranges for each option, an implementation timeline, and a cost-benefit analysis.
- Work Area Recovery
- Work area for staff (partial or total work area loss)
- Work area for Crisis Management Team (establishing a Command Center, onsite or remote, is crucial for proper execution of the BCP)
- Work from home.
- IT systems Recovery
- Critical Systems and infrastructure. What do you really need to keep your firm running?
- Alternate recovery facilities.
- Production Systems Recovery
- Critical equipment and resources.
- Critical services (data and internet circuits).
- Data and Records Recovery
- Critical Data & Records
- Offsite data/record storage facilities
- Pre-established (Hot Site or Warm Site) - Do you have resources, in place, ready to go at this moment?
- Pre-arranged (Cold Site) - Do you have resources readily available to be brought online to meet RTO, when needed?
- Acquire-as-needed - Do you have business agreements with resources and vendors ready to respond and be in place when needed?
Cost Capability Review
Go through an exercise to review the cost, quality, security, and resources associated with each alternative.
- Cost to implement an option. Is the cost to implement a DR resource going to be more than the revenue it’s set to protect? Or conversely, how much money would your firm be willing to properly budget if it knew its revenue was on the line? If the cost of recovery is less than the potential cost of lost business (billed hours, etc.), it will help support the initiative. Use the firm’s hourly or daily revenue to determine how many hours or days of revenue pay for the cost of implementing a disaster recovery strategy.
- Quality associated with option. Backing up to USB hard drives may be easy on the budget, but not an enterprise solution for meeting the RTO & RPO.
- Satisfies Safety & Security requirements (physical and virtual). The challenge is that during a crisis, all previous levels of security MUST be maintained and never suspended. You must plan for and accommodate that in your Business Continuity Plan. In fact, many successful hacking attacks succeeded after a crisis created a diversion.
- How much control and access your organization has to resources. Note - Once you call 911, your organization surrenders all control. If a Fire Marshal closes your building, no matter how safe you think it may be, you have lost the ability to resume normal operations under your timetable and cannot until the local authorities give the go-ahead.
Training, Communication and Documentation
Once you have developed a business continuity or disaster recovery plan, it is important to train, communicate and document all aspects of the plan.
- Communicate the business continuity plan to everyone in the firm.
- Where to work.
- What will and will not be available.
- Train employees on how they will work during a business continuity event.
- Develop plans for how you will communicate to internal employees, external parties (clients, co-counsel), EMS/Law Enforcement, etc. during a disaster.
- Office Maps/Floor Plans
- IT Network
- Technology Data Maps
- Password vaults and locations
- Recovery process
Be sure that all documentation and plans will be readily available and accessible in the event of a total loss of your technology systems and work space.
Maintaining and Exercising Business Continuity Plans
Test the plan. Tabletop exercises and other drills are important to keep the Business Continuity Plan current and viable. Take the results from the tests and analyze them to determine what worked, what didn’t, and what could be improved. Imagine going to a recovery space with computers, monitors, and printers and not having enough power outlets to accommodate the equipment. A ten dollar power strip, extension cord, or other easily accountable items, could be the difference between executing a successful BCP and failing. It’s better to find these things out in a test environment than in real life when it matters.
Be sure to continually update your plan to account for technology, process and people changes. When any one of these three components changes, go back to the plan each time to determine how the change impacts the plan.
There are many resources online that can provide additional information on Business Continuity and Disaster Recovery such as the Disaster Recovery Journal (www.drj.com) and http://us.redit.com/wp-content/uploads/2013/01/Business_Continuity_and_Disaster_Recovery.pdf.
Mark Brophy, IT Director, Hunoval Law Firm, Certified Business Resilience Manager & IT Professional
Clint Gandy, IT Project Manager, Moore & Van Allen, PLLC, Certified Business Continuity Professional
Eileen Kelly, IT Director, Morrison Mahoney, LLP