As a consultant, I’ve had the good fortune of working with many great companies. All have high reliance on their technology being available to conduct business. I have felt personal responsibility to ensure that IT outages do not have any adverse effects on their ability to run the business. Sometimes this outage avoidance involves preventative investment in their technology environment. At times, it is challenging to balance expenditure on an IT project that mitigates a perceived risk against the cost of that project. The benefits of investment in a technology solution may not always be obvious or seem pressing. Data Breach Security Forecast report by Experian confirms, “For businesses, the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months” (2015).
It is my job to ensure leaders understand costs versus risks so they can make an informed decision.
Businesses can offset perceived risk with cloud-based software packages. But, that approach doesn't remove all or even most of the risks that can cause disruptions. The goal of this document is to provide steps businesses can take to continue operations when an unexpected event occurs.
UNDERSTAND THE BUSINESS
Before assessing the risks, the first step is to understand the core mission of the business. This step is critical in pinpointing the areas with the most risk. Here are some items to consider:
- What makes us who we are? This is the mission of the business and the goals that drive the everyday actions.
- What do we do to reach our goals? These are the specific processes and tools we use every day.
- Who are the people that use the processes and tools? These are employees, vendors, and contractors who contribute to the success of the business.
IDENTIFY THE RISKS
The risks and likelihood may vary by business and by units within the business. For example, the loss of the phone system would have a higher impact on a sales unit than an accounting unit.
When identifying specific risks, first estimate the likelihood a risk will occur. Second, assign a value to the risk. These two steps provide a measure that can be used as a guide to assigning the resources. Then, the business can begin mitigating and preparing for the risk. Each company may be in a different phase of maturity in this process. I worked for a client in the financial services industry who expressed loss in dollar amounts. Each hour a specific application was not available was equated to dollars lost. The risk assessment enabled us to direct resources to the most critical (expensive) outage. Another reasonable starting point may be ranking the likelihood of risk on a scale one to three.
Time and effort need to be dedicated to protecting critical business data. The news about a major data breach at large organizations comes out often. Even federal employee data was comprised, and customer information at Target was stolen.
The impact of this risk can be dramatic. In one example, a business had multiple failures on fault tolerant server disk systems, one of which was the backup system. One disk system contained critical customer work product. The business paid a large sum of money to recovery that turned out to be about 70 percent of this data. The rest of the data was recovered from employees searching their systems. Besides the loss of the money, this failure created a loss of productivity. Employees allocated their resources to searching for the missing customer deliverables. A simple offsite backup plan would have minimized the loss of resources and time. This customer did not perceive the risk great enough to spend the extra money on offsite backups.
Keep in mind that employee personal information needs to be considered. One of my past employers had the HR lock box stolen. The box contained all employee records. While no major adverse issues resulted, in this case, my perception of my employer changed.
Physical security is the protection from physical circumstances that could result in significant losses. An example of physical security is ensuring employees are safe during snow storms or bomb threats. Another example includes workplace violence. Developing safety tips and conducting safety assessments that mitigate workplace violence are components of physical security.
Employees are key resources. Companies must assess the risks of losing key individuals. Success planning can address the future of a business when top leaders are lost to retirement or other events.
Contractors can play key roles in business success. Understanding contractors and their companies is important in assessing the risks associated with them. As a contractor, I have seen how a business relies on my services and the impact my departure may have if the right person is not located for my role.
CREATE A PLAN
A business continuity plan does not need to be complicated. It can grow as the business grows and becomes more mature. Below are four parts to a business continuity plan.
Risk mitigation involves planning to avoid the risk or to lessen the impact of the risk. Three potential risks include email outage, bomb threat, and data breach.
Often as an IT consultant, the focus is on backup and recovery of business critical systems. To mitigate these risks, a company may use SaaS (Software as a Service) for email, SalesForce for customer relationship management, and QuickBooks Online for accounting. Software such as these are great and can lessen the impact of hardware (server) failure. But, they don’t address other risks that put customer data at risk. An underlying assumption may exist that the provider of a SaaS application will do a better job of protecting the data than a typical business. But this risk should still appear on the risk assessment checklist.
A checklist should be created for event preparedness. For example, if the HVAC system goes out, what needs to happen? The event preparedness plan should include items that may be related to risk. Make sure to consider the loss of critical skill. The checklist would be used to confirm steps needed. Below is a brief example.
The incident response contains instructions on how to respond to a security breach or event. Below are the key components of incident response management.
Create a Response Team
The response team works to get operations back to normal if the incident causes a shutdown in operations. These are subject matter experts in each area of the business. They understand the efforts needed to return the operations to normal.
Create a Communication Plan
The communication plan outlines how the team will communicate internally and externally.
Recovery steps document recovery procedures necessary to restore business operations. The steps document the action that should be taken as part of the recovery. Items in this section of the business recovery plan include:
- Emergency contact list
- List and location of emergency items—flashlights, clipboards, pens, gloves, etc.
- Recovery checklist
- Call team members
- Check on employees and families
- Damage assessment
- Identify damage and loss of systems, equipment, and skills
- Implement needed recovery steps
- Communicate status to management and response team
- Communicate resumption of normal operations to staff, vendors and all others affected by the incident
REVIEW AND TEST THE PLAN
This part of any business continuity plan is paramount to success. The critical items of the review and test phase are listed below.
Training can be simple or complex. In a simple form, a lunch session with employees can be held to discuss plan awareness. Training sessions reassure employees that there are plans to deal with incidents. Training, whether simple or complex, should address items such as:
- Roles and Responsibilities
- Information About Potential Threats and Risks
- How Communication will be Handled
- Plan Testing
Take the testing phase seriously. It could make the difference in life and death of people and the business. Some examples of tests include simulation drills or full-scale exercises. At a bank, we used a simulation drills to respond to a scenario where access to our main facility was lost. We used our alternative location and verified that necessary roles and functions worked as expected. The results were documented and reported back to management.
The Department of Homeland Security has held full-scale exercises where they simulate disasters and evaluate the response. These are often reported on the news. For most businesses, these multi-agency exercises are not needed. But, they do provide valuable lessons on how to prepare teams for an effective response to an emergency.
Every plan needs to be reviewed and updated. Plan maintenance should include items like:
- Necessary adjustments that result from testing, changes in business operations, and changes in personnel
- Regularly scheduled formal review of all components
- Review and update after an incident
A business continuity plan does not need to perfect, but it needs to be prepared, reviewed, and updated. The business exists to execute a mission and employees count on it for their livelihood. It is irresponsible not to plan for incidents that will impact the business operations.
Ask, “Is our business prepared for the possibility of an incident that will impact operations?” If not, then get prepared!
IT Consultant | AfidenceIT
Data Breach Industry Forecast. (2015). Retrieved November 6, 2015, from http://www.experian.com /assets/data-breach/white-papers/2015-industry-forecast experian.pdf?ga= 1.172114915. 1943093614.1418003182