Don’t Forget IT in Your Business Continuity Plan
The tremendous risk to businesses from potential disasters is the reason for business continuity planning (BCP). The whole concept was popularized in the run-up to the year 2000 (Y2K) event. Businesses spent months preparing for the stroke of midnight, when computer clocks in aging equipment were to click over from 1999 to 2000.
Y2K planning is one example of how information technology has become critical to the continuous operation of modern businesses. The world runs on computers now, and without them many businesses are just dead in the water. Have you ever tried to buy gasoline only to find out that the station's systems were down and it could only take cash? Loss of IT means loss of money, and that should concern everyone.
What is Business Continuity?
Business continuity planning should account for all the risk factors that threaten an organization. It is a blueprint for continuing to deliver services through a major interruption. The problem is that many companies put little to no effort into business continuity planning.
The results can be devastating, including reputational loss and even the collapse of the business. According to the Business Continuity Institute, a quarter of businesses never reopen after a disaster. It's enough to keep a company's executive officers awake at night.
Business continuity is more than just putting out fires, and it is more than just rebooting an IT system. Disaster planning is only a subset of the BCP. Business processes are at the heart of business continuity. A BCP considers threats to people and physical infrastructure, as well as to technology and data. It deals with where people should go and what people should do, and considers various scenarios that might arise, however improbable.
A full treatment of the subject is beyond the scope of this article. We'll just summarize business continuity planning with these five BCP steps from online trainer Dr. Mike Clayton:
Create a Business Impact Analysis (BIA).
Identify principal classes of threats.
Take action to mitigate those risks.
Create readiness plans to maintain continuity.
Identify a core team of business continuity leaders.
IT Plays a Central Role in Business Continuity
If you think your job as an IT professional is only to tinker with machines and software, you might want to reconsider. The entire reason for an IT department is to support the key business processes that are integral to an organization's goals. In other words, you should be keenly aware of the impact your work has on the company's success.
One area where IT involvement is critical is business continuity. That's why IT personnel are usually front and center on any business continuity or crisis management team. Company managers welcome the expertise of system and network professionals in business continuity planning.
There are two distinct approaches to business continuity that intertwine with IT processes, planning, and infrastructure. Disaster recovery (DR) is about what people do before, during, and after a crisis occurs. It's about picking up the pieces when everything falls apart. High availability (HA) is the use of strategies to ensure near constant uptime — no matter what happens. HA systems are generally more expensive, but they can save the company considerably by preventing disasters in the first place.
Risk Assessment: Earthquakes, Flooding, Hail
Any IT engineer worth their salt knows something about the risks related to their profession. Never work in a production environment without an approved change control procedure. Make sure antivirus software and security patches are up to date. Follow best practices for IT security management, and always be vigilant. But for business continuity to work, you need more than careful engineers. You need a plan — and for that you need an IT assessment.
To understand the potential threats, you may want to enlist the help of an ethical hacker, also known as a penetration tester. The report and brief from a pentester will give you a lot of information about what an unethical hacker could do to your IT infrastructure.
Of course, if you have holes in your IT defenses you'll want to take care of those based on the pentester's results. But you will also gain a lot of insight that will help in the development of a business continuity plan.
One of the best approaches is to think in terms of scenarios. What would happen if there were an earthquake affecting your data center? What about a power outage? How about a break-in? Or a fire?
TechTarget offers guidance on the development of a comprehensive IT risk assessment. They've prepared a matrix of potential disasters that are either natural or accidental, deliberate or indirect. A robust IT assessment would evaluate both the impact of various scenarios on the IT infrastructure and the methods that should be used for mitigation.
A Glossary of Terms to Keep Things Going
Business continuity is a discipline all on its own. There are BC professionals who deal with specialized terms and concepts just like we do in IT. The Business Continuity Institute offers a glossary of terms along with references to relevant standards. Here are a few examples:
Business Impact Analysis (BIA)
Capability Assessment for Readiness (CAR)
Crisis Management Team (CMT)
Emergency Control Center (ECC)
Incident Command System (ICS)
Maximum Acceptable Outage (MAO)
Recovery Point Capability (RPC)
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
If you find yourself assigned to work on your organization's business continuity plan, be prepared to expand your thinking. Input from the IT department is essential for any BCP, but you should also be aware of the broader concepts involved. The day-to-day responsibilities related to meeting Service Level Agreements (SLA) for customers all go out the window if you can't keep services running through a catastrophic event.
Business Continuity vs. Disaster Recovery
Disaster recovery is when you have a disaster, then you recover. Here's the full rundown on disaster recovery. Business continuity is when you have a disaster and you continue doing business through it. The purpose of a business continuity plan is to minimize disruption to normal business processes. The best scenario is that when something terrible happens, proper procedures are in place so that everything keeps going.
One of the best things you can do for business continuity is to establish redundancy in your IT infrastructure from top to bottom. Instead of just one server, you have two. Instead of one data center, you employ a second one. There's at least one section on backup and recovery in Azure, Oracle, and AWS certifications for a reason. Duplicate network links, data backup and replication — all these strategies will keep business processes going whether there's a disaster or not.
It's not just disasters that can bring down business processes. Even seemingly minor problems like failed hard drives or down links can cause major problems for your company. A business continuity plan takes into account anything and everything that might take down your business.
Final Thoughts: Disaster Will Strike
This article is only an introduction to some of the concepts of business continuity. As an IT professional, you will need to know your part when a disaster strikes. But prevention is better than repair. IT plays an outsized role in any business continuity plan.
And every IT professional should be prepared to contribute to it.