The Business Continuity Lifecycle: Steps to Take
The time to sign up for your home insurance policy is not the same day as a hurricane takes off your roof. The business continuity lifecycle also starts well before a disaster. It includes 5 steps: minimize risk, prepare the plan, strategize communications, launch the plan, and get back to normal without serious data loss.
Step 1: Minimize risk with proactive planning.
Some business continuity lifecycle “plans” consist of the following:
- Hey, I’ve got backup.
- Corporate insists that I need a business continuity lifecycle plan so I’ll tell them that I can take over remote operations from my house. I don’t know if that’s true or not but that’s what I’ll say.
- Nothing is going to happen anyway.
None of these options are going to look good when a disaster does happen. Remember that a disaster doesn’t have to be caused by a major natural disaster -- an earthquake, tornado, hurricane, or flood. It can also be an extended loss of power, a user error that floods the network downstream, a hacker intrusion, or a scorned employee who just found out that he is being laid off. There are threats everywhere and you need to proactively plan for all of them.
Step 2: Get ready.
Data protection is a critical part of business continuity lifecycle planning. Assess the IT domain’s top risks and continuity gaps, then create incident response and recovery plans. To protect your applications from serious loss and downtime, look at business continuity providers for managed cloud backup and recovery, and for remote failover for critical applications. Remember to also plan out your bare metal recovery and application recovery procedures.
Make sure all the application folks in your organization are involved in the process. IT handles most enterprise applications, but database administrators may not necessarily be an IT department. In this case, reach out to involve the DBAs in database recovery planning to make sure everyone is on the same page with the plan.
Step 3: Don’t leave communications to chance.
Disaster communications isn’t IT’s official role. A large company may have a distinct business continuity group in charge of disaster planning and communications, and even a small company will have a spokesperson to keep everyone aware of the status the disaster and recovery process.
But IT must at least plan for critical communications between its members, internal stakeholders, vendor partners, emergency services, and customers. Consider the following communication channels and how to make that work for you during an emergency.
- Set up emergency bridge lines. Some IT organizations in NYC wrote emergency bridge line procedures into their BC planning. Good thing too, because these organizations could activate the lines during the worst flooding. Team members and key stakeholders could call in and get progress reports, while team members who stay in the data center got regular safety notifications.
- Create mobile notification groups ahead of time. Create communication group lists ahead of time in email and text. You really don’t want to create a test group in the middle of an emergency and forget your CIO.
- Plan for multiple communications channels. If you only plan for a single channel, you’re going to be unpleasantly surprised when the disaster hits. Plan for email, cell phones, and landlines -- semaphores or smoke signals for that matter – so you can have at least one working communication channel during a disaster. The more you have ready to go, the more likely you are to get through when you need it most.
Step 4: Launch your business continuity lifecycle’s disaster and recovery plan.
D-Day: The disaster. It won’t reach the scope of the fictional polar vortex of The Day After, and probably will not be on the scale of Hurricane Sandy or Houston flooding events. It can still be bad: Wildfire threatens an office and melts road pavement, making it impossible to get in or out. A power grid goes off-line, taking a data center with it. Rising waters flood first floors and basements, drowning facilities and destroying equipment. A terrorist attack destroys buildings and empties out whole city blocks.
Less than 5-minute failover from anywhere.
Step 5: Get back to normal.
With priority applications operating in the cloud or at secondary sites, IT and their vendors have time to restore the primary data center. Applications failback as repaired systems go online. IT monitors for issues and data loss, but thanks to business continuity lifecycle planning there is no long-term damage to the company’s data.
“Getting back to normal” after a significant disaster will take time. But the better you planned your business continuity lifecycle -- and the closer you stuck to your plan -- the less time it will take. Science fiction? No. Careful business continuity planning and strategic investment. These are the keys that will ensure company survival in the face of serious disasters.