A Disaster Can Take Many Forms: Are Your Business Customers Prepared?

According to the Institute for Business and Home Safety (IBHS), approximately 25 percent of businesses do not reopen following a major disaster. They also report that “the largest losses to business come in years after the disaster and not from the direct damage of the disaster itself.”

A disaster can take many forms: fires, flood, pandemics, or the failure of a critical server. Are your business customers prepared?

An Emergency Response Plan (ERP) or company specific standard operating procedures can provide immediate response and recovery to an incident, but do they incorporate the continuation of critical business processes?

For a comprehensive response to the threat of a disaster, it is recommended that businesses maintain a Business Continuity Plan (BCP) as part of a larger business continuity management program. A complete and well-planned program addresses both immediate disaster recovery and overall business continuity planning. Disaster recovery is a long-standing subset of emergency response planning that deals specifically with information systems (IS). BCP is deeply rooted in disaster recovery planning, which still maintains its importance, but is an all-encompassing program for the continuation of all critical business functions.

An effective BCP starts with a Business Impact Analysis (BIA). The objective of a BIA is to identify critical versus non-critical organizational functions and activities. All functions and activities are identified and prioritized in terms of the business’s mission. Typically, the BIA results in a mitigation plan, which is developed based upon the results of the risk assessment to eliminate or reduce the hazards during the assessment.

Managing Risk

Depending on the results of the risk assessment, mitigation strategies may vary greatly. Strategies will include preventive measures, such as upgrading security systems and instituting new IS measures. Strategies may also include measures that will increase response and recovery time from an event. For example, a strategy may include an improved document management system, containing mission-critical knowledge as a key component of effective recovery.

The BCP should include response and recovery actions to provide a strategy to resume normal operating conditions. A specific Business Resumption Plan (BRP) should be prepared for each of the threat scenarios identified. Resources required for response and recovery must be identified, including all required assets, personnel, and a description of the administration and logistics required for use of the resources. Also, the criteria for resuming normal operations after each threat scenario must be identified.

The BCP should be exercised as a training event both during and post development and at least annually thereafter. Training represents an important component to ensure system continuity that can be achieved by the identified response and recovery actions implemented by a prepared team.