Best practices in business continuity planning – now and for the future

Disasters are a common phenomenon, and every organization must have adequate plans and processes to ensure sustained business continuity. 

Every year, disasters – both manmade and natural – disrupt several lives. This year the global coronavirus pandemic has completely altered the way organizations function. If you look at the extensive damage caused by disasters, it reaffirms the need to have a comprehensive disaster recovery (DR) or business continuity policy in place.

We recommend the following best practices for ensuring sustained business continuity in the eventuality of any disaster:

1. Documenting the DR policy

The business continuity plan must be drafted according to the risks, and the processes that need to be followed in the event of a disaster. For example, the plan should clearly detail what employees must do in the event of a disaster, and the maximum timeframe by which critical IT services will be delivered. It’s also equally important to identify critical systems and take an inventory of the key applications. At the same time, organizations must document and have in place a list of external contacts such as bankers, IT consultants and utility personnel. As the coronavirus incident has taught us, organizations who had a well documented business continuity plan were the ones who could bounce back immediately.

2. Determine your recovery options

As every organization is unique, it must assess the risks and formulate a comprehensive business continuity plan. This plan must be designed depending on the business that the organization belongs to. For example, in the case of a bank or stock exchange, any downtime, even if it occurs for a few minutes, can cause losses in millions. For each organization, it’s important to define the approach to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.

Also, depending on the business that an organization operates in, it must determine its recovery options. In DR or business continuity language, two terms – RTO and RPO – are important. Recovery point objective (RPO) refers to the maximum acceptable data loss in terms of time, and recovery time objective (RTO) denotes the amount of time between an outage and the restoration of operations. By selecting the right RPO and RTO according to business guidelines and requirements, you can select the right DR options and recovery technologies.

3. Communicate clearly with internal and external stakeholders

In a crisis, it’s important to be proactive and communicate in detail about every possible piece of information. For example, in the current crisis, it’s vital that organizations send detailed information via emails or WhatsApp groups to communicate the various ways their people can operate smoothly from their homes. In addition to a detailed list of FAQs on company policies, organizations must also appraise employees with respect to paid or sick leave options, insurance coverage and access to software tools to work from home. When it comes to clients, it’s important to have transparent and open communication with respect to the availability of your teams.

4. Prepare, prepare and prepare

Most disasters catch organizations by surprise. This is why organizations must mandatorily and regularly conduct DR drills. While many organizations have the customary DR drill, where employees perform the drill in a standard way, they can fail as disasters are never the same.

For example, during this crisis, many organizations realized that they didn’t have the required VPN licenses for many employees. Many employees who were situated in tier II or tier III cities suffered from bandwidth issues. So, a business continuity plan must be subjected to multiple tests involving different scenarios to see if there are any issues that will impact the success of the plan. This helps in preparing a more realistic assessment of different situations, which in turn can help in soliciting the required responses from different teams. By regularly conducting DR tests or drills, organizations can assess and analyze the business impact and progressively close all gaps, if they arise.

5. Keep in mind security risks

Disasters often leave the door open for security risks. As recent incidents have shown, there has been an increase in phishing attacks and threat actors have duly taken advantage of the panic to specifically create malware. Ransomware attacks are also common during a time of crisis, as systems are most vulnerable. At this time, it’s important to review existing security policies and check endpoint security of devices. This is because as more remote workers work from their homes, the security risks too increase as many home networks lack the common security mechanisms such as firewalls, antivirus software or backup tools. This increases the risk of malware spreading its way from individual devices to corporate networks.

6. Adopt a DR in the cloud option

If you haven’t already done so, you should consider going in for a cloud-based business continuity plan. A cloud-based DR plan enables organizations to quickly speed up their recovery time. The cloud option also enables organizations to automatically provide access to services from any part of the world. For example, companies can empower their remote workers by delivering access to virtual desktops or critical applications. Moreover, with the elastic capability of the cloud, organizations can scale up their IT infrastructure in the cloud to meet increasing remote worker demands, as the coronavirus incident has shown.