What do old-time friends talk about when they finally have a chance to catch up with each other? Anything and everything! Topics range from interesting and awe-inspiring to the serious and uneasy. And the recent discussion between my friends and I on wills and trusts fell into the latter category.
It is no surprise that many people do not have them established – for various reasons: simply haven’t thought of the idea, believe that it is not necessary or a priority given their situation, aware but can’t afford the time and/or money to have it setup now, procrastination, aware but feeling apprehensive to even discussing the possibility, etc. All kinds of reasons – and yet, at the end we all nodded violently in agreement that there is a lot at stake: families, children, properties, other tangible assets, and the intangibles. And as we bid farewell, to some more than others the question lingered: What if….
Hold that thought… and bring it to work place today.
What if a major disruptive event (whether natural or man-made) impacted your business or work environment today? Is a business continuity and disaster recovery (BCDR) plan in-placed? It is a plan that focuses on what must be done to mitigate the risk of chaos, reduce the impact of a disaster, and improve the speed to recovery.
Creating a BCDR plan is a process, and a journey. It is not a one time event, rather a set of activities that result in the ongoing preparedness for disaster. In other words, BCDR plan must continually improve and adapt to the changing business needs. Key activities related to BCDR planning life cycle are:
- Develop BCDR policy: Just like any other strategic initiative, a formal BCDR policy is necessary. The policy should define scope, roles and responsibilities, and specific controls to ensure that key activities around BCDR are performed appropriately. Think COBIT.
- Conduct business impact analysis (BIA) during which all key processes and systems are cataloged and analyzed, owners and dependencies are understood, etc. This effort can be more challenging than anticipated. Due to the popularity and ease of leveraging cloud services, it is not uncommon that end users engage cloud providers directly without IT involvement. Not having holistic view of key systems/processes/data can obviously undermine BCDR plan’s integrity and effectiveness.
- Following BIA, conduct criticality analysis to understand impact, likelihood, and cost estimate if key systems and processes are debilitated/down. This will enable the company to set priority on its BCDR effort accordingly.
- Establish recovery targets, specifically RTO (Recovery Time Objective) and RPO (Recovery Point Objective). These two objectives, along with the two analyses above, will guide the appointed Disaster Recovery (DR) team to build most appropriate and cost-effective recovery strategy and architecture – whether it involves on-premise, cloud-based, or hybrid solution between the two.
- Develop recovery and continuity plans/procedures which specify actions to be taken during and immediately after the disaster. This includes procedures for operating critical operations, personnel safety, disaster declaration, roles and responsibilities, communication, etc.
- Test recovery and continuity plans/procedures. This is when the rubber meets the road. From document review, to walkthrough, to simulation, to parallel and cutover tests, the plan’s viability must be tested to validate that it is effective.
- Plan and conduct training to ensure that those responsible for carrying out the procedures are familiar with it. Involve them during testing phase, and ensure that documents and plans (which should be stored offsite) are easily accessible, when needed.
- And finally, review policy, strategy, plan, and procedures periodically. As business priority and technology changes, BCDR plan will quickly become obsolete if not updated. Ensure regular review, updates, and testing is performed.
Sounds like a lot of work? Yes – just like setting up those wills/trusts – it requires lots of thinking and planning. But let’s face it – if a disaster is not handled diligently, it will impact not only the company’s business operation, but also its long term image, brand and reputation. And the latter ones typically take a lot longer to repair, once damaged.
One last thing….for public and regulated companies, BCDR plans and activities are of auditors’ major interests. So, make sure that everything is well documented, including tests and evidence. And whenever possible, automate as much testing and evidence collection as you can.
Are you aware of BCDR plan and strategy in your company today?
In any disaster or emergency situation, what do you think is the highest priority?
