Why Your Company Needs a Disaster Recovery/Business Continuity Plan
Copyright K.C. Green, Gunshow Comic


It’s 2:30 A.M. and the phone is ringing. As you reach over to grab it and answer the call, you do a quick inventory of household members, hoping the call isn’t about one of them.

It isn’t.

It’s a representative from the local fire company informing you that wildfires in the area are reaching dangerously close to your business and you have two hours to claim anything you need in the building before the fire department closes and evacuates the area.

What do you do?

If you and your staff have been proactive in planning for man-made or natural business disruptions, you execute your disaster recovery and business continuity (DR/BC) procedures and begin making calls to instruct the key leads for each department to begin the DR/BC process. If you don’t have such a plan in place, you now have to scramble to make decisions on issues and scenarios you haven’t explored; figure out who will be responsible for doing what; where everyone is; whom to contact and how; and where and how you’re going to keep the business up and running while the fires are raging.

What’s the plan?

When disaster strikes, whether it’s a natural disaster such as wildfires or a man-made disaster such as a ransomware attack, a disaster recovery/business continuity plan serves as a step-by-step guide to protecting company assets and keeping the wheels of business turning. In a business disruption, the disaster recovery plan is the initial response designed to limit downtime and damages, and to restore the minimum acceptable level of functionality necessary to keep the business going. By contrast, the business continuity plan is the next phase of the process, executed after the initial response, and designed to take the business from restoration of key business functions to full operational functionality while the crisis and its aftermath are resolved. The primary purpose of a disaster recovery/business continuity plan is to provide employees with procedures to safely and efficiently recover from the disaster and restore operating functionality in an emergency or other business disruption (Meyers, Rogers, & Dunkerley, 2015).

Protect your assets: take the guesswork out of incident response.

The most valuable asset of any organization is its people. A disaster recovery/business continuity plan ensures the people tasked with recovery and restoration are protected from injury and/or death. Not everyone responds well in an emergency, and assuming people will know what to do can put your staff in dangerous situations. The DR/BC plan will promote employee safety and security by appointing a chain of command, assigning tasks, and establishing a clear set of objectives and instructions so employees understand the scope of their responsibilities and how to effectively, efficiently, and safely execute them. A DR/BC plan will protect all the company’s assets – equipment, facilities, and its people (Travelers Risk Control, N.D.).

Don’t let a business disruption empty your financial reserves.

Having a DR/BC plan in place helps reduce the financial impact of a business disruption by creating a process to ensure the financial resources necessary to bring the company back to full functionality are available and accessible. Included in those financial resources should be a plan to finance payroll so that employees can keep working to restore business functions as quickly as possible, keeping potential financial losses at a minimum. Proper funding will also help the company meet its financial obligations to creditors, vendors, and to the organizations providing operational resources such as facilities and business equipment needed during the crisis (Wallace and Webber, 2011).

Plan to meet contractual obligations.

Meeting contractual obligations is of critical importance in the DR/BC plan, as a failure to do so can result in fines and/or penalties for breach of contract, violation of Service Level Agreements, and non-compliance with government regulations. Contracts and SLAs often include “Act of God” clauses to protect both parties in the event of a natural disaster, but a failure to properly prepare for or mitigate an emergency might disqualify the company from that protection. Insurance policies may also provide some relief, but claims can be denied due to coverage limitations or failure to perform to the requirements of the policy, resulting in financial losses that impact the ability to replace lost equipment and repair facilities, impeding productivity (Department of Homeland Security, N.D.). Demonstrating due diligence in protecting data is required in both state and federal consumer protection and data protection laws, in federal regulations for government contractors such as Defense Federal Acquisition Regulatory System, and in laws such as Sarbanes-Oxley and the Healthcare Insurance Portability and Accountability Act (Tittel, 2018). The best way to avoid failing to uphold a contractual obligation, and to ensure that applicable insurance coverage is provided, is to perform due diligence and exercise reasonable care in protecting business operations and data with a DR/BC plan.

Don’t lose in the court of public opinion.

Failures in the business community to either protect data and information assets or to respond to crises that disrupt business can have a devastating impact on public opinion. The damage to a company’s reputation and the loss of public confidence in an organization can negatively impact the company’s credit rating, destroy relationships with vendors and business partners, and even result in permanent closures. According to a PriceWaterhouseCoopers study on the effects of data breaches, for example, 87% of respondents claimed they wouldn’t do business with a company hit with a data breach (Neveux, 2018). Most recently, The Heritage Company, with 60 years of respected experience helping non-profits in fundraising and marketing campaigns, closed its doors and laid off all 300 employees after a ransomware attack (Cimpanu, 2020).

Don’t let your hard work go up in smoke.

A well-developed DR/BC plan will include a comprehensive asset inventory; data backup, testing, and recovery strategies; documented testing and evaluation processes; and a coordinated communications plan, all of which will ensure the plan protects assets and data. All businesses, no matter the size or industry, benefit from having these plans in place. Protecting the company in the event of a business disruption protects employees, vendors, the community, and the economy (FEMA, 2014). 

Put the fires out before they reach your business: develop and establish a disaster recovery/business continuity plan that will provide your staff with the tools to extinguish business disruptions in an orderly, efficient, and effective manner, protect human and physical assets, and leave your business standing into the future.

For more information on how to stand up a disaster recovery/business continuity plan, FEMA offers free guidance documents for businesses of all sizes:

IT Disaster Recovery https://www.ready.gov/business/implementation/IT

Business Continuity  https://www.fema.gov/media-library/assets/documents/89510

The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets (2nd ed.) by Wallace and Webber is a free eBook available via the link at the bottom of the page.

Resources

Business continuity plan (N.D.). Department of Homeland Security. Retrieved from https://www.ready.gov/business/implementation/continuity

Cimpanu, C. (2020, January 3). Company shuts down because of ransomware, leaves 300 without jobs just before holidays. ZDNet. Retrieved from https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holiday

FEMA (2014). Every business should have a plan. Federal Emergency Management Agency. Retrieved from https://www.fema.gov/media-library-data/1389022685845-7cdf7d7dad7638a19477d01fdbfa820f/Business_booklet_12pg_2014.pdf

Green, K.C. (Artist) (2013). This is fine. Gunshow Comic. Retrieved from https://gunshowcomic.com/648

Meyers, M., Rogers, B.E., & Dunkerley, D. (2015). CompTIA Security+ Certification Guide, 519-540. New York: McGraw-Hill Education.

Neveux, E. (2018). Reputation risks: How cyberattacks affect consumer perception. SecureLink. Retrieved from https://www.securelink.com/blog/reputation-risks-how-cyberattacks-affect-consumer-perception/

Tittel, E. (2018, August 27). How risk management and due diligence go hand in hand. CompTIA Blog. Retrieved from https://www.comptia.org/blog/how-risk-management-and-due-diligence-go-hand-in-hand

Travelers Risk Control (N.D.). Why is business continuity important? The Travelers Indemnity Company. Retrieved from https://www.travelers.com/resources/business-continuity/why-is-business-continuity-important

Wallace, M., & Webber, L. (2011). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets (2nd ed.) (eBook). New York: AMACOM. Retrieved from https://epdf.tips/the-disaster-recovery-handbook-a-step-by-step-plan-to-ensure-business-continuity68736.html

©2020 Korinne M. Jackman, all rights reserved. May not be reproduced in whole or in part without prior written permission. A previous version of this article was submitted as coursework for CSIA 310 6381 at UMGC, January 17, 2020.

Re-reading this since it's highly relevant b/c of COVID!
