Samsung Galaxy Note 7, Hurricane Matthew, the election and the need for Business Continuity Planning
October surprises bring to mind the importance of business continuity planning. Most recently, Samsung decided to stop production of its Galaxy Note 7 smartphone after incidents of the phone overheating and catching fire. Hurricane Matthew impacted businesses up and down the Eastern Seaboard, whether the damage came from wind or from flooding. Finally, the presidential election in the U.S. will influence commerce and the regulatory environment, so businesses need to be prepared for whatever comes.
At the recent LockPath Ready Summit, one of the speakers was Troy Harris, Senior Director, Business Continuity Planning for RSM US. Harris spoke about the key points of Disaster Recovery/Business Continuity Planning (DR-BCP).
Here are five takeaways from the presentation:
- BCP isn’t the same as risk management
Managing risk is an ongoing concern for any business, but routine risk management deals with events short of an interruption that stops operations for a length of time. Business continuity planning covers what happens when operations do stop: crisis management plans, crisis communication plans, disaster recovery plans, business resumption plans and pandemic response plans.
In short, with risk management the business keeps operating. With BCP, the business prepares for the case where operations stop, for whatever reason, and the plan determines the response, with resuming business as the goal.
- Good BCP policies include several key elements
Developing a business continuity planning policy entails several elements, according to Harris, along with clearly defined roles and responsibilities. A good policy is:
- Clear and definitive
- Appropriate for the organization
- Follows policy standards
- Appropriate scope and content
- Formally approved and adopted
- Disseminated and enforced
- Reviewed and updated
- Supported by a program charter and other materials
This is a smart checklist for program development and ongoing reviews.
- Developing a BCP culture increases preparedness
Business continuity planning has a greater chance of success when the culture supports it. Do you have management's support? Are departments and employees actively involved? Plans work better when they are a collaborative effort instead of the responsibility of one or two individuals. Harris added these tips during the session:
“Talk to specific departments so they know what to do. It’s better to have multiple recovery plans instead of just one. During testing, change up participants to keep people engaged.”
Testing contributes to the BCP culture of preparedness. Testing activities like call list tests, departmental walkthrough exercises, disaster scenario simulations and backup tape restorations rehearse what will actually happen during a business interruption, and a restore that fails in a test is far cheaper than one that fails during an incident. Testing is typically done annually, with results reviewed against the plan's objectives.
- Risk assessment helps categorize the unknowns
To the uninformed, assessing the probability and severity of a disaster in advance sounds next to impossible. However, Harris shared a detailed risk assessment process that rates the probability of each risk occurring and its impact on staff, facilities, systems and the business overall.
Risk data used to determine probability can come from perceptions within the company, government and industry authorities, historical experiences, observations and other research.
Impact on staff, for example, is rated high if an incident would severely affect both on-site and off-site staff, and medium if it would severely affect only one of the two.
With probability and impact rated for each risk, the business continuity plan can be built by prioritizing the risks that score highest on both. What was the probability of Samsung stopping production of the Galaxy Note 7? Some might think that once the smartphone was recalled, halting production was to be expected. Even so, the New York Times article called the move unprecedented. Consider the impact on staff, facilities, systems and the business. A business continuity plan outlines what to do next, whether the event is a data breach, a product failure, a supplier incident or something as horrific as what Cantor Fitzgerald endured on 9/11, when the financial services firm, located in the North Tower of the World Trade Center, lost 658 of its 960 New York employees.
- Recovery strategies for getting business back to normal
After a business interruption or disaster, how long will it take for the business to recover? Harris labels this the Recovery Time Objective (RTO). Every resource can have a different RTO depending on the incident and the impact. For example, Internet access might have a 3-day RTO while the data warehouse has a 5-day RTO.
Harris shared how recovery strategies can be aligned with these requirements. Given an RTO of 48 hours, what could be accomplished within 36 hours, and what progress could be made between 36 and 48 hours, the deadline for recovery? Working backwards from the RTO this way exposes the steps that cannot be compressed and the ones that depend on something else finishing first.
There should be recovery plans for every impact area: departments, IT, executives, supplier networks. Each is part of the business continuity plan, a pre-determined sequence of steps to get the business back up and running within the objective.
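To make the RTO question concrete, here is an added example (not from the article or from Harris's presentation) that models a recovery plan as tasks with durations and prerequisites, computes the earliest each task can finish, checks the projected restore time of each resource against its RTO, and answers "what is done by hour 36 and what is still in flight" for any hour. The task list, durations, dependencies and task-to-resource mapping below are constructed for illustration; only the 3-day and 5-day RTOs come from the text.

```python
"""Check a recovery task plan against per-resource RTOs (critical-path style)."""
from collections import deque

# Constructed sample plan (hypothetical): task -> (duration in hours, prerequisites)
SAMPLE_TASKS = {
    "declare_disaster":       (2,  []),
    "activate_dr_site":       (10, ["declare_disaster"]),
    "restore_network":        (8,  ["activate_dr_site"]),
    "restore_internet":       (4,  ["restore_network"]),
    "restore_backups":        (20, ["activate_dr_site"]),
    "restore_data_warehouse": (24, ["restore_backups", "restore_network"]),
    "verify_warehouse":       (6,  ["restore_data_warehouse"]),
}

# Constructed mapping: resource -> (task whose completion restores it, RTO in hours)
SAMPLE_RTOS = {
    "internet_access": ("restore_internet", 72),   # the article's 3-day RTO
    "data_warehouse":  ("verify_warehouse", 120),  # the article's 5-day RTO
}


def build_schedule(tasks):
    """Earliest-start schedule: each task starts when all prerequisites finish.

    Returns {task: (start_hour, finish_hour)}. Raises ValueError on an unknown
    prerequisite or a dependency cycle (a plan that can never complete).
    """
    for name, (_, deps) in tasks.items():
        for dep in deps:
            if dep not in tasks:
                raise ValueError(f"{name} depends on unknown task {dep}")
    indegree = {name: len(deps) for name, (_, deps) in tasks.items()}
    dependents = {name: [] for name in tasks}
    for name, (_, deps) in tasks.items():
        for dep in deps:
            dependents[dep].append(name)
    ready = deque(n for n, d in indegree.items() if d == 0)
    schedule = {}
    while ready:  # Kahn's topological order; prerequisites are always scheduled first
        name = ready.popleft()
        duration, deps = tasks[name]
        start = max((schedule[d][1] for d in deps), default=0)
        schedule[name] = (start, start + duration)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(schedule) != len(tasks):
        raise ValueError(f"dependency cycle involving {sorted(set(tasks) - set(schedule))}")
    return schedule


def check_rtos(schedule, rtos):
    """Compare each resource's projected restore time with its RTO.

    Returns {resource: (projected_hours, rto_hours, slack_hours)}; negative
    slack means the plan as written cannot meet that RTO.
    """
    return {res: (schedule[task][1], rto, rto - schedule[task][1])
            for res, (task, rto) in rtos.items()}


def status_at(schedule, hour):
    """Split tasks into (done, in_progress, not_started) as of a given hour."""
    done = sorted(t for t, (s, f) in schedule.items() if f <= hour)
    in_progress = sorted(t for t, (s, f) in schedule.items() if s < hour < f)
    not_started = sorted(t for t, (s, f) in schedule.items() if s >= hour)
    return done, in_progress, not_started


def critical_path(tasks, schedule, task):
    """Chain of prerequisites, root first, that determines when `task` finishes."""
    path = [task]
    while tasks[path[-1]][1]:
        start = schedule[path[-1]][0]
        # the prerequisite whose finish equals our start is the one we waited on
        path.append(next(d for d in tasks[path[-1]][1] if schedule[d][1] == start))
    return list(reversed(path))


if __name__ == "__main__":
    sched = build_schedule(SAMPLE_TASKS)
    for resource, (finish, rto, slack) in check_rtos(sched, SAMPLE_RTOS).items():
        print(f"{resource}: restored at {finish}h, RTO {rto}h, slack {slack}h")
    for hour in (36, 48):
        done, in_progress, not_started = status_at(sched, hour)
        print(f"hour {hour}: done={done} in_progress={in_progress} pending={not_started}")
    print("critical path:", " -> ".join(critical_path(SAMPLE_TASKS, sched, "verify_warehouse")))
```

Tightening the data warehouse RTO to 48 hours in SAMPLE_RTOS turns its slack negative, and the critical path shows which steps would have to be shortened or started earlier (for example, restoring backups in parallel with the DR site activation) before the plan could honestly promise that RTO.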
Business interruptions and disasters can strike at any time. When order turns to chaos, business continuity plans are the first responders, laying out the action and recovery steps that get the business operational within a predetermined time period. It’s all about keeping your DR-BCP plans current and response ready.