Business Continuity is often left to the IT department to initiate, with a focus on just recovering your IT systems, but after the recent floods perhaps more firms can talk about the wider impact of emergency situations. A few new backup tapes and extra telephone lines are not all that is needed; there is a need to think more widely (and to test different scenarios) about other implications in the event of a prolonged disruption.
Proper Business Continuity requires input from all areas of your practice. By the time it becomes a set of technical procedures designed either to mitigate risk or to provide suitable workarounds, the implications should have been explored with people in all areas of the business. That exploration should evaluate the measures introduced to minimise the risk of disruptive events occurring, in addition to those for dealing with events that do occur.
In simple terms, Business Continuity:
- Reduces the risk of certain things disrupting your business by putting measures in place to manage those risks;
- Enhances your ability to perform core business tasks when disruption is inevitable and minimises that disruption.
It’s important to establish exactly what is being protected, the risks inherent in the business and the importance of each aspect of the business before setting recovery objectives. A good business continuity plan should safeguard your key business activities and ensure normal services are maintained. This includes everything from client relationships to legislative and regulatory requirements and, ultimately, it should protect profit and revenue.
The two factors that the business needs to communicate to IT are the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Without these it’s impossible for the IT department to put anything meaningful in place.
The Recovery Point Objective (RPO) is a measure of how much data the business can afford to lose before it has serious consequences. For example, if you take backups every day at midnight, you could potentially lose 23 hours and 59 minutes’ worth of data if the systems failed directly before the nightly backup. Firms where data changes slowly may be able to withstand this and still stay in business. Financial organisations may specify that they cannot lose even a few seconds of data.
The Recovery Time Objective (RTO) is a target time for resumption of normal IT activities and services following an outage. How long can you afford to be without your IT systems before it really starts to hurt? Is it a week? A day? A few hours?
Once the RPO and RTO have been established it’s time to talk to IT and see if, in reality, your business continuity budget can meet your business continuity objectives.
So, as you can see, the two factors above are critical in determining the amount of effort and cost that needs to go into your specific Business Continuity Plan. RPO and RTO are important business concepts for firms to understand and consider.
To discuss business continuity options for your practice, contact Frank Manning.