Nancy Valente, VP Enterprise Business Continuity, Freedom Mortgage Corporation
Business Continuity planners must consider all kinds of threats that may disrupt their business. The volume and force of natural disasters as well as cyber-attacks on businesses have increased. Although the list of potential threats could be a mile long, many planners take an all-hazards approach to developing contingencies by preparing for the loss of facility, staff, suppliers and technology. This article focuses on digital technology and its impact and influence on business continuity planning.
Virtually every business relies on technology. Technology makes business and life easier, more productive and efficient. But what happens when there are technology failures? Disaster Recovery plans are developed and tested for technology failures and focus on how to recover the technology that supports the business. Business Continuity prepares contingencies for the time down (see image) – the time in between the technology failure and the time the technology is restored up through when business returns to normal. The focus of business continuity teams is to demonstrate that impacted processes can be recovered before there is an impact to the business.
The business impact analysis (BIA) is used to identify the impact of an incident, and how quickly the business needs their processes—and supporting technology—restored before there is a consequence to the company. This will determine the:
• RTO (Recovery Time Objective) - the maximum tolerable length of time that processes and systems can be down after a failure or disaster occurs
• RPO (Recovery Point Objective)—maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident
Which RTO(s) you choose are determined in the BIA process; therefore, the BIA should identify and prioritize critical IT applications and components to determine which Disaster Recovery (DR) solution is needed to avoid the negative consequence of a technology outage. Below are some DR options available:
Disaster Recovery (DR)
DR refers to a company’s disaster recovery strategy involving backing up and restoring data in their data center(s). DR has transformed from tape backup—with a minimum 24-hour RPO to zero data loss with in-house replication to an alternate data center.
Disaster Recovery as a Service (DRaaS)
DRaaS is a cloud-based offering that replicates and hosts critical data and apps to (VMs) Virtual Machines—examples include Amazon AWS, Google Cloud Platform, IBM Cloud, Microsoft Azure and others. A DRaaS solution gives you the ability to back up data to the cloud as often as needed and recover it far more quickly than with traditional on-premise solutions. Instead of paying for another data center you'll only access in a disaster, you can create a cloud account to continually backup the most recent instances of your servers and simply switch over to them if the servers at your local site fail. There are cost savings with DRaaS in that companies do not have to invest in the infrastructure or resources required to manage their backup and recovery solutions. Beware…many IT professionals say security is their most significant concern in adopting an enterprise cloud computing strategy.
Be sure to ask a lot of questions of each provider to ensure you understand what you’re getting, how secure it is and most importantly, how easy is it to recover from a disaster. Testing the recovery process is critical to validating your solution.
What happens if something goes wrong in the cloud? Service-level agreements (SLAs) hold cloud providers accountable and establish recourses and penalties if providers don't live up to their promises about cloud services, including guarantees for uptime, RTOs and RPOs or security breaches.
Make sure your cloud provider contract SLAs align to the RTO of the processes they must support.
It’s Not Just About DR
Technology advances extend beyond disaster recovery. A BIA does more than identify the RPO and RTO. It should also quantify the downtime impacts on facility, people and process outages, and sets the recovery priority for critical processes and technology. Below are some examples where technology advances have enabled better contingency options:
If you lose your facility—to fire, power outage, damage, etc, you need to understand the impact on your organization and how employees will resume working in the timeframe identified in your BIA. In the past, hiring a vendor who provided an alternate office—desk/phone/equipment/Internet—was the primary option. Companies paid to reserve space that they might never use, and because they were typically subscription based, you may have had to contend with sharing that space with other companies in a regional outage. Today, there are many options for your employees to connect remotely to your network using a laptop with a secure Virtual Private Network (VPN), or a cloud based virtual desktop—Amazon Work Space- AWS, Citrix, VMWare, vCenter and others—which allows the employee to access a URL on their home device to securely connect to their company’s network.
If you need to communicate with your employees for any disruptive event—to tell them not to report to their primary facility, that the power is out, or to find out if they are safe in a severe weather event—using a Phone Tree is cumbersome, hard to maintain and time consuming. Consider using an (EMNS) Emergency Mass Notification System (Everbridge, OnSolve, MIR3 and others). EMNS simplifies the process of reaching your employee base using multiple delivery methods (phone/SMS/email) on work and personal contact information. You can tell when the employees receive the message and how they confirmed receipt as well as enable two-way communication to ensure the safety of your employees. Social media (Facebook, Twitter, LinkedIn, etc.) is also a cheap and easy way for companies to communicate to many customers—e.g. the public sector or utility companies. Private companies don’t typically communicate outage information on social media for fear of exposing information not for public consumption.
Although business continuity Management (BCM) software has been around for 15+ years, not every company invests in it. Business Impact Analysis (BIA) and Risk Assessments can be done in Excel, Business Continuity Plans can be written in SharePoint or Word. However, this is generally time consuming and hard to collect the data to identify trends and make decisions on a corporate level. With office productivity tools, impact analysis is nearly impossible. BCM software solutions—Strategic BCP, Avalution, Assurance and others—provide several advantages; most importantly, the software stores your data outside of your network—how will you access your plans if your systems are down?. The methodology facilitates the planning process, empowers accountability of the plan owners and allows for aggregated reporting. Some software companies include BIA, BCP, Risk Assessment, DR, Crisis Management and Vendor Risk and Contingency Management components in one package, covering most of the key elements of a business continuity management program.
As we rely ever more on digital technology, the trend is moving away from human managed interfaces and towards utilizing machines and automated processes. More alerts, more auto-failovers, more synergies and communications between systems. In an instant gratification world, it is not hard to imagine that technology advancements will continue to grow at a fast rate. However, I still foresee that people and their expertise will be needed in the decision-making and communications process which will be key to protecting brand, business operations, customers and shareholders.