Business Recovery Plan and Why You Need It
John is stunned and terror-stricken. He is a Chief Operational Officer at one of the leading insurance companies, with a staff complement of 350. On the way back to the office from a breakfast meeting, he hears loud sirens and sees ambulances rushing past him. On arrival at his office, he finds the building has been bombed by terrorists and is engulfed in flames.

As he watches the inferno, he thinks: what should I do? Where are my colleagues? Were they safely evacuated? How can I confirm this? What is the impact on the company? Where will we operate from? Who will handle the staff's relatives, the media and our clients, and how?

Had John’s company implemented a Business Continuity and Disaster Recovery Plan (BCP/DRP), it would have addressed the majority of these questions. Eventualities need to be planned for by setting up contingencies. A BCP/DRP is a contingency measure that provides guidance in the event of a disaster.

A BCP, on the one hand, focuses on the non-IT aspects of a disaster, such as the safe evacuation of staff, a liquidity crisis or damage to reputation. A DRP, on the other hand, looks at all IT aspects of a disaster, for example server unavailability due to system failure or a fire in the server room.

The BCP/DRP takes into consideration scenarios derived from a Risk Assessment (RA) of the organization. The RA identifies threats, the probability that each threat could occur, and actions to mitigate or minimize, eliminate, transfer or contain the threat. For example, a tornado is a common threat to some states in America but not in Africa.

Not all disasters that may occur involve technology, though. For example:
Contagions: employees are the backbone of every organization. People spend more time in the office than anywhere else in their lifetime, and airborne diseases may easily spread in the office through poor ventilation. What would happen if a member of staff contracted a communicable respiratory disease?

Reputation risk: your business is only as good as its brand. It is important to have a plan in place in the event that your reputation as an organization is put into question.

The BCP/DRP should target the threats that are most likely to occur. It should be noted that new threats arise every day. For example, a few decades ago terrorist attacks were not a high probability, but things have changed. It is important to carry out risk assessments annually to identify new and emerging threats and to keep the plan current and alive. For organizations that have more than one office location across the country or region, it is advisable to perform a risk assessment at each location.

In the event of a disaster, organizations without a BCP/DRP face an increased risk of loss of life, financial loss, reputational damage and lengthy litigation. The best advice to John and other organizations without a BCP/DRP would be to conduct risk assessments to identify threats, put in place contingency and/or recovery measures, test the plan and educate members of staff.