NPI Technology Management Blog

Reducing IT risk: planning for business continuity

- January 7, 2019

This article originally appeared in the January 2019 issue of Business People Vermont.

The new year is a great time for business planning, including evaluating and reducing the significant risk that IT failures pose to our businesses. We do this formally by creating four IT plans: a business continuity plan, a disaster recovery plan, a security policy, and a data breach/incident response plan.

Of these, the business continuity plan (the focus of this column) is the least understood. It’s often confused with a disaster recovery plan. Here is how I define the difference: a business continuity plan prevents system outages, while a disaster recovery plan restores operations after an outage.

Does planning matter? Recently, an Internet outage struck a Vermont manufacturer. It had previously used the Internet to connect its distant buildings, and an outage would have left many team members completely unable to work. By good fortune and planning, it had, just a few weeks earlier, replaced Internet connections with more reliable private fiber connections between its buildings, which made the outage an inconvenience rather than a disaster. So yes, planning matters.

Reliability (high quality) and redundancy (spares) are the tools you will use to make your operation more continuous. The effort uses time and money in the form of more planning and design, better equipment, higher service levels, and/or regular testing. So, you will want to focus your efforts on the areas of your business that require near-continuous operation.

Here are the steps to creating your business continuity plan:

• Create a list of all the applications and data you use and ask others to add to it. The list is likely longer than you expect. Don’t forget facilities functions like sending emergency alerts and key entry systems.

• Identify the people who oversee the use and care of your various applications and data. Pull them together to agree on how long you can live without each function, what the consequences would be in each case, and what the critical applications are. For example, an online business may prioritize continuous access to its web storefront to protect sales and reputation, while deciding it can live without access to internal documents for an entire day.

• Learn which IT services must be working to use each of your applications. For example, does the application require a server, Wi-Fi, or Internet connectivity? Determine what work-arounds are available. For example, are cell phones a realistic alternative to phone service? Prioritize IT services and equipment that are used by the critical applications and data access you identified earlier.

• Consider likely failures in your priority IT services, and explore solutions that minimize or eliminate the most harmful outages.

a. Stock spare parts. Parts can sit preconfigured waiting for a manual swap (make sure you have clear instructions readily available). Or they can be built-in (for example, a switch with an extra power supply) so that a failed part has no impact at all.

b. Duplicate systems. For example, have two Internet connections that take over for each other in case of an outage, or duplicate and synchronize servers at a data center in another state.

c. Contract for expedited support and parts replacement.

Review your business continuity plan (and all your IT plans) annually to account for changes in systems, staff, business focus, and business growth. Make sure documentation of manual processes is still accurate.

While you can start by creating whichever of the four IT risk-management plans feels most urgent to you, the business continuity plan is a great first step. An understanding of your business processes, applications, and IT priorities will jump-start your work on all the other plans.

Happy New Year, and here’s to using these ideas to keep your business running without interruption!