The Insurance Information Institute suggests that about 25% of businesses that close following a disaster do not open their doors again, and as a disaster could befall a business directly, or its partners. Ian explained that businesses should prepare contingency plans for scenarios both within, and outside each companies control, as a supply or distribution chain disruption can also cause problems so businesses need to plan for their failure too. For example, the road to a distribution center might be blocked for 24 hours, or the computer system that tells you what to load on each truck could fail.
The contingency plans should be prepared based on a business impact analysis of the possible scenarios that could occur and the potential damage to the business. All parts of the business should be involved as they understand what they need to do their jobs and understand the details of how different parts of a business interact with each other, rather than perhaps a more general view that higher level executives might have.
The next step is to determine who, what when and where the business will need things to help them recover, if something mission critical is unavailable for an hour people will moan about lost transactions, if that same mission critical component is not available for 48 hours your staff may be moaning about their loss of job.
The plans need to be simple enough to be understood and in the modern age easily ‘consumable’ on a mobile device, as that may be all people have. A block diagram type approach will also help break down the overall work into understandable blocks of procedures and practices that can easily be replicated.
The “Ideal solution” is a Systems Map that shows the grand scheme of interrelated activities and can dig down level by level which is difficult but not impossible to achieve.
Once the disaster has occurred and the business starts to move into its recovery phase there needs to be strategies to implement the plans. For example, Ransomware shuts down critical IT systems, but you have backups. Great you can delete corrupted files and restore backups but in what order do you do that, especially if your backups might have corrupted files in them too.
Ransomware is just one scenario, each business needs to think through the events that could occur to them and rate them on a probability of occurrence or severity of occurrence so they can be planned for. For each of those scenarios the business needs to work out how they would resolve them and what they would need, and how much it would cost to do so.
Now there is a plan, it should be tested and kept up to date. Businesses evolve, so should the emergency plans, especially the lessons learned from the testing of the plans.
