When you first started your small business, or new enterprise, your initial focus was probably given to preparing the groundwork in case things go wrong. You most likely took out indemnity and liability insurance to protect your name and your brand, prepared OH&S best practices to protect your staff and took out building and contents insurance to safeguard your premises.
IT systems are no different. As so many of you rely more and more on your IT systems for core business productivity, I felt it worthwhile taking a closer look at one of the initial steps to building a mature IT platform - planning for disaster.
The nature of IT business systems today facilitates many functions necessary for the smooth running of your businesses. They keep staff productive, they bank generated revenue and they communicate with existing and potential customers; all areas where an interruption to these processes can have a significant and lasting impact not only on your bottom line but also on how you are perceived in the wider marketplace. And, just like life in general, these interruptions seem to come at a time when you can ill afford them. As such, both thought and planning need to go into how the business will react when IT systems are unavailable.
If you are like most businesses, you simply need your IT up and running all the time, and if something does happen to go wrong then the systems need to be back up and operational immediately with no data lost. While such a panacea can exist, it comes at a hefty price and in most cases is well outside the budget of everyday organisations. For most organisations, a compromise will need to be reached.
Identify your assets
To start planning, you need to begin by identifying your critical assets: those business systems that the organisation cannot be without. These may include financial systems, customer management applications and communication systems such as email or the company website.
Ask yourself what a period of downtime would mean for such a system. How much would it cost the business? Would it result in lost revenue in the case of an eBusiness application? Will it impair communications with customers and/or suppliers? Would it result in a loss of public reputation in the wider community? These are all good questions, and they are not always related to just financial impacts.
The next step is to quantify what circumstances would result in the loss of these critical systems. These can be many and varied and can include software corruption, hardware failure, intentional malice from a disgruntled employee or even a situation larger than just the IT systems, such as fire, flood or earthquake.
To use recent Canberra context, where a fire destroyed a substantial portion of a building, ask yourself "What if my business was located in the Sydney Building?"
This of course opens up larger discussions on Business Continuity as a whole. However, from an IT perspective, you can see how unforeseen circumstances can arise with little to no warning.
Plan Mitigation Strategies
Once you have identified your key IT assets, ranked them according to their impact on the business and identified the threat vectors that could render the systems inoperable, you can begin the process of planning mitigation strategies that can either remove the identified risk completely or minimise the impact of the interruption.
Strategies can be put in place to ensure communication channels stay open with customers and suppliers. For example, Twitter and Facebook can be, and have been, used successfully as an easy way to reach wider audiences in times of need. Most customers are normally accommodating of unplanned service interruptions if you keep the communication channels open and your customers informed. Additionally, as part of this step, tasks and processes to repair, replace or restore business systems need to be documented and clearly explained. This helps to lessen the stress of working under pressure in difficult circumstances, ensures recovery operations happen sequentially in the right order, and reduces the reliance on individual staff members and their knowledge of your systems.
Review and Test
After going through the above steps and developing your in-depth IT Disaster Recovery Plan, you should review and test the strategy regularly.
This involves allocating the time, finances and personnel resources to test that the strategy is sound and will work as expected when the time arrives. Consideration may need to be given to taking primary systems offline for a period whilst standby systems are brought online so they don't conflict with each other. This will have an obvious impact on normal business operations. Alternatively, it may be possible to test the strategy in an isolated environment, completely removed from normal systems. Such a review process will ensure that business assets, threats, key personnel contact details and recovery operations are kept up to date as your organisation changes over time.