9 steps to save your business from IT disaster
Information technology systems are vulnerable to a wide range of disruptions that run the gamut from small disruptions such as a failed disk drive or a brief interruption of internet service, to disaster events such as fire, flood, or cyber intrusion.
Even “small” interruptions such as those associated with temporary lack of Internet can be costly should a business be unable to access the cloud-based services it relies upon to serve its customers.
The fires that have roared through Napa, Sonoma, Mendocino and Lake counties over the past several years have provided stark reminders that without operational IT systems it is difficult, or impossible, to return to normal business operations.
Astute businesses assure business continuity through IT risk management and contingency planning. Effective planning begins with a basic roadmap that incorporates, at a minimum, the following elements:
1. Assess the business risk associated with loss of IT services. Identify each service, i.e. email, payroll application, e-commerce site, accounting program, and other systems involved in the delivery of your service or product.
2. Using your list of services, prioritize the importance of each service to your overall operations as high, medium or low.
Consider the impact the loss of each service would have over a time horizon ranging from hours, to days, to weeks. This prioritization will be used to determine where IT budget should be spent and will inform your IT team of the business's return-to-service priorities should multiple services be disrupted simultaneously.
3. Quantify the cost of the disruption at a level that makes sense for your organization – minutes, hours or days.
If, for example, your website generates $20,000 per day in sales, a disruption of this web service would cost your business, $833 per hour.
Take into account the loss of staff productivity when calculating the cost of disruption.
4. Consider the less tangible impacts of service outages such as customer perception of your business's ability to meet customer service expectations, satisfaction of staff, and when appropriate, any compliance guidelines governing how your business must function during various disruptive events.
5. Using your service list, prioritized by business impact and disruption cost, mitigate the possible vulnerability to the extent warranted, based upon likelihood of occurrence. Worthy of note when deciding which risks to mitigate:
• Up to 45 percent of unplanned downtime is due to hardware failure. Mitigate the risk of unplanned outage by replacing aging hardware and by having backup infrastructure in place. In the event of disruption, the backup infrastructure can be used until normal business resumption is possible.
• When your business is heavily reliant upon accessing cloud-based services, even brief circuit outages are costly. Invest in a network that provides primary and secondary means to access these services.
• Data should be backed up onsite and to an offsite location. The means of backup should be selected to meet your business's return-to-service objectives. Factor the cost of data restoration testing into your budget.
6. Create a contingency plan to address that which cannot be mitigated. An IT contingency plan includes coordinated procedures that will be followed and technical measures that will be taken to recover IT systems and data following a disruption.
Your contingency plan may include:
• Manual performance of some tasks while IT services are restored
• Restoration of IT operations at an alternate site
• Restoration of services using alternative hardware – both infrastructure and end-user workstations
7. Your contingency plan will identify who will be responsible for IT restoration for each service, the process the company will follow during the event, and how information will be communicated internally and externally throughout.
The priority levels assigned during your risk assessment will be reflected in the procedures outlined in the plan to restore the highest priority services first.
8. Test your contingency plans before a crisis occurs. Make this a routine part of your IT efforts and where improvements are warranted, incorporate this work as part of your day-to-day IT operations.
9. Your IT contingency plan is a living document. Keep it updated to reflect changes to your business and your IT systems.