This article was updated March 21, 2023.
How a company responds during an emergency or other unexpected event can drastically impact how quickly it can resume operations and its prospects for future success. Planning ahead and having systems in place for such events can be just as important as the actual response once an event occurs.
To prepare, companies should have both business continuity plans and disaster recovery plans in place. While business continuity and disaster recovery plans are two separate types of plans, they should complement each other as there are many similar concerns for each.
Below, we outline how these plans differ and steps your company can take to design effective plans should an emergency arise:
A business continuity plan is a predefined approach and procedure for how a business will continue to run when coping with an emergency.
A disaster recovery plan is a predefined approach and procedure for restoring the business to full functionality, following a system failure or compromise, while keeping the impact to a minimum.
While a business continuity plan focuses on defining how business operations should function under abnormal circumstances during a disaster or emergency, a disaster recovery plan focuses on getting applications and systems back to normal.
Business emergencies can include events that are intentionally or accidentally caused by humans as well as natural disasters.
Potential disasters and threats can include the following:
Regardless of the origin, business disasters may cause:
Business continuity planning and disaster recovering planning both provide several benefits to your organization, especially when they’re drafted in tandem, including:
Having emergency plans in place can help safeguard life and property of the company and its employees. The Occupational Safety and Health Administration (OSHA) even requires companies with more than 10 employees to write these plans in compliance with its Regulation 1910.38 Emergency Action Plans.
When employees know plans are in place, they may feel safer. This can help boost morale and potentially increase business value perception to buyers who recognize the responsibility and preparedness of the company.
Planning ahead allows for systemic, structured, and timely implementation of your plan and helps you make decisions based on the best available information, should an emergency occur.
It also provides room to be dynamic and responsive to change. Flexibility can allow you to take human and cultural factors into account, such as supporting workers with medical needs or managing teams that operate across geographic regions, and allows the company to be transparent and inclusive with its plans.
Even if you haven’t faced an emergency, planning for one can help facilitate continual improvement of the organization and become an integral part of all organizational processes.
Managing risk for organizations includes risks posed by relationships with third parties, such as service providers or vendors. These third parties can play a significant part in the overall risk for an organization based on the types of data they have access to or handle. They can also be used to provide recovery services or high availability for systems that need to meet high levels of up time.
For companies serving highly regulated industries, such as health care, financial services, and utilities, third-party risk management often includes assessing business continuity plans and disaster recovering plans. By documenting and testing these plans, organizations are better equipped to meet the expectations of those they serve.
There are several key factors to consider when creating a business continuity plan. While employees and customer safety should be your top concern, there are also other areas of focus that are especially important.
Business continuity planning should focus on:
To prepare for those concerns, a business continuity plan should define processes and procedures for the following:
Steps to assess various risks should include the following:
Primary and secondary points of contact should be determined internally and externally. It may help to create templates or prewritten communications as well as communications schedules that can be deployed immediately in the event of an emergency. This helps put plans into action and address employee and public concerns.
Emergencies can require all hands on deck, so it’s important to identify top personnel and their responsibilities in your plan, as well as team members to serve as alternates in case the primary role player is unavailable.
Responsibilities should be defined and assigned for the following roles:
Employees will need to be notified and provided instruction in an emergency situation. Employee contact information should be up-to-date and easily accessible with departmental organizational charts as well as cell and home phone numbers and emergency contact information included.
Planning should also consider the likelihood that communications systems may be inaccessible and define alternative means of connecting with employees and team members, including any third parties supporting business continuity efforts.
First-aid kits and other resources should be inspected at least on a monthly basis. Identify local hospitals, medical treatment options, and available 911 services so the correct parties can be contacted as quickly as possible if needed.
Evacuation plans from all company buildings should be readily available, and employees can be instructed on evacuation routes through drills. Additionally, they should be provided directions to shelter and safe areas.
For those not at a company location or to plan for how to access property following an emergency, alternate routes to key facilities should also be provided in the event of damaged roads.
Should you require the assistance of emergency personnel, repairs to infrastructure, or equipment, it’s important to consider how you’ll access these resources. Contractor contact information and tools and equipment requirements, as well as rentals, should be readily available.
Equipment you should consider having access to includes the following:
In addition to requesting these materials, it’s important to make sure anyone who will come in contact with the equipment has a deep knowledge of how to properly operate machinery and assess any safety concerns.
Other important vendors and contacts to have easy access to include the following:
Should damage take place to your property or if people are harmed, you’ll want to make sure the proper insurance protocol is in place. You should be able to easily access the contact and claims reporting information for the following:
Insurance concerns can also extend to cars and other vehicles, so it’s important to have access to vehicle identification numbers (VINs) in case they go missing or are damaged.
The purpose of disaster recovery planning is to support critical operations by returning IT systems to full functionality. This should be prioritized based on customer needs, regulatory requirements, and the importance to your organization or the operations that the IT system supports.
You should be able to determine the availability of workaround options compared to work stoppages to do the following:
A disaster recovery plan has many of the same elements of a business continuity plan that need to be documented and defined ahead of time, but there are several key elements that are different. These elements include:
A business impact analysis is essential for determining and evaluating the effects of an interruption to critical business operations. It assesses a disaster’s impact over time and helps establish recovery strategies, priorities, and requirements based on system criticality.
Business leaders and management should be involved in determining the system recovery priorities as this analysis will be used to document the critical systems, document dependencies with other systems, and prioritize the system recovery efforts.
Communication is a key process during the recovery effort so recovery teams should understand their roles and responsibilities. A disaster recovery coordinator should be established, along with a backup to this position. These persons will be responsible for coordinating, communicating, and managing staff during the recovery efforts.
An emergency response team should also be documented as these personnel will be responsible for the actual recovery of the systems. They will need to prepare the recovery site for operation, coordinate recovery steps and activities, interface with system vendors, and ensure recovery is complete once systems are restored.
Disaster preparedness is rooted in an agreed-upon backup strategy that addresses acceptable recovery time and data loss, adequate system redundancy, and sound data restoration processes. The data backup plan details the backup strategy employed to ensure that data is available in order to restore systems during emergency and nonemergency situations.
This plan outlines the backup strategy for all of the critical systems identified in the business impact analysis. The recovery and response action plan provides detailed steps on the recovery procedures that need to be performed in order to restore systems and data. The recovery steps are critical as they will help guide staff in the steps necessary to fully recover a system.
Once a plan is in place, perform tests that help verify that it can be properly executed.
Diverse testing methods must be deployed so that multiple scenarios can be addressed and tested. Suggested testing methods include the following:
Testing can be done for several purposes including the following:
Emergency preparedness is all about planning, training, and maintaining a supportive culture. To learn more about how your business can organize business continuity and disaster recovery plans and confidently test and execute them, contact your Moss Adams professional.