1. Ensure employee well-beingCommunication during and following an emergency presents a variety ofchallenges. So, crafting an employee safety and communication plan that worksis absolutely essential. The specifics will vary widely from company to company,but your emergency safety and communication plan must address the following:• How the company will ensure employees are safe during a disaster event• How it will communicate essential information to employeesfollowing the eventThe first part will depend heavily on the nature and location of your business.Safety planning for a large manufacturing facility will obviously be very differentthan for a small real estate office, for example. Because of this, it’s very difficultto provide specific best practices for this part of your BC/DR plan. However, thekey is to match your safety plan to the specific needs of your organization.For the second part, you will need to first gather a variety of information andmake sure that it is well documented, easily accessible and stored in a number ofsecure locations. This should include up-to-date employee contact information(email, mobile and home phone numbers, emergency contact information, etc.).It should also include a methodology for contacting employees.Effective communicationObviously, email is the easiest way to reach a large group of employees, but if yourcompany’s email server is down, you are out of luck. Some businesses employredundant Exchange servers or cloud-based services to ensure email access.Of course, if you are without Internet access entirely, you’ll need an alternative.
A call tree, sometimes referred to a phone tree, call list, phone chain or text chain,is another popular method for distributing important information to employeesduring and following an event. Here’s how it works. A predetermined employeeinitiates the call chain with a call to the next person on the chain. That employeecontacts the next person on the list and the chain continues until everyone onthe call tree ha s been reached. Other companies may automate emergency callswith purpose-built communications software/services.Regardless of the methods you use to distribute information to your employees,your emergency communications plan should provide enough detail that itcan be carried out if the plan’s creator is not available following the event (e.g.due to injury or impassable roads). Your plan should also be flexible enough toaccommodate for a variety of potential emergency situations. The responseto a fire in your facility during working hours will be very different fromcommunications following the widespread distribution of a defective product, forexample. Emergency communications should be brief and as accurate as possible.Depending on the structure of your organization, you may want to keep managersupdated, allowing them to pass on information to direct reports on a “need-toknow” basis. Again, the specifics of your business will dictate the correct approach.Finally, it is essential to test and update the communications plan periodically.Testing will identify gaps in the plan such as out-of-date employee lists orcontact information.
2. Keep customers in the loopManaging customer relationships is obviously critical to the ongoing success ofyour business. As such, it is important to craft a plan for distributing information toyour customers during and following a disaster event. The scope of your customercommunications plan will vary widely depending on the nature of your business.Obviously, not every glitch in operations will merit reaching out to your customers.However, if an event occurs that is likely to impact them, it is essential tocommunicate the details of the issue and explain the steps you are taking tomitigate it. This might mean direct communication to your customers, but it couldalso mean messaging via traditional and social media. Failure to do so can have anegative impact on the reputation of your organization.Take the way Toyota responded to reports of self-accelerating vehicles back in2009-2010 as an example. Instead of acknowledging the issue and assuringcustomers that the company was investigating the problem, the company optedto cite user error in a classic example of blaming the victim. The problem waseventually pinned on floor mats, gas pedal design and faulty electronics; andalthough Toyota spent billions to replace accelerator components, their initialresponse created distrust among customers.You will also need to handle a wide array of incoming communicationsfollowing a disruption. Depending on the nature of your business this couldmean: support requests, high volumes of email and phone traffic, social mediaactivity from frustrated customers, media interest—the list goes on and on.Your organization’s ability to respond to customer needs following an eventwill have a direct impact on reputation. 7Protect your repSo, how do you keep your good reputation intact? It comes down to carefulpreparation. First, you must be prepared from a personnel standpoint. Carefullyplanning communications with customers is essential. You will need to be able torespond quickly and clearly explain the steps you are taking to resolve issues.All customer-facing staffers should be briefed and ready to deliver a clear andconsistent message. You may want to consider using script templates, which canbe adapted to address various events. Pre-scripted messages can be developed,approved by management and quickly distributed to customers following a disruption.You also need to ensure access to communication infrastructure (phone, email,Internet access). This might mean redundant phone lines/services, hosted PBXsystems, cloud-based email or redundant Exchange servers, etc. Larger businessesmay need to invest in a secondary contact center to manage inbound and outboundcommunications. There are a number of vendors that offer call center services,temporary workspaces and even mobile data centers.Testing or rehearsing all or parts of your customer communications plan shouldbe considered essential as well. Testing is the best way to identify and resolvecustomer support weaknesses and communication infrastructure issues.
3. Enable IT uptimeTo understand the IT piece of disaster recovery and business continuity today,it helps to look at the not-so-distant past. It really wasn’t very long ago thatbackup meant daily incremental and weekly full backups to tape or a dedicateddisk backup target. Duplicate tape copies were created and shipped offsite fordisaster recovery—typically to a secondary site maintained by the business or toa tape vaulting facility (e.g. Iron Mountain). Many businesses continue to use thismodel today, and depending on your recovery needs it may be perfectly adequate.However, disaster recovery from offsite tape can be painfully slow. First, youneed to retrieve the tapes from an offsite location. Once they are back onpremises, you must ingest data to your backup server. At that point, you canrestore data and applications to your primary servers. This, of course, meansconsiderable downtime.When creating an IT disaster recovery plan, it’s important to understand twoconcepts: recovery time objective (RTO) and recovery point objective (RPO). RTOis the amount of time that it takes to get a system restored following a failure ordisaster event. So given the example above, your RTO might amount to 48 hours ormore. RPO is the point in time to which data can be restored following the event.So, if you performed a backup at 6pm each night and a server failed at 5pm thefollowing afternoon, your RPO would be 23 hours and any data created during thatspan would be lost. For many organizations this was unacceptable.So, rather than relying on tape for disaster recovery, some organizationsreplicated data to a secondary site that mirrored their data center for DR.However, this approach historically required a massive investment in hardware, 9because it required two sets of identical servers, storage, switches, softwareetc. Not to mention a secondary data center facility. Remote replication allowsusers to fail over operations to a secondary site in the event of a disaster, whichimproves RTO, but is well out of the reach of most businesses financially.Recovery-in-place and DRaaSAdvances in virtual server backup and cloud computing changed all of that. Today,users can run applications from image-based backups of virtual machines. Thiscapability is commonly referred to as “recovery-in-place” or “instant recovery.”Recovery-in-place dramatically improves RTO because operations can continuewhile primary servers are being restored. RPO is reduced as well—snapshot-based,incremental backups at 15 minute intervals are a common practice. Virtual machineimages can also be replicated to an alternate site or cloud for disaster recovery.There are a number of ways to implement this type of system. Many backupsoftware products today have the ability perform these tasks. If your current backupsoftware supports it, you can set it up yourself. If you are relying on an older backupsoftware product or you are starting from scratch, you might opt to outsource thesetasks. In this model, an appliance is typically placed on premises for local backupand recovery and data is replicated to the cloud for disaster recovery. Recovery-inplace technology allows you to run applications from the onsite appliance or fromthe cloud following an outage or disaster. This is commonly referred to as “clouddisaster recovery” or “disaster recovery as a service” (DRaaS).DRaaS offers the failover capabilities of traditional remote replication at amuch lower price point. Users typically pay a monthly subscription fee based onthe amount of data they are storing in the cloud.DRaaS offers the failovercapabilities of traditionalremote replication at amuch lower price point.9 9Some services charge additional fees for the processing power necessary torun applications in the cloud during disaster recovery. Compare that with thefacilities, personnel and technology expenses associated with setting up asecondary data center and the value of recovery-in-place and DRaaS is apparent.Testing IT disaster recovery plans is essential. Historically, this was a difficult andpotentially risky process. Today’s technologies and services have greatly easedthe testing process. Because of the ease in which virtual servers can be created,users can set up DR test environments without the risk of harming productionsystems. Some DRaaS providers will even perform DR testing for their clients.
4. Keep business movingAs noted above, many organizations today have limited tolerance for applicationdowntime. If your employees or customers do not have access to essentialapplications and data, there will be a direct impact on productivity and revenue.While this sounds obvious, many organizations do not consider the actualcosts of downtime for a business. To better understand the cost of downtime,consider the following example using Datto’s RTO calculator.Let’s say your business has 100 employees and on a typical day average hourlyrevenue is $1,500. In order to perform daily tasks, employees need access toemail, a large database and a variety of file-based data. Let’s say the sum of thisdata amounts to 2 TB and you perform an on-premises incremental backup at6pm each day which is also copied to a cloud backup service.Given these parameters, a full restore from a local backup would take 8 and ahalf hours and downtime would cost your organization $34,000 in lost revenue. 11When you look at restoring 2 TB from a cloud backup following a disaster,the picture gets considerably more bleak. To restore that same 2 TB over theInternet from a cloud service it would take 6 days, 9 hours and 42 minutes andthe cost to your to your business in lost revenue would be $614,800. Obviously,these numbers will vary widely from business to business, but this exampleclearly illustrates the importance of being able to continue operations whileprimary servers and storage are being restored.Continuity of operationsApplication downtime is, of course, just one factor that can impact your bottomline. Again, there are a broad spectrum of possible considerations depending onthe size and type of your organization. However, there are a variety of examplesthat apply to many businesses.Insurance—Insurance is an important factor in your recovery effort. For example,let’s say your business has numerous warehouses full of goods awaiting distributionat any given time. The cost to replace goods in the event of a fire or flood could bemassive and severely impact your ability to continue operations. So, it is obviouslyessential to select the proper insurance coverage for your business’ specific needs.Beyond that, it is also critical to document all insurance information including plannumbers/login information, the process for filing claims, etc.Training—Every business will need to identify employees critical to therecovery process. This might mean executives, department managers and ITstaff. Whatever the structure of your business, you will need to define businesscontinuity roles and responsibilities. It is also important to cross train staffers onessential tasks, in case a critical employee is unavailable following the event.11 11It is critical to evaluate thefacility or facilities in whichyour business operates.Facilities—It is critical to evaluate the facility or facilities in which yourbusiness operates. Considerations might include but are not limited to:• Appropriate fire suppression systems• Generators capable of powering essential equipment• Uninterruptible power supply systems for critical servers• Surge protection systems• Alarm/intercom systems to alert employees of emergenciesDependencies—It is important to consider dependencies within and especiallyoutside of your organization. Let’s say you are in the business of manufacturingmedical devices. You might source parts from a variety of vendors—possiblyworldwide. Let’s say one such vendor suffers a flood or fire and productioncomes to a halt. This could limit access to the raw materials you need, directlyimpacting your ability to continue operations. Your business continuity planshould offer solutions to mitigate these issues—for example, identifyingmultiple suppliers or stockpiling large numbers of essential parts.
ConclusionDisaster recovery and business continuity planning should be considered a criticalaspect of running a business. However, many organizations disregard it completely.Others have some kind of plan in place, but fail to grasp how time consuming therecovery process can be and the the associated cost of downtime. The good newsis that today’s data protection technologies and services have greatly improvedthe IT piece of the business continuity puzzle. There are a wide array of options inthe market today at different price points, which enables you to select a product orservice tailored to your specific business needs.As you may have noticed, testing your plans has come up throughout this ebook.The importance of testing business continuity/disaster recovery plans can not beunderstated. Testing is the only way to reveal gaps in your plans and address themproactively—not while you are frantically trying to pull the pieces back together afterheavy rains deposited a foot of water in your lobby.