Taking Care of Business: How to Write a Business Recovery Plan

Last time, we looked at how to write recovery plans to protect your organization’s computer systems and applications. In today’s post we’re going to lay out how to write plans to recover your business processes.

Related on MHA Consulting: The Science and Art of Writing an IT/DR Recovery Plan

Protecting Your Business Processes

Two weeks ago we tackled the subject of how to write an IT/DR recovery plan. Today we’re going to look at the other side of the coin by discussing how to write a plan to protect your business processes.

In the current environment, businesses are under several new types of threat, including from the pandemic, extreme weather, the supply crunch, and the rise in ransomware attacks.

Given these conditions, what can companies do to protect their businesses? The answer is, identify their critical business processes and write plans showing how to recover them in the event of an outage. This will minimize downtime and protect the organization’s ability to carry its mission.

The Four Types of Disruption

The first step in devising recovery plans for any department is thinking about the four types of disruption. Your plans need to protect your business processes from the following four types of event:

· Building loss

· Technology loss

· Third-party loss

· Personnel loss

Identifying Threats and Dependencies

Next identify the top four or five threats you face under each of the four types of events. You might have already identified these in conducting your business impact analysis (BIA) or threat and risk assessment (TRA).

Also, think about your dependencies: the things, people, and third parties you need in place for your recovery plans to be executable.

There are four main types of dependencies:

1. Application dependencies. Applications needed for the process (and how will you work if those are not available).

2. Equipment dependencies. The gear that must be available in order for your recovery plans to work.

3. Third-party dependencies. Data pertaining to third parties you might need to execute your plans and recover or sustain your business processes.

4. Relocation dependencies. Centralized alternate work sites and/or work from home requirements.

Taking Action

The next thing to look at in devising your business recovery plans is the actions that must be taken.

Immediate Actions. The actions that must be taken right away to protect people and property. After you are sure everyone is safe, identify and address any issues associated with your business processes that you have to take care of in the next 30 minutes. You might need to contact management, other employees, or some of your vendors or customers.

Containment Actions. Steps that must be taken to reduce further damage or impact from the event.

Recovery Actions. Actions that must be taken to move the department back toward normal operation. Common recovery actions include:

· Establish how people will travel to an alternate site and the first set of actions the recovery team will do when it gets there. Consider what will happen when people are working from home.

· Restore functions in order of importance as dependencies allow.

· Identify and document manual workarounds as needed.

· For each business process, develop recovery steps for the risks you’ve identified, then work out how you’re going to recover that process. Ensure you have identified manual workarounds to use if applications or technology are not available.

· Document any operational or relocation changes.

· Based on the risks and impacts, document specific actions that are going to be taken for each business process.

· Be prepared in case primary staff is unavailable and untrained people are required to perform key recovery tasks. You might need to hold a thirty-minute training session so secondary or tertiary staff will be capable of handling these tasks. Such training sessions should be included in your recovery plans. See below for information on documentation.

· In cases where relocation of operations is necessary, carry out the previously identified tasks needed to achieve this objective, such as changing phone numbers and implementing alternative communication arrangements.

Including Essential Reference Information

The last major element of your business recovery plans is your reference information. This is information you might need that isn’t included elsewhere in your plans. Either provide the information’s location or include a copy in your plan’s appendix.

The following are documents that are typically included in this group of resources:

· Asset List. List of important departmental assets such as laptops, phones, and special printers.

· Process documentation and SOPs. Documents that explain how to perform the department’s primary operations and activities.

· Employee List. List of departmental personnel with contact information. Might include a proposed employee work schedule for use during recovery. Such a schedule would list the various roles at the department and indicate how many employees in that role would be needed and for which times.

· Vendor List. List of names, products or services supplied, contract IDs, and contact information for key vendors.