Resilience is a much desired attribute, and its prominence has increased during the pandemic. Most businesses have a business continuity plan in place today. That said, having a business continuity plan is only half the battle won. If businesses do not test their business continuity plans regularly, they are at the risk of business continuity interruptions. It is also necessary to frequently test business continuity plans, not only to ensure if the plans are working, but also to understand if there are gaps. Tests can also reveal areas of dependencies and time taken for recovery time and costs involved.
Some best practices or recommendations include:
Test continuously: The more the number of times an enterprise tests its business continuity plan, the more effective it is, when an actual disaster takes place. Every test can reveal certain gaps, and with every progressive test, an attempt must be made to overcome these gaps. Every employee who is involved in the business continuity plan must also be made to go through each step to ensure that the recovery process is detailed and each member of the team knows their respective roles in case of a disaster. For example, during the COVID-19 crisis, many organizations realized that they didnot have the required VPN licenses for many employees. So, a business continuity plan must be subjected to multiple tests involving different scenarios to see if there are any issues that will impact the success of the plan. This helps in preparing a more realistic assessment of different situations, which in turn can help in soliciting the required responses from different teams.
Check for specific scenarios: Business continuity plans must be tested for a variety of scenarios. For example, data loss caused due to cyberattacks are one of the most common disaster related scenarios. Data loss can also be caused due to ransomware, outages or a server crash. Organizations can decide to test out scenarios where teams can be asked to recover data and find out if their business continuity plan works as documented or envisaged. Similarly, the BCP plan can also be tested for power outages, which will help the team prepare itself for situations where power is shut off for a specific number of hours. Testing will help teams understand and recognize problem areas. For example, during the case of the Chennai floods in 2015, many companies discovered that they could not continue to run their offices for more than 48 hours, due to insufficient stock of diesel for running diesel based generators. If testing is done for such situations, it can reveal gaps, and prepare organizations for such specific situations.
Prepare BCP plans by keeping people at the center:The COVID-19 situation has completely changed how organizations think with respect to their business continuity plans. Till date, disaster management was confined to regions. Risk was typically mitigated by assuming that if one physical asset was affected in a region, then the other physical asset in another location would take over. The pandemic has completely altered this approach. With a large number of employees working from home, enterprises suddenly needed to connect remote workers to ensure continuity of business. The business continuity plan must be tested for this eventuality. BCP plans must also document and prepare for situations involving people in Tier II or Tier III locations in India, where reliable bandwidth can be a huge issue. DR drills must hence be conducted from multiple remote locations involving different scenarios. This will help organizations in preparing a more realistic assessment of actual situations on the ground and close gaps progressively.
Test networks: As any downtime in the network can lead to huge issues, it is important to pay proper attention to networks. Networks have to be thoroughly tested for resiliency, and organizations must choose service providers that are carrier neutral and have the ability to offer a seamless switchover in case of a link failure at one of the telecom service provider.
In reality, while every disaster is different, and can stun even the most prepared organizations, by regularly conducting DR tests or drills, organizations can assess and analyze the business impact and progressively close all gaps, if they arise. This is the only way to continually build resilience and be prepared for every disaster.
(The author is Mr. Karan Kirpalani, Cloud Head, NTT Ltd. in India, and the views expressed in this article are his own)
