Business Continuity: Have a Plan
Earlier this year, while Americans across the country were still celebrating July 4th, Jaime Kosofsky and his staff woke the following day to learn that a fire had gutted Brady & Kosofsky’s main office in Matthews, N.C.
Kosofsky, a partner with the law firm, said that within minutes of arriving on scene, the executive management team activated the firm’s Disaster Recovery and Business Continuity Plan (BCP). The law firm relocated everyone to an alternate location as detailed in its BCP. The team contacted the proper parties, which made it possible for the firm to be open for business that day.
“This was a devastating blow to our team; however, because of their commitment to compliance with our compliance management system, we were able to work through what could have been the end of Brady & Kosofsky,” Kosofsky said. “We are in great shape, our temporary office was up and running, and our new office was recently built.”
Having a business continuity plan is essential to keeping an operation going following a disaster. Being prepared to manage disaster recovery can greatly minimize business disruption. The third pillar of ALTA’s Title Insurance and Settlement Company Best Practices encourages title professionals to have a disaster management plan in place to help protect non-public personal information (NPI). To find a company to help with business continuity, go to alta.org/marketplace.
Despite the destruction, Kosofsky said that there was no data or document loss due to the firm’s move to a paperless office. The fire did extensive damage to the IT infrastructure and phone system, but the main number was forwarded to a cell phone.
Kosofsky said his firm’s first line of defense was the policies and procedures that were developed more than five years ago.
“While it was great to have this all on paper and in writing, it was the culture of compliance at our firm which really paid off and protected us,” he said. “Our employees took the adoption of our policies and procedures very seriously and take a great deal of pride from being an integral part of our security and compliance system.”
As the fire burned, the firm’s chief financial officer contacted Brady & Kosofsky’s managed service provider to get an assessment of data loss since the servers were in the building that burned. The good news was that data backups were stored in a data center some 1,000 miles from the fire.
“We knew the extent of the data loss before the fire was out. That took a lot of pressure off,” Kosofsky said.
The next concern was how quickly the firm could reopen and replace lost equipment. The CFO contacted the insurance company, filed a claim and got clearance from the adjuster to order equipment necessary to get the company operational.
Since the firm’s BCP required employees with laptops to take them home, only two of them were lost in the fire. The company then set up a war room in the building next door and relied on the BCP to formulate next steps such as contacting employees, and getting email, its title production system and other IT resources running again.
After figuring out who could work remotely, the leadership team secured alternate workspace, furniture and equipment necessary to continue business within two days. Clients were then contacted with alternate email and phone numbers.
In retrospect, Kosofsky says the law firm needed a stronger plan for restoring its phone system and will move its entire data infrastructure into the cloud, which will allow the company to rebound immediately following the next catastrophe.
“Our BCP/Compliance Policies have a strict clean-desk policy for anything containing NPI or other sensitive information,” Kosofsky said. “So, having that along with having employees take their computers home at night really paid off.”
Kansas-based Premier One helped B&K develop its business continuity plan. Shawn Fox, director of sales and marketing for Premier One, said a BCP can't be developed quickly. Reviewing procedures ahead of a disaster will help a company find the weak points and proactively fix them. "This will give you the best shot of success after an unexpected event," Fox added. "We can always rebuild the network and we know the data is secure. The most important part was the communication between B&K and Premier One to make sure that the law firm was up and running the next day."
How to Develop a Business Continuity Plan
According to ready.gov, the development of a business continuity plan includes a business impact analysis (BIA). This predicts the consequences of disruption of each business function and process and gathers information needed to develop recovery strategies. This involves identifying time-sensitive or critical business functions and processes and the resources that support them.
The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:
Lost sales and income
Delayed sales or income
Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
Contractual penalties or loss of contractual bonuses
Customer dissatisfaction or defection
Delay of new business plans
The BIA should identify the critical business processes and resources needed for the business to continue to function at different levels. A BIA questionnaire can be used to survey office managers within the company.
Scenarios resulting in significant business interruption should be assessed in terms of financial impact, if possible. These costs should be compared with the costs for possible recovery strategies.
The BIA report also should prioritize the order of events for restoration of the business. Business processes with the greatest operational and financial impacts should be restored first.
If an office is damaged and business is impacted, financial losses can quickly begin to grow. Recovery strategies are alternative means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis.
Recovery strategies require resources including people, facilities, equipment, materials and information technology. An analysis of the resources required to execute recovery strategies should be conducted to identify gaps. For example, if an office is destroyed by a natural disaster but other offices are readily available to make up lost production, then there is no resource gap.
Strategies may involve contracting with third parties, entering into partnership or reciprocal agreements or displacing other activities within the company. Staff with in-depth knowledge of business functions and processes are in the best position to determine what will work. Possible alternatives should be explored and presented to management for approval and to decide how much to spend.
Depending upon the size of the company and resources available, there may be many recovery strategies that can be explored.
Utilization of other owned or controlled facilities performing similar work is one option. Operations may be relocated to an alternate site. This strategy also assumes that the surviving site has the resources and capacity to assume the work of the impacted site. Prioritization of production or service levels, providing additional staff and resources and other action would be needed if capacity at the second site is inadequate.
Telecommuting is a strategy employed when staff can work remotely from home. It can be used in combination with other strategies to reduce alternate site requirements. This strategy requires ensuring telecommuters have a suitable home work environment and are equipped with or have access to a computer with required applications and data, peripherals and a secure broadband connection. It’s also a good idea to test this strategy from time to time by having employees work a day or two per month remotely.
Partnership or reciprocal agreements can be arranged with other businesses or organizations that can support each other in the event of a disaster. Assuming space is available, issues such as the capacity and connectivity of telecommunications and information technology, protection of privacy and intellectual property, the impacts to each other’s operation and allocating expenses must be addressed. Agreements should be negotiated in writing and documented in the business continuity plan. Periodic review of the agreement is needed to determine if there is a change in the ability of each party to support the other.
There are many vendors that support business continuity and information recovery strategies.
External suppliers can provide a full business environment, including office space and live data centers ready to be occupied. Other options include provision of technology-equipped office trailers, replacement machinery and other equipment. The availability and cost of these options can be affected when a regional disaster results in competition for these resources.
Develop plan framework
Organize recovery teams
Develop relocation plans
Write business continuity and information technology (IT) disaster recovery procedures: IT includes many components such as networks, servers, desktop and laptop computers and wireless devices. The ability to run both office productivity and enterprise software is critical. Therefore, IT recovery strategies should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
Document manual workarounds: If the staff is equipped with paper order forms, order processing can continue until the electronic system comes back up and no phone orders will be lost. Identify the steps in the automated process; creating a diagram of the process can help.
Assemble plan, validate and gain management approval
Testing and Exercises
Develop testing, exercise and maintenance requirements
Conduct training for business continuity team
Conduct orientation exercises
Conduct testing and document results
Update Business Continuity Plan to incorporate lessons learned from testing and exercises.
Developing an IT Disaster Recovery Plan
Part of any business recovery strategy should include an IT disaster recovery plan. This begins by compiling an inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.
Identify critical software applications and data and the client and server hardware required to run them. Using standardized hardware will help to replicate and reimage new computers. Ensure that copies of program software are available to enable reinstallation on replacement equipment. Prioritize hardware and software restoration. Document the IT disaster recovery plan as part of the business continuity plan. Test the plan periodically to make sure that it works.
Businesses generate large amounts of data and data files are changing throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption.
Data backup and recovery should be an integral part of the business continuity plan and information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to back up, selecting and implementing hardware and software backup procedures, scheduling and conducting backups and periodically validating that data has been accurately backed up.
Developing the Data Backup Plan
Identify data on network servers, desktop computers, laptop computers and wireless devices that need to be backed up along with other hard copy records and information. The plan should include regularly scheduled backups from wireless devices, laptop computers and desktop computers to a remote network server. Data on the server can then be backed up. Backing up hard copy vital records can be accomplished by scanning paper documents into digital formats and allowing them to be backed up along with other digital data.
Options for Data Backup
Many vendors offer online data backup services including storage in the “cloud.” When backup systems are installed and properly configured, software installed on the client server or computer is automatically backed up.
Large-capacity USB drives with integrated data backup software also are an effective means for businesses to back up data. The frequency of backups, security of the backups and secure off-site storage should be addressed in the plan. Backups should be stored with the same level of security as the original data.
Data should be backed up as frequently as necessary to ensure that, if data is lost, it is not inaccessible to the business. The business impact analysis should evaluate the potential for lost data and define the “recovery point objective.” Data restoration times should be confirmed and compared with the IT and business function recovery time objectives.
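The comparisons described above (backup age against the recovery point objective, tested restore time against the recovery time objective, and whether a restore has been validated recently) can be run as a routine check over a backup inventory. The following is an added example, not code from the article, ready.gov or any vendor named here; the system names follow the article, while the objectives, timestamps and the 90-day validation interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_TEST_AGE = timedelta(days=90)  # assumed validation interval (not from the article)

@dataclass
class System:
    name: str
    rto: timedelta                         # recovery time objective set by the BIA
    rpo: timedelta                         # recovery point objective set by the BIA
    last_backup: datetime                  # completion time of newest good backup
    last_restore_test: Optional[datetime]  # when a restore was last validated
    restore_duration: Optional[timedelta]  # how long that test restore took

def audit(systems, now):
    """Return (restore_order, findings) for a backup inventory."""
    findings = []
    for s in systems:
        age = now - s.last_backup
        if age > s.rpo:  # more data would be lost than the business accepted
            findings.append((s.name, "RPO", f"newest backup is {age} old, objective {s.rpo}"))
        untested = s.last_restore_test is None or s.restore_duration is None
        if untested or now - s.last_restore_test > MAX_TEST_AGE:
            findings.append((s.name, "VALIDATION", "no validated restore within interval"))
        elif s.restore_duration > s.rto:  # restore works but is too slow
            findings.append((s.name, "RTO", f"restore took {s.restore_duration}, objective {s.rto}"))
    # Tightest RTO first: the order in which systems should be brought back.
    order = [s.name for s in sorted(systems, key=lambda s: s.rto)]
    return order, findings

# Constructed sample inventory; names follow the article, values are invented.
NOW = datetime(2024, 1, 10, 9, 0)
H = timedelta(hours=1)
SYSTEMS = [
    System("title production", 4 * H, 1 * H, NOW - H / 2, NOW - 20 * 24 * H, 3 * H),
    System("email", 8 * H, 4 * H, NOW - 6 * H, NOW - 10 * 24 * H, 2 * H),
    System("phone system", 2 * H, 24 * H, NOW - 12 * H, None, None),
    System("document archive", 48 * H, 24 * H, NOW - 20 * H, NOW - 30 * 24 * H, 60 * H),
]

if __name__ == "__main__":
    order, findings = audit(SYSTEMS, NOW)
    print("Restore order:", " > ".join(order))
    for name, kind, detail in findings:
        print(f"[{kind}] {name}: {detail}")
```

Each finding is a gap to close before a disaster: an RPO finding means backups run too rarely, an RTO finding means the restore path is too slow, and a VALIDATION finding means the backup has not been shown to restore at all.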