Business Continuity is often left to left to the IT department to initiate. A few new backup tapes and extra telephone lines – just in case disaster strikes.
Proper Business Continuity has input from all areas of the firm. By the time it ends up being a set of technical procedures designed to either mitigate risk or provide suitable workarounds it should have been given full consideration across the business.
In simple terms Business Continuity:
- Reduces the risk of certain things disrupting your business by putting measures in place to manage those risks;
- Enhances your ability to perform core business tasks when disruption is inevitable and minimises that disruption.
It’s important to establish exactly what is being protected, the risks inherent in the business and the importance of each aspect of the business before setting recovery objectives. A good business continuity plan should safeguard your key business activities and ensure normal services are maintained. This includes everything from client relationships to legislative and regulatory requirements and, ultimately, it should protect profit and revenue.
The two critical factors that the business needs to communicate to IT are the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). Without this it’s impossible for the IT department to put anything meaningful in place.
The Recovery Point Objective (RPO) is a measure of how much data the business can afford to lose before it has serious consequences. For example, if you take backups every day at midnight, you could potentially lose 23 hours and 59 minutes worth of data if the systems failed directly before the nightly backup. Firms where data changes slowly may be able to withstand this and still stay in business. Financial organisations may specify that they cannot lose even a few seconds of data.
The Recovery Time Objective (RTO) is a target time for resumption of normal IT activities and services following an outage. How long can you afford to be without your IT systems before it really starts to hurt? Is it a week? A day? A few hours?
Once the RPO and RTO have been established it’s time to talk to IT and see if, in reality, your business continuity budget can meet your business continuity objectives.
So, as you can see, the two factors above are critical in determining the amount of effort and cost that needs to go into your specific Business Continuity Plan. RPO and RTO are important business concepts for firms to understand and consider.
If you are struggling to understand or define your business objectives, or if you know what you want but need help to put it in place then get in touch and see where we can help you to achieve your objectives.