Disaster Recovery Journal, Fall 2009

SMALL BUSINESS BUSINESS CONTINUITY

can provide businesses with immediate operations while waiting for management to implement more stabilizing recovery actions. The process may not be highly efficient and will be labor intensive but the customers will appreciate efforts to maintain some level of business. The survival phase requires business owners and employees to implement interim processing strategies.

Suspension of business operations is a low-cost strategy. The business owner does not try to reopen business until all technology and resources are available. The total cost of suspending operations is more than cash flow; business reputation may suffer

Keep It

Simple,

Stupid

By KEN SCHROEDER

At therisk ofbeing branded a heretic, there are times when we in the business continuity profession get in the way and become our own worst enemy. To see what I mean, look at a typical small busi- ness – say 50 employees or less. On top of this struggling enterprise layer the business continuity tools, steps, and procedures we insist must be there for any successful program:

u Risk assessment u BIA u Planning strategies u Documentation u Gap analysis u Testing u Business continuity lifecycle

24 DISASTER RECOVERY JOURNAL FALL 2009

as customers seek out alternative sources. The size of the disruption will affect the availability of external resources and recovery time. A short planned suspension of operations may become a permanent closer of the business. Small business owners may forgo suspending operations by considering other options.

Many small business owners have grown businesses from simple manual operations to technology-enhanced operations. Implementing alternative operating methods using manual systems is a cost-effective option to remain open. This option is labor intensive and requires management to train employees on the alternative opera-

Let’s take a couple of minutes and apply some old-fashioned common sense to the issue.

First of all, in a typical small enterprise, business continuity probably evolves from a short blurb in a planning meeting where someone says, “Well, shouldn’t we have a business continuity plan?” following which, everyone nods and delegates the task to some unsuspecting underling in their three person IT shop, and then move on to the next topic. Right or wrong, it happens, and we have to live with the reality of it.

Our stalwart, dedicated hero picks up the latest copy of DRJ, reads some article that applies second order differential equations to a risk assessment model, throws up his hand in disgust, makes sure that IT makes backup tapes, and calls it a day.

What advice can we in the industry give our friend to make his job easier? I think we can really put some clarity in the process by asking, “What does he really need to know to get started?” Here’s my recommendation:

My mantra is: “Business continuity planning is simple!” When all is said and done, you only have to consider two lists of three:

List 1: Risk Assessment Process

1. What threats face us?

2. What risks do those threats impose on us?

3. What can we do to minimize (or eliminate) those risks?

tions. The operations may not be as fast as using technology and may cause customer irritation. Other small businesses have a high technology infrastructure that would not allow for either suspension or alternative methods for continuous operations.

The most costly option for businesses is maintaining redundant capability. Businesses depending on computer processing consider off-site backups and redundant services and equipment as the primary means for recovery. The majority of small businesses will not have financial resources to maintain redundant systems as a feasible solution for possible disruptions. Very small businesses may consider

List 2: The Planning Process: Ensure backups for:

1. People (Who backs up whom?)

2. Places (Where can they work if we lose our facility?)

3. Process (How can they operate if the primary process is unavailable?)

Is this an oversimplification? Absolutely. But that’s the point.

As your grandfather admonished you, “Always remember the KISS (keep it simple, stupid) principle!” A typical small business doesn’t have the assets, resources, or time to throw at the business continuity problem the way larger companies demand, but that doesn’t mean it’s hopeless. My two lists of three are a great starting point.

The first list covers the threat/risk assessment portion of planning. Our hero doesn’t need to struggle with all the differentiation he reads about.

(Why, for example, does he need a separate entry for blizzard and ice storm; or, to note the difference between a disgruntled employee and a disgruntled customer, when “someone going postal” might suffice?)

Keep it simple. Focus on the risk, not the threat: Computer systems go down! Work interruption occurs! The building incurs damage! Staff are unavailable!