Disaster Preparedness For Small Businesses With a Focus on IT


Preparing for a disaster is not the most glamorous or exciting aspect of running a business, but it has to be dealt with nonetheless. Studies have found that 40% of businesses close down after a disaster while 90% of them fail within two years after being disrupted by a disaster (source: FEMA).

Floods, fires or pandemics: when nature attacks, small businesses have a lot more to lose than their more established counterparts. The ongoing onslaught of coronavirus has demonstrated the need for small businesses to take disaster planning more seriously. If done right, disaster preparedness can save you from going down (or at least help you stay afloat till you land on solid ground again).

Disaster preparedness should start as early as the inception of the business and be updated regularly with the learnings from catastrophic events across the world. Every business worth its weight has a Business Continuity Plan (BCP). A BCP lays down the steps to be taken when mission-critical systems and processes are disrupted or fail. It includes the planning and deployment of preventive and recovery systems, along with specific measures to continue the business before and after the disruption and subsequent recovery.

Disaster Recovery (a smaller part of a full Business Continuity Plan) focuses mainly on the IT infrastructure and the restoration of critical business operations once a disaster strikes. Find below essential tips to remain prepared when a natural (or man-made) disaster threatens to destroy your business.

Conduct Business Impact Analysis (BIA)

BIA is the first and foremost tool to protect your business from future uncertainties. It means taking stock of the overall impact a potential threat can have on your business: financial and operational impact, disruption to sales processes, product development delays, regulatory and contract fines, delivery delays, late payments, employee and customer loss, extra expenses, lost sales, etc.

Prioritise critical activities 

List the activities that are absolutely vital to run the business and assign a maximum tolerable period of disruption (MTPD) to each one of them. For example, if product manufacturing is one of the most crucial components, determine the number of days it can remain down until it has to be revived. If the MTPD is 15 days, that's how long you'll have to put together the essential resources needed to get it up and running again. Low priority items (e.g. sales pitches, marketing, new product launch, etc.) can have longer MTPDs.

Fill in the gaps

What are the recovery requirements vs what are the resources you have now? Gap analysis includes taking account of internal and external dependencies as well as staff requirements. For example, if a supply chain breaks down, are there any internal resources that would fill the gap temporarily? If so, what are the departments/people they may depend on to meet their needs? 

Assess the immediate risk

Figure out the types of disasters that are a threat to your business, in terms of your operational areas as well as the geographical area. Analyse the assets, equipment, servers and computers that need to be insured against natural disasters. You also need to ask yourself whether there's a clear and present danger to your employees if a natural calamity strikes. The next step is to assess the risk to your suppliers and vendors and which areas of your operations that might affect. Analyse everything from low-impact to worst-case scenarios that can cause damage.

Take inventory

Start with a physical recovery plan. Inventory the necessary and supporting equipment. What are the easiest grab and go components? What are the critical resources that would be required to remain afloat and how to immediately safeguard them? 

These could include:

  • Computers/laptops
  • Phone lines/wireless devices
  • Back-up servers/off-site servers
  • Software copies

Back up data regularly

If you've followed the 3-2-1 data back-up plan from the get-go, you'll be much better off during emergencies. It is a common approach of scheduling regular backups from wireless and wired devices: keep 3 copies of your data, with 2 back-up copies on different storage media and 1 of them placed off-site.

Plan your recovery

This is the most crucial factor of your company’s disaster readiness. You can assign recovery roles in-house or hire a professional recovery specialist based on the scale and need of your business. If you’re planning recovery in-house, it’s best to download recovery plan templates available online and tailor them to suit your business. 

Determine your Recovery Time Objective (RTO), which is how long your IT systems can be down after a disaster occurs before they must be restored. For example, if your RTO is 36 hours, it means that if the damage is not repaired within that time, your business could suffer greatly.

Your Recovery Point Objective (RPO) is a metric to determine the maximum tolerable amount of data that you can afford to lose after the disaster. So if your back-up is scheduled every 24 hours at 10 in the morning and the disaster strikes at 12 noon, you lose two hours' worth of data.
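As an added illustration (not part of the original article), the sketch below audits a back-up inventory against the 3-2-1 rule and the RPO described above. All names and the sample inventory are constructed for the example. The `site_lost` flag goes one step beyond the text: when the premises are destroyed, only off-site back-ups can be restored, so the data loss is measured from the newest off-site copy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str            # hypothetical label for this copy
    medium: str          # storage medium, e.g. "nas", "cloud"
    offsite: bool
    is_backup: bool      # False for the live (primary) copy
    taken_at: datetime   # when this copy was last written

def data_loss(copies, disaster_at, site_lost=False):
    """Time between the newest restorable back-up and the disaster, or None."""
    usable = [c.taken_at for c in copies
              if c.is_backup and c.taken_at <= disaster_at
              and (c.offsite or not site_lost)]
    return disaster_at - max(usable) if usable else None

def audit(copies, disaster_at, rpo, site_lost=False):
    """Return findings against the 3-2-1 rule and the RPO; [] means it holds."""
    findings = []
    backups = [c for c in copies if c.is_backup]
    if len(copies) < 3:
        findings.append(f"3-2-1: {len(copies)} copies, need 3")
    if len({c.medium for c in backups}) < 2:
        findings.append("3-2-1: back-ups are not on 2 different media")
    if not any(c.offsite for c in backups):
        findings.append("3-2-1: no back-up is off-site")
    loss = data_loss(copies, disaster_at, site_lost)
    if loss is None:
        findings.append("RPO: no restorable back-up")
    elif loss > rpo:
        findings.append(f"RPO: {loss} lost, objective {rpo}")
    return findings

# Constructed sample: on-site back-up at 10:00, disaster at 12:00, as in the text;
# the off-site copy is one day older.
DISASTER = datetime(2024, 3, 5, 12, 0)
INVENTORY = [
    Copy("file-server", "disk", False, False, DISASTER),
    Copy("office-nas", "nas", False, True, datetime(2024, 3, 5, 10, 0)),
    Copy("cloud-bucket", "cloud", True, True, datetime(2024, 3, 4, 10, 0)),
]

if __name__ == "__main__":
    for lost in (False, True):
        print("site lost:", lost, audit(INVENTORY, DISASTER, timedelta(hours=24), lost))
```

With a 24-hour RPO this inventory passes while the office survives, but fails once the site is lost, because the newest off-site copy is 26 hours old.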

All businesses will have to consider the recovery types described below:

  • Virtualisation Disaster Recovery

This involves regular, real-time replication of virtual machine workloads (OS or application environments) off-site, separately from the hardware they physically occupy, so that they're up and running immediately in case of a disaster.

  • Network Disaster Recovery

This type of recovery puts in motion a completely vetted network system, after taking stock of all vulnerabilities, specific threats and problems along with worst-case scenarios. After devising preventive measures, a company can assign restoration roles to employees on the basis of primary, secondary, high/medium/low priority systems (Template, LAN, WAN, offsite storage/network, voice communications, etc.).

  • Cloud Disaster Recovery 

This differs from traditional disaster recovery, as cloud storage already means automated storage with remote backup that requires no physical site (recovery is a matter of minutes with just an internet connection). As a failsafe, you can hire DRaaS (Disaster Recovery as a Service) after assessing the extent of impact that can be mitigated with a third-party cloud provider.

  • Data Center Disaster Recovery

This involves securing the entire physical building that hosts the computers, servers and business infrastructure. However, the first step is to have an off-site/remote backup, secondary data center or co-location backup. Different types of disasters will require different types of hands on deck recoveries. Delegate roles to handle hardware vendors, software vendors, offsite storage facilities, system owners, database and application owners for smooth recovery.

Test your DR plans

This does not mean you start fires and flood the office floors. It simply means running simulated drills, table-top exercises and structured walkthroughs in response to a disaster as if it had actually occurred. It also entails following every step in your disaster recovery plan to see if the plans are susceptible to any failures or unexpected twists. It's also necessary to train employees in evacuation scenarios and crisis communications, and to ensure you have emergency fuel assistance for emergency power supplies to avoid downtime.

Small businesses can minimise the negative impacts of hardware/ software failure and system downtime effectively with a well thought out business resilience plan. While a good amount of time and resources go into the planning, not having a recovery plan at all is a recipe for disaster (pun certainly intended). In the end, forewarned is forearmed. 

AUTHOR BIO:

Sameer Mehta is a blogger and entrepreneur and writes on technology and lifestyle related topics. He has more than 15 years of experience across technology, consulting and marketing. He has written for Entrepreneur, West Agile Labs, Exegy Consulting, Jewellerista, etc.