Before you start your risk assessment and BIA, the first thing you should do is get all the stakeholders on board with the business continuity program. Out of the stakeholders, the most important to get on board, in my opinion (for what that’s worth to you), is your employees, in particular those who are going to be providing input into the business impact analysis. You do not want these people hemming and hawing when you are trying to gather important information for your business continuity plan. You want them thinking of the process as something that is going to protect them as well as the company, and in turn you want them thinking of all the critical information you’ll need to ensure you get your dependencies, RTOs, and RPOs right.

So how do you get the stakeholders on board? Like most things in life, you appeal to their self-interest. What is in it for them?

For example, if you are talking to shareholders, you want to put a BCP (business continuity plan) in place in order to minimize any potential losses to the company and to ensure the company survives and thrives. The BCP will be one way to protect their investment and to ensure the investment isn’t lost when disaster strikes.

Your employees care about their jobs. Let them know that you are starting a business continuity program in order to ensure the company can survive any disaster. This in turn will help to preserve their jobs in the event of a disaster, which is a time when a job and the income it provides will be needed the most. There would be nothing worse than a disaster that affects the employee’s home and family, after which that employee also finds out they lost their job. Now they have to recover personally and professionally. Talk about stress!

If your company is owned by an individual or a small group of owners and you are tasked with business continuity or want to get buy-in from the owner(s), explain that you want to ensure the company survives. The owner(s) are going to want to ensure what he, she or they built lasts and can be passed on as they see fit. The owner(s) do not want to put years of hard work into building a business only to see it destroyed by lack of preparation for a business-impacting event.

What about your customers? Customers, in particular B2B customers, would love to hear that you are working on business continuity. It tells them that they can depend on you to be there even if disaster strikes. If your customers are comparing your reliability against another company’s, who wins, the company without a business continuity plan or you with your business continuity plan? Brag about having plans. It will get your customers questioning any potential rival’s reliability.

Lastly, although there are more, are your vendors. You need to reach out to vendors, especially ones that provide inputs to time-sensitive processes, and explain you are going to need some information from them for your BCP. From their point of view, they should be happy you are ensuring you’ll still be there buying from them in the event of a disaster. No one wants to lose a customer, especially one that’s obviously reliable enough to plan for disasters.

RTOs (Recovery Time Objectives) are used a lot in disaster recovery. They are also used in business continuity planning, and as we mentioned before, DR and BC are not the same.

RTOs can get tricky though. For your business processes, you establish your RTOs during the BIA (business impact analysis). You may think that’s no big deal. Time goes on and one day you have an event. Your business has to recover from the event and get the processes back online within their designated RTO.

Sounds pretty straightforward, right? Well, during the planning phase you told your IT people the RTO that you came up with for any given process. They said, “Sure, that won’t be a problem. We can hit that RTO.” Do you see where this is going?

RTOs in the IT realm are measured from the time of requested restoration. When you ask an IT person whether they can meet this four-hour RTO, they are thinking, sure, I can restore that server, application or whatever system you are talking about within four hours. The business, on the other hand, has an RTO of four hours that begins at the moment of impact from an event. The four-hour clock is ticking from the time of impact, and yet you still have to decide whether to declare this a disaster and initiate the emergency response. Say you are trying to avoid that and doing what you can to get things back up and running. An hour and a half goes by. Then you decide, we need to initiate emergency response procedures and go into restoration and recovery mode.

Part of that process involves asking IT to initiate their disaster recovery plan and get the system, application, etc. back up and running. Sure, they say. No problem.

Another two hours go by, and IT still doesn’t have the systems up. You call to find out how much longer it will be. You only have 30 minutes left to hit your RTO, which is the point at which you determined business would be critically impacted if operations did not resume. What’s IT’s response? It’s been two hours, so they have another two hours left to meet their RTO.

Time is money

There was a mismatch in the understanding of RTOs between business process RTOs and what IT calls RTOs. If IT can’t substantially beat their RTO and instead comes in just under their RTO, you are going to be an hour and a half past your RTO. This could be very bad.


When discussing RTOs during the planning process, make sure everyone is talking about the same RTO. If you are in IT, make sure you are explaining your RTOs as the time it takes to recover from the point at which recovery is requested, not the point of impact on the business. This is typically the point of disaster declaration. At this point the clock has already begun ticking.
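The clock mismatch described above, worked through as an added example (not code from the original blog). The process and system names are constructed sample data, and the code assumes systems are restored in parallel so the slowest one decides when a process is back, which goes slightly beyond the single-system case in the text.

```python
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    business_rto_h: float  # BIA figure: hours allowed from the moment of impact
    systems: dict          # system name -> IT RTO, hours from the recovery request

def assess(process, declaration_delay_h):
    """Place both clocks on one timeline that starts at the moment of impact."""
    # What is left of the business RTO once the time to declare has been spent.
    it_budget_h = process.business_rto_h - declaration_delay_h
    # Assumption: systems are restored in parallel, so the slowest one decides.
    slowest, it_rto_h = max(process.systems.items(), key=lambda kv: kv[1])
    restored_at_h = declaration_delay_h + it_rto_h
    overrun_h = restored_at_h - process.business_rto_h
    return {
        "process": process.name,
        "it_budget_h": max(it_budget_h, 0.0),
        "slowest_system": slowest,
        "restored_at_h": restored_at_h,
        "overrun_h": max(overrun_h, 0.0),
        "meets_business_rto": overrun_h <= 0,
    }

def review(processes, declaration_delay_h):
    """Return the assessments of processes that would miss their business RTO."""
    results = [assess(p, declaration_delay_h) for p in processes]
    return [r for r in results if not r["meets_business_rto"]]

# Constructed sample data; the first entry mirrors the four-hour scenario above.
PLAN = [
    Process("order entry", 4.0, {"order database": 4.0, "file server": 2.0}),
    Process("payroll", 24.0, {"payroll application": 4.0}),
]
DECLARATION_DELAY_H = 1.5  # time spent before the disaster is declared

if __name__ == "__main__":
    for r in review(PLAN, DECLARATION_DELAY_H):
        print(f"{r['process']}: restored {r['restored_at_h']}h after impact, "
              f"{r['overrun_h']}h past the business RTO; "
              f"{r['slowest_system']} must be restorable in {r['it_budget_h']}h")
```

The `it_budget_h` figure is the number to give IT during planning: the restore time, measured from the request, that still fits inside the business RTO.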

Most small businesses think of disaster recovery and business continuity as one and the same. It’s understandable when most backup software and solution companies use the terms interchangeably, but the two are not the same.

Disaster recovery is typically concerned with your technology. Is your data backed up, where to, how often, how quickly can it be recovered and to what point in time? These are all very important to business continuity, but they are only a piece of the puzzle. Without all the pieces, you will never see the entire picture, and in this case that picture is what will help you recover your business in the event of a disaster.

So what are the other pieces or shall I say business functions and processes? A true business continuity plan (BCP) should be concerned with how all the functions of your business operate and what would happen if something interrupted any one of those functions. Disaster recovery or the recovery of the technology systems is just what enables these functions to operate, automate, communicate, etc. As part of the business continuity planning, you need to think about more than just your data.

You need to think about how quickly you would need each function operating again before your business is critically impacted. How does one function impact another function?

What good does it do you to have your data recovered (maybe your data was never affected) and yet you have nowhere to work? How long would you take to find office space, computers, printers, fax machines, communication lines, and the list goes on? Would it be fast enough for you to meet your client obligations?

These are all questions that should be addressed by a risk assessment, a business impact analysis (BIA) and finally with a business continuity plan. As part of the risk assessment, you want to draw up a list of all the possible risks you can think of, their likelihood, and their possible impact on your business. Then analyze which risks you want to mitigate, which you want to insure against, and which you’ll just accept.

After that, you then need to do a BIA to determine how your business functions relate to each other, how time sensitive each is, what’s the impact on the organization (financially, reputationally, legally) if this function ceases, and finally develop recovery time objectives (RTOs) for each function. Once you have your RTOs established, you can look at how you meet those RTOs. Do you need real-time data backup? Do you need to secure a warm site? Can you develop a work-from-home strategy that will allow you to have employees work from home in an event and know that they can work from home and yet remain productive?

Your disaster recovery plan is just a means to recover your technology that will hopefully help your business functions meet their RTOs. It is part of the recovery strategy in your business continuity plan, but it is not the plan. The plan is what addresses how you recover any of the functions within the time frames you determined during your BIA. It’s the documentation of the recovery strategies you came up with to meet those RTOs. It’s the playbook of who, how and what will be deployed to recover your business or just a function of your business in any type of event that impacts any function of your business or the business as a whole.

Now that you know the difference, do you really have a Business Continuity Plan or just a Disaster Recovery Plan? You need both.

I love when I see companies thinking outside the box. I thought this was a pretty cool idea from Sears Holdings to reuse all those closed Kmarts.

What happens when big box stores close down, leaving so much empty space behind? Few other retail environments need so much room. There is at least one former Walmart that has been converted into a giant library, but Walmart wasn’t involved in the effort–the building simply changed hands. Sears Holdings is taking a different approach: holding on to shuttered Sears and Kmart stores, and turning them into wireless towers, data centers, and disaster recovery centers.

Data Center Knowledge tells us that Sears Holdings has launched a new unit, Ubiquity Critical Environments, to convert a chunk of the company’s 3,200 properties (some are shuttered stores, some are open) into pieces of the modern global infrastructure.

via Turning Old Kmarts Into Data Centers And Disaster Recovery Spaces | Co.Exist: World changing ideas and innovation.

Usually when I start a new blog, I like to put out an introductory post explaining why I’m starting the blog and what will be the topics discussed. This particular blog is going to focus on Business Continuity with a focus on small and medium sized businesses.

To understand where I am coming from, my background is IT, helping clients build and maintain their IT infrastructures. It seems like more and more, we’re getting asked by clients to help with disaster recovery planning. This makes sense as we are managing data backups for our clients.

When clients bring this up to us, we like to explain that they should go further and develop business continuity plans. Where many business owners make a mistake is using Disaster Recovery and Business Continuity interchangeably. They are not the same thing.

Disaster recovery is focused on IT and recovery of data. This is very important, but it’s not the only aspect to worry about.

Business continuity, on the other hand, is concerned with your business operations in their totality. How do you react in a disaster or partial disaster? How long can a certain business function not operate before your business is severely impacted? Even worse, how long is too long, beyond the point of no return?

These are the things we encourage our clients to think about. Unfortunately, most small businesses, understandably, are too busy trying to grow their businesses and have too few resources to worry about business continuity planning. For some, every day is about survival, so how can they worry about surviving in the unlikely scenario of a disaster when they have to worry about survival of the next payroll?

This is completely understandable. Hopefully, this is where this blog can help. We will try to give real world advice on business continuity planning for small and medium sized businesses, so stay tuned for more to come.