Business continuity, simply put, is enabling your business to continue operating at an acceptable level in the event of an incident – large or small. Continuity for your business means being proactive, ready for inevitable disruption and able to react to resume critical services.
Why does Business Continuity matter?
If a business goes down for a period of time, let’s say due to a cyber attack – what is the cost? Trading with customers may be disrupted or cease, payroll may be offline (can you pay your employees?) and severe reputational damage can occur – to name a few.
In the modern era of cloud-first or hybrid deployment, there are more considerations than ever to ensure continuity. Employees generally work either fully remotely or in a hybrid pattern, cloud and software platforms are run and managed by a third party and, of course, cyber incidents are a constant threat. How do you protect all this data and, most importantly, how can you recover your business services in the event of an incident?
Business Continuity is also of huge importance to any firm in the United Kingdom regulated by the Financial Conduct Authority (FCA). The FCA has stipulated that regulated firms MUST perform auditing and testing to remain within tolerance levels to continue operating effectively – this is in progress and must be done before March 2025!
How Do I Start Getting Prepared?
A key component of business continuity is testing or rehearsing the scenarios that the business agrees are key to mitigate. But how do you know what components to test? How quickly do business units need to be online? How much spend should you allocate to your critical infrastructure? And what is your critical infrastructure?
Business Continuity is a key component of a business’s overall Operational Resilience. From the top down, Operational Resilience is made up of several components, including cyber and data protection, supply chain risk and incident response planning (to name a few).
Other key functions of Operational Resilience are:
- Business Continuity Management
- Business Impact Analysis
- Disaster Recovery
When a business has completed a Business Impact Analysis and has solid Business Continuity Management, the questions of how quickly business units need to be online and how much spend to allocate are much easier to answer.
A Tried and Tested Business Continuity Plan
Your business continuity plan should be created according to clear and solid processes, and should refer to industry best practices. It is key for the entire business (ideally), or at least the greater part of it, to be familiar with what actions to take in the event of a disaster scenario. This could involve traveling to an alternate site or using an alternate piece of software to connect to the corporate network. The plan should always be updated regularly and be owned by the top level of the business.
Let’s now have a look at some key components of a Business Continuity Plan:
Once you have completed a Business Impact Analysis (BIA), either internally or by utilising a third party, your business should understand the overall risk to business units.
A key component of your Continuity Plan will be understanding how long the business unit can withstand data loss (RPO – Recovery Point Objective) and how rapidly the services need to be online (RTO – Recovery Time Objective). Another key point is how much data you should keep and for how long (data retention).
This answers some fundamental questions about how much spend to allocate: typically, the lower the RPO and the more rapid the RTO, the higher the cost.
We now understand our RPO, RTO and data retention, and can create our Continuity Plan with appropriate technology to detect and protect against a critical incident.
Rehearse and Recover
One of the most important parts of a Business Continuity Plan is testing, or rehearsing, the plan. A rehearsal may not always go to plan and there will almost certainly be lessons learned. The Continuity Plan can then be updated in advance of any incident.
It may not always be practical to perform a full recovery for a large or Enterprise environment, so recovering different services at different times may suffice. It should never be OK to perform a “staged” rehearsal, or to recover one application out of 100 simply to put a tick in a box. Can you sleep at night in this case?
This part of the continuity plan should take into account known unknowns, ensuring key people are aware of and own the emergency situation and can respond accordingly. This could include, but is not limited to: sourcing equipment, an entire loss of a platform such as a cloud or cloud region, finding or populating alternative premises, contacting vendors and suppliers, communicating the incident, and liaising with authorities such as fire rescue (amongst others).
Business Continuity with Veeam
Veeam has you covered for every part of protecting your infrastructure data, wherever it may reside (in the cloud, on premises or a blend of both), and helps you comply with your critical Business Continuity plan. Veeam allows you to be completely cyber secure, mobile and ready, with the ability to recover data to an entirely different location or platform.
Veeam also has the ability to periodically perform automated recovery of your protected data, ensure data is clean of malware and provide you with a fully automated compliance report for Business Continuity rehearsals, ready to provide to your auditors – nice!