Best Practices for Creating a Strong Business Continuity Plan

By Monty Goodwin

For any number of reasons, from the upswing in cyberattacks to the need for maximum uptime and access to the web, retailers are eager to create stronger business continuity plans. In the past, to a certain degree, the disciplines of IT security and business continuity were separated. IT professionals handled security and data protection while business continuity was more under the realm of risk managers.

Retailers today demand that this divide be narrowed, especially in light of the serious IT breaches at Target, Neiman Marcus and elsewhere that threatened customer loyalty and brand image. On the business continuity front, retailers need a solid response plan in place for customer and compliance reasons.

Retailers are responding. Many are changing their organizational models to account for more continuous risk assessment and continuity planning. They now view the eight-hour to 24-hour timeframe to be critical to restoring mission-critical applications when their IT systems go down. They can't be down beyond that window or they fear they'll lose customer loyalty. They're also adopting more cost-efficient backup technology and data protection because old technologies simply are passé.

So what are best practices to employ? Here are four to consider:

1. Consider the benefits of outsourcing disaster recovery and business continuity responsibilities to a managed services provider (MSP). Cloud computing can play into a retailer's decision to have a MSP handle disaster recovery and business continuity. Since retailer business volume spikes at certain times of the year, the cloud enables retailers to handle such periods without having to pay for more servers. Third-party providers almost always handle cloud responsibilities for cost and efficiency reasons, among others.

2. Ensure that your business process is functional. Test and test again. In the past, it was common to test business continuity processes by simply going to a hot site and restoring the system. Today, it's critical to define and determine the mission-critical processes and systems necessary to support and test them, with each test becoming a bit more complex as retailers track resiliency across all verticals. More and more retailers are executing validation recovery exercises against their business continuity plans at least yearly, a big increase from the past.

3. Employ a solid and reliable communication plan — internally and externally. It should include multiple communication types, including social media. Consider scenario planning based on the loss or combined loss of any of the following key business assets: technical services, physical facility, staff or key service provider.

Build business continuity strategies specific to each scenario with underlying tasks in support of each strategy. Consideration must be given to the possibility of an event affecting multiple business assets (e.g., regional hurricane, flooding, etc.) and the organization may be required to respond with less-than-optimal personnel participation and a loss of facilities. Train several backup people for each critical business function requiring a near immediate business continuity response.

4. Gain management buy-in for your business continuity efforts. Show the return on investment benefits that occur when developing a strong plan, including those that go beyond typical business continuity. Explain, among other suggestions, that the planning process can be used to identify lower priority applications allowing IT staff supporting those applications to be cross-trained and deployed to handle more vital activities. This strategy decreases recruiting and job transition costs.

For retailers, intense competitive pressures require business continuity plans to be solid. This goal may be achieved following any number of methodologies, while at the same time providing varied benefits across the organization.

If your plan could use some attention, avoid procrastinating and get started today.

Monty Goodwin, PMP, CBCP, is senior manager at SunGard Availability Services Consulting.