Do you have Business Continuity and Disaster Recovery Plans? In a cybersecurity risk webinar I presented a few weeks ago, only 25% of the Not for Profit participants said they had one. Unfortunately, in this cyber world, the lack of these plans could spell disaster for any organisation.

What are Business Continuity and Disaster Recovery Plans (BC/DR)?

Business Continuity and Disaster Recovery Plans (sometimes called Emergency Management Plans) can be individual or combined plans. Essentially, they give your leadership team guidance on how to continue business and ultimately return to normal operations should a disaster occur.

And a disaster could be anything…

  • Acts of Nature such as a flood or bush fire requiring you to evacuate your premises;
  • Acts of Service Providers such as electrical, phone, system or internet outages; or
  • Acts of Man, which include theft, arson and all the cybersecurity risks.

Each type of disaster likely requires a different strategy.

As an example, when I was the CEO at RSPCA ACT, we had to create a different plan for different natural disasters depending on whether the whole facility was impacted or just certain parts like the dog kennels or vet clinic.

Where would we move the animals to if their part of the shelter could no longer house them? What would we do if the disaster happened while animals were in surgery at the time?

These were vital physical logistics that we had to consider as an animal shelter.

However, we also needed a plan for when we couldn’t process credit card payments or if the CRM went down. How would we continue to process adoptions and donations if this were to occur?

These are the types of questions that Business Continuity and Disaster Recovery Plans should cover. And with increased concerns about cyber threats, these plans are just as necessary as your organisation’s strategic plans.

Why Business Continuity / Disaster Recovery Plans matter more now

For every major cybersecurity breach you’ve heard about in the media, there are dozens that didn’t make the news page. Cybercriminal activity has increased even more in recent years, but ransomware has been particularly on the rise.

Nevertheless, whether it’s ransomware, a malicious virus or a denial of service attack on your website, the ability to restore systems and data through backups is absolutely critical. This is where a BC/DR Plan will outline exactly how you’ll do this.

The real value of the plans

While some may see these plans as a “check-box” exercise, the real value of a BC/DR Plan is that it forces you to develop a strategy (both proactive and reactive) with your service providers for each possible disaster scenario.

  • What happens if your phone system drops out for more than a day?
  • How would you restore files that were deleted by unauthorised access to your CRM?
  • What would you do if your team had to suddenly run face-to-face events virtually? (we’ve all had recent practice with this one during the pandemic!)

These scenarios, and many more, would be considered as part of the plan.

What are the components of Business Continuity and Disaster Recovery Plans?

There are plenty of great templates that you can use for free online for these plans as a starting point. Here’s one from business.gov.au called an Emergency Management Plan. And another template from Queensland Not for Profit, Community Door.

I’ve also asked Bing Enterprise Chat (secure AI tool) to give me a Table of Contents that includes cybersecurity tasks. This is what it said.

[Image: Business Continuity and Disaster Recovery Plans outline]

Hopefully, this will get you started. However, if it all feels overwhelming, get some external help. These plans are too important from a risk management perspective to allow the lack of time or knowledge to get in the way of preparing them.

Don’t forget!

While Business Continuity and Disaster Recovery plans are important to develop, they are just as important to test and update regularly. This should occur every six months, especially if your technical infrastructure changes at all.

And don’t forget to print out paper copies. If your systems go down, it will be hard to find all the emergency phone numbers of your service providers and leadership team.

I regularly help Not for Profits with strategic IT decisions, including identifying cybersecurity risks. Let me know if you need some help.

Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today she helps NFPs with strategic IT decisions, especially around investments.
