Conclusion

BCDR assessment checklist for your enterprise

If your organization faces an emergency today, do you have the necessary response, recovery, and business continuity processes for dealing with it? We’ve summed up the pointers that our BCDR efforts are based on.

The checklist below is a starting point for both IT and other organizations to craft a comprehensive BCDR plan. The process will of course differ based on your organizational culture, IT systems and environments, and the nature and severity of the disaster.

BCDR checklist for enterprises

Purpose and scope

  • What is the purpose and scope of your BCDR plan?
  • Does it cover all your critical BUs, functions, resources, stakeholders (including customers), and the various kinds of disasters?

Governance and roles

  • Do you have a senior management team that controls and approves the plan?
  • Have you identified the team that crafts and modifies the plan?
  • Have you identified other teams that need to be involved in the BCDR planning, creation, training, and approval processes?

Risk assessment

  • Have you identified the risks to your organization: lack of IT security, poor building structure, disasters such as earthquakes, floods, and pandemics, man-made accidents such as fire, and infrastructure failure such as power failure?
  • Have you assessed the likelihood of the disasters and evaluated the risks?
  • Have you identified the measures to control and mitigate these risks?
  • Have you documented all your risk assessment data?

Business impact analysis

  • Have you identified the critical BUs and their functions?
  • Have you identified the interdependencies between these BUs and functions?
  • Have you identified the critical resources for the BUs and their backups?
  • Have you identified the critical IT systems?
  • Have you established the RTO and RPO?
  • Have you identified the minimum infrastructure, systems, and resources requirements to keep your business running?
  • Have you identified the financial impact to your organization?
  • Have you identified what is at stake for your company should the disaster last for weeks or months, as a pandemic can?
  • Have you documented the impact and created a BIA report?

BCDR planning

Response

  • Have you identified the emergency response teams (including IT) and personnel?
  • Have you established the notification strategy based on your organizational hierarchy and structure?
  • Have you identified the assembly points in case of a disaster?
  • Do you have emergency response procedures for all disaster types? Are all IT arrangements in place, such as protecting IT equipment, alternative power backup, and alternative network connection? Is data backed up regularly? Are fire alarm systems in place?
  • Have you identified the local emergency hotlines?
  • Do you document every step, and do you have forms in place to capture all details, for example a disaster form?

Communication

  • Do you have a communications team to create your communications plan?
  • Do you have a well-defined internal and external communication strategy in place?

Recovery

  • Have you created a timeline of your recovery activities? What will you do in the first 3-4 hours of the disaster, 5-24 hours, 2-4 days, 5-14 days?
  • Have you identified the emergency command centers and alternate locations for continued business operations?
  • What business continuity measures do you have in place to ensure availability: data recovery and backup procedures, data center resilience, secondary DCs, multiple ISPs, power backup, temperature control systems, and fire-prevention systems?
  • Does your organization have a succession plan for making key decisions during disasters?
  • How will you stabilize the disaster situation?
  • Do you do damage assessment during a disaster to assess damage to critical assets?
  • What do you do to ensure continuity of supplies? Have you identified backup vendors?

Implementation and training

  • Do you provide regular training to all emergency personnel?
  • Do you conduct mock drills with live simulations for fire, IT security incidents such as phishing attacks, and so on?
  • Have you established the time frames and frequency of these mock drills and simulations?
  • Do you document the results of the training for continual improvement?

Plan review and maintenance

  • Do you regularly review and update your BCDR plan to ensure that the plan stays current with the latest information and changes in terms of IT systems, resources, infrastructure and policies?

BCDR best practices

We understand how hard it is to think clearly under the intense pressure of a disaster event that happens suddenly. One of the best ways to respond to an emergency is to keep calm, and not panic. Here are some best practices to consider in your BCDR journey.

  • Let's be honest. No matter how many times the plan is tested and improvised, there will be some last revisions/additions during a real emergency. That's where our quick thinking and creativity come into play. At Zoho, we have made some last-minute revisions to our BCDR plan such as updating the contact of emergency service providers who have moved to a new location, changing evacuation routes, or reassigning employee responsibilities and tasks at the last minute. It happens to the best of us, and there is no reason to panic.
  • It's good practice to involve the internal audit team, accountants, and legal counsel in the BCDR planning efforts and while outlining policies, both to check for any infringement issues and to ask for their suggestions to improve the plan. This is a crucial step that can save organizations from legal implications and huge fines.
  • During the initial phase of business impact analysis, a data gathering model that is less time-consuming and more aligned with how you work in your organization can work well. Any effort that is not part of your mainstream business activities, such as business continuity, disaster recovery, and compliance, is usually low on priority for your business units and resources, so any steps that you take to reduce the effort to gather the data can pay off.
  • It's best to have data centers in different geographical locations that are preferably in areas that are less prone to disasters.
  • Test the BCDR plan in a realistic way with all resources involved to ensure it actually works and then make the necessary tweaks.
  • Lastly, ensure the plan is accessible to all involved parties even in the event of a disaster.

Final words

In a way, we agree that COVID-19 is a wake-up call for most organizations — it proved that disaster can strike at any time, and the impact can be felt worldwide.

Assuming, then, that senior management teams are all set on ensuring business continuity and teams the world over are gearing up to create a plan or ramp up an existing one — we hope this book is of help to all teams.

Until next time.
