Business Continuity – Yes, you have done the hard work; now to keep it up to date!


A business continuity (BC) plan and a disaster recovery (DR) plan are critical to your business survival. You may never have to use them, but the peace of mind of having them in place can make you sleep better at night. The problem is that neither of them is a set-and-forget type of document, something that will never change. The more your business changes, the more these plans have to change.

Purchasing new hardware, changing a policy or moving your business to the cloud all have to be included in these plans. It is vital that, in the event of a disaster, the plans reflect all of those changes.

You do have a plan? Your BC and DR plans have probably been on the shelf since the time that they were written. That is, if you have a plan. In most small and medium businesses and not-for-profit organisations the workload is overwhelming, and a BC and DR plan are probably on page 10 of the 200 things that have to be done today.

Hypothetically, the situation could arise, right now, where you no longer have access to your physical office: the building 3 up from you has burned down and you cannot access your street for the next 24 – 48 hours. Look at the recent fire and explosions in Canada: your office could have been a mile from the location of the fire, but if they cordon off a 3 mile area you are not working for a while. You see, nothing bad has happened to you, but that ill fortune has impacted your business.

Another hypothetical: your senior sales and marketing person, you know the one, they bring in 85% of new business, has just won the lottery. With 5 million in their hot little hands, the resignation is on your desk. All that critical business information is about to walk out the door. It is possible that with it goes your business.

This is where your BC, DR and business resilience plans all kick in. Everyone needs to know that there is a plan. Not just any plan but a plan for your business. Can’t get to the office – it’s in the plan; salesman leaving – no problem, it’s in the plan. In most cases, single disasters will never happen; that zombie apocalypse or attack by aliens has a one in a quadrillion chance of happening. The chance that you get a virus, someone steals your server or someone puts a backhoe through your Internet and phone connection is a real possibility – but they are in the plan.

The next step

We have to make sure that all of these things are in the plan.   To create a DR and BC plan you would have done a risk analysis.    That risk analysis would have looked at all of the possibilities that could harm your business, made assumptions on where and when they could happen and assigned mitigating systems to counteract the risk.

It would have proposed redundant systems, included Internet-based backup, and detailed how long a system or requirement can be unavailable before it will impact your business. These are critical to ensure a business can recover in the wake of a disaster. You also need to convey to your staff and management what constitutes a disaster and when the plans need to be enacted.

Resilience is a little different. Resilience is the ability of a business to react to stimulus, whether good or bad. Resilience is seeing an opportunity and having the business capability to grasp it in both hands and run with it, an opportunity that may have only come about because of the DR and BC components that are already in place.

Resilience is so much more than that. Whereas BC and DR are paper driven, with checklists and written plans, resilience is more culture related. Having the right culture within the business will drive the business forward no matter what happens. All of those can-do people that you employ will drive your business forward in unexpected ways.

If your business culture is to listen to the coal face, you listen to those people who interact with the customer. They see more and better business capability than management, who are usually isolated from the everyday workings of most businesses. You do not need to have an MBA in business to see what customers are looking for, especially if you are being told constantly through their normal daily interaction.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.