Revisit the 3 Rs of Business Continuity in 2018


Last month, the board of directors of CompTIA, one of the world’s largest technology trade associations, issued a news release identifying five factors that “shaped the information technology (IT) industry in 2017.” The CompTIA board considered nearly 20 developments during the preceding 12 months, including non-technical issues such as political dynamics and workforce evolution. Of the five items that rose to the top of the list of high-impact events, natural disasters ranked second.

Per CompTIA, earthquakes, hurricanes, wildfires and other natural disasters were major business disruptors in 2017, both for the IT industry and for business in general around the world. CompTIA’s board cited an estimate by the National Oceanic and Atmospheric Administration that 15 separate weather and climate disasters caused at least $1 billion apiece in damage.

On more than one occasion, we’ve encouraged readers to expand their definition of business disruption beyond the physical domain and focus more on threats in cyberspace, such as malware. In fact, in a recent post we called today’s ransomware epidemic a “cyber-disaster threatening your business continuity.” But the sobering statistics shared by CompTIA remind us that disasters in the real world deserve as much attention as those arising in the virtual realm. Natural catastrophes may not be as frequent as cyber-attacks, but when they occur they can be no less devastating.

So, as we move into 2018, we’re counseling readers to revisit their business continuity plans and assess their organization’s readiness for responding to major disruptions of all kinds – natural and cyber-generated. Several years ago, we posted a piece recommending company leaders define continuity in terms of resilience – i.e., the ability to recover data and restore operations rapidly after a disruption. The key to your firm’s resilience, we asserted, is planning. And three Rs reside at the heart of sound business continuity planning. Here’s a refresher for you:

  • Recovery Time Objective (RTO) – Business leaders should set a timetable that runs from the starting point of a business disruption, such as a major data loss, to the point the organization returns to normal operations. Sales cycles, production schedules and other processes vital to retaining customers and meeting financial obligations are among the factors used to determine an RTO period. For example, the RTO for a web-based business most likely will be short, but a small manufacturer may tolerate a longer RTO.
  • Recovery Point Objective (RPO) – An RPO defines the precise moment when a crisis ends and operations return to normal. Typically, several critical paths of restoration make up an RPO, such as restoration of all data, resumption of all IT systems and return to full service and operating hours. In a data-loss scenario, the date of the last back-up file will be a pivotal factor in determining RPO. After a natural disaster, an RPO could be re-opening physical locations.
  • Return On Investment (ROI) – When determining ROI from business continuity planning, executives should take into account more than hard costs. Value should be placed on intangibles invested in business continuity, such as planning time spent by company leadership, staff hours devoted to training, and effort applied to developing good will and loyalty among customers.

Business continuity goes beyond bracing for once-in-a-lifetime calamities. An organization’s leaders should approach business continuity planning the same way they do other critical operational disciplines – with clear objectives, specific timelines and accurate financial analysis. We specialize in business continuity support and can provide insight, guidance and tips for speedy implementation. Contact us today.