BY DENNY FISHER, Chief Client Experience Officer, ACS
If 2020 was the year for flexibility and change, 2021 should be the year of resiliency and planning. We’ve had a stark reminder that our situation can change on a dime, and nothing is guaranteed. How can we learn from this and move forward? How can we be stronger, more resilient?
Contingency planning has always been an important factor in business. Whether we like it or not, we’ve all been thrust into a master class on how to adapt, reflect and overcome. Looking forward, what policies, procedures and technologies can we put in place to reduce the impact of the unknown on our organizations?
Disaster Recovery, Incident Response, and Business Continuity plans are essential in building a resilient organization. These strategies, though similar, are very different from one another in purpose and execution.
Business Continuity: This is the overarching document and guide that outlines how your organization will recover from a multitude of disruptions. It is the ultimate business survival guide covering financial, PR, employee and technological crises. The Disaster Recovery and Incident Response plans live within this overarching document.
Disaster Recovery: Disaster Recovery planning relates specifically to how your organization will recover from a technological failure: what to do if your systems are damaged due to natural disaster, cyberattack or employee error. This guide will have detailed instructions on how to restore data repositories, critical servers and applications, along with testing procedures and recovery point and recovery time objectives.
Recovery Point Objective: The amount of data your organization is comfortable losing due to downtime. Could you afford to lose data created in the past 15 minutes, one hour or 24 hours, data that could include client, accounting and operational records?
Recovery Time Objective: The amount of time your organization can afford to be nonoperational. This metric takes into account the cost per minute or hour of downtime for the organization. If it costs the organization $100,000 per hour of downtime, how many minutes or hours could your organization withstand? Also, what level of service loss is acceptable? If a hospital can’t access patient records, how long is it acceptable to serve patients without that information?
Incident Response: This strategy is becoming increasingly important. Though it relates closely to the Disaster Recovery Plan, the Incident Response plan details explicitly what to do in the event of a cyberattack. As hackers become more sophisticated and attacks more numerous, it’s vital to have an executable plan you can rely on. This strategy covers not only the technical aspects of a cyberattack, such as stopping or eliminating the threat, forensic analysis of the breach, and internal and external communications (PR), but also legal and insurance considerations.
In the face of a crisis, the ability to react quickly, calmly and intelligently is imperative for success. Having a predetermined plan to act on increases your leadership team’s ability to guide the organization through the crisis and reduce the impact on the organization.
Almost more important than having these plans in place is the practice of testing, adjusting and communicating these plans to key stakeholders. Business Continuity, Disaster Recovery and Incident Response plans all require the inclusion and action of multiple departments, employees and outside third parties. Each of these entities must have physical and digital copies and a clear understanding of the plan and their role.
Beyond the ability to test the effectiveness and reliability of these plans with an annual or biannual physical test is the advantage of “Hot vs. Cold Cognition.” This theory states that there are two types of cognitive processing. Cold cognition is where we are most of the time; it’s our routine and more logical decision-making and processing. Hot cognition is the more emotional type of decision-making and processing. In a disaster, we are more likely to function in our hot cognition state, leading to more chaotic decisions and mistakes because we are making decisions based on emotion and potentially fear.
If we practice and routinely test the business plans and activities required during these times of high stress, it’s more likely that the decisions will be made using cold cognition rather than hot cognition because our brains have been prepared beforehand. In that instance, we would be recalling information rather than creating information on the spot. The value of using recall vs. on-the-spot determinations is huge. In essence, having a plan and testing it allows you to adapt the plan to changing conditions, ensure its reliability and improve decision-making while in crisis mode. It’s like having a fire drill in preparation for an actual fire.
It’s clear that life and business will continually throw us curveballs. It’s how we manage during those times of stress that defines our success or failure in those moments. Having well-thought-out, tested and communicated Business Continuity, Disaster Recovery and Incident Response plans will build a more resilient organization, allowing it to weather whatever storms may come.